This Privacy Notice will inform you how the team at the Government of Kenya (hereafter “we” or “us”) will process Personal Data belonging to citizens and residents of Kenya as well as foreigners and refugees (hereafter “you”) in relation to the Kenyan Digital ID Initiative (hereafter “the Digital ID.”)

This privacy notice will apply to you if you have applied for or being signed up to receive the Digital ID.

The Digital ID is a digital representation of your identity information located in Government Population Databases (which includes the Integrated Population Management System and the National Integrated Identity Management System) that allows you to have digital identification and eases digital access to Government Services.

1. What data do we process?

   The Digital ID is a Government Initiative that seeks to issue you with a digital representation of your information as collected and stored in the Government Population Databases. In order to issue you with a Digital ID certain information will be verified by us against the data in the Government Population Databases in order to verify your identity.

   Note that the information in the Digital ID will be built upon your legal identity using information already supplied by you or issued to you by the Government of Kenya. In order to acquire a Digital ID you must already have an e-citizen account, your ability to access this account will be a further step in verification of your identity before issuance of a Digital ID.

   We will not store your biographical, biometric, or Government issued Document Information but will only process it in order to verify your identity and enable you to receive government services. All such information has been collected and will continue to be stored in the Government Population Databases.

   The Digital ID will operate as a Data Exchange Layer to allow communication between yourself and the Government Population Registries when either applying for the Digital ID or accessing a Government Service through it. For instance when you input biometric data we will communicate via API with the relevant Government Population Registry to confirm your identity as the person whose data has been inputted. Once verification has been conducted (whether or not successful) we shall not store your biometric data and that particular integration will be terminated . This is the process that will be used to display all personal data associated with the Digital ID.

   In order to register for a Digital ID and to continue to access Government Services we may require you to input or provide the following information:

   1. Biographical Information:
      1. Full name; and
      2. Date of birth.
   2. Contact Information:
      1. Phone number; and
      2. Email address.
   3. A recent photograph of yourself.
   4. Biometric Data :
      1. Fingerprint scans; and
      2. Facial recognition data.
   5. Government-issued Document Information:
      1. Passport or National ID number; and
   6. Proof of Identity and Residence:
      1. Documents such as utility bills, bank statements, or government-issued certificates to verify identity and residence
      2. Signature (if applicable): and
      3. Digital or physical signature for verification purposes.
   7. Authentication Information:
      1. Username; and
      2. Password or PIN (for access and authentication purposes.)
   8. Consent and Preferences:
      1. Explicit consent to use the data for the digital ID system; and
      2. Preferences for data sharing or restrictions.
   9. Parental or Guardian Information (for minors):

      Information about parents or legal guardians when issuing Digital IDs for minors.

   10. Information around the government services you apply for

       This includes what government services you apply for through your Digital ID, the cost of services and the amount of time it takes to receive them.

   11. Information relating to access of the services
       1. Mode of accessing the services e.g. web based, application based etc;
       2. Internet protocol address;
       3. Cookies relating to your website or app usage;
       4. information about your device and browser, such as your operating system and user ;
       5. Your internet provider number (IP address);
       6. The date and time of your use of the authentication service; and
       7. Successful and unsuccessful attempts at authenticating.
   12. We may require access to some of your device’s functionalities including the ability to take photos or videos.

2. Why do we process personal data?

   Personal Data is processed in order to allow us to issue you with a Digital ID and to enable you to access government services digitally through your Digital ID. Examples of specific purposes for collection of Personal Data include:

   1. Biographical Information:

      Biographical information, including full name and date of birth, is requested in order to verify your identity while you apply for the Digital ID, ensuring that it accurately represents you and to ensure that nobody else can apply for a Digital ID on your behalf.

   2. Contact Information:

      Contact information (address, phone number, email) is collected for communication between government agencies and citizens regarding services, notifications, and updates related to the Digital ID.

   3. Photograph:

      A recent photograph is used for visual identity verification and helps ensure that the Digital ID holder matches the photo on record in government record

   4. Biometric Data:

      Biometric data, such as fingerprint scans, iris scans, or facial recognition data, enhance identity verification and reduces the risk of fraudulent use of digital IDs. These can be compared against existing government records to ensure that only you have access to your Digital ID and its associated account.

   5. Government-issued Document Information:

      Government-issued document information, like passport or national ID numbers, is used to issue the Digital ID and verify the authenticity of your identity.

   6. Signature:

      Signatures, either physical or digital, may be used for authentication and legal validation of documents and transactions related to the digital ID.

   7. Authentication Information:

      Username, password, or PIN are used for secure authentication, ensuring that only authorized individuals can access government services and online accounts related to their Digital ID.

   8. Digital Certificate:

      Digital certificates and associated keys enable secure digital signatures and transactions, enhancing the security and trustworthiness of Digital ID-related activities.

   9. Consent and Preferences:

      Consent and preferences help you exercise control over how their data is used, and preferences can be used to customize government services or communication based on individual choices.

   10. Parental or Guardian Information (for minors):

       Parental or guardian information is collected when issuing Digital IDs for minors to establish legal guardianship and ensure child welfare in the context of the Digital ID.

   11. Information around the services you access.

       This will allow us to let you access government services digitally and to improve service delivery to you

   12. Information relating to access of the services.

       This information will be used to improve the services offered to you in terms of reducing downtime, increasing accessibility to different web based devices and monitoring user experience to identify and fix any bugs. This information will also be used to identify and respond to issues that indicate authentication integrity risks as well as analyse, detect, manage and investigate fraudulent activity which may lead to criminal prosecution.

   13. Access to Device Functionality.

       We may request access to your devices functions including the ability to take photos or videos within the E-Citizen App and access to your albums. This will be required in order to allow your device share your photograph or fingerprint scans so that you can be properly identified and registered for your digital ID.

   14. Statistical Information

       We will collect statistical information on demographic trends such as age, gender, usage of mobile and internet devices to assist the government in policy making. We will anonymise your personal data before it is used to compile reports and analyse statistical data related to use of the Digital ID System and to generate statistical analysis around the Kenyan population.

3. Our Legal Basis for collecting and processing personal data

   We will process personal data from you based on the following legal justifications:

   1. Upon you granting us consent to collect the personal data.

      Note that in order to process and issue you with a Digital ID and to enable you to receive government services through the Digital ID it will be necessary for us to process your personal data. It is thus necessary for you to read through our consent form and familiarise yourself with the uses of personal data so that you can give us an informed consent to process your personal data.

   2. In order to provide you with services:

      Government services are provided to you upon your application. It is necessary for the Government Ministries, Departments and Agencies to verify your identity in order to provide you with government services, we shall therefore need to process data related to your identity in order to do this.

   3. Our performance of a task as a public authority

      We will issue you with Digital IDs and ensure that you are able to access government services digitally. As a public authority and in order to carry out this public service it is necessary to process your personal data.

   4. To pursue our legitimate interests.

      We may use your personal data ie biographic data but not biometric; in order to satisfy our legitimate interests or the legitimate interests of a third party requesting access to your personal data. In all such cases we will ensure that your rights are protected and that the purpose to which the data is being put is reasonable and closely related to the purposes for which you supplied it, an example of this may be visa processing by a foreign government.

   5. For the purposes of historical or statistical research.

      We may use your personal data in order to conduct research or carry out analysis relating to the population of the Republic of Kenya.

4. What are your rights as a Data Subject?

   The following are your rights as a Data Subject submitting data to the us:

   1. To access information about the use to which their personal data is to be put, this is contained in this notice;
   2. To access all your personal data in our custody this can be accessed through your profile on your Digital ID. Note however that we shall not collect data from you but only act as a Data Exchange Layer enabling data verification or data requests between you and the Government Population Databases in charge of your data or providing you with a service.
   3. To object to the processing of all or part of your personal data, note that we may be unable to provide you certain services related to your Digital ID if you object to processing of personal data;
   4. To correction of false or misleading data, note that as this data pertains to official government records if the change you are requesting contains information contrary to what the government officially holds you may be required to follow other legal procedures to ensure its change.
   5. To the deletion of false or misleading data about you; and
   6. To the access of this Policy.

   In order to object or correct false or misleading data kindly send an email to [email protected] or call +254207903260 in order to make your request known. Any request made to us will be responded to within fourteen days and you will be informed whether the request can be effected and what additional information may be required.

5. Who may receive your data

   1. We may share your data with relevant government departments in order to enable them provide the service to you and in order to update official government records about you.
   2. We may share your personal data if compelled to do so by the precepts of any law, court order, or other legal obligation to the Government of Kenya.
   3. We may share your information with third party service providers but only to the extent necessary for them to provide a necessary service to us and after making sure we have the necessary contractual safeguards to ensure that your data will be protected in the same manner that we would protect it.
   4. Under no circumstances will we sell or rent your data to third parties for any purpose whatsoever.
   5. No information that you provide to us will be used to market any product or service to you.

6. Data Retention

   1. We will not retain your personal data. All personal data displayed through use of the Digital ID is only accessed through API from the Government Population Database when requested by you. Once you log off of the E-Citizen Application the integration is severed. This integration is only reestablished once you log onto the App again.

7. Data Protection

   1. We have set up internal systems and processes to ensure that your data is protected. Our cybersecurity protocol is constantly tested and updated to keep up with the latest developments in the field and to ensure that all potential threats are addressed before becoming a reality.
   2. Varying levels of encryption are applied to your data and access control is given in a manner that only allows people who need your data for official purposes such as providing a service access to it.
   3. We will regularly run penetration tests on our systems and update them in line with the latest technology and emerging threats to ensure that your personal data is secure.

8. Customer Care

   1. In order to receive any assistance in regards to the exercise of your rights as a data subject you can reach out to our data protection office on [email protected] call us on +254207903260
   2. You can lodge a complaint about the processing of your personal data through the contact information above. Upon receipt of a complaint we shall contact you within seven (7) days in order to assist you resolve the complaint.

9. Changes to the Policy

   The Policy may be updated from time to time in line with changes in law and best practices on data protection around the world. In the event that this happens the date on which the policy is updated will also change to enable you confirm when changes are made.