Security Of Personal Data: Lessons From The Huduma Number Court Decision

25 October 2021

In the world we live in today, data has become a crucial commodity with immeasurable capabilities that cannot be overlooked. Data protection compliance is increasingly a key requirement for transactions across the globe, due to the potential risks involved in handling personal data. This applies to both private and public persons or entities, including the handling of personal data by the Government.

The Registration of Persons Act, as amended by the Statute Law Miscellaneous (Amendment Act) 2018, introduced the National Integrated Information Management System (NIIMS), which was intended to be a single repository of personal information of all Kenyans as well as foreigners resident in Kenya. However, these amendments raised many concerns, including that there were no proper mechanisms in place to safeguard the personal information to be collected under the NIIMS system. Without such protection mechanisms in place, there would be a violation of the constitutional right to privacy.

As a result, some aggrieved persons, including several non-governmental organisations, petitioned the court (Petition 56, 58 and 59 of 2019) seeking conservatory orders prohibiting the Kenyan Government from implementing any form of registration under the NIIMS.

The Court held that there is an imminent threat to the right to privacy, particularly with respect to the collection of biometric data and GPS coordinates, based on the protection measures in place.

Biometric data and GPS coordinates required by the amendments are personal, sensitive and intrusive data that require protection, a strong security policy and detailed procedures on their protection and security which comply with international standards. On this issue, the government neither disputed that there was no specific regulatory framework governing the operations and security of NIIMS nor provided any reason for the lack of it.
The Court therefore found that the framework on the operations of NIIMS is inadequate and poses a risk to the security of the data that is to be collected, and ordered that appropriate measures be put in place to protect the personal data collected before implementing NIIMS.

Whereas digitisation of certain public service systems may improve service delivery, precautionary measures must be put in place to safeguard against the increased threat of data breaches. It is of utmost importance to have checks and balances in place to ensure any data is secure and handled in line with international standards.

At the outset, NIIMS did not have clear, verifiable, accountable and secure measures in place to safeguard the privacy and security of persons' data. For example, no mention has been made of who can access the data and for what purpose, leaving an opening for unauthorised persons to access the sensitive personal data. Further, there has been no evidence of the security measures in place to safeguard the data collected, or even of whether the measures currently in place meet the requirements introduced by the Data Protection Act, 2019 (the Act). This raises the question of whether the Government is able to maintain a data bank that will provide the much-needed transparency and security of the information held.

Currently, NIIMS does not comply with core data protection principles on consent and legitimacy, fair and lawful processing, purpose and relevance of data, management of the data lifecycle, transparency of processing, as well as confidentiality and security of personal data.
A lot needs to be done to ensure that our local systems, including NIIMS, meet the regulatory threshold for maintaining a data bank, so that we meet international standards and eliminate a growing barrier to doing business in Kenya.

The decision of the High Court, being amongst the first decisions in Kenya relating to the principles of data protection under the Act, merely highlighted an area that remains unknown relating to the security standards required for holding personal data. Both private and public institutions should evaluate how their operations in handling collected personal data are safeguarded and ensure complete compliance with the Act.

For more information, please contact our corporate team by emailing us at law@cmadvocates.com.
