The High Court has allowed Katiba Institute and law scholar Yash Pal Ghai permission to challenge the roll-out of Huduma Namba cards over lack of guarantees of theft or misuse of Kenyans personal information.
The lobby group and Prof Ghai argued that the State failed to subject the fresh registration of Kenyans to data protection impact assessment (DPIA) — a requirement under the law.
The assessment is aimed at flagging risks that could reveal breaches of privacy, loss data and unlawful use of information like names, date of birth, postcode and residences.
Kenyans will start receiving Huduma Namba cards from next week in a gradual rollout that will see current national identity cards invalidated in December next year.
Justice Jairus Ngaah certified the case as urgent and directed the lobby group and Prof Ghai to file the case and serve it to Cabinet secretaries Joe Mucheru (ICT), Fred Matiang’i (Interior) as well the Attorney-General Paul Kihara and Data Commissioner Immaculate Kasait.
The judge, however, rejected a plea to stop the roll-out, which the government announced would start on December 1.
“I am satisfied that the application is urgent and is hereby certified as such. I am also satisfied that the applicants merit grant of leave to file a substantive motion for judicial review orders for prohibition restraining the respondents, their servants and agents from executing the decision of November 18, 2020, to roll out Huduma cards before and without a data protection impact assessment,” the judge said.
Katiba Institute argued that the government plans to roll-out Huduma cards before conducting a data protection impact assessment as required by section 31 of the Data Protection Act.
The petitioners reckon that the assessment would mitigate the risks before the planned roll-out.
The lobby said the move is also a threat to the right to privacy under Article 31.
The court heard that section 31 of the Act, 2019 requires the government to conduct a data protection impact assessment where a processing operation is likely to result in high risk to the rights and freedoms of the people.
Under Huduma Namba, the State was to combine all vital documents including the national ID, passport, driving licence, National Social Security Fund and the National Hospital Insurance Fund numbers.
Those registered provided a photo, information about themselves and their parents or guardians, among others.
Also required were details like the place of birth, phone number, e-mail address, physical and permanent residence and marital status.
Data collected through the Huduma Namba registration will be stored in the Integrated Population Registration System — the central location for easy electronic access by institutions, including private corporations that provide crucial and sensitive services.
Lawyer Dudley Ochiel said due to the lack of publicly available information on the system, it is unclear where and how personal data, and which data, will be stored and processed, between the cards themselves and other components of the NIIMS system.
He said a data protection impact assessment is a necessary mechanism for alleviating this gap and mitigating the risks associated with the system, including the production and rollout of Huduma Namba cards.