Layered exclusions: The rapid digitisation of government services
The COVID-19 pandemic has accelerated the digitisation of many government services in Kenya. This digitisation had already been part of the government’s plan, with the rollout and pilot phases taking place in different arms and departments. But due to the sudden implementation of the plans, digital rights issues have now become a priority.
This report offers and overview of challenges to the implementation of the Huduma Namba, a national ID number system in Kenya, and situates this in the context of government requirements making it mandatory to be vaccinated to receive government services. It argues that in the context of widespread digital exclusion in the country, what has been created is a situation of layered exclusions that need to be challenged by digital rights actors.
Kenya has established a digital National Identity Integrated Management System (NIIMS) through Executive Order No. 1 of (2018) and by the Statute Law (Miscellaneous Amendments) Act, 2018, section 9A. This includes the creation of the Huduma Namba (or Huduma Number), a unique and permanent personal identification number randomly assigned to every resident individual at birth or when an individual applies for official registration. It only expires upon the death of the individual. Upon registration, one will be issued with a Huduma Card, which will eventually replace the current identity card that all Kenyans currently have and use.
The government hopes that the Huduma Card will enable individuals to access various government services as well as use it as a travel document within the East African region. The card will have a person’s data merged and installed in an electronic chip, therefore eliminating the requirement for other identity and personal information documents as is the case currently.
Officially, the pilot for the Huduma Cards started on 1 December 2020, and countrywide distribution started in February 2021. The government expected that all Kenyan adults who had been registered would be issued with their Huduma Cards by December 2021.
The initiative resulted in two High Court actions, the first involving a petition by the Kenya Human Rights Commission (KHRC), the Nubian Rights Forum and the Kenya National Commission on Human Rights (KNCHR), which challenged the legality of the NIIMS project.
For their part, many members of the Nubian community who have been living in Kibera – a slum area of Nairobi – have found it difficult to get Kenyan citizenship, even though the community has existed in Kenya for more than a century. The community was started when people from Sudan were brought into Kenya during British colonial rule. Many members of the ethnic group have not been able to register for a Huduma Namba as they do not have the national IDs needed to do so. They called for the whole scheme to be scrapped given that the government says people will need a Huduma Namba to access public services.
In the end, a three-judge High Court bench comprised of Judges Pauline Nyamweya, Mumbi Ngugi and Weldon Korir validated the legitimacy of the Huduma Namba in a judgment that addressed various issues. On whether the personal information collected is excessive, intrusive and disproportionate, the Court found that biometric data and GPS coordinates required in the amendments are personal, sensitive and intrusive data that requires protection. And even though there was no evidence brought by the petitioners of any violations of rights to privacy, the Court found that the amendments impose obligations on the relevant respondents to put in place measures to protect the personal data.
On whether there is a violation of children’s right to privacy, the High Court found that section 9A of the Registration of Persons Act and NIIMS applies to children and that the legislative framework on the protection of children’s biometric data collected in NIIMS is inadequate. On whether there are sufficient legal safeguards and data protection frameworks, the Court found that while there is a legal framework for the collection and processing of personal data, adequate protection of the data requires the operationalisation of this legal framework.
However, since there was no specific regulatory framework that governs the operations and security of NIIMS, the Court found that the legal framework for the operations of NIIMS was inadequate, and posed a risk to the security of data that would be collected in the system.
On discrimination against the Nubian community, the Court stated that they were unable to discern violations of the right to equality and non-discrimination from the evidence presented before them. They stated that should there be challenges in other statutes or provisions, such challenges cannot properly be raised in the NIIMS case, in which the legislation in contention is entirely different. In the same breath, on exclusion, the Court found that there is a need for a clear regulatory framework that addresses the possibility of exclusion in NIIMS. Despite this possibility, they did not find it as a sufficient reason to find NIIMS unconstitutional.
The Court also ruled that there was sufficient public participation in the process to amend the Registration of Persons Act to create the NIIMS, and to justify miscellaneous amendments to related acts.
However, the High Court struck down the government’s decision to roll out Huduma Cards due to violations of the Data Protection Act (2019) on 14 October 2021. The Court found that the government had started collecting personal data from Kenyans without first determining how it would protect that data and that it had “not appreciated the import and the extent of the application of the Data Protection Act with respect to the collection and processing of data under the National Integrated Identity Management System.” The court compelled the government to complete a data protection impact assessment, as required by the Data Protection Act, prior to processing data or rolling out Huduma Cards.
This second judgment on the project is yet to be fully implemented. The judgment strengthens the prerequisites contained in the Data Protection Act for the implementation of the digital identity card. It also highlights that a proper understanding of the effects of digitisation of people’s identity is necessary in a society where there is a high level of digital exclusion, and a corresponding low level of awareness of digitising personal identity.
Mandatory vaccination and effects of digitisation of government services
The government is on its post-pandemic “building back better” journey and had directed that all who will want to access in-person government services from 21 December 2021 must be fully vaccinated. This directive, which was not promulgated or published in the Kenya Gazette, has digital rights implications as the vaccination certificates in Kenya are digital. On the one hand, this was likely to result in limitations to human rights, in a country where sectors of society have poor access to the internet and low digital literacy. It was also not clear if e-government services will be available to those without vaccination certificates.
Among others, unvaccinated Kenyans were to be excluded from or not able to access universities, hospital and prison visitations, immigration services, the Kenya Revenue Authority (KRA), the National Transport Service Authority (NTSA), and port services.
While the government offered the option of online access to services, this raises the problem of access to the internet and digital devices for the average Kenyan.
Within days following the announcement, the High Court suspended the government directive.
Access to the internet and digital devices
One of the biggest challenges in the digitisation of government services is access to the internet. The uptake of internet services increased in 2020 in light of COVID-19 pandemic mitigation measures that greatly reduced physical contact. To meet the internet demand, bandwidth capacity was increased by 29.6% to 8.1 million Mbps in 2020. The increase of capacity allowed networks to handle the sudden surges and new patterns in internet traffic. According to the DataReportal 2021 report on Kenya, there were 21.75 million internet users in Kenya in January 2021 and internet penetration stood at 40%.
The 2019 Kenya Population and Housing Census results show that 20,694,315 of individuals aged three years and older owned a mobile phone. More females (10,425,040) than males (10,268,651) owned a mobile phone. The data also shows that 22.6% of individuals aged three years and older used the internet, while 10.4% used a computer. The proportion of the population aged 15 years and older who searched and bought goods and services online was 4.3%.
These statistics show that 60% of Kenyans cannot access government services that are available online. Moreover, of those that do access the internet, a relatively small percentage actually use the internet for accessing goods and services. Therefore, accessing government services online is already a challenge for most Kenyans and the sudden digitisation of government services is leading to further exclusion despite the intention being inclusion.
One can see that COVID-19 has resulted in Kenya accelerating its journey in digitising government through projects that had started before the pandemic, such as the Huduma Namba and other e-government services, including eCitizen, the Transport Information Management System, the Kenya Revenue Authority’s iTax online service, and the National Education Management Information System (NEMIS).
The key rights issues that this digitisation process highlights concern privacy and exclusion, with two judgments from the High Court handed down with respect to the Huduma Namba project.
What is clear is that the pandemic has rushed the plans for digitisation and pushed policy implementation to short-cut the steps that were necessary to ensure that these plans were inclusive, and came with the proper privacy safeguards. That the digitisation plans were problematic was already recognised prior to the pandemic – in 2015, the Commissioner of Administrative Justice declared a crisis in the issuance of legal documentation in Kenya.
Due to a lack of adequate digital literacy that is needed to enable people to access government services online, many use the help of intermediaries such as cybercafé staff. The challenge with this is that these people – who are not officially trained or mandated to serve as government intermediaries – then have access to a significant amount of personal information and are a potential weak link in the data privacy chain.
Digital literacy training would have helped in at least attempting to ensure that people using computing devices for government services would not need informal third-party assistance. However, the absence of a strategy specifically on this suggests the need for the government to better consider last-mile factors impacting on access before rolling out e-government platforms.
Digital exclusion is just one form of exclusion in Kenya, and the case of the Nubian community show that exclusions are multi-layered and intersectional. Similarly, by introducing the compulsory vaccination e-certificate to access government services, marginalised groups and communities are potentially further isolated from these services.
Transitioning to a digital identification system without first addressing the existing problem of widespread discrimination will not solve these problems. It will, rather, increase discrimination and exclusion. The result now is that civil society needs to push back against the digitisation agenda, firstly, to properly understand the layered exclusions that it implies, and secondly, to ensure that any necessary safeguards to mitigate these exclusions are implemented retrospectively.
Civil society organisations need to:
- Create awareness-raising material to inform people on their right to privacy and to support the communities that have been systematically excluded. This could be done in collaboration with relevant regulators and government bodies. A potential ally is the Office of the Data Protection Commissioner, which has shown interest in creating public awareness on the right to privacy.
- Form alliances with organisations representing excluded communities to strengthen advocacy collectives, and to engage meaningfully in litigation where necessary.
- Engage legislators on the human rights implications of the Huduma Namba. This is especially the case now that the Huduma Bill is in Parliament. Civil society organisations need to push for laws and implementation processes that will not result in privacy breaches and the intersectional exclusion of people.
 Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties)  eKLR.
 Kenya Human Rights Commission. (2021, 18 October). Consortium applauds court judgement declaring Huduma Cards illegal; calls for further reforms. https://www.khrc.or.ke/2015-03-04-10-37-01/press-releases/754-consortium-applauds-court-judgement-declaring-huduma-cards-illegal-calls-for-further-reforms.html
 Kemp, S. (2021, 11 February). Digital 2021: Kenya. DataReportal. https://datareportal.com/reports/digital-2021-kenya
 Kenya National Bureau of Statistics. (2019). Kenya Population and Housing Census: Volume IV. https://www.knbs.or.ke/download/2019-kenya-population-and-housing-censu…
 Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties) .
 The Huduma Bill, 2021 proposes that all Kenyans receive the Huduma Namba and subsequently a Huduma Card. The Huduma Namba is based on the National Integrated Identity Management System (NIIMS) database and will be linked to all government services. Without the Huduma Card, a person will not be able to get government services. Part of the Bill reads, “Every resident individual shall have a mandatory obligation to present their Huduma Namba to be issued with a passport, apply for a driving license, register a mobile phone number, register as a voter, pay taxes, transact in the financial market, open a bank account, register a company or a public benefit organization, transfer or make any dealings in land, register for power connection, access universal healthcare services, or register a marriage.”
This report was originally published as part of a larger compilation: “Global Information Society Watch 2021-2022: Global Information Society Watch 2021-2022"
Creative Commons Attribution 4.0 International (CC BY 4.0) - Some rights reserved.
Global Information Society Watch 20121-2022 – print
APC Serial: APC-202211-CIPP-R-EN-P-343
Global Information Society Watch 2021-2022 web and e-book
APC Serial: APC-202211-CIPP-R-EN-DIGITAL-342