Following the recent gazettement by Government of the National Integrated Identity Management Systems (NIIMS) Regulations, 2020, the Lawyers Hub convened a webinar discussion on the 27th October 2020 to put the Regulations into perspective.
The webinar mostly attended by members of the legal profession aimed at analysing the Regulations with a view of highlighting its adequacy in governing the NIIMS system also known as Huduma Namba. The panellists for this discussion were; Sigi Mwanzia – Digital Policy Consultant at Article 19, Diana Gichengo – Programme Manager at the Kenya Human Rights Commission (KHRC), and Laura Bingham – Senior Managing Legal Officer at Open Society.
The discussion kicked off with a brief overview of the salient provisions of the NIIMS Regulations followed by introductory remarks from the panellists who proceeded to analyse critical issues around the Regulations.
Sigi from Article 19 started by highlighting the Huduma Namba Petition and the judgement issued earlier this year, going further to show how it relates to the Regulations. She decried the fact that the government had failed to incorporate the orders of the Court in the Regulations, and the concerns raised by the public and the civil society during the public participation phase of the draft Regulations earlier this year.
Among the issues raised by civil society in the Petition were; exclusion of certain communities in the enrolment of NIIMS due to lack of identification documents and biometrics, and lack of an effective data protection framework to protect data. To remedy this, the High Court ordered that the data collection and processing under NIIMS could only continue in the presence of a clear and robust regulatory framework that addresses the possibility of exclusion in NIIMS, adding the need for operationalisation of the legal framework on data protection.
She, however, commended the government for the consideration of certain concerns raised on the Data Protection Regulations, which were published together with the NIIMS Regulations. One of the major changes she mentioned was the complete removal of the provision which attempted to provide powers to the National Security Council in the context of the transfer of personal data outside Kenya. The Regulations have now reverted the responsibility to the Data Protection Commissioner under Regulation 38.
Diana from the Kenya Human Rights Commission (KHRC) equally expressed dissatisfaction with the Regulations. She commenced by tracing it back to the Parent Act which is the Registration of Persons Act. She mentioned that the Act had not been amended since its enactment in 1949 to incorporate changes brought about by the 2010 Constitution.
She also shed light on the issue of exclusion of stateless and marginalized communities in the enrolment of NIIMS. She mentioned that the enrolment form attached to NIIMS Regulations, makes no reference to stateless persons and that the definition introduced in the Regulations therein expressly negates stateless persons.
She added that marginalized communities are also likely to be left out in the enrolment of NIIMS due to lack of access to citizenship documents which are key in the enrolment. She mentioned that there should be inclusion of all communities including those hailing from border communities and informal settlements in towns and cities.
Laura expounded on this issue and noted that the government had rushed to move forward with Huduma Namba without engaging with the actual complexities faced by people, and without engaging the judgement made by the Court. She mentioned that the court in its judgement did not go deep enough in understanding the mechanics of exclusion in the system.
She noted that the Regulations ignore the plight of people who lack IDs and people whose biometrics fail due to age or natural circumstances. She mentioned that the Regulations lack of foresight on these issues may lock people out of the system at the point of authentication. She recommended that the Regulations should provide a remedy for this.
Laura also mentioned that the data collected in the 2019 exercise was kind of suspended in an extra-legal situation. This is because there was no impact assessment done and yet the government proceeded with data collection. This was a major concern because of the sensitivity of the data collected.
A Data Protection Impact Assessment Test (DPIA) is essential in the NIIMS exercise as it sheds light on the potentially broad impacts of the system.
Concerning data protection, Sigi mentioned that the State and corporates still have a responsibility to implement and internalize the provisions of the Data Protection Act. She stated that the fact that the office of the Data Protection Commissioner has not been fully operationalized does not take away the State’s and corporates responsibility of adhering to the provisions of the Data Protection Act.
In conclusion, the panellists recommended a review of the NIIMS Regulations and the Registration of Persons Act to incorporate the concerns raised on inclusivity of all communities in Kenya in the enrollment of NIIMS. The panel also recommended for a robust regulatory framework to govern the NIIMS system as had been ordered by the Court, and indicated that the Regulations alone were not enough to govern the NIIMS system which is very data-intensive. They also recommended for strict adherence to the provisions of the Data Protection Act to protect data in the NIIMS system.