More by this Author

Various media reports show that the government intends to collect sensitive personal data from its citizens. Kenyans will be required to surrender their biometric and location data in order to acquire their national IDs. This has caused panic and anxiety on social media, but should we be worried?

To start with, we must be aware that social media sites like Facebook, Google and Instagram as well as established companies like Microsoft and Apple have collected more data on us than any government would ever collect. And yet we never complained. Your local mobile provider also knows your daily routine to the minute. Where you live, what time you leave for work as well as the club you pass by every other day before getting back home. Using your mobile money records, they can tell where you shop, eat or play your golf or soccer. They also of course know whom you called last evening and how long you stayed on that call.

Essentially, your digital footprint is already all over cyberspace and yet you have never bothered to complain. But the moment you hear the government wants to get an extra piece of your data, you suddenly get worried.



Perhaps the reason for the double standard is that most private-sector data controllers – as they are called – have very strict data privacy policies that provide a certain level of assurance that personal data would not be abused.

And in cases where those policies have been abused, as in the recent Facebook-Cambridge Analytica fiasco, the CEOs can be summoned by authorities and made to account for their actions or omissions.

Who would call the government to account in case of data breaches for the sensitive personal data it collects?

If someone hacked the government databases and extracted the exact location of some senior politician’s residence and subsequently used that information to lay an assassination trap, who would be held responsible for the unfortunate outcome?

The breached location data doesn’t even have to be used for political assassination, it could be used to settle domestic scores, like getting rid of that mistress who seems to be taking up too much of your husband’s time.

It could also be used to settle business scores. Sorting out that business rival who always seems to get ahead of you in a highly competitive market segment, forcing you to hire some thugs to slow him down – physically speaking.



Leaked biometrics, such as fingerprint data, could even get innocent citizens in trouble when such data is planted at the scene of a crime. Sophisticated criminals could commit serious crimes and replace their fingerprints with those of some unsuspecting citizen.

These are all valid examples of possible abuse of data collected for one purpose and subsequently being used for another.

Kenyans have therefore every reason to be worried, when the government collects personal sensitive data without an adequate legal and regulatory framework to secure it.

The government as a data controller would have ZERO incentive to invest in securing citizen data, if there are no protective laws in place obligating them to do so and prescribing compensation for citizens whose personal data may be subsequently compromised.

Put differently, whereas governments have every right to collect any data from citizens, they should only do so under established laws that clearly balance out citizen privacy rights against government propensity for abuse. We have repeatedly argued here for a data protection law. But the recent development can only reinforce the point that we are more than late in enacting a data protection law.


Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT. Email:, Twitter: @Jwalu