Voter register is at risk without a data protection Act

What you need to know:

  • The  voter register is now online and voters can drill down to the list of voters by county, constituency or ward level. 
  • Imagine if your private data, including fingerprints, were floating around somewhere and everywhere.

  • These organisations hold sensitive information about citizens and have, for far too long, enjoyed the absence of a data management framework

After intense pressure from the opposition and courts, the Independent Electoral and Boundaries Commission (IEBC) has finally published the detailed voter register online as demanded by the 2016 Elections Laws (Amendment) Act, Section 6A, which states in subsection 3 as follows:

The Commission shall, upon expiry of the period for verification specified under subsection (1) publish —

(a) a notice in the Gazette to the effect that the revision under subsection (2) has been completed; and

(b) the Register of Voters online and in such other manner as may be prescribed by regulations.

The voter register is now online and voters can drill down to the list of voters by county, constituency or ward level. Of course the list is anonymised to hide the personal details of the voters such as their national ID or telephone numbers.

This is a good practice that protects the privacy of citizens as demanded by article 31 the Constitution of Kenya, which reads as follows:

31. Every person has the right to privacy, which includes the right not to have—

(a) their person, home or property searched;

(b) their possessions seized;

(c) information relating to their family or private affairs unnecessarily required or revealed; or

(d) the privacy of their communications infringed. 

The challenge, however, is that anonymised voter details do not allow for a detailed audit of the register in terms of identifying and filtering duplicate national identify cards and dead voters, among other useful insights that a published voter register was meant to achieve.

So how can we achieve or balance out the conflicting requirements of protecting citizen data while simultaneously providing sufficient transparency in the register to weed out fraudulent entries?

SCARY STUFF

The IEBC allows interested stakeholders to pay for, and receive, the non-anonymised voter register. People who do so may be in a position to carry out a detailed analysis of the register from within the confines of their organisations.

How can we ensure these stakeholders do not betray the trust and responsibility they have in terms of ensuring that the confidentiality of the voter records in their possession is preserved and protected?

At the moment there is no framework to hold such stakeholders to account, which is why copies of private voter information such as IDs is finding its way to the blogosphere.

Imagine if your private data, including fingerprints, were floating around somewhere and everywhere, with no institutional mechanism of knowing who has access to them, what they are doing with them, how they are being stored or for how long.

This can be scary stuff indeed, particularly when you think about modern criminals with the capacity to plant your digital footprint at the scene of their crime.

DATA CONTROLLERS

To protect us against such possibilities, the constitutional privacy provisions of Article 31, Parliament was supposed to legislate and pass a Data Protection Act, as has been done in Ghana and many other progressive nations.

In brief, the Data Protection Act would define the framework that those handling citizen data are expected to adhere to.

This would include basic data protection and security standards for acquiring, storing and transmitting of personally identifiable information. 

Further, the Act would provide institutional provisions for tracking and enforcing compliance, through penalties and other regulatory instruments.

This Act would also apply to any other organisation handling citizen data. These would include, but not be limited to, supermarkets, hospitals, banks, universities, online taxi services, mobile network operators and even that security guard who makes you register on the visitor’s book at major buildings and offices.

Collectively known as data controllers, these organisations hold sensitive information about citizens and have, for far too long, enjoyed the absence of a data management framework that guides how they should secure and treat our confidential data.

They can chose to monetise, abuse, leak or otherwise do whatever they want with our data since, as we say in Kenya, mta du? What, indeed, will you do?

Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @jwalu