This past week, there have been several news reports and announcements that the Government seeks identifiable data of persons in order to improve public service delivery.

One of the classes you have to go through as a law student is Jurisprudence. The theory of law. Where you’re taught about the various schools of thought that influence law and decision making. One that stood out for me years back and still resonates to date is the Social Contract theory.

I believe the proponent whose thoughts I particularly resonate with is John Locke. The gist of which was, as citizens we surrender some freedom to the Government. We enter into some form of informal contract with the State permitting them to do certain things and take certain actions for our protection and/or good.

My reading of the recent announcement of the formation of the Presidential Committee and executive announcements is just that.

In essence, the State would like more of your data (in addition to what they already have on from your birth certificate, national ID, Passport, National Housing Scheme, National Social Security  Fund and the National Taxpayer PIN. All of which really in essence require the same type of information at registration. A bulk of this information is held under the IPRS which feeds into the Public Service Delivery Portal E – Citizen.

The Integrated Population Registration system (IPRS) is the Government endeavor to harmonize all government population registration databases into one national data base.

Per the website, this initiative is in line with the objectives of the Government as contained in the Kenya Vision 2030 and the Jubilee Manifesto of having a single database a source of truth on identity of persons. The National Population Register was installed in the 2008 and it has be continuously been populated with data from relevant government agencies such as Civil Registration, National Registration Bureau, Immigration and Refugees Affairs.

Currently the register is populated with about 39 million records of registered Kenya citizens and foreign residents.

According to Techweez, during the staging of Connected Kenya 2018 at the Bomas of Kenya, the Cabinet Secretary for ICT Joe Mucheru revealed that the government was planning to issue unique numbers for all Kenyan citizens at Huduma Centres. Dubbed Huduma Number, the unique identifiers are meant to hasten delivery of services as the state continues to synchronize citizens’ data with other government services.

The government is now free to collect data on Kenyans’ DNA and physical location of their homes including satellite details during registration of persons.

This follows President Uhuru Kenyatta’s approval of amendments to the Registration of Persons Act that has included the two to the list of requirements needed at the national people’s registry.

The new law allows the creation of the National Integrated Identity Management System, which will ensure that all IDs, refugee cards, birth and death certificates as well as driving licences and passports are printed and distributed for collection from a central location.

The new system will be a single source of personal information of all Kenyans and registered foreigners.

Having undertaken extensive research and review of data protection legal instruments, that data shall be collected is inevitable. How it is handled and managed however is the most important element in this value chain.

There are internationally accepted principles of data protection which should guide and inform data management.

These are: (source here)

  • Lawfulness, fairness and transparency – Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation – Only collect personal data for a specific, explicit and legitimate purpose. The purpose should be clearly stated and only collect data for as long as necessary to complete that purpose.
  • Data minimisation – Processed data should be adequate, relevant and limited to what is necessary in relation to the processing purpose.
  • Accuracy –  Every reasonable step to update or remove data that is inaccurate or incomplete should be taken. Individuals have the right to request that one erase or rectify erroneous data that relates to them once informed.
  • Storage limitation – A data controller or processor must delete personal data when it is no longer needed for the purpose it was collected for.
  • Integrity and confidentiality – Organizations should take appropriate technical or organisational  measures to ensure that personal data is safe and protected against unauthorised or unlawful processing.

Read more here and here.