July 21, 2021

A Risk-based Assessment to Digital ID Systems: The Case for Huduma Number (by Florence Ogonjo and Rachel Achieng)

Digital identity (ID) technologies are being tried and tested, and discussions about their adoption are becoming more common. The effectiveness of these systems will be determined by how privacy and security concerns are addressed during the early stages of implementation. When considering digital ID, the technical infrastructure and legal framework go hand in hand. Therefore, the establishment and adoption of good ID necessitate legal and technical safeguards that address data protection, privacy, and security.

Kenya adopted the National Integrated Identity Management System (NIIMS) in 2019. The system was designed to create and maintain a national population register as a single source of information about Kenyan citizens and foreign residents in the country. The adoption of this system was met with numerous reservations, particularly concerning security, privacy, and inclusivity. These issues were raised and challenged in the acclaimed Huduma Number case (Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties)), which halted the nationwide biometric registration to collect the information for the NIIMS system and the rollout of the Huduma number. The case resulted in the development of data protection laws and regulations, as well as additional legislation allowing for the establishment and use of NIIMS, which were not previously in place. The Government of Kenya began the first phase of the Huduma number rollout towards the end of 2020.

A risk-based assessment evaluates the digital ID system’s operation, privacy and security, the use of biometrics in the digital ID system, data lifecycle management, governance structures, and potential security threats. Privacy and security are integral to the functioning of the digital ID system. The Huduma number case brought into question the system’s design, and its technical and functional capabilities in ensuring the privacy and security of the data that would be processed for the proper functioning of the system. This is anchored to the operation of the NIIMS system, especially in consideration of the use of biometrics, which is highly susceptible to security threats. The system is vulnerable to serious threats due to the nature of the data collected and stored, the most serious of which are third-party data leaks and identity theft. These potential threats are likely to negatively impact the data, the systems, and the users whose data is stored and managed in the database.

The more data the system processes, the more complex the threats and the greater the need for strong security measures. These security measures are established not only by technical and organizational measures but also by operational governance structures. Governance is significant in establishing public trust and protecting the constitutional right to privacy. The introduction of digital ID in Kenya led to the establishment of laws and policies that form the basis of governance that regulates the functioning of NIIMS. The Data Protection Act, 2019, the Registration of Persons NIIMS Regulations (2020), and the Data Protection (Civil Registrations) Regulations (2020) are the primary references for the statutory regulation of NIIMS. The risks posed by digital ID management systems cannot be overstated given the government’s continued reliance on personal data in providing services. The systems must therefore be continuously evaluated and improved while taking into account the risks their continued use poses to privacy, security, digital identity, and the overall functioning of the system.

NIIMS’s success or failure will be determined by how well and consistently security measures are implemented. Access control mechanisms, network monitoring, and intrusion detection systems are required to detect and respond to cybersecurity attacks. Most governments have established cybersecurity agencies, research centres, and standards and technology institutes to oversee such systems and ensure overall security within other systems that the public has access to. Running and maintaining such systems necessitates a consistent financial flow, adequately trained cybersecurity personnel, and a government that understands the importance of personal data privacy and security. The Kenyan government must take these issues into account, particularly in the system’s operation.

The transition to a digital ID management system is an unavoidable reality. Digital transformation, adoption, and increasing digitization open the door to an infinite number of risks, both those presently known and those that might develop in the future. Vigilance on NIIMS’s technical infrastructure, potential security risks, and vulnerabilities, as well as the current legal framework, is necessary for determining whether the parameters established will remain sufficient in light of ever-changing processes and technology.

Florence A. Ogonjo is a Research Assistant at the Centre for Intellectual Property and Information Technology Law (CIPIT) currently working on the research areas of digital ID and data governance in Kenya.

Rachel Achieng is a Research Assistant at the Centre for Intellectual Property and Information Technology Law (CIPIT) currently working on the research areas of digital ID and data governance in Kenya.
