The nomination of a director with the electoral agency who had a starring role in the August 2017 presidential petition as the country's inaugural data commissioner has caused jitters in political circles.
As the director of voter registration and election operations at the Independent Electoral and Boundaries Commission (IEBC), Immaculate Kassait was a key player in the disputed polls and now MPs are questioning her integrity and suitability for the position.
The legislators, who did not want to go on record, accused Ms Kassait of being IEBC's face of impunity in the management of data during the hearing of the Supreme Court petition challenging the outcome of the presidential election. At the time, the IEBC flatly denied the petitioners' access to its servers despite a court order.
"Given her contribution to the IEBC's opaqueness over the registration of persons in the previous elections and violation of Supreme Court orders. I will oppose her nomination for the job," said an MP.
With the country already on campaign mode, the control of biometrics and personal data of millions of Kenyans will be a major issue ahead of the 2022 polls.
The only option for the legislators is to ventilate on her suitability during the consideration of the report of the Committee on Communication, Information and Innovation on her vetting, which is chaired by Marakwet West MP William Kisang.
President Uhuru Kenyatta nominated Ms Kassait in a message that was read out to the House on Tuesday afternoon by Speaker Justin Muturi, officially triggering the 21 days within which to consider her suitability.
The commissioner is a creation of the Data Protection Act, which was signed into law by the President on November 8 last year. It's a state office under Article 260 (q) of the Constitution with the powers to maintain a register of data controllers and regulate the processing of personal data, such as health and biometrics.
The Act gives effect to Article 31 (c) and (d) of the Constitution, which proclaims the right to privacy, meaning that every Kenyan has a right not to have information relating to their family or private affairs unnecessarily required or revealed. The law gives the commissioner powers to ensure security of the three types of data submitted by Kenyans to various processors and controllers - health, biometrics and personal details.
Rig 2022 polls
The processors and controllers whose activities will be under the commissioner include IEBC, National Registration Bureau (NRB), Hospitals, National Hospital Insurance Fund (NHIF) and the National Social Security Fund (NSSF).
Already, MPs allied to Deputy President William Ruto claim the government intends to use Huduma Namba -- which registered 37 million Kenyans last year -- to rig the 2022 polls.
If appointed, Ms Kassait will be tasked to seal loopholes in personal data breaches to curb cyber insecurity, which will include exercising oversight over data processing operations, ensuring lawful handling of personal information in accordance with the principles of lawful processing and establishing legal mechanisms to protect it.
State agencies seeking to retrieve data on individuals will be required to secure court orders as some have been accessing such information at will. However, where there is a compelling security issue, agencies may be exempted from the rigours of consent from the data subject or court. If the data is for the public interest, such as tracking terrorism suspects or individuals with tax issues, agencies will be exempted from the law. This means the Kenya Revenue Authority will be among the agencies exempted. The taxman is known to do a lot of data analytics in the pursuit of tax evaders and is often required to work closely with other agencies.
In the recent past, the telcos have connived to leak private phone conversations. Some individuals have also recorded and shared phone conversations without the consent of their subjects, and with the emergence of social media, it has become chaotic.
The new law comes after Facebook was in July last year fined US$5 billion in the US for deceiving users about their ability to keep personal information private after a year-long investigation into the Cambridge Analytica data breach. The fine was imposed by the Federal Trade Commission (FTC), the US consumer regulator that also announced a lawsuit against Cambridge Analytica.
Here, the Director of Public Prosecutions (DPP) Noordin Haji and Directorate of Criminal Investigations (DCI) boss George Kinoti suffered a setback after the High Court dismissed a suit filed against Deputy Chief Justice Philomena Mwilu after it was discovered that they had accessed her personal data without a court order.
With the absence of an enabling law, the court made its determination on the strength of Chapter Four of the Constitution -- the right to privacy.