Monday, April 22, 2019

Why the haste?

I said a stupid thing the other day. I declared, "One of the truest expressions of governmental excess is the Penal Code and the plethora of offenses established by written laws. Only three classes of offenses should be prosecuted by the State: murder, all sexual offenses and theft." My friend Gitonga challenged me to set down my views in a post and so here we go.

In modern society, it is impossible to live without effective governmental regulation of both public and private affairs. In one form or the other, Government has an obligation to regulate our affairs in order to protect us from harm, even if the harm comes by our own hands. How Government goes about protecting us is of vital importance. It must be given power to take certain measures to protect us but it must not be given too much power that it becomes oppressive. It is in this context that I made the stupid declaration about laws and governmental excess.

In recent weeks, Government has sought to consolidate our personal information in a new database, the National Identity Information Management System, and to issue every Kenyan with a unique identifier, the Huduma Namba. In theory, the consolidation of personal information in the NIIMS, as the system has been named, and the issuance of the Huduma Namba, will allow for the seamless provision of public services by all governmental agencies. There is a fear though, that such a consolidation is ripe for abuse, especially in the absence of a law regarding the protection of such personal data as will be consolidated in the NIIMS. Mass surveillance has been listed as one of the downsides of consolidation as has been the sale of private data to non-governmental entities. (Many have experienced the unlawful use of their personal data because entities holding that data have shared it with political parties, business entities and unscrupulous persons seeking to swindle us.)

Some have argued that the information being consolidated is already in the possession of Government in its various databases: the Civil Registry, the Kenya Revenue Authority, the Land Registry, the Births and Deaths Registry, the National Transport and Safety Authority, the National Hospital Insurance Fund, the National Social Security Fund, and the Immigration Department, among others. They argue that there is nothing wrong with the consolidation in the manner that is being prosecuted by Government with NIIMS. What they haven't been able to explain is the secrecy surrounding the whole affair, especially with the existence of a statutory and administrative regime set out in the Kenya Citizens and Foreign Nationals Management Service Act.

The Kenya Citizens and Foreign Nationals Service, its Board and the Director of Immigration, under the Act, were the institutions charged with the type of consolidation of personal data contemplated in the NIIMS and yet no explanation has been given as to why, 8 years after the law was passed by Parliament and assented to by the President, the law has not been operationalised or why no steps have been taken to operationalise it at all. No reason has been given as to why a system that had already been endorsed by Government has been abandoned even before it got off the ground. The unseemly haste with the operationalisation of NIIMS and the coercive undertones of its implementation raise doubts that the proposals and rationalisations behind NIIMS are on the up and up. For this reason, skepticism is warranted, hyperbole aside.

An analysis of NIIMS and the system contemplated under the Kenya Citizens and Foreign Nationals Management Service Act are fundamentally the same. The key difference is the manner in which both came to be. The former was pushed through by an amendment to the Registration of People Act (which was done through the Statute Law (Miscellaneous Amendments) Act, 2018, which was assented to on the 31st December 2018. No one, in the heat of Christmas and New Year celebrations, noticed the amendment and very few even commented on the proposals. The latter was an Act of Parliament that, even with the madness of the last two years of the Kibaki Government, underwent considerable public review and participation before it became the law of the land.

I don't have a problem with the proposals in NIIMS but I have a problem with the haste, the secrecy and the coercion behind its implementation. I have a problem that it is being done despite the fact that a similar system already exists, at least in law. I have problem with the implications of a lack of a data protection law in the face of the haste and coercion related with NIIMS. Finally, I am skeptical with the argument being advanced that NIIMS is merely the digitization of our personal data. During the second Kibaki Government and the first Uhuru Kenyatta Government, under James Orengo and Charity Ngilu, the Lands Registry was digitised twice over at great public expense. The National Transport and Safety Authority has digitised traffic and drivers' data since its establishment. KRA, with the iTax system, is fully digital. No reason has been advanced as to why the other elements of the NIIMS system are yet to be digitised.

Finally, the risks of consolidation of personal data in the current climate evokes fears of abuse and misuse. In 2001, in Godhra, India, Muslims in Gujarat were attacked and massacred by the thousands. One way that their attackers used to find them was the state's voters roll which identified Muslims by name and address down to the apartment. In Kenya, the 2013 and 2017 general elections were marred by allegations that the digital voter register and digital voter tallying system were manipulated to boost some candidates' number and reduce other candidates'. Secrecy and coercion are not a recipe for public trust. NIIMS is secretive and coercive. If that doesn't change, there is no reason why we should take the word of its boosters that it is for our safety.

1 comment:

Gitonga Murang'a said...

the concerns are valid. It's taken a different direction that I had anticipated. As for Data Protection Law, there was a time it was being pushed and the access to information law was not a priority. Somehow the access to information law won the race. Is data protection something that can be handled in the mean time through statutory provisions pending legislation? can guidelines work under the CAJ Act? or do we intend to ensure there are penal provisions to guard against abuse? is abuse of the data a criminal matter or a civil matter? Good read.