Biometric data collection in Kenya risky

I was buying a SIM card when the customer care agent asked me to pose for a photo, saying it was a government requirement.

I would later discover, after reading the Kenya Information and Communications (Registration of SlM Cards) Regulations, 2015, that such a requirement does not exist.

Every day, people give out their biometric data to the State and non-state agencies.

But there is a lingering historical concern on the use of technology that communicates how some feel about it.

During the first biometric voter registration (BVR) in 2012, rumours were rife in western Kenya on how fingerprint scans would make it easy for chiefs to arrest petty village offenders.

ARREST
Joseph Kamaru’s rendition of the Mau Mau song "Uhoro Uria Mwaiguire" tells of a community mourning the incarceration of war heroes who refused to have their fingerprints taken.

This reservation and fear played out last year when some Mau Mau veterans shunned BVR for fear of arrest over crimes they committed in the liberation war.

There is no law in Kenya stipulating how biometric data should be handled — save for the slight definition of “biometrics” in the Elections Act as unique identifiers or attributes, including fingerprints, hand geometry, earlobe geometry, retina, and so forth.

DATA MISUSE
Data collection is part of ‘know your customer’ (KYC) logic — for efficiency, trust and security.

But, increasingly, that has in itself become the business model of most firms.

The value of aggregated personal thoughts, habits and social networks are as valuable as any other high-end market activities — surveillance capitalism.

However, the collection and centralised storage of highly sensitive and valuable data exposes the companies to the risk of data misuse and theft.

This data is monetised by sale to fraudsters, who may use it to carry out identity theft.

In jurisdictions with data protection laws, the principle for corporations handling consumer data is that if obtained for one purpose it shall not be used for any other.

But this rule has general exceptions — such as when the information is public, the subject has given consent, and in public interest.

LAW
Security breaches and data losses are reported regularly in the United States and Europe, but in Kenya there is no such requirement.

During last year’s elections, many voters received targeted campaign text messages that were too intrusive.

They had the voter’s name and constituency. How politicians got access to the voter register and particulars remains a mystery.

It also shows how vulnerable we are after subscribing for services where personal information is required and could be shared arbitrarily.

One way to push for accountability is by asking Parliament to breathe life into Article 31 of the Constitution by passing a data protection law.

DATA PROTECTION
In Conceptualising Privacy, Daniel J. Solove argues that privacy “involves more than avoiding disclosure; it also involves the individual’s ability to ensure that personal information is used for the purposes she desires”.

There is a dire need for a legal obligation on data processors to be transparent about what data they collect, how it will be used and with whom it will be shared.

This will force them to take data protection more seriously, while protecting one’s privacy.

While many argue that they have nothing to hide, they should always remember that they have something to protect.

Next time you think of buying a SIM card, remember that you will probably be asked for more personal information than is required and that there is no law governing the use of that.

Mr Monyango is a research assistant at the Centre of Intellectual Property and Information Technology Law (CIPIT), Strathmore University [email protected]