Elections and Data Protection

Kenya’s electoral process is increasingly dependent on data. The process of voter registration, voter verification, voting and transmission of results, all involve the collection of some personal data of the Kenyan electorate.

?The recent audit of the Voters’ Register by KPMG shows that there are currently 22,642,233 registered voters in Kenya. This makes the IEBC one of the bodies that handles big data, most of which is sensitive personal data. This places a weighty obligation on IEBC to ensure that it has proper policy framework and security measures to maintain the integrity and security of the data it holds.

Voter registration is data intensive. For one to be registered as a voter, they provide their name, identification number, residential, postal and email addresses and their biometric data.

The IEBC needs safeguards to ensure that the data it collects is safe, inaccessible by unauthorised parties and to ensure its use for the intended purpose; that is: voter identification and verification.

Recently the High Court affirmed the need to safeguard voters’ data in the case of Free Kenya Initiative & Others -vs- Independent Electoral and Boundaries Commission & Others (Consolidated with Petition No. E219 of 2022, Petition No. E225 of 2022 and Petition No. 12 of 2022).

In this case, the petitioners challenged the constitutionality of the Elections (General) Regulations, 2012 (amended in 2017) on the grounds that the Regulations contravene the right to privacy and the Data Protection Act, DPA, in so far as they require independent candidates to provide copies of identification documents (national ID cards/passports) of the voters to support their candidature.

While allowing the petition, the court addressed two fundamental principles of data protection applicable to the electoral process.

Firstly, the court held that it is at the registration stage of a voter where a person's biometric data is collected. Once a person is registered as a voter, the IEBC retains the personal details of the voter including the details of the national ID or passport used in registration. The person’s name is also entered in the Register of Voters.

The court held that these details are held by the IEBC and it was not necessary for it to request copies of identification documents of from independent candidates. The IEBC could verify the details submitted by the candidates independently to accord with the principle of data minimisation.

Secondly, the court held that if the independent candidates were to collect sensitive data, they had no way of assuring its security.

It may be necessary, in future, for the IEBC to conduct a data protection impact assessment to ensure compliance with provisions of the DPA.

Although the DPA only provides that the principles of data protection are applicable to processing of personal data of voters, there is need for a balancing act between rights of the voters to data protection and responsibility of the IEBC to ensure it safeguards the integrity of the data and minimizes the risk of tampering and breach.

It may be necessary to harmonise the DPA and the electoral laws to provide clarity on the storage and handling of voter sensitive data held by IEBC. If there are systems and processes in place for this, a response to allegations of manipulation of data and interference can be militated against.

As we have an active Data Commissioner, we expected that subsequent will have guidance on the application of DPA in elections.

In case of any queries on elections or data protection, please reach out to Emmanuel Otieno Ouma at [email protected]