Privacy, data safety fears over Huduma Namba


The three-judge Bench comprising Weldon Korir, Mumbi Ngugi and Pauline Nyamweya on April 1, 2019 dealt a blow on the clamour for privacy rights. They dismissed an application seeking conservatory orders barring the implementation of the now infamous “Huduma namba” registration exercise which is poised to create an integrated identity management system for all Kenyans.

Following this ruling, the Government on April 2 , 2019, began with a lot of pomp and circumstance the rollout of the project which is still novel to many Kenyans.

The question Kenyans and both constitutional and privacy law experts are asking is what this move means for the right to privacy and the safety of your personal data.

Before sounding apocalyptical, it is critical to understand how we got here and why most experts are concerned. The National Integrated Identity Management System (NIIMS) was made law by dint of the Statute Law (Miscellaneous Amendments) Act No. 18 of 2018. The Act introduced various critical amendments to the Registration of Persons Act, Cap 107. The Act introduced a National Integrated Management system which essentially maintains a national population’s register for all persons within Kenya including registered foreigners. This register shall contain inter alia certain unique biometric identifiers such as one’s deoxyribonucleic acid (DNA) in digital form, one’s county of origin and residence and one’s physical residence including their position under the Global Positioning system (GPS).

Granted, the introduction of the NIIMS is well meaning in the wake of several challenges plaguing Kenya. Having an integrated identity management system will: aid the government in tackling the growing threat of terrorism and runaway insecurity; tackle tax evasion as well as enhance access to government services.


From a constitutional point of view, NIIMS presents a unique scenario where the enabling law will be at crosshairs with the spirit of the constitution. From the onset, the manner in which the system was introduced to Kenyans seems like a knee-jerk reaction by the government and falls nothing short of suspect. It was sneaked in vide a miscellaneous Amendment Act which has traditionally been the preserve of minor amendments to legislation. Amendments that sanction the collection of persons’ DNA, GPS co-ordinates and other sensitive information are so monumental in character as to warrant certain constitutional checks such as public participation as is spelled out in the constitution.

Kenyan laws guarantee every person right to privacy which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed. The new amendments make it mandatory for every adult citizen to furnish registration particulars including providing DNA and GPS co-ordinates. This is not only intrusive but is also unnecessary.

Although the principal secretary is on record stating that they shall not require one’s DNA, it is only a matter of time since the same is already in the letter of the law. The high court in its ruling shared similar sentiments in its decision. Although giving the government the green light, it cautioned against taking DNA or GPS co-ordinates, or taking down information without the consent of the data subject. It also prohibited the government from sharing this personal information to third parties. Once the main petition is heard and determined, we anticipate that some of the requirements under NIIMS will be declared unconstitutional for flying in the face of the right to privacy.

Another concern that is shared by many an expert is the absence of a robust legal and institutional data protection framework. Experts unanimously agree that the current project should have awaited the enactment of the Data Protection Bill, 2018 which will be the 1st piece of legislation that regulates how personal data is collected, processed, stored and disseminated.

The unique card shall be used in virtually all spheres of life including accessing bank, medical, and other government services thus making the sensitive information prone to the vulnerabilities of cyber insecurity. Additionally, insufficient public awareness shall make implementation of the project an uphill task given that a majority of Kenyans still do not understand its purpose, the kind of information that is required, why it is required, how it is going to be used and the safety of such data.

Edwin Munga Ndichu and Grace Njoki Kamau