Election Data Concerns: IEBC, private sector and the public face risks
Against the backdrop of the 2022 General Election, Kenyans have been receiving unsolicited political messages, as political parties clamber to influence voters.
Voter registration has been in overdrive, currently in the second phase of the enhanced continuous voter registration due to end on February 6, 2022. Meanwhile, political campaign strategists are licking their lips at the prospect of targeting and swaying the preferences of newly registered voters.
Kenya has adopted the use of an integrated electronic electoral system that conducts biometric voter registration and identification. The justification for the electronic registration emanates from the need to ensure that elections are void of voter registration fraud i.e. elections are conducted on a one voter, one vote basis. As such, voters’ personal data including full names, gender, and identification numbers are collected to mitigate voter fraud.
The Office of the Data Protection Commissioner’s guidance note on electoral purposes has stated that the processing of personal data for inclusion on the Register of Voters is done on the lawful basis that it is necessary to perform a public task, i.e for the conduct of a democratic electoral process.
The reality on the ground is that the register of voters is being illegally acquired by political parties in order to identify voters registered in respective constituencies. This allows political parties to determine the number of voters in a particular constituency, alongside their phone numbers, enabling them to be directly contacted by politicians vying during the elections. Furthermore, voters can be identified along tribal/ethnic lines from their names and location entered into the register.
Risks the IEBC’s voter register is facing
The illegal access to voter lists by political parties stems from abuse of the obligation of the IEBC to open the voter register for inspection by members of the public at all times for the purpose of rectifying the particulars therein.
IEBC employees and officials pose the greatest risk to abuse of voter registers. IEBC needs to ensure that voter registration lists are not sold to interested parties that shall use the data collected to perform targeted and unsolicited political messaging to influence voter preferences.
The rise in unsolicited political messaging will affect the integrity and reputation of the IEBC. Concerns about the security of voter registers can manifest into significant distrust around the operations and conduct of the IEBC in other aspects of the electoral process, such as the security of servers with votes.
Risks to Private Sector
Personal data collected and processed by private corporations can be used to corroborate the accuracy of the voter data input into the Register of Voters.
- Telecommunications providers – Agents and dealers who register subscribers on behalf of telecommunication providers are expected to maintain the confidentiality of the personal data they collect for onward transmission to the respective telecommunication companies.
- Content Service Providers (CSPs):
- CSPs must begin taking an active role by questioning political parties. CSPs need to confirm whether the person receiving political messages had given consent to the political parties to send the messages. Without consent, the messages are an infringement of the voter’s right to privacy.
- CSPs need to ensure that no inciteful or hateful bulk political messages are disseminated using their platforms, or risk being deemed complicit in the spread of inciteful content.
Risks faced by the public
- Undue influence of voting preferences – Members of the public face unwanted influence over their voting preferences. Persistent and aggressive targeted political messaging can convince a voter to commit to alternative candidates, and when perpetrated on a mass scale, can affect the outcome of an entire election.
- Abuse of the right to privacy – Kenya’s data protection laws protect its citizens’ right to privacy, including providing them with the opportunity to object to processing of their data. Therefore, voters that have not opted to receive political messaging are legally permitted to prevent political parties from sending them such messages.
- Political SMSs may contain inciteful speech that may have the potential to cause outbreaks of violence among the populace, especially within ethnically diverse communities.
Mitigating risks to voter data
- IEBC should implement effective user access policies (UAPs). These policies ensure that only authorised personnel are granted access to the principal voter register containing the comprehensive list of registered voters. This will enable the IEBC to compile a list of persons authorised to view the voter register, and shall be crucial in the investigation of voter register abuse by IEBC officials.
- Adoption of encryption measures by the IEBC to protect voter registers from being viewed in a readable format. The encryption shall operate in a complementary manner to the UAPs.
- IEBC to ensure data minimisation is observed throughout the voter registration process. This entails strictly collecting the personal data of voters that is absolutely necessary for the conduct of the elections.
- Private sector companies to engage in training of staff to sensitise them on the risks of exposing their client’s personal data. Corporations should seek to raise awareness of the abuse of personal data during elections to the staff and agents that regularly handle and process customer personal data.
Following the aftermath of the Cambridge Analytica saga, Kenyans are more aware about the dangers of undue influence of voter preferences. As we approach August 9, 2022, the IEBC and the private sector need to embark on a fresh set of awareness campaigns to inform organisations in possession of personal data about the risks they face if found complicit in election interference or violating the privacy rights of voters.