By Phillis Njoroge**
The Statute Law (Miscellaneous Amendment) Bill, 2018 seeks to amend a number of Acts, among them the Registration of Persons Act (Cap 107). This bill proposes the establishment of a National Integrated Identity Management System as well as the capture of biometric data and geographical data (GPS) during the registration of persons in Kenya. This essentially means that one will be required to provide their biometric information before being issued with a National Identity card. Biometric information in this context includes fingerprint, hand geometry, earlobe geometry, retina and iris patterns, voice waves and Deoxyribonucleic Acid (DNA) in digital form.
It is foreseeable that this law will have positive and negative implications in various fields. A number of advantages that might come as a result of the collection and digitisation of biometric data include: identification accuracy, establishing accountability in the civil registry as each transaction shall be accurately documented by the individual associated with it, thus reducing the possibility of system misuse and fraud. Similarly, the risk of identity theft shall be reduced, consequently leading to an improved return on investments due to the enhanced accuracy, accountability and reduced opportunities for misuse.
As much as this system comes with a number of advantages, the collection and storage of DNA data in Kenya’s registry of persons raises a number of legal and ethical concerns. The grimmest of these is the potential contravention of Kenyans’ right to privacy, as provided for under Article 31 of the Constitution, particularly, the guarantee to not have information relating to one’s family or private affairs unnecessarily required or revealed.
DNA data is sensitive. It is not only a unique identifier of an individual, it also can be used to determine an individual’s entire genetic history including their propensity towards certain diseases. This brings it within the ambit of ‘family or private affairs’ as stipulated under Article 31 of the Constitution. The Government of Kenya has not provided sufficient justification for the collection of this data nor has it demonstrated that it shall institute the required stringent security measures within the National Integrated Identity Management System, for the protection of this data. This measure, if adopted, shall transform Kenya into an Orwellian ‘Big Brother State’.
Similar concerns were raised by Britons in their vote against a national data registry and identity cards in 2010. This registry would have required the collection of fingerprint, iris or palm-print data. Their biggest concern was that the collection and storage of up to 50 different kinds of information on one person would amount to a sort of ‘big brother’ approach. They also felt that it was unclear how secure this data would be from manipulation.
The security of this data is thus under scrutiny. Unlike passwords, biometric data such as DNA fingerprints and the like cannot be easily changed. This means that in the event of a data breach, one cannot easily reset their biometric details. The potential loss in the event of a breach is astronomical, as an offender with a sample of the biometric data in question would obtain indefinite access to a database that is secured by the biometric data.
Moreover, the establishment of a DNA database in the absence of comprehensive data protection legislation further puts the security of such data at risk. It is unclear whether Kenya will be able to afford the necessary encryption technologies and/or adopt information security and privacy best practices like intrusion detection, breach reporting and having a risk management program.
The collection of DNA data in a national registry of persons also raises the following ethical questions:
Firstly, who owns the collected DNA data? Given that DNA is unique to a particular individual, it is appropriate to assume that DNA is owned by the individual whom it identifies. It is for this reason that the European General Data Protection Regulation (GDPR) in Article 4(5) requires that all organizations, bodies or persons seeking to collect DNA information (pseudo-anonymised data) from anyone first have consent from that person.
The proposed law in Kenya does not however give people the opportunity to opt in or out of giving their DNA; it makes it a requirement for all Kenyans in order for them to be granted identification as citizens. The implication of refusal to provide such data is the deprivation of national identification documents and potentially one’s citizenship, contrary to Article 14 of the Constitution. As DNA is owned by the individual that it identifies, it is improper for the government or any other entity to collect such data without the explicit consent of the subject.
Given Kenya’s history with ethnic discrimination in both the public and private sector, it is important to take into consideration the potential implications of the collection of DNA data, on a national level, on this issue. As DNA data can be used to identify the ethnicity of the subject, there is a risk of such data being abused to discriminate against individuals based on their ethnicity. This is compounded by the fact that the Bill is silent as to the specific measures that shall be used to prevent the abuse of the National Integrated Identity Management System.
Additionally, the Ministry of Interior will also require GPS satellite details of citizens’ homes. While the government can access mobile phones’ GPS data with a court order, they typically have to follow certain procedures to obtain such data from mobile networks. However, the collection and storage of both GPS and DNA data as proposed by the Bill is without any oversight, and risks making Kenya a Police State.
One cannot therefore ignore the security risk in collecting DNA data in the absence of elaborate data protection laws. These privacy and surveillance reservations are valid given the Cambridge Analytica (CA) scandal, where 50 million Facebook users’ data was collected and shared with CA, which built ‘psychographic’ profiles of Facebook users. These profiles were then used in targeted political messaging during the United States’ 2016 election. Similarly, research carried out by CIPIT into the privacy implications of the use of biometrics in Kenya’s 2017 general elections established that Kenyans received unsolicited political campaign messages which contained accurate data on their names and in some cases polling stations. In light of the manipulation of personal data for profiling and other nefarious purposes, it is imperative that personal data, more so DNA data, is kept secure and only accessed by authorised personnel when absolutely necessary.
That said, keeping in mind the advantages of a National Integrated Identity Management System, is the risk of putting our DNA in the hands of our government worth it?
** Phillis Njoroge is a 4th Year Bachelor of Laws student at Strathmore University.