By Meshack Masibo
Increasingly, elections are becoming more data intensive as the adoption of technology for personal data collection, storage, and processing, during the entire election cycle have grown in recent years. The 2022 general election will be different and unique as it shall be the first to be carried out with a comprehensive data protection legal and institutional framework in place to oversee the collection and processing of voters’ personal data.
In recognition of these developments, KICTANet has published a policy brief on personal data and elections 2022. The brief reviews the legal framework, previous data protection challenges, highlights the implications of the Data Protection Act 2019 on the election cycle and presents some insights on how stakeholders could address the privacy risks that could arise in the upcoming elections.
The brief notes that the basis for elections and the collection of personal data is the Constitution, which grants all sovereign power to the people and for the right of every citizen to free, fair and regular elections based on universal suffrage. More importantly, article 31 provides for the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed.
Moreover, the brief underscores the mandate of the IEBC under the Elections Act to compile and maintain a roll of registered voters in the country at ward, constituency and national level. Further, the Commission is required to carry out continuous voter registration and review, including through regularly revising and updating the register of voters. These processes involve the collection and processing of data for purposes of conducting elections that pose a threat to the right to privacy.
The study notes that the collection and processing of personal data through biometric voter registration and identification technologies presents new challenges and risks to privacy rights, especially considering the role of third-party contractors hired to develop and deploy data collection technologies.
Likewise, the collection of personal data by political parties and its use to drive campaigns, for political strategy, targeting and campaign messaging including on social media could present opportunities for abuse. Moreover, the increased use of digital technologies and connected devices over the internet to relay this information also presents new cybersecurity risks if systemic vulnerabilities are not addressed. Collectively, gaps in the handling of personal data could undermine the electoral process, leading to a loss of confidence in democratic institutions.
Furthermore, the brief points out that it will be imperative that entities such as the IEBC, the Office of the Registrar of Political Parties, telecommunication companies and political parties conduct data protection impact assessments (DPIA). DPIAs are critical as the processing of personal data for elections may put at risk the rights and freedoms of a data subject, by its nature, scope, context and purposes as stated in the Data Protection Act.
The brief also finds that even though the Data Protection Act and its constituent regulations are in place, the key stakeholders that are part of the election cycle are yet to update their procedures to align them to the Act. Indeed it is commendable that the Data Protection Commissioner (ODPC) has issued a Guidance on Processing Personal Data for Electoral Purposes, whose implementation during the electoral period shall be critical.
In conclusion, the policy brief makes the following key recommendations.
- Election management bodies including the IEBC, Office of the Registrar of Political Parties and political parties should urgently have in place comprehensive data protection policies and comply with the Data Protection Act, 2019 at all stages of the election cycle, including conducting data protection impact assessments.
- The ODPC should provide effective and independent oversight on the data collection and processing operations of the various election management entities, including developing guidelines for the handling of personal data during electoral processes.
- Telecommunication companies and other third-party technology companies facilitating the election should adopt privacy and security by design and default in all their systems to be used for the collection and processing of personal data belonging to voters.
- The public should be educated to enable them to cultivate a value system that promotes respect for the right to privacy.
- Civil society should continue to monitor the implementation of the Data Protection Act by all stakeholders during the electoral process.
Meshack Masibo is a Legal Fellow at KICTANet.