Chiefs are asking Kenyans to register to vote – and violating their privacy

As election fever heats up across the country, various stakeholders are coming to terms with data protection laws, or more precisely the complete lack of them.

Earlier on, the Communications Authority of Kenya (CA) sounded a warning that it has invested heavily in surveillance equipment and systems to ensure that Kenyans do not incite violence on social media.

How will they do this? That they are actually doing it in the absence of a data protection law that would have balanced national security concerns against citizen privacy rights leaves a lot to be desired.

More recently, however, reports that chiefs at the local level have been instructed and mobilised to ensure that every eligible voter within their zones is registered bring privacy concerns closer to home.

One way the chiefs could find out who is and who is not registered within their zone is to visit every homestead and ask the appropriate question. However, this is time-consuming and, with limited registration timelines, may not be very effective.

An easier, and more effective, way is to correlate some relevant databases and tease out the answer as to who is and is not registered as a voter. The most relevant databases would be the IEBC database, the registration of persons database and a mobile operator’s subscriber database.

The IEBC database already has a summary of the potential number of unregistered voters per county, while the registration of persons database can be filtered by National ID Number for each county to make an educated guess of who these unregistered people are.

The last step is simply to run this list of suspected unregistered voters against a mobile phone dataset to tease out their individual mobile phone numbers.

NICE, EASY AND EFFICIENT

Sounds nice, easy and efficient. Three simple steps, and you avoid having to walk to each homestead, searching for unregistered voters. You simply sit in your office and make targeted calls to mobilise your strongholds.

However, the problem is that you have to breach several data protection principles to pull this off.  

According to the European Union data protection directive, data collectors or custodians, both in the public and private sector, should observe the following seven principles with regard to the collected citizen data:

  1. Notice—data subjects should be given notice when their data is being collected;

  2. Purpose—data should only be used for the purpose stated and not for any other purposes;

  3. Consent—data should not be disclosed without the data subject’s consent;

  4. Security—collected data should be kept secure from any potential abuses;

  5. Disclosure—data subjects should be informed as to who is collecting their data;

  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and

  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

Clearly, principles two, three, five and possibly seven would have to be violated if this digital approach to filtering out unregistered voters were adopted. Principle number two expects that the data collector uses citizen data only for the originally stated purpose; that means mobile subscriber data should only be used within the restricted domain of mobile services.

PUNITIVE ACTION

Similarly, the Registrar of Persons is not expected to share or use citizen data outside its originally intended purpose – which has nothing to do with voter registration.

Principles three and five provide that this data may, however, be used for other new purposes, on condition that the citizen’s approval has been sought, explained and granted.

Finally, in the event of data breaches, citizens should have a formal and published mechanism for reporting and expecting corrective as well as punitive action on an offending data collector.

All these principles are codified under data protection law, which, for some reason, continues not to be a priority in Kenya. As we head into the official election campaign period, we should expect more of these breaches and less progress towards a Data Protection Act.

Nevertheless, knowledge is power.  Now you know.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Twitter: @jwalu