Listen to This Article Enhance your reading experience by listening to this article.

It will be mandatory for the Independent Electoral and Boundaries Commission (IEBC) to have its election data and transmission servers hosted locally should Parliament approve new regulations from the Ministry of Interior.

The regulations tabled before MPs says that institutions such as the IEBC will have to get authorisation from the National Security Council (NSC) to have its critical information stored outside Kenya.

The computer misuse and cybercrimes (critical information infrastructure and cybercrime management) regulations, 2024, seeks to compel owners of critical information infrastructure to ensure that the infrastructure on which critical information is domiciled, is located in Kenya.

The other institutions that will be affected include the World coin, the cryptocurrency project whose operations were halted over privacy queries.

Critical information infrastructure in Kenya is identified as critical sectors or systems including the: Defence, public safety, and security sector. banking and finance sector. The electoral and judicial sector
Reads the regulations: “An owner of a critical information infrastructure shall ensure that the infrastructure on which critical information is domiciled is located in Kenya.”

General elections

The regulations come hardly a year after there was a standoff during the 2022 general elections when Azimio la Umoja presidential candidate Raila Odinga claimed that they had been denied access to the IEBC servers as they are not locally hosted.

The move promoted the supreme court which was dealing with the Presidential election dispute filed by Raila to grant him and other parties’ access to the servers.

In the 2022 general election, IEBC entered into a valid legal contract with Smartmatic International Holdings B.V that was founded in 2000 in Florida, USA for the supply, delivery, installation, testing, commissioning, support and maintenance of the Kenya Integrated Election Management System (KIEMS).

The regulations tabled before the Departmental Committee on Administration and Internal Security chaired by Narok West MP Gabriel Tongoyo provides that for anyone to access critical information infrastructure, the owner of the information infrastructure will restrict and ensure adequate measures are in place to monitor permitted access to a critical information infrastructure system or data.

Critical information

For purposes of being granted permission to access a critical information infrastructure, the regulations provides that the interested person will be required to furnish proof of their identity including contact details and any other relevant information required by the owner of a critical information infrastructure; declare possession of any item, object or thing that may be dangerous to the safety of the critical information infrastructure, declare the contents of any vehicle, suitcase, bag, handbag, folder, envelope, parcel or container of any nature, which is in the possession, custody or control of the person as well as subject himself and anything in his possession or under his control to scrutiny and examination by either electronic or other apparatus.

Adds the regulations: “Upon granting access to a critical information infrastructure, the owner shall require the person granted access to comply with the conditions for access.

The regulations which will help in the implementation of the Data Protection Act, which secures data in the country from unauthorised persons, provides that an owner of a critical information infrastructure who intends to have critical information located outside Kenya, shall apply the National Computer and Cybercrime Coordination committee which shall consider the notification and verify that it meets the security standards provided and shall communicate its decision within 30 days of receipt of the notification.

The committee which shall report to the Cabinet Secretary in charge of Internal Security, will comprise of principal secretaries Interior and ICT, Attorney General, Chief of the Kenya Defence Forces, Inspector General of the National Police Service, Director General National Intelligence Service (NIS), Director-General of the Communications.

Authority of Kenya, Director of Public Prosecution, Governor of the Central Bank of Kenya and a Director who shall be the secretary of the Committee and who shall not have a right to vote.

In making its decision the committee will have to consult NSC before making its decision.

The regulations states that the committee in considering an application by the operator to have critical information located outside Kenya will be required take into account various measures including the security measures and safeguards being applied to the information and infrastructure on which the information is contained meet the standards set, whether it is necessary for the information to be stored outside the geographical jurisdiction of the Republic.