The Office of the Data Protection Commissioner ran a successful international data protection week, January 26–27, 2023, that culminated in the International Data Protection Day graced by Dr. William Samoei Ruto, the President of the Republic of Kenya.
The Data Protection Week brought together diverse stakeholders, including the public, private, and non-governmental sectors, to deliberate on the important themes around the data rights of citizens as well as the obligations of data controllers as enshrined in the Kenya Data Protection Act of 2019.
Hosted at the Kenyatta International Convention Center, the conference themed ‘Promoting data privacy in a digitally transformed economy’ explored various ways in which various stakeholders, including but not limited to Fintechs, SMEs, Telcos, Academia, Professional Associations, Civil societies and government agencies and ministries, could contribute towards the Kenyan and global data protection agenda.
Digital Identity – Huduma Namba
On the last day, the event was graced by the President. He struck at the heart of the data economy when he tasked the Cabinet Secretary for ICT and Digital Economy to ensuring that Kenya has a digital identity system for every citizen, resident, and foreigner within our territory.
Of course, Kenyans within and outside the room are familiar with the Huduma Namba project, where the previous administration attempted to create digital identities for all born, dead, or alive.
The project, launched with much fanfare by former President Uhuru Kenyatta, has stalled when his administration approached its end, leaving Kenyans holding onto some plastic cards and not knowing where and when to use them.
The Huduma Namba project had the same noble objective of creating a single source of truth about an individual, accessible and verifiable by different stakeholders in a very efficient manner.
Single Source of Truth
Kenyans are familiar with the burden of carrying multiple identity cards to be flashed to different actors in the public and private sectors depending on their current needs.
If you met a traffic police officer, you better have your driving license; if you went to a government ministry, you better have your national ID. You better carry your hospital and insurance card if you go to the hospital. If you were being interviewed for a job, you should bring all your educational certificates, which could date back to when you finished primary school.
The digital ID, dubbed Huduma Namba, was supposed to make this burden easier, allowing you to carry one ID, and flash to whichever stakeholder you met, be they the policeman, the government agency, the hospital, or your prospective employer. The Huduma number would act as your single source of truth to each of them – eliminating the need to carry all other documents.
So, what went wrong?
Like all projects, the devil lies in the details.
Firstly, the Huduma Namba project faced multiple court cases, with civil society groups demanding that the government ensures that the data they are consolidating in a centralized manner is safe and secure and conforms to the Data Protection Act.
The courts agreed and demanded that the government perform a Data Protection Impact Assessment before proceeding with the project. Additionally, the question of whether Kenyans can access the status of their data – as collected, stored, and processed by Huduma Namba remains a grey area.
But beyond court cases, the technical design of the Huduma Namba system has adopted the prevailing centralized, client-server approach that is attractive to hackers and vulnerable to identity theft, denial of service attacks, and single point of failure.
An alternative decentralized blockchain approach proposed in the KE Blockchain report has been ignored or rejected.
The big question remains: will the CS for ICT and Digital Economy take the President’s order to create a digital identity for Kenyans differently? Or will he dump Huduma Namba, start afresh and repeat its mistakes?
Time will tell.