An Overview of the Digital ID system and the Unique Personal Identifier in Kenya
In a statement released on 4th February 2023,1 the Ministry of Interior and National Administration announced that it had made progress over the last three months to streamline service delivery at the State department for Citizen services. The progress made highlighted four (4) key areas namely:
Issuance of New E-Passports
Approval of Citizenship Applications
Upscaling Security Systems at JKIA and other entry points
Civil Registration of Persons
According to the press release, the Ministry had made progress in civil registration and registration of persons by launching a policy framework for efficient online registration of births and deaths. It has also introduced a Unique Personal Identifier (UPI) for newborns, which will serve as the child’s personal number at school2 before eventually becoming their national identity number, social security number, health insurance number and finally the death certificate number. In the press release, the Ministry will also work on the introduction of the Third Generation, smart and digital ID.
The press release is a reiteration of the ICT Policy 2019, which recognizes the importance of digital ID and UPIs in enabling efficient and effective service delivery in both the public and private sectors. According to the policy, the government of Kenya will develop and deploy a national digital ID system that is secure, efficient, and accessible to citizens. Each person will be given a unique identifier that can be used to access government services and other internet services. The policy also emphasizes the importance of protecting the privacy and security of personal data and describes the steps that must be taken to ensure that digital ID systems are developed and deployed in a way that respects individuals’ privacy and data protection rights. This includes implementing strong security measures to prevent unauthorized access to personal data and ensuring that individuals own their personal data and have control over how it is used.
The implementation of UPIs, especially in digital ID systems, presents several risks to individuals. The collection and storage of sensitive personal information, such as biometric data, raises privacy concerns and can lead to data breaches and identity theft. If a child’s identity is stolen, how will this be resolved? Furthermore, the use of these identifiers may result in exclusion and discrimination of individuals based on their personal characteristics. Hacking and cyber attacks, which could compromise personal information and result in the theft of sensitive data, are also possibilities. Individuals without a UPI may be denied access to certain services that require such identification.
This move by the Ministry is aimed at digitising government services which has been a key goal of the government ‘to migrate all its services to the digital platform in the next 6 to 12 months.’3 During the Jamhuri day celebrations, the president stated that the government intends to ‘transfer 80 percent of the remaining government services to the digital space so that Kenyans can get services wherever they are.’4 The same was reiterated during the data privacy day where the Head of State mentioned the government’s plan to digitise 5000 services.5 A key pronouncement made by the president was tasking the Ministry of ICT to work on a digital identity so that the Huduma Namba can have a digital identity.6 He also mentioned that the CS for the Ministry of ICT had been mandated to ensure that Kenyans can identify themselves digitally and it is ‘not the work of the government to issue IDs but to identify Kenyans.’7
The Digital ID system
The initiative by the government to come up with a digital ID system can be traced back to 2019 when an amendment to the Registration of Persons Act (RPA) was passed to establish the National Integrated Identity Management System (NIIMS) also referred to as huduma namba.8 The amendment would increase the data collected during a person’s registration to include ‘biometric data, DNA and GPS coordinates of their home address.’9
Huduma Namba I
This was challenged in the case of Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Huduma Namba I).10 NIIMS was challenged on the grounds that in its original state, it would pose a threat to Constitutional rights and freedoms.11 Concerning the right to privacy provided in Article 31 of the Constitution the petitioners concerns were namely:
Lack of an existing legislation that guaranteed the privacy provisions in the Constitution.12
Collection of DNA and GPS coordinates would violate the privacy rights of individuals.13
In its decision, the high court held that implementation of NIIMs would proceed on condition that a comprehensive regulatory framework compliant with the Constitution requirements is enacted.14 Additionally, the collection of DNA and GPS coordinates was found to be intrusive as it violated the Constitution right to privacy.15The high court in its judgment however nullified the collection of DNA and GPS coordinates.16
In addition to this, the Nubian Rights Forum, on behalf of the Nubian community, claimed that the program violated their rights to privacy and non-discrimination. They claimed that the program’s mandatory nature, as well as the government’s collection of biometric data like fingerprints and photographs, was intrusive and could lead to the misuse of their personal information. The High Court eventually ruled in favor of the government, allowing the Huduma Namba program to proceed. However, the case highlighted the privacy and security concerns associated with the use of digital IDs, as well as the importance of ensuring that digital ID systems are implemented in a way that respects individuals’ privacy rights and protects their personal information.
The government came up with a new enrolment exercise in 2020 which required people to come with all their identity documents.17 In this exercise copies of documents and also unique numbers were recorded.18 The exercise also included capturing digital fingerprints and facial photographs of both adults and children.19 This exercise was an indication of why it is necessary to have a digital ID system. This is because people were supposed to carry several identification documents which include ‘national identity cards or passport for adults, functional identity documents like driving licences, national health insurance cards and national social security cards.’20
Huduma Namba II
This exercise was however challenged in the same year through a petition made to the High Court alleging that there was insufficient input from the public when the legal amendment was enacted and also data privacy concerns.21In the case, R v Joe Mucheru , Cabinet Secretary Ministry of Information Communication and Technology and others ex parte Katiba Insitute and Yash Pal Ghai22 (Huduma Namba II) the applicants alleged that the roll out of Huduma cards violated the Data Protection Act 2019 which required a data protection impact assessment to be conducted.23 The applicants asked the court to grant them the following orders:
Prohibition of the rolling out of Huduma cards
Certiorari to quash the decision to roll out Huduma cards for being ultra vires
Mandamus to compel the respondents to conduct a data protection impact assessment as required by section 31 of the Data Protection Act.
In its decision, the court granted the last two orders24 and ordered the government to conduct a Data Protection Impact Assessment (DPIA) before moving forward with the Huduma Namba program implementation. A DPIA is a process that evaluates the privacy and security risks associated with a specific data processing activity and determines how to mitigate those risks.25 The court’s decision to require the government to conduct a DPIA before implementing the Huduma Namba program emphasizes the importance of designing and implementing digital ID systems in a way that protects citizens’ personal information and privacy rights. The DPIA results would inform the government’s next steps in program implementation and would be used to address any privacy and security concerns raised by the case.
Current developments and advancements
The government of Kenya is developing a new digital ID system to provide citizens and residents with a unique, secure, and verifiable digital identifier. The goal of this digital ID system is to improve government service delivery and financial inclusion. In addition to the digital ID system, Kenya is developing a new policy framework to support and regulate the use of digital identities. This policy framework outlines the principles and standards for collecting, storing, using, and sharing personal information with the goal of protecting individuals’ privacy and security.
Both the Huduma Namba I and II cases highlight the country’s complex and critical issues surrounding digital IDs and privacy rights. On the one hand, digital IDs have the potential to significantly improve the delivery of government services while also increasing citizens’ financial inclusion. The Huduma Namba program, for example, aims to improve service delivery while also increasing access to financial services. Digital IDs, on the other hand, raise serious privacy and security concerns, particularly regarding the collection and storage of personal information. The Huduma Namba II case court’s decision to require a DPIA highlights the importance of implementing digital ID systems in a way that protects citizens’ personal information and privacy rights. Perhaps an unpopular viewpoint at a time when the benefits of digital ID outnumber the risks, but would it not be more prevalent if we addressed the weaknesses and risks that have already been identified rather than rushing to implement the system?
1 President Ruto Banks on Digital Revolution to Create one million. (2022, December 15). NACOSTI. https://www.nacosti.go.ke/2022/12/15/president-ruto-banks-on-digital-revolution-to-create-one-million-jobs/
3 Ogonjo, F. (2023, January 31). Insights from the Kenyan International Data Privacy Day. Centre for Intellectual Property and Information Technology Law. https://cipit.strathmore.edu/insights-from-the-kenyan-international-data-privacy-day/
5 Mutung’u (n 6)
8 King’ori, M. (2022, February 8). How the Kenyan High Court (temporarily) struck down the national digital ID Card: Context and Analysis – Future of Privacy Forum. Future of Privacy Forum. https://fpf.org/blog/how-the-kenyan-high-court-temporarily-struck-down-the-national-digital-id-card-context-and-analysis/#:~:text=The%20High%20Court%20of%20Kenya
13 Ministry of Interior and National Administration, Press Statement on improvement of service delivery at the state department for citizen services (4 February 2023) <https://twitter.com/InteriorKE/status/1621898046249336838>
14 Section 31, Data Protection Act.
15 Mutung’u, G. (2021). Digital Identity in Kenya. In Research ICT Africa. https://researchictafrica.net/wp/wp-content/uploads/2021/11/Kenya_1.11.21.pdf
19  KEHC 122 (KLR).
20 Section 31 (1) provides that, ‘Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.’
21 King’ori (n 9)
22 NACOSTI (2022)
23 Ngugi, M. (2017, February 25). Unique Personal Identifier to replace index numbers in KCPE, KCSE. Citizen Digital. https://www.citizen.digital/news/unique-personal-identifier-to-replace-index-numbers-in-kcpe-kcse-158926
25 Resian, S. (2023, January 27). President Ruto tasks ICT Ministry to issue Kenyans with Digital IDs to replace Huduma Namba. Capital Business. https://www.capitalfm.co.ke/business/2023/01/president-ruto-tasks-ict-ministry-to-issue-kenyans-with-digital-ids-to-replace-huduma-namba/