High Court declares Huduma Namba illegalThursday October 14 2021
The High Court has declared the roll out of Huduma Namba, which the government spent more than Sh10 billion illegal for being in conflict with Data Protection Act.
Justice Jairus Ngaah ruled that the government should have conducted impact assessment before rolling out the Huduma Cards. The Judge further ordered the government to conduct the assessment before the rollout, to create safeguards to protect Kenyans' data, as the cards have already been rolled out
Katiba Institute and law scholar Yash Pal Ghai sued the government arguing that it was wrong for the government to roll out the Huduma cards, before conducting a data protection impact assessment.
The lobby group and Prof Ghai argued that the assessment would identify the risks such as breaches to privacy, loss of data, while some Kenyans might be locked from the roll-out because they lack identity cards.
“Order of mandamus is hereby issued compelling the government to conduct a data protection impact assessment in accordance with section 31 of the data protection act before processing of data and rolling out the huduma cards,” Judge Ngaah ordered.
Katiba Institute argued that the government plans to roll-out Huduma cards before conducting a data protection impact assessment as required by section 31 of the Data Protection Act.
The lobby said the move is also a threat to the right to privacy under Article 31. The court heard that section 31 of the Act, 2019 requires the government to conduct a data protection impact assessment where a processing operation is likely to result in high risk to the rights and freedoms of the people.
While announcing the planned roll-out on November 18, 2019, ICT CS Joe Mucheru said the Card would be the primary source of data on every citizen and foreigner.
The lobby said the High Court had ruled that processing of the National Integrated identity Management System (NIIMS), including the processing of biometrics and data of children, implicates high risk to the rights of a data subject.
“However, violating section 31 of the Act and defying the court order in Nubian Rights Forum, the Respondents have failed to conduct any data protection impact assessment on the NIIMS collected data,” lawyer Dudley Ochiel said.
He said due to the lack of publicly available information on the system, it is unclear where and how personal data, and which data, will be stored and processed, between the cards themselves and other components of the NIIMS system.
He said a data protection impact assessment is a necessary mechanism for alleviating this gap and mitigating the risks associated with the system, including the production and rollout of Huduma Namba cards.
In a case determined earlier, several organisations argued that the data might be destroyed, deleted or vital records lost, identity theft and fraud. They were also apprehensive of malicious use of the information, wrongful entries, mismatch of information and hacks through cybercrimes.