Data security came to play at the High Court in Nairobi on Thursday, October 14, 2021, after Justice Jairus Ngaah declared that the government’s decision of November 18, 2020, to roll out Huduma Cards was illegal. The judge said the government had not adhered to the provisions of Section 31 of the Data Protection Act, 2019, on data protection impact assessment. The court ordered the government to conduct a data protection impact assessment in accordance with Section 31 of the Data Protection Act, 2019, before processing of data and rolling out the Huduma Cards.
Justice Ngaah also stated that the applicant, Katiba Institute, was not a complainant to the Office of the Data Protection Commissioner as it does not possess the status of a data subject as per the Data Protection Act.
The Statute Law (Miscellaneous Amendments) Act, No. 18 of 2018, contained amendments to the Registration of Persons Act. The amendment introduced the National Integrated Identity Management System (NIIMS) which is a system of identification for both citizens of Kenya and foreigners registered as residing in the country.
The reasons for the introduction of this system are in the nature of functions set out in the newly amended section and are, by and large, self-explanatory. The amendment and its implementation were, however, challenged in constitutional petitions respectively filed as Petition Nos. 56, 57 and 59 of 2019 by the Nubian Rights Forum, Kenya Human Rights Commission and the Kenya National Commission on Human Rights. The three petitions were consolidated and determined together by a three-judge bench of the High Court. In its decision rendered on 30 January 2020, the Court ordered that:
- The government is at liberty to proceed with the implementation of the National Integrated Identity Management System and to process and utilize the data collected in NIIMS, only on conditions that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable constitutional requirements identified in this judgment is first enacted.
- The court also declared that the collection of DNA and GPS coordinates for purposes of identification was intrusive and unnecessary, and to the extent that it is not authorised and specifically anchored in the empowering legislation, it is unconstitutional and a violation of Article 31 of the Constitution.
The government passed the Data Protection Act and necessary Regulations for the roll out of NIIMS. Then on the 18th of November 2020, they announced that they will roll out Huduma Cards. Katiba Institute filed a judicial review at the High Court challenging this decision. Their major bone of contention was that the Huduma Card had been launched without a data impact assessment, contrary to the provisions of Section 31 of the Data Protection Act and is also in defiance of the orders and direction of this court in the Nubian Rights Forum case.
What is a DPIA
A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible. A DPIA may not eliminate such risks altogether but should help to identify and manage them. At its core, a DPIA guides data controllers on the least privacy intrusive means of achieving their legitimate use with the personal data under their control.
DPIA to be performed before any personal data processing operation likely to result in high risk to the rights and freedoms of a data subject. The subsequent DPIA report is to be submitted to the Office of the Data Protection Commissioner (ODPC) at least 60 days prior to commencement of any processing operation.
High risk parameters warranting the conduct of a DPIA as per ODPC guidance note on DPIAs
- Collection of biometric data – constitutes sensitive personal data as per the DPA – Sensitive personal data attracts stricter data protection obligations due to the higher risk associated with its processing.
- Data processed in large volumes or on a large scale
- Data concerning vulnerable data subjects – i.e. segments of the population requiring special protection (minorities, persons with disabilities, asylum seekers and refugees,or elderly patients, children etc.)
- When the processing in itself prevents data subjects from exercising a right. This includes processing operations that aim at allowing, modifying or refusing data subjects’ access to a service or entry into a contract.
Outcome of DPIA helps identify the appropriate technical and organisational measures to be implemented to uphold the confidentiality, integrity and availability of the data in question.
Impact of this judgement
Huduma Cards issue delay
The government had planned to phase out the current National Identification cards by December 12, 2021 and replace them with the Huduma Namba cards to be issued from December 1, 2020. This won’t be the case anymore until the DPIA is done and concluded.
New route for data protection redress?
The Office of the Data Protection Commissioner had filed a preliminary objection to the judicial review case on grounds that the applicants had exhausted the remedies provided in the Data Protection Act. Katiba Institute submitted that they are not a data subject and therefore the option of the alternative dispute resolution in the Act is not open to it.
Data Protection lawyer Mugambi Laibuta took to Twitter to air his views. He said that he foresees people sidestepping the complaints mechanisms set out under the Data Protection Act and filing constitutional petitions claiming that they are not ‘data subjects’. In his view, this is worrying for data controllers and processors who will find themselves in court defending a matter that could have at first instance be handled by the controller/processor inhouse failure to which the ODPC mechanism would check in then the High Court.
Lawyer Ochiel Dudley responded to the Tweet by stating that the High Court rejected Prof. Yash Pal Ghai’s complaint and affirmed that he should first have gone to the Data Protection Commissioner even though he had arguments not to. Lawyer Waikwa Wanyoike added that this was a case of systemic failure as it would have been injudicious for the court to order “36” million people to file individual complaints on Huduma Namba.
While both parties are right, it is important to note that the case was filed on November 24, 2020, which was days after President Uhuru Kenyatta had appointed the Data Protection Commissioner. Therefore, it is sufficient to state that the ODPC was not in a position to handle any complaints and Katiba Institute had no choice but to take the case to the High Court.
The fear of people by-passing the ODPC may also be stemming from their approach to complaints that they have received in the recent past.
Does ODPC have sufficient capacity to perform its duties?
In August, a Nairobi based advocate sent a letter to the Data Protection Commissioner asking her Office to investigate an alleged data breach at Radisson Blu. The response left much to be desired. This was weeks after the ODPC responded to complaints on the unconsented listing of individuals in various political party registers. These moves have contributed to the erosion of confidence in the Office’s capacity to perform its statutory obligations and it will lead people to find other ways to find recourse.
The Office of the Data Protection Commissioner should take action and save its reputation and credibility. It needs to be seen as an office that can be relied on for disputes arising from the Act.
While the government will most likely appeal the decision, the office in the spotlight is the Office of the Data Protection Commissioner.