HC declares roll-out of Huduma cards illegal for being in conflict with Data Protection Act


The Supreme Court of India has declared the roll-out of Huduma Namba, on which the government spent over 10 billion, illegal for being in conflict with the Data Protection Act.

Justice Jairus Ngaah ruled that the government should have conducted an impact assessment before rolling out the Huduma cards. The judge further ordered the government to conduct the assessment before the rollout, to create safeguards for protecting Kenyan data, as the cards have already been rolled out in Kenya.

Katiba Institute and law scholar Yash Pal Ghai sued the government, arguing that it was wrong for the government to develop Huduma cards before conducting a Data Protection Impact Assessment.

The lobby group and Prof Ghai argued that the assessment would identify risks such as breaches of privacy and loss of data, while some Kenyans could be locked out of the roll-out because they lack identity cards.

An order of mandamus is hereby issued directing the government to conduct a data protection impact assessment in accordance with section 31 of the Data Protection Act before processing of data and rolling out the Huduma cards.

Katiba Institute argued that the government plans to roll out Huduma cards before undertaking a data protection impact assessment as required by section 31 of the Data Protection Act.

The lobby said the move is also a threat to privacy under Article 31. The Court heard that section 31 of the Data Protection Act, 2019 requires the government to conduct a data protection impact assessment where a processing operation is likely to result in a high risk to people's rights and freedoms.

While announcing the planned roll-out on November 18, 2019, ICT CS Joe Mucheru said the card would be the primary source of data on every citizen and foreigner.

The lobby said the High Court had ruled that processing under the National Integrated Identity Management System (NIIMS), including processing of biometrics and data of children, implicates high risk to the rights of a data subject.

However, the Respondents have defied section 31 of the Act and violated a court order in Nubian Rights Forum to conduct any data protection impact assessment on the NIIMS collected data, lawyer Dudley Ochiel said.

He said due to the lack of public information on the system, it is unclear where and how personal data, and which data, will be stored and processed between the cards themselves and other components of the NIIMS system.

He said a data protection impact assessment is a necessary mechanism for mitigating this gap and alleviating the risks associated with the system, including the production and rollout of Huduma Namba cards.

In a case determined earlier, several organisations argued that the data might be lost, deleted or encrypted, and raised concerns about identity theft and fraud. They were also apprehensive of malicious use of information, wrongful entries, mismatch of information and hacks via cybercrimes.