By Meshack Masibo
One unique thing about the 2022 elections was that it was the first election conducted after the adoption of the Data Protection Act, 2019. The Act, together with its regulations, has revolutionized how different bodies collect and process personal data, which includes voters’ data.
The principles of data protection espoused in the law include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability. The import of this Act is that the Independent Electoral and Boundaries Commission (IEBC), as a data controller and the processor is bound to conduct elections in line with the principles of data protection.
One of the key practical applications of the principle of data transparency during elections is the Biometric Voter Registration System (BVR). The BVR system is a dual concept that refers to the digital roll of voters and the device used to identify voters at the polling station. The BVR captures a voter′s facial image, fingerprints and civil data or personally identifiable information (PII) such as name, gender, identity card or passport number and telephone number. It was first deployed in 2013 and has since been used as a means of voter registration, identification and verification.
According to section 25 of the Data Protection Act, every data controller or data processor shall ensure that personal data, including voter identification details, is processed lawfully, fairly and in a transparent manner. Data transparency has been defined as the ability to easily access and use data irrespective of its location or the application that created it or the assurance that the data that is being reported is accurate and originates from the official source.
Further, regulation 50 of the Data Protection Regulations 2021 elaborates on the elements of the principle of transparency. These include making the information on the processing easily accessible to the data subject; providing the information on the processing to the data subject at the relevant time and in the appropriate form and providing details of the use and disclosure of the information of a data subject.
The Office of the Data Protection Commissioner also released a Guidance Note for Electoral Purposes to assist data controllers and data processors dealing with voters’ data to understand their obligations under the Act. One of the key principles that the guidance note addresses are the principle of data transparency. The guidance note states that the personal data processed by the electoral commission and government organizations should be processed fairly and in a transparent manner.
In addition, the note provides that the IEBC must comply with the obligations under section 29 of the Data Protection Act which state that data controllers and data processors must notify data subjects of the purpose and reasons for the collection of personal data, in so far as is practicable and in line with the principle of data transparency.
During the 2022 election, KICTANet deployed a 90-member observation mission that observed the technology component of the elections in 21 counties from preparedness, the voting process, transmission, and post-election processes. The team developed a pre-election observation report and a preliminary election observation report, which highlighted the progressive steps and the challenges noted in the use of technology by the IEBC.
Some of the progressive aspects included that IEBC managed to collect and process the personal data of 22.1 million voters, which were hosted locally. Also, IEBC reported that it conducted a data protection impact assessment. Further, redacted the voter’s National ID & Passport numbers contained in the lists of registered voters published outside polling stations.
Moreover, the commission provided an online voter verification portal (verify.iebc.or.ke) and an SMS short code (70000) to enable the public to confirm their registration status. During the election, the Commission supplied adequate Kenya Integrated Election Management System (KIEMS) kits across all 46,229 polling stations. Additionally, a majority of the voters were identified biometrically, and a minority through an alphanumeric search.
The KICTANet pre-election observation report noted pointed out several challenges such as that the IEBC had not made its data protection impact assessment public, or published a data protection policy or notice. In addition, the KPMG audit report identified several gaps in regard to the management of the personal data of voters, some of which IEBC was not able to address before the election.
On election day, there were challenges with biometric identification, especially among casual labourers, farmers, and elderly people whose fingerprints could not be recognised by the KIEMS devices. Also, during the election period, there was an increase of the use of spam messages sent to the mobile numbers of voters irregularly obtained by political candidates indicating abuse of voter data.
Despite the challenges experienced, KICTANet’s observation mission report noted that the 2022 general election management demonstrated that there was great potential to leverage technology to enhance the accuracy, verifiability, transparency and integrity of the processing of voter data as required under the law.
Consequently, it recommended that IEBC invest in innovation in election technology and consider progressively digitizing all aspects of the electoral process. This could include developing a super KIEMS application to provide a one-stop-shop for services such as voter registration, electronic voting, tallying and display of results.
Finally, the Commission was urged to include at polling stations, information for voters on how to access the voter registration SMS service, portal, and help desks to guide voters.
By Meshack Masibo is a Legal Fellow at KICTANet.