High Court terms roll out of Huduma Namba illegal
By Bernice.Mbugua, October 15, 2021
The High Court yesterday stopped the roll out of the Huduma card number saying it contravenes the Data Protection Act.
Justice Jairus Ngaah ruled that the State failed to ensure that the bill of rights including the right to privacy was respected and protected during the registration and processing of the cards.
“I hereby quash the decision of 18th November 2020 to roll out Huduma Cards for being ultra vires to Section 31 of the Data Protection Act, 2019,” he ruled.
The judge ordered the State to conduct a data protection impact assessment in accordance with Section 31 of the Data Protection Act before processing of data.
Section 31 of Data Protection Act 2019 states: “Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.”
The suit was filed by Katiba Institute and former Constitutional Review Commission chairman Yash Pal Ghai.
The respondents included Cabinet Secretaries Joe Mucheru (ICT) and Fred Matiang’i (Interior) and the Attorney General.
Impact assessment
In the judgement, Justice Ngaah noted that the State had not appreciated the import and extent of the Data Protection Act with respect to the data collected under National Integrated Identity Management System (NIIMS).
“If they did, they would have given effect to Section 31 of the Data Protection Act and conducted a data impact assessment before processing personal data and rolling out the Huduma cards,” he said.
The Judge also noted that NIIMS, which the State used to collect the data relied on Section 9(a) of the Registration of Persons Act which in turn came about as a result of the Miscellaneous Amendment Act No 19 of 2018.
According to the Judge, the said Act no.19 of 2018 was nullified by a three judge bench among other laws that were purportedly enacted by the National Assembly without any involvement of the Senate.
“It is the individual constitutional rights and basic rights that were under threat by exercise of the State in collecting and processing data without a legal framework to ensure that even as it embraces a new system of identification, the right to privacy is protected,” he said adding: “I will stand with the individual against the might of the State and hold that fairness is in interpretation of Section 31 as being retrospective in its application.
I am satisfied that the applicant has made out a case against the respondents,” he ruled.
In the suit, Katiba Institute through lawyer Dudley Ochiel, had argued that the roll-out of Huduma Namba cards lacked guarantees of theft or misuse of Kenyans’ personal information.
According to the lobby, the State failed to subject the fresh registration of Kenyans to Data Protection Impact Assessment — a requirement under the law.
“The respondent’s omission to conduct the data protection impact assessment in this case is not only ultra vires the Act, but also threatens the right to privacy under Article 31 of the Constitution,” they argued.
Right to privacy
It was their contention that the nature of the data collected is such that there exists a tangible risk that subjects may be discriminated against on various bases in contravention of Articles 10 and 27 of the Constitution.
The lobby also argued that the omission to conduct a data protection impact assessment and the decision to roll-out Huduma Namba Cards before and without the assessment constitutes a grave violation of the Right to Fair Administrative Action as enshrined in Article 47 of the Constitution and Section 4 of the Fair Administrative Action Act.
“Article 31 guarantees every person the right to privacy which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed,” they argued.