On September 12, 2023, the Government of Kenya made a significant announcement regarding the issuance of third-generation IDs, known as the Maisha Card, starting from September 29, 2023. These new IDs introduce the use of Unique Personal Identifiers (UPIs) as a fundamental component.
The UPIs are not limited to adults; the rollout includes school-going children and even newborns. Each child will be assigned a UPI, which they will use throughout their educational journey. Upon reaching the age of 18, this UPI will become their national identity number. The introduction of UPIs aligns with the ICT Policy of 2019.
However, this initiative is not the first attempt at launching a digital ID system in Kenya. In January 2019, the government introduced the National Integrated Identity Management System (NIIMS), commonly known as the Huduma Number. NIIMS shared similar goals with the Maisha Card, but it faced legal challenges.
The Katiba Institute, through Judicial Review No 1138 of 2020, argued that the rollout of the Huduma Number violated section 31 of the Data Protection Act and the judgment delivered in the Nubian Rights Forum Case. These legal disputes underscored the necessity for a robust Digital Identity Management System and comprehensive data regulation.
To comprehend the significance of a Digital Identity Management System, it is essential to define what a digital identity is. A digital identity can be described as an electronic representation of an individual, encompassing personal information and online behavior. Consequently, Digital Identity Management refers to the processing, storing, and accessing of an individual’s digital identity.
Digital identities come with their fair share of challenges. Concerns arising from the Huduma Number rollout included data breaches, identity theft, phishing attacks, surveillance, discrimination, data control, and consent. These challenges highlight the importance of establishing a comprehensive Digital Identity Management System.
A robust Digital Identity Management System must strike a balance between user rights and restrictions. It determines whether a user has permission to access information within the system and the extent of that permission. Therefore, a well-defined policy and regulatory framework are essential.
Kenya has made significant strides in data protection since the enactment of the Kenya Data Protection Act in 2019. These developments include the registration of data controllers and processors, compliance and enforcement measures, and general regulations. Key areas covered by these regulations include complaint handling, data controller and processor registration, data protection rights, obligations, and procedures.
Additionally, several guidance notes have been created to assist entities in understanding their roles as data controllers or processors, complying with mandatory registration requirements, managing personal data for electoral purposes, conducting Data Protection Impact Assessments, and fulfilling consent-related duties under data protection regulations.
In conclusion, Kenya’s journey in the realm of digital identities and management has witnessed significant developments and challenges. These advancements, supported by the expertise of MMA Advocates, underscore the importance of comprehensive regulations and a well-defined Digital Identity Management System to protect individuals and their data in the digital age.
This communication is intended solely for informational use. Should you require legal assistance.