ARTICLE 19 Eastern Africa (or ARTICLE 19 EA) and the Kenya ICT Action Network (or KICTANet) present this memorandum in response to the call for public participation on the Data Protection (Civil Registration) Regulations, 2020, currently under consideration by the Principal Secretary, State Department of Information Communication and Technologies (or ICT) and Innovation.
The following is a summary of our key recommendations:
1. The civil registration and identity management framework should be enacted through a stand-alone Act of Parliament, subject to (bicameral) legislative oversight and effective public participation. Regulations are, in practice, limited to providing general guidance on implementation; they cannot be used to create and regulate substantive systems that bear on the effective and proper functioning of government and that directly affect individuals’ identity.
a. Recommendation: Enact an ‘appropriate and comprehensive’ civil registration and identity management framework through an Act of Parliament, by introducing a Bill to amend the Registration of Persons Act (CAP 107).
2. The Data Protection Act (2019) cannot be used to give statutory effect to this civil registration system (or CRS), as that is not the objective of the Act. CRSs provide the ‘foundation for national identity management systems’[1] and are inherently linked to the generation, collection and use of vital statistics, which inform a nation’s development agenda, among other core functions. In Kenya, national identity management systems are provided for under the Registration of Persons Act (CAP 107), the Citizenship and Immigration Act, 2011 and the Refugees Act, all of which legislate on CRS-related matters, including national identity and the National Integrated Identity Management System (or NIIMS).
a. Recommendation: Introduce a Bill making the substantive amendments to the Registration of Persons Act, which governs civil registration, that are needed to address the Act’s inadequacies relating to civil registration. The Regulations should not be anchored in the Data Protection Act, 2019.
3. The Regulations do not comply with the Data Protection Act (2019). In particular:
a. Section 18 of the Data Protection Act (2019) requires all data controllers that collect and process large volumes of sensitive personal data to be registered and certified by the Data Commissioner before processing. The provisions dealing with automated decision-making impose only limited duties on data controllers and limit the rights of data subjects, in violation of the Data Protection
b. Regulations 10 and 13 impose fees whose amounts are not stated; unspecified fees risk placing these services beyond the reach of low-income data subjects.
c. The Regulations permit data controllers to retain personal data in perpetuity, despite the requirement that data be retained only for as long as is ‘reasonably necessary’; in any event, the Regulations should specify the retention period.
d. The Regulations do not explicitly provide for, or establish a mechanism to ensure, the notification of data breaches to both the Data Commissioner and the affected data subjects, in line with section 43 of the Data Protection Act (2019) and international standards.
e. The Regulations fail to provide a mechanism to ensure that personal data transmitted over a public network is protected with strong encryption, which is necessary given the known weaknesses of some commonly used encryption systems.
f. The Regulations permit the transfer of personal data outside Kenya, in direct contravention of sections 48 and 49 of the Data Protection Act (2019) and of international standards.
g. The Regulations fail to elaborate the ‘adequacy’ requirement for such transfers.
Recommendation: The government should fast-track the operationalisation of the Office of the Data Protection Commissioner (or ODPC) to ensure proper oversight of the collection and processing of sensitive personal data in accordance with the Data Protection Act (2019). The provisions of the proposed Regulations should comply with the Data Protection Act, 2019.
4. The Regulations should provide explicit (technical, personnel and procedural) safeguards to ensure that personal information is accorded the highest level of security, management and governance protection.
5. In conjunction with civil society and other stakeholders, the Ministry should develop ‘appropriate and comprehensive regulatory frameworks’ which adhere to the High Court’s orders in Consolidated Petitions No. 56, 58 and 59 (2019) and which give proper effect to the letter and the spirit of the Data Protection Act (2019) and the international standards by which Kenya is bound.