On September 12, 2023, the Government of Kenya made a significant announcement
regarding the issuance of third-generation IDs, known as the Maisha Card, starting from
September 29, 2023. These new IDs introduce the use of Unique Personal Identifiers
(UPIs) as a fundamental component.
The Maisha Card and Unique Personal Identifiers (UPIs).
The UPIs are not limited to adults; the rollout includes school-going children and even
newborns. Each child will be assigned a UPI, which they will use throughout their
educational journey. Upon reaching the age of 18, this UPI will become their national
identity number. The introduction of UPIs aligns with the ICT Policy of 2019.
However, this initiative is not the first attempt at launching a digital ID system in Kenya.
In January 2019, the government introduced the National Integrated Identity
Management System (NIIMS), commonly known as the Huduma Number. NIIMS
shared similar goals with the Maisha Card, but it faced legal challenges.
Legal Challenges and the Need for Digital Identity Management.
The Katiba Institute, through Judicial Review No 1138 of 2020, argued that the
rollout of the Huduma Number violated section 31 of the Data Protection Act and
the judgment delivered in the Nubian Rights Forum Case. These legal disputes
underscored the necessity for a robust Digital Identity Management System and
comprehensive data regulation.
Understanding Digital Identity Management.
To comprehend the significance of a Digital Identity Management System, it is essential
to define what a digital identity is. A digital identity can be described as an electronic
representation of an individual, encompassing personal information and online
behavior. Consequently, Digital Identity Management refers to the process of
processing, storing, and accessing an individual’s digital identity.
Challenges in Digital Identity Management.
Digital identities come with their fair share of challenges. Concerns arising from the
Huduma Number rollout included data breaches, identity theft, phishing attacks,
surveillance, discrimination, data control, and consent. These challenges highlight the
importance of establishing a comprehensive Digital Identity Management System.
The Role of Policy and Regulation.
A robust Digital Identity Management System must strike a balance between user rights
and restrictions. It determines whether a user has permission to access information
within the system and the extent of that permission. Therefore, a well-defined policy
and regulatory framework are essential.
Regulatory Developments.
Kenya has made significant strides in data protection since the enactment of the Kenya
Data Protection Act in 2019. These developments include the registration of data
controllers and processors, compliance and enforcement measures, and general
regulations. Key areas covered by these regulations include complaint handling, data
controller and processor registration, data protection rights, obligations, and
procedures.
Guidance for Entities.
Additionally, several guidance notes have been created to assist entities in
understanding their roles as data controllers or processors, complying with mandatory
registration requirements, managing personal data for electoral purposes, conducting
Data Protection Impact Assessments, and fulfilling consent-related duties under data
protection regulations.
In conclusion, Kenya’s journey in the realm of digital identities and management has
witnessed significant developments and challenges. These advancements underscore
the importance of comprehensive regulations and a well-defined Digital Identity
Management System to protect individuals and their data in the digital age.
By Devinah Manyasi.
Disclaimer.
This communication is intended solely for informational use. Should you require legal
assistance,