Technology is changing how businesses and governments handle personal information. From digital ID systems to mobile apps, data is at the heart of service delivery in Kenya but with this comes legal responsibility. 

One of the most significant cases addressing these concerns is Okiya Omtatah Okoiti v Communications Authority of Kenya & 8 Others, commonly associated with the Huduma Namba litigation. The case arose following the Government’s introduction of the National Integrated Identity Management System (NIIMS), popularly known as Huduma Namba. The system was designed to consolidate various forms of citizens’ personal information including biometric data such as fingerprints and facial images into a single national digital database intended to streamline access to government services. 

Despite its intended efficiency, the rollout of the system attracted constitutional challenges. Petitioners argued that the collection and centralisation of such sensitive personal data had been undertaken without adequate legal safeguards to protect citizens’ privacy. The concerns were grounded in Article 31 of the Constitution of Kenya 2010, which guarantees every person the right to privacy, including protection against the unnecessary revelation of personal information. 

The court examined whether the implementation of NIIMS complied with the statutory framework governing personal data. Particular attention was given to the Data Protection Act 2019 (Kenya), which requires that personal data be collected and processed lawfully, fairly, and transparently. The Act also imposes stricter safeguards when sensitive personal data such as biometric information is involved. In addition, the court considered the broader regulatory environment governing digital systems, including obligations to ensure adequate security measures against misuse or unauthorised access. 

In its decision, the court emphasised that technological innovation must operate within constitutional and statutory boundaries. It held that the collection and processing of biometric data without sufficient safeguards raised legitimate concerns regarding the right to privacy. As a result, aspects of the implementation of the Huduma Namba system were halted until appropriate legal and regulatory protections were put in place. 

The decision marked an important development in Kenya’s approach to digital governance. It affirmed that privacy rights remain enforceable even in the face of large-scale technological initiatives and that compliance with the Data Protection Act 2019 (Kenya) is mandatory. The case also reinforced the principle that institutions implementing digital systems must incorporate legal safeguards at the design and implementation stages. 

Although the case concerned a government initiative, its implications extend to private entities as well. Businesses and organisations that collect or process personal data whether through mobile applications, customer databases, biometric systems, or online platforms must ensure that their data practices comply with Kenyan law. The Huduma Namba decision therefore serves as a reminder that effective technology deployment must be accompanied by responsible data governance and strict adherence to constitutional and statutory protections.