I&M Bank House, 5th Floor, 2nd Ngong Avenue, Upper Hill, Nairobi, Kenya

Security of Personal Data: Lessons from the Huduma Number Court Decision

In the world we live in today, data has become a crucial commodity with immeasurable capabilities that cannot be overlooked. Data protection compliance is increasingly becoming a key requirement for transactions across the globe, due to the potential risks involved in handling personal data. This applies to both private and public persons or entities, including the handling of personal data by the Government.

The Registration of Persons Act as amended by the Statute Law Miscellaneous (Amendment Act) 2018 introduced the National Integrated Information Management System (NIIMS), which was intended to be a single repository of personal information of all Kenyans as well as foreigners resident in Kenya. However, these amendments raised many concerns, including that there were no proper mechanisms in place to safeguard the personal information to be collected under the NIIMS system. Without such protection mechanisms in place, there would be a violation of the constitutional right to privacy.

As a result, some aggrieved persons, including several non-governmental organisations, petitioned the court (Petitions 56, 58 and 59 of 2019) seeking conservatory orders prohibiting the Kenyan Government from implementing any form of registration under the NIIMS.

The Court held that there is an imminent threat to the right to privacy, particularly with respect to the collection of biometric data and GPS coordinates, based on the protection measures in place.

Biometric data and GPS coordinates required by the amendments are personal, sensitive, and intrusive data that require protection, a strong security policy, and detailed procedures on their protection and security which comply with international standards. On this issue, the government neither disputed that there was no specific regulatory framework that governs the operations and security of NIIMS nor did it provide any reason for the lack of it. The Court therefore found that the framework on the operations of NIIMS is inadequate and poses a risk to the security of the data that is to be collected, and ordered that appropriate measures be put in place to protect the personal data collected before implementing NIIMS.

Whereas digitisation of certain public service systems may improve service delivery, precautionary measures must be put in place to safeguard against the increased threats of data breaches. It is of utmost importance to have checks and balances in place to ensure any data is secure and handled in line with international standards.

At the outset, NIIMS did not have clear, verifiable, accountable and secure measures in place to safeguard the privacy and security of persons' data. For example, no mention has been made of who can access the data and for what purpose, leaving an opening for unauthorised persons to access the sensitive personal data. Further to this, there has been no evidence of the security measures in place to safeguard the data collected, or even whether the measures currently in place meet the requirements introduced by the Data Protection Act, 2019 (the Act). This raises the question of whether the Government is able to maintain a data bank that will provide the much-needed transparency and security of the information held.

Currently, NIIMS does not comply with core data protection principles on consent and legitimacy, fair and lawful processing, purpose and relevance of data, management of the data lifecycle, transparency of processing, as well as confidentiality and security of personal data. A lot needs to be done to ensure our local systems, including NIIMS, meet the regulatory threshold for maintaining a data bank, so that we meet international standards and eliminate a growing barrier to doing business in Kenya.

The decision of the High Court, being amongst the first decisions in Kenya relating to the principles of data protection under the Act, merely highlighted an area that remains unknown: the security standards required for holding personal data. Both private and public institutions should evaluate how the personal data they collect and handle is safeguarded in their operations and ensure complete compliance with the Act.

For more information, please contact our corporate team by emailing us at info@bdps.co.ke.