IEBC poll servers to be hosted locally
It will now be mandatory for the Independent Electoral and Boundaries Commission (IEBC) to have its election data and transmission servers hosted in the country ahead of the 2022 general elections.
Previously, IEBC's servers were held in France.
However, this will only happen if the National Assembly approves the draft Data Protection (General) Regulations, 2021 proposed by ICT Cabinet Secretary Joe Mucheru.
The proposed regulations, currently undergoing public participation, will help in the implementation of the Data Protection Act, which secures data in the country from unauthorised access. The regulations list the conduct of elections among the data processing activities that should be done in the country.
“A data controller or data processor who processes personal data for the purpose of actualising a public good shall be required to ensure that such processing is effected through a server and data centre located in Kenya,” the regulations state.
Under the Data Protection Act that came into force on November 8, 2019, IEBC is both a data controller and a data processor.
It is a data controller because it has custody of the voter register, and a data processor because it uses the voter register when conducting elections. The law further categorises a voter register as personal data.
Illegal secret server
Yesterday nominated MP Godfrey Osotsi, an Information Technology expert, maintained that a country may want to have data stored in another country for backup purposes.
This came as an MP who did not want to go on record claimed that the government may want to use the regulations to set up an illegal secret server in the country without the knowledge of IEBC. The secret server, according to the MP, is to influence the outcome of President Uhuru Kenyatta’s succession battle ahead of his retirement in 2022.
This claim was augmented by Mr Osotsi, who questioned why the government was keen to have the Data Protection regulations in place yet the critical data infrastructure regulations are yet to be enacted.
“Kenya first needs the critical data infrastructure regulations to govern the setting up of data centres, where the country’s data is to be held. So far this has not happened,” Mr Osotsi said.
“How will the data that is not housed be protected? Unless they are telling us that they are setting up a data centre for the management of elections. But then, this will be illegal as there is no legal framework,” he said.
Under the Computer Misuse and Cybercrimes Act, the ICT Cabinet Secretary is required to develop the critical infrastructure regulations to control the setting up of data centres.
However, since the law came into effect on May 16, 2018, CS Mucheru is yet to publish the regulations and submit them to the National Assembly for approval.
Data protection
“What is the purpose of coming up with data protection regulations when you don’t have the critical data infrastructure regulations? It is the perfect case of putting the cart before the horse,” Mr Osotsi noted.
“In the absence of the critical data infrastructure regulations, we have not mitigated the problem. There still lies the risk of State capture,” the MP who did not want to go on record said.
But CS Mucheru dismissed the claims as far-fetched.
“Parliament has the power to summon us and seek clarification on the regulations. Parliament makes laws. Why are they making the claims through the media?” Mr Mucheru asked.
During the hearing of the 2017 presidential election petition at the Supreme Court, the IEBC declined to open its servers despite court orders.
At the time, OT Morpho, a French company that supplied IEBC with the Kenya Integrated Election Management System used in the 2013 and 2017 general elections, hosted the IEBC servers in France.
The failure by the IEBC to open the servers was among the reasons the Supreme Court nullified the August 8, 2017 presidential election results.
Source: Nation Media