{"id":1548,"date":"2019-02-08T16:38:25","date_gmt":"2019-02-09T00:38:25","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1548"},"modified":"2020-01-28T10:17:11","modified_gmt":"2020-01-28T18:17:11","slug":"kenya-government-mandates-dna-linked-national-id-without-data-protection-law","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2019\/02\/08\/kenya-government-mandates-dna-linked-national-id-without-data-protection-law\/","title":{"rendered":"Kenya Government mandates DNA-linked national ID, without data protection law"},"content":{"rendered":"

Last month, the Kenya Parliament passed a seriously concerning amendment<\/a> to the country\u2019s national ID law, making Kenya home to the most privacy-invasive national ID system in the world. The rebranded, National Integrated Identity Management System (NIIMS) now requires all Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of their residential address, retina scans, iris pattern, voice waves, and earlobe geometry before being issued critical identification documents. NIIMS will consolidate information contained in other government agency databases and generate a unique identification number known as Huduma Namba.<\/p>\n

It is hard to see how this system comports with the right to privacy articulated in Article 31 of the Kenyan Constitution. It is deeply troubling that these amendments passed without public debate, and were approved even as a data protection bill which would designate DNA and biometrics as sensitive data is pending.<\/p>\n

Before these amendments, in order to issue the National ID Card (ID), the government only required name, date and place of birth, place of residence, and postal address. The ID card is a critical document that impacts everyday life,<\/a> without it, an individual cannot vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights.<\/p>\n

Mozilla strongly believes that that no digital ID system should be implemented without strong privacy and data protection legislation. The proposed Data Protection Bill of 2018 which Parliament is likely to consider next month, is a strong and thorough framework that contains provisions relating to data minimization as well as collection and purpose limitation. If NIIMS \u00a0is implemented, it will be in conflict with these provisions, and more importantly in conflict with Article 31 of the Constitution, which specifically protects the right to privacy.<\/p>\n

Proponents<\/a> of NIIMS claim that the system provides a number of benefits, such as accurate delivery of government services. These arguments also seem to conflate legal and digital identity. Legal ID used to certify one\u2019s identity through basic data about one\u2019s personhood (such as your name and the date and place of your birth) is a commendable goal. It is one of the United Nations Sustainable Development Goals 16.9<\/a> that aims \u201cto provide legal identity for all, including birth registration by 2030\u201d<\/i>. \u00a0However, it is important to remember this objective can be met in several ways. \u201cDigital ID\u201d systems, and especially those that involve sensitive biometrics or DNA, are not a necessary means of verifying identity, and in practice raise significant privacy and security concerns. The choice of whether to opt for a digital ID let alone a biometric ID therefore should be closely scrutinized by governments in light of these risks, rather than uncritically accepted as beneficial.<\/p>\n