In January 2019, the Kenyan government announced the launch of a national identity card system—the National Integrated Identity Management System (NIIMS), popularly known as “Huduma Namba”—requiring the personal and biometric information of all ID-holders to be entered into a centralized national database. Its implementation, in its current form, would result in the exclusion of millions of Kenyan residents from receiving a national ID, barring them from accessing many public services and purchasing goods, as well as give the government all-encompassing surveillance powers.Multiple civil society and human rights groups have launched legal challenges to the implementation of the system, and in January 2020, the Kenyan High Court ordered the government to delay its implementation until a comprehensive regulatory framework could be put in place to address both data privacy issues and the exclusionary nature of the system.
Despite this ruling, the Kenyan government published a gazette notice in October 2020 announcing NIIMS implementing regulations and the Data Protection Act. The regulations run contrary to the High Court’s ruling and do not conform to domestic or international law and standards.
Governments across the globe are increasingly employing digital ID systems, which are often hailed as a solution to under-development, administrative obstacles, and the absence of civil registration systems. However, privacy concerns associated with digital identification systems have been extensively raised and debated. Without adequate regulations controlling their use, these systems can exacerbate these problems by excluding individuals and creating a mass surveillance system ripe for authoritarian abuse.Kenya’s National Integrated Identity Management System (NIIMS) will establish a national population register storing information in a centralized manner on all lawful Kenyan residents. According to the government, NIIMS would provide “multi-channel, ‘single window’ citizen access to transactional government services.” Meanwhile, through amendments to the Registration of Persons Act, the Kenyan government has permitted NIIMS to collect a broad range of data for the purposes of identification, including GPS location information and biometric information such as fingerprints, facial images, DNA, and more. Data in NIIMS would also be shared with other government databases that include information regarding tax and driving records, land registration, and health and education.
NIIMS, in addition to giving the government access to extensive personal data, will also share information on when and where an individual made purchases with their unique ID number (or “Huduma Namba”, Swahili for “service number”). What is more often overlooked is how NIIMS will penalize groups that have difficulty obtaining the legal identity documents required to register, such as Kenya’s Nubian and Somali communities. Without a Huduma Namba, individuals would be unable to access many government services and purchase goods.
The Nubian Rights Forum (NRF), a community-based organization, the Kenya Human Rights Commission (KHRC), and the Kenya National Commission on Human Rights (KNCHR) have launched multiple legal challenges to the government’s implementation of the system. Although, in response to mounting criticism, Kenya passed a Data Protection Act requiring a privacy impact assessment to be conducted and approved by a data protection commissioner before the system’s implementation, the impact assessment has never been carried out.
In January 2020, the Kenyan High Court ordered the government to delay the implementation of the system until a comprehensive and constitutionally sound regulatory framework can be implemented to protect data privacy and address the exclusionary nature of the system. The court also determined that the collection of DNA and GPS information for identification is unconstitutional.
The NRF and the KHRC have appealed portions of the High Court decision on the basis that:
- the court declined to review the constitutionality of NIIMS itself in its current form;
- the court did not cite insufficient public participation in the introduction and implementation of NIIMS; and
- the court did not order the establishment of a task force that would include experts and civil society to design the system’s architecture and regulatory framework, as requested by the NRF.
In October 2020, the Kenyan government published a gazette notice announcing implementing regulations on NIIMS and the Data Protection Act, which neither acknowledge the High Court’s ruling nor correspond to domestic or international law and standards.
The Justice Initiative is part of NRF’s legal team together with Yussuf Bashir, the director of community-based Haki na Sheria Initiative. The Justice Initiative also supports Kenyan community groups working to ensure full access to documentation for populations at risk of statelessness.
NIIMS and mandated enrollment in the system will result in indirect discrimination. Kenya established NIIMS and mandated enrollment in the system as a prerequisite to accessing many public services without correcting existing discriminatory registration laws and practices or addressing the widespread lack of birth registration in the country. Because enrollment requires proof of identity and citizenship, many risk being excluded from the system, which violates Constitutional provisions on indirect discrimination and discrimination in effect, and contradicts the government’s obligation to address historical injustices faced by disadvantaged groups. Kenyans already struggling with access to documentation risk being registered in NIIMS as non-citizens, further compounding their exclusion. Even after enrollment in the system, individuals can still be permanently locked out, should their biometric information change or fade over time.The harmonization and interlinking of databases in NIIMS carry a high risk for privacy violations. It would allow the government to conduct mass surveillance through searching aggregated data on individuals across linked databases and easily allow the government to profile individuals and groups. NIIMS would also collect data without legal constraints such as time limits on how long data can be retained. Access to public services provided through NIIMS would rely on biometric identification and log all transactions, storing metadata on them indefinitely and for any purpose. This would violate constitutional provisions and international standards regarding proportionality and purpose limitation. Despite the fact that arguments presented to the High Court showed that alternative designs would be less restrictive, it appears that the government made no effort to minimize data collection, instead proposing an all-encompassing system unconstrained in its use toward any purpose the government chooses.
NIIMS is highly vulnerable to data security breaches due to the centralized way in which it would store information. Security breaches would result in harsher repercussions because records would be linked across different databases in a massive and integrated manner through a unique ID number. Moreover, the collection and storage of biometric data in NIIMS means that the consequences of a breach would be particularly dire and permanent: while a stolen password can be changed, it is impossible to alter biometric markers. In addition, there are insufficient protections against unauthorized access across the entire system.
The introduction and implementation of a centralized biometric ID system should not proceed without democratic checks and balances, due to its wide-ranging impacts on basic rights and fundamental freedoms. The Kenyan government violated the Constitution by using an administrative act to introduce legislation of such significance. The government also acted unlawfully by failing to consult the Senate in the adoption of the law, in light of its wide-ranging impacts at the national and county level in Kenya’s devolved system of government.
This article was first published by the Open Society Justice Foundation.