Legal Alert: Huduma Namba Initiative, Judicial Review Application No. E1138 OF 2020

The roll-out and implementation of the Huduma Namba in Kenya was brought to a grinding halt in a recent decision by the High Court. The High Court declared the Huduma Namba initiative illegal on the grounds that the process did not adhere to the Data Protection Act 2019 (‘the Act’). An overview of the Act is covered in our article here. The Government was expected to manage a central master population database which is the ‘single source of truth’ on a person’s identity. The initiative involved the mass collection, processing and storage of personal data.

Justice Ngaah was of the view that a Data Protection Impact Assessment (DPIA) ought to be conducted as prescribed in Section 31 (1) of the Data Protection Act. Section 31 (4) of the Act defines a DPIA as a process that enables a data processor to identify and minimise various risks when collecting data, such as risks to the rights and freedoms of individuals; as well as security measures and mechanisms in place to ensure the protection of personal data.  

Had the government carried out a DPIA on the Huduma Namba Initiative, it would have achieved 2 things:

- The DPIA would have illuminated various risks to the data subject such as privacy breaches and loss of data of the initiative.
- The undertaking of a DPIA would have demonstrated transparency in the data collection process as there is a systematic description of how the process will be carried out, as well as the purpose and legitimate interest behind the need for the Government to collect the data.

Retrospectivity

We note that there is retrospectivity in the decision regarding application of the Data Protection Act. However, the Court opined that the Act in its entirety is a derivative of Article 31 of the Constitution, which gave rise to the right to privacy. Therefore, the constitutional right to privacy did not arise with the enactment of the Data Protection Act; rather, it ensued from the Constitution’s promulgation.

The court reasoned that the lack of a legislative framework to elaborate on a right is not a legitimate reason for the duty bearer not to safeguard such rights. Thus, the failure to conduct a DPIA would amount to a continual violation of the law and the Constitution. The Act was seen by the Court to be a defensive wall that protected the citizens against any potential excess data collection by the state.

The court in its final determination held that the state had not taken into keen consideration the application of the Data Protection Act with regard to collecting and processing data collected under NIIMS, or else they would have conducted a data impact assessment before processing such personal data and rolling out Huduma cards. The court quashed the state’s decision to roll out the Huduma Cards as it went against the provisions of Section 31 of the Data Protection Act; and further compelled the state to conduct a data protection impact assessment in accordance with Section 31 of the Act, before processing of data and rolling out the Huduma cards.

Data Protection Impact Assessment

The Act under Section 31 requires the Data Controller to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.

Regulation 42 of the Draft Data Protection General Regulations stipulates that processing operations taken to constitute high risks, and that shall require conducting a data protection impact assessment prior to processing, include:

- automated decision making with legal or similar significant effect that includes the use of profiling or algorithmic means or use of sensitive personal data as an element to determine access to services or that results in legal or similarly significant effects;
- use of personal data on a large-scale for a purpose other than that for which it was initially collected;
- processing biometric or genetic data;
- a single processing operation or a group of similar processing operations;
- financial and reputational benefits, demonstrating accountability and building trust and engagement with data subjects;
- where there is a change in any aspect of the processing that may result in higher risk to data subjects;
- processing sensitive personal data or data relating to children or vulnerable groups;
- combining, linking or cross-referencing separate datasets where the data sets are combined from different sources and where processing is carried out for different purposes;
- large scale processing of personal data;
- a systematic monitoring of a publicly accessible area on a large scale;
- innovative use or application of new technological or organizational solutions;
- where the processing itself prevents a data subject from exercising a right; or
- any similar or related processing activity.

The Data Protection Impact Assessment shall include:

- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with the Act, taking into account the rights and legitimate interest

Parliament had previously attempted to introduce the Huduma Bill in 2019; our thoughts on the bill are covered here. There is no question that the Huduma Namba initiative poses a huge risk to the rights and freedoms of data subjects. The Government, therefore, needs to take into consideration the principles of purpose limitation, data minimization, accuracy and confidentiality while conducting the process.

Transparency in data collection and processing is crucial, as data subjects have the right to know the purpose behind their data being collected and how it will be stored. The rights of data subjects need to be taken into consideration while collecting and processing data. The Attorney General has since appealed this decision. We wait to see whether the Court of Appeal will uphold the High Court’s decision.

Source: TripleOKLaw
