January 2018

Table of contents
 Introduction
 Right to Privacy
 Communication Surveillance
 Data Protection
 Identification Schemes
 Policies and Sectoral Initiatives
Introduction

Acknowledgement

Key Privacy Facts

1. Constitutional privacy protections: Article 31 of the Kenyan Constitution specifically protects

the right to privacy.

2. Data protection law: Kenya does not currently have specific data protection legislation.
However, a Data Protection bill was tabled in Parliament in 2015.

3. Data protection agency: Kenya does not have a specific data protection authority.

4. Recent scandals: Kenyan and international civil society groups report high levels of
extrajudicial surveillance.

5. ID regime: The Integrated Population Registration System (IPRS) collects data from a dozen
databases held by various government agencies.

Right to Privacy

The constitution
Article 31 of the Constitution specifically protects the right to privacy. It states:

"Every person has the right to privacy, which includes the right not to have—

(a) their person, home or property searched;

(b) their possessions seized;
(c) information relating to their family or private affairs unnecessarily required or revealed; or
(d) the privacy of their communications infringed."
 Furthermore, Article 2 states that Kenya's international obligations, such as its commitment to
the Universal Declaration of Human Rights and International Covenant on Civil and
Political Rights, which include privacy rights, are part of Kenyan domestic law. It states:

"(5) The general rules of international law shall form part of the law of Kenya.

(6) Any treaty or convention ratified by Kenya shall form part of the law of Kenya under this
Constitution."

Regional and international conventions

Kenya is a signatory to or has ratified a number of international conventions with privacy
implications, including:

 the Universal Declaration of Human Rights (UDHR) (signed); and

 the International Covenant on Civil and Political Rights (ICCPR) (ratified).
Communication Surveillance

Introduction
The Communications Authority of Kenya (CA) regulates the telecommunications industry and
collects statistics on the sector. Mobile penetration was recorded at 86.2 % in March 2017, with
39.1 million mobile subscriptions. There were an estimated 40.59 million internet users in Kenya
in March 2017, representing an internet penetration rate of 89.4% according to the CA.

Social media is widely used in Kenya. Kenya is reported to have over 5 million active daily
Facebook users, and 693,000 confirmed active users on Twitter, according to a study by Ogilvy,
an advertising and public relations firm.

Surveillance laws
The Kenya Information and Communications Act (2009), penalises the unlawful interception
of communications by service providers. Article 31 states:

"A licensed telecommunication operator who otherwise than in the course of his business—

(a) intercepts a message sent through a licensed telecommunication system; or

(b) discloses to any person the contents of a message intercepted under paragraph ; or

(c) discloses to any person the contents of any statement or account specifying the
telecommunication services provided by means of that statement or account, commits an offence
and shall be liable on conviction to a fine not exceeding three hundred thousand shillings or, to
imprisonment for a term not exceeding three years, or to both."
Article 83 states:

"(1) Subject to subsection (3), any person who by any means knowingly:—

(a) secures access to any computer system for the purpose of obtaining, directly or indirectly, any
computer service;

(b) intercepts or causes to be intercepted, directly or indirectly, any function of, or any data
within a computer system, shall commit an offence."

Article 93 (1) states:

"No information with respect to any particular business which—

(a) has been obtained under or by virtue of the provisions of this Act; and

(b) relates to the private affairs of any individual or to any particular business,

shall, during the lifetime of that individual or so long as that business continues to be carried on
be disclosed by the Commission or by any other person without the consent of that individual or
the person for the time being carrying on that business."

Section 15 (1) of the Kenya Information and Communications (Consumer Protection)

Regulations (2010), states that:

"Subject to the provisions of the Act or any other written law, a licensee shall not monitor,
disclose or allow any person to monitor or disclose, the content of any information of any
subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds
of interception or surveillance of communications and related data."

However, several recent legal developments have eroded protections against surveillance and
expanded the intelligence and law enforcement agencies' interception powers.

These include the National Intelligence Service (NIS) Act (2012), article 36 of which reads:

"(1) The right to privacy set out in Article 31 of the Constitution, may be limited in respect of a
person suspected to have committed an offence to the extent that subject to section 42, the
privacy of a person's communications may be investigated, monitored or otherwise interfered
with.

(2) The Service shall, prior to taking any action under this section, obtain a warrant under Part
V."
Article 45 states:

"....an officer of the Service the power to obtain any information, material, record, document or
thing and for that purpose — (a) to enter any place, or obtain access to anything; (b) to search for
or remove or return, examine, take extracts from, make copies of or record in any other manner
the information, material, record, document or thing; (c) to monitor communication; or (d)
install, maintain or remove anything."

The Prevention of Terrorism Act (2012) grants extensive powers to state authorities to limit
fundamental freedoms and encroach on the right to privacy through surveillance. Article 35
states:

"(1) Subject to Article 24 of the Constitution, the rights and fundamental freedoms of a person or
entity to whom this Act applies may be limited for the purposes, in the manner and to the extent
set out in this section.

(2) limitation of a right or fundamental freedom under subsection (1) shall apply only for the
purposes of ensuring —

(a) the investigations of a terrorist act;

(b) the detection and prevention of a terrorist act; or

(c) 'that the enjoyment of the rights and fundamental freedoms by an individual does not
prejudice the rights and fundamental freedom of others.

(3)The limitation of a fundamental right and freedom under this section shall relate to

(a) the right to privacy to the extent of allowing ...

(iii) the privacy of a person's communication to be investigated, intercepted or otherwise

interfered with."

The Security Laws (Amendment) Act (2014) states in article 69, which is an amendment of the
Prevention of Terrorism Act, that:

"(1) The National Security Organs may intercept communication for the purposes of detecting,
deterring and disrupting terrorism in accordance with procedures to be prescribed by the Cabinet
Secretary.

(2) The Cabinet Secretary shall make regulations to give effect to subsection (1), and such
regulations shall only take effect upon approval by the National Assembly.
(3) The right to privacy under Article 31 of the Constitution shall be limited under this section
for the purpose of intercepting communication directly relevant in the detecting, deterring and
disrupting terrorism."

These acts have been presented as a positive tool for tackling threats to national security in light
of the 2013 terrorist attack on the Westgate shopping mall, and attacks by Al Shabaab in
Mandera in 2014 and Garissa in 2015.

Data retention

The Kenya Information and Communications Act (2009) regulates the retention of electronic
records and of "information in original form". Section 83 states:

"Where any law provides that documents, records or information shall be retained for any
specific period, then that requirement shall be deemed to have been satisfied where such
documents, records or information are retained in electronic form if:

(a) the information contained therein remains accessible so as to be usable for subsequent
reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or
received or in a format which can be demonstrated to represent accurately the information
originally generated, sent or received; and

(c) the details which will facilitate the identification of the original destination, date and time of
dispatch or receipt of such electronic record are available in the electronic record..."

Surveillance actors
The principal intelligence agency of Kenya is currently the National Intelligence Agency (NIS).
The NIS was established by the 2012 National Intelligence Service (NIS) Act; it is both the
domestic and foreign intelligence agency of Kenya. Its precursor, the National Security
Intelligence Service (NSIS), was created in 1998 as a successor of the Special Branch, which
dated to the late colonial period. Until 1999, the NSIS had been joined to the police.

The NIS has a wide-ranging mandate. Its primary function is to gather, collect, analyse and
transmit or share with the relevant state agencies any security intelligence and counter
intelligence with an aim of detecting and identifying threats or potential threats to national
security. It also advises the President and government of these threats, and transmits
intelligence information to other agencies.
A National Security Council oversees intelligence operations in Kenya. The council is
comprised of the President, Cabinet Secretaries including the Secretaries responsible for defence,
foreign affairs, and internal security; the Attorney-General; the Chief of Kenya Defence Forces;
the Director-General of the National Intelligence Service; and the Inspector-General of the
National Police Service.

The Kenyan Police Service also has surveillance powers, established in the National Police
Service Act (2011) and the National Police Service Commission Act 2011. The current
Kenyan police force reports to the Inspector General of Police and is a department of Ministry
of Interior and Coordination of National Government. The Directorate of Criminal
Investigations of the Police Force was created in the 1920s. It has authority to "collect and
provide criminal intelligence; undertake investigations on serious crimes including ...cyber
crime".

Surveillance capabilities
Direct access

A March 2017 investigation by Privacy International revealed that the NIS has direct access to
Kenya's telecommunications networks, which allows for the interception of both
communications data and content. Direct access describes situations where state agencies have a
direct connection to telecommunications networks which allows them to obtain digital
communications content and data (mobile and/or internet) without prior notice or judicial
authorisation and without the involvement of the telecommunications provider or internet service
provider that owns or runs the network.

Internet and social media monitoring

In March 2012, the telecommunications industry regulator, the then-Communications

Commission of Kenya (CCK, the precursor to the Communications Authority), announced that
it was setting up a system to allow the authorities to monitor incoming and outgoing digital
communications. The CCK requested that all telecommunication service providers cooperate in
the installation of internet traffic monitoring equipment; known as the Network Early Warning
System (NEWS). The CCK cited a rise in cyber security threats as a justification for this move.
NEWS is an initiative of the UN's International Telecommunication Union (ITU) to aggregate
data on cybersecurity threats and disseminate it worldwide.

In January 2017, the Communications Authority (CA) announced a further three measures
costing an estimated 2 billion KSh (15.2 million GBP) to monitor Kenyans' communications and
communications devices. Among these was a "device management system" to detect
fraudulent devices and a social media monitoring project. According to an investigation
published in March 2017 by Privacy International, in late 2016, the CA finalized a
contract with Israeli 'web intelligence' firm webintPro, according to CA sources.

Packet inspection

In January 2013, The Citizen Lab of the University of Toronto published a research brief in
which it reported that researchers had discovered Blue Coat PacketShaper installations in
countries including Kenya. Technologies from US-based Blue Coat allow for the the surveillance
and monitoring of interactions on applications including Facebook, Gmail, Skype and Twitter,
among others. It is unclear whether Blue Coat PacketShaper installations were in place in Kenya.

Technical research published in March 2017 by the Centre for Intellectual Property and
Information Technology Law (CIPIT) at Kenya's Strathmore University indicated the presence
of a middle-box on Safaricom's cellular network. According to CIPIT, middle-boxes assume
dual-use character in that they can be used for legitimate functions (e.g., network optimisation)
and can simultaneously be used for traffic manipulation, surveillance and aiding censorship.

Mobile interception devices

Units of the NIS, the Directorate of Military Intelligence and Police Directorate of Criminal
Investigations all have (or had) mobile devices used to track targets, collect communications data
and listen into live communications for operational purposes, according to a March 2017
investigation by Privacy International.

Surveillance oversight, checks and balances

The telecommunications industry is regulated by the Communications Authority(CA),
formerly known as the Communications Commission of Kenya (CCK). The CA was established
in 1999 and is responsible for facilitating the development of the ICT sector including
broadcasting, multimedia, telecommunications, electronic commerce, postal and courier services.

Surveillance case law

Privacy International is not aware of any court cases challenging or touching upon
communications surveillance powers in Kenya. Please send any tips or information
to: research@privacyinternational.org

Examples of surveillance
According to the few civil society groups in Kenya who work on the issues, it is difficult to work
on privacy and surveillance in the country as the issue is not widely deemed important. This is in
part because an increased number of security threats has enabled a strong national security
discourse to overshadow concerns about individuals' privacy. Privacy is often considered
subsumed to other human rights issues.

There are nevertheless serious concerns over disproportionate and unlawful surveillance in
Kenya. In 2012, Peace Brigades International stated in relation to human rights defenders
(HRDs) in Kenya that "incidences of surveillance by state and non-state actors have been
reported. Offices have been raided or burgled and computers hacked, and several organisations
suspected that their phones were being tapped." In October 2013, Human Rights Watch warned
of the rising attacks on HRDs. Regular reports by the East and Horn of Africa Human
Rights Defenders Project (EHAHRDP) and Front Line Defenders of HRDs and journalists
being intimidated, attacked, arrested, tortured, killed, and kidnapped in Kenya demonstrate the
significance of the issue.

During and in the aftermath of the March 2013 elections, the Kenyan government requested
that mobile phone providers block text messages that were deemed to incite violence using a
firewall that would detect messages containing key words, identified beforehand, to be further
analysed. The National Steering Committee on Media Monitoring of the Ministry of ICT
reportedly intercepted 300,000 texts messages daily during the 2013 elections.

In July 2015, it was revealed that agents of the Kenyan intelligence services had
contacted intrusion malware company Hacking Team to ask them to shut down a critical blog
as a 'proof of concept' for their surveillance tools. The Kenyan government appeared to be
attempting to procure the Remote Control System tool that allows for remote hacking and control
of target devices.

The combination of these trends raises serious concerns about the government's potential use of
surveillance tools to further repress civil society and human rights defenders, especially in the
context of the 'war on terror,' which the government has used as a legitimizing narrative to justify
serious human rights violations.

Surveillance in counterterrorism operations

According to a March 2017 investigation by Privacy International, communications

surveillance is being carried out by Kenyan state actors, essentially without oversight, outside of
the procedures required by Kenyan law. Intelligence gained by intercepting phone
communications, primarily by the NIS, is regularly shared with police units to carry out counter-
terrorism operations, particularly the GSU-Recce company and Anti-Terrorism Police Unit
(ATPU). These police units have well-documented records of abuses,
including torture and extrajudicial killings. Information acquired from communications
surveillance is central to the counterterrorism cycle - from surveilling, profiling, locating,
tracking and arresting targets to abuse, torture, abduction and extrajudicial killing.

US government surveillance

In May 2014, The Intercept reported that a programme of the US National Security Agency
(NSA) called MYSTIC secretly monitored the telecommunications systems of several countries
including Kenya, where the system was known as DUSKPALLET. The programme was
described in internal documents as a "program for embedded collection systems overtly installed
on target networks, predominantly for the collection and processing of wireless/mobile
communications networks." Evidence provided to The Intercept shows that the programme dates
back to 2013, and that data gathered through it has been used to generate intelligence reports.
The Intercept states that "the operation in Kenya is 'sponsored' by the CIA, according to the
documents, and collects 'GSM metadata with the potential for content at a later date'." In
some of the other countries where MYSTIC is implemented (The Bahamas, Mexico and the
Philippines), MYSTIC required "contracted services for its 'operational sustainment'"; this is not
the case for Kenya however. It is unclear what - if any - role the government of Kenya, as well as
telecommunication and communication providers, played in the deployment of MYSTIC.

Data Protection

Data protection laws

Kenya does not currently have specific data protection legislation. However, a Data Protection
Bill was tabled in Parliament in 2015. The Bill has not yet passed. Once law, the Bill would
give effect to Article 31(c) of the Constitution, which outlines the right of every person not to
have "information relating to their family or private affairs unnecessarily required or revealed"
and Article 31(d), the right not to have "the privacy of their communications infringed". It would
also regulate the collection, retrieval, processing, storing, use and disclosure of personal data.
Yet the proposed legislation does not explicitly address the protection of data stored in the
"cloud" (synchronised storage centres for digital data). Many cloud repository servers are based
outside Kenya, which further troubles the proposed legislation.

In 2016, a draft Cyber Security and Protection Bill originating in the Senate was tabled and
read. It was withdrawn in December.

Law enforcement access to stored data

Under section 31 of the Kenya Information and Communication Act (2010), a

telecommunications provider is liable for prosecution if it "otherwise than in the course of [its]
business -- (a) intercepts a message sent through a licensed telecommunication system; or (b)
discloses to any person the contents of a message intercepted under paragraph (a); or (c)
discloses to any person the contents of any statement or account specifying the
telecommunication services provided by means of that statement or account".

In this vein, Section 15(1) of the Kenya Information and Communications (Consumer
Protection) Regulations (2010), states that a licensee "shall not monitor, disclose or allow any
person to monitor or disclose, the content of any information of any subscriber transmitted
through the licensed systems by listening, tapping, storage, or other kinds of interception or
surveillance of communications and related data".

On 7 February 2014, the Kenya Information and Communications (Registration of

Subscribers of Telecommunication Services) Regulations (2014) were published. Section 13
states:

"A licensee shall grant the Commission's officers access to its systems, premises, facilities, files,
records and other data to enable the Commission inspect such systems, premises, facilities, files,
records and other data for compliance with the Act and these Regulations."

The CCK/Communications Authority has argued that their request to access personal
information is in line with Article 35 of the Constitution that permits citizens the right to access
information held by the State or by another person and is required for the exercise and protection
of any rights or fundamental freedom. However, the Kenya High Court ruled that a company or
agency is not a "natural person" and so could not enjoy the rights upheld by Article 35.

The Law Enforcement Disclosure annex of Vodafone's transparency report,published in June

2014 noted that "local operators are legally prohibited… from implementing the technical
requirements necessary to enable lawful interception" and that it had "not received any agency or
authority demands for lawful interception assistance" in Kenya. Vodafone also noted that "the
legal position is unclear regarding whether or not it would be lawful for Safaricom (Vodafone's
local associate operator) or Vodafone to disclose statistics related to agency and authority
communications data demands".

Accountability mechanisms
Privacy International is not aware of any specific accountability mechanisms related to
communications surveillance in Kenya. Please send any tips or information
to: research@privacyinternational.org

Data breaches: case law

In December 2016, the High Court in Nairobi declared unconstitutional a presidential
directive seeking to collect names of people living with HIV, including names of school age
children, among others. Along with other organisations, the Kenya Legal & Ethical Issues
Network (KELIN) had filed a case against a directive, arguing that the creation of this list was
in violation with Article 31 and 53(2) of the Constitution, respectively, the right to privacy and
the position that the "child's best interests are of paramount importance in every matter
concerning the child."

Examples of data breaches

In December 2014, the Kenyan government arrested and expelled 77 Chinese citizens on
suspicion of "preparing to raid the country's communication systems", according to the
Police. Kenyan media reported that police raids had uncovered equipment capable of
infiltrating bank accounts and government servers, as well as a popular banking system and
ATM machines.

Reports from April 2016 indicate that hacker collective Anonymous breached the Kenyan
Ministry of Foreign Affairs' servers and published 1 terabyte of files online. The Ministry
later confirmed the hack as genuine and the result of junior staff members unknowingly giving
access to the hackers by changing their passwords.

Identification Schemes

ID cards and databases

Population registration

In December 2012, a Ukrainian company, EDAPS, completed the creation of an Integrated

Population Registration System (IPRS) for the Kenyan government. The IPRS collects data
from a dozen databases held by various government agencies. It combines data from birth and
death registers, the citizenship register, ID card register, aliens register, passport register and the
marriage and divorce register as well as the elections register, tax register, drivers register,
National Social Security Fund (NSSF) register, National Hospital Insurance Fund (NHIF)
register and the Kenya National Bureau of Statistics (KNBS) register. Kenya has yet to adopt
data protection legislation and the collection, centralisation and sharing of this type of data.

Biometric registration

In April 2014, the Kenyan government announced that it would be registering all Kenyans in a
new national digital database that would include biometric details as well as information on land
ownership, establishments and assets. The aim of the programme is to facilitate the identification
of people holding forged or false identification documents. Under the Umoja Kenya Initiative,
the government would collect all data pertaining to an individual including name, age, identities
of relatives, property owned and residence.

In September 2015, it was announced that Pakistan's government database and registration
authority, the National Database and Registration Authority (Nadra), had won a contract to
provide e-passport software for Kenya. NADRA's databases in Pakistan are among the world's
biggest population registers.

Voter registration
The right to vote is guaranteed to all Kenyan citizens over the age of 18. The Independent
Electoral and Boundaries Commission requires registrants to provideeither a national Identity
Card (ID) or a valid passport as a proof of identity.

The government conducted an exercise to biometrically verify voters for the August 2017
presidential elections. In March 2017, the government announced that it had awarded a 3.8
billion KSh contract for an elections management system to the French multinational defense
and security company OT-Morpho. In September, the Supreme Court of Kenya annulled the
August 2017 results, which saw President Uhuru Kenyatta reelected, over irregularities in the
electronic transmission of the results from polling stations across the country. Kenyatta was re-
elected in a fresh round of elections held on 26 October 2017.

In other election-related news, President Kenyatta's Jubilee party reportedly hiredUK big data
consulting firm, Cambridge Analytica, to assist in President Kenyatta's re-election campaign.

SIM card registration

Identification and registration of subscribers

In 2010, the Communications Commission of Kenya (CCK) (renamed the Communications

Authority in 2014) announced that mobile phone subscribers would be required to register their
details with operators or risk having their SIM cards deactivated. Subscribers have been obliged
to provide the following personal information in order to register their SIM cards: full names,
physical and postal addresses, dates of birth, and alternate contacts. When a minor is
registered, the child's guardian must produce an identification card.

The Kenya Information and Communications (Amendment) Act (2013) integrated some
requirements already included in the Kenya Information and Communications (Registration
of Subscribers of Telecommunication Services) Regulations (2012).

In January 2017, the Communications Authority announced three projects — one each to
monitor radio frequencies, monitor social media platforms, and 'manage devices' — to prevent a
 repeat of the post-election violence of the 2007 election period. The telecommunications
industry reacted strongly against the measures. CA authorities rushed to assure Kenyans that
the projects would only be used to enforce regulatory compliance. Details of the Device
Management System leaked to the press in March 2017, prompting a successful High Court
challenge to the system which suspended its progress until May.

Policies and Sectoral Initiatives

Cybersecurity policy
Kenya's cybersecurity initiatives rely heavily on foreign government assistance. The National
Cybersecurity Strategy, also referred to as the National Cybersecurity Strategy and Master Plan,
was first developed for the Ministry of Information and Communication (MOIC) over four
months from July 2012 with a grant from the US Trade and Development Agency for Technical
Assistance. Booz Allen Hamilton, a prominent American management firm with significant
national security contracts, was contracted to help develop the plan. The resulting National
Cybersecurity Strategy was unveiled in May 2014. The four goals of the strategy are to:

 Enhance the nation's cybersecurity to facilitate the country's growth, safety, and prosperity;
 Raise cybersecurity awareness and develop Kenya's workforce to address cybersecurity needs;
 Foster information sharing and collaboration among stakeholders to facilitate an information
sharing environment; and
 Provide national leadership by defining the national cybersecurity vision, goals, and objectives
and coordinating cybersecurity initiatives at the national level.
The National Computer Incident Response Team (KE-CIRT) was created in consultation
with International Telecommunications Union. The CIRT is responsible for the implementation
of the national Cybersecurity Strategy, among other tasks. It derives its mandate from the Kenya
Information and Communications Act 1998. It has been operational since 2012.

According to a 2017 Privacy International investigation, the Communications Authority

shepherded the creation of a National Intrusion Detection System (NIDS) — since renamed the
National Intrusion Detection and Prevention System (NIPDS). According to its draft project
proposal, the new NIDS would "provide a cyber-early warning on any possible attacks on critical
Government Internet infrastructure." Particularly problematic, however, is the potential scale of
monitoring that can be conducted, as well as the lack of transparency about what exactly will be
visible and to whom.

Cybercrime
Kenya does not yet have a law dealing specifically with cybercrime, though public officials
claim that rates of cybercrime are on the rise.
An early 2014 draft Cybercrime and Computer Related Crimes Bill sought to equip law
enforcement agencies with the legal and forensic tools to tackle cybercrime. Free speech
advocacy group Article 19 warned that if enacted, the Bill would be devastating for freedom of
expression online in Kenya because of its broad definition of speech offences, offences against
computers and other computer-related offences.

The 2016 Computer and Cyber Crimes Bill, which replaces the 2014 draft, was approved by
the Kenyan cabinet in April 2017. The bill has been criticised for having overly broad
categories of offenses, which could potentially be used to prosecute free speech. Another draft
2016 Cybersecurity and Protection Bill was withdrawn in December 2016.

Encryption
There are no specific regulations concerning citizens' use of encrypted communication methods.

Licensing of industry
Kenya has a diverse market of telecommunications and internet service providers. In June 2017,
Safaricom dominated the market with 72.6% of mobile subscribersfollowed by Airtel, Telkom
Kenya, Finserve and others. The Kenyan government owns 35% of Safaricom shares, while
40% are owned by Vodafone and 25% are freely floated.

The top data providers in June 2017 are Safaricom (77.1%), Airtel (15.6%), and Telkom Kenya
(6.2%). Kenya also has a broadband (fixed) internet penetration rateof 15.4%, corresponding
to 34.2 million subscriptions.

Safaricom, which controls a large share of both the mobile telephony and internet market, is a
stated partner of the Kenyan police service and has recently won a number of high-value state
security contracts, including for a nationwide CCTV and emergency response monitoring
centre.

E-governance/digital agenda
A variety of government services including business, marriage and land documentation are
provided online through the eCitizen portal. The eCitizen services terms of use state that "No
personally identifiable information is automatically collected about visitors who simply browse
this site or who download information from it. eCitizen does not release any information about
the collection of IP addresses to any third party, except under court order or as required by law."

Health sector and e-health

In 2011, the government of Kenya published a national e-Health strategy. The strategy is linked
to the achievement of Vision 2030, a Kenyan government initiative whose overall goal is to have
an "equitable and affordable healthcare at the highest achievable standard" for Kenyan citizens.

Safeguarding privacy and security is one principle of the strategy, which states that the
government will aim to "[a]dhere to/put in place applicable legislation to protect consumer
confidentiality as a mandatory part of the regulatory environment governing procedural or
systems development processes to support e-Health. In addition, to providing basic system
security and protect against unlawful access or malicious damage to information, every effort
must be made to ensure that access is absolutely restricted to authorized persons in accordance
with their rights and permissions profile."

In 2017, it was announced that Kenyan company BioSIM was launching two new biometric
verification products designed to track pupil enrolment and attendance in schools (BioSIM for
Education) and make healthcare service delivery more efficient (BioSIM for Health). The
technology involves collecting clients' iris scans and using these to verify identity for access to
services. BioSIM for Education has been reportedly taken up by a number of schools across
Kenya.

Smart policing
In May 2014, the government announced that the partially state-owned Kenyan communications
provider Safaricom had been awarded a government tender to set up a new surveillance system,
known as the Integrated Public Safety Communication and Surveillance System, for the Kenyan
Police.

When the surveillance system was made public, it was announced that the system would cost
KES 12.3 billion (approximately US$ 140 million). There are two elements to the project. First,
the system would link all security agencies in order to facilitate information sharing and public
safety activities. Secondly, it would establish a surveillance camera system consisting of 1,800
CCTV cameras nationwide. These would be installed in Nairobi, the capital, and the coastal city
of Mombasa and connected to 195 police stations through a secure 4G network. The system
would have facial and movement recognition capacities in real time. The main organising hub
for the system would be a monitoring centre in Nairobi where data collected would be retained
and analysed. The system is now functional in Nairobi and Mombasa.

In June 2014, the Kenyan National Assembly's Committee on National Security had decided to
suspend the contracting process for the new system on the basis that the procurement process had
failed to meet necessary standards, following complaints from unsuccessful companies who bid
for the contract. The final decision in May 2015 has been to award Safaricom the contract for the
system.

The tender has since become the focus on a corruption scandal following the publication in
Nairobi Law Monthly of details alleging improper procurement procedures and bribery by
Safaricom and Huawei.

Transport
Kenya's National Transport and Safety Authority (NTSA) announced in July 2017 that it
would begin issuing digital driving licenses. The ID, which bears a microchip, would
reportedly contain driving histories and allow for direct payments to judicial services in the event
of fines. It is unclear which authorities would have access to information held on the card.