Citizen Data protection anomaly at Ministry of Interior

Every week since the CS initiated the rapid results initiative, the
Immigration Department has been publishing publicly the names of all
passports ready for collection.

Kindiki may have been doing a good thing – expediency, but as they say, the
road to hell is paved by good intentions.

The list is available on the immigration department website here
immigration.go.ke/category/rri-7/ for all passports ready for
collection for 6th-10th November 2023. More data is available for other
weeks. The data has tracking numbers, full passport holder names, and
collection dates. Through quick analysis, this week alone has 18,654 names
published and distributed as follows;
Kisii 1500
Kisumu 1692
Eldoret 1787
Embu 1750
Mombasa 1552
Nakuru 1000
Nairobi 9373

Questions
1. What can go wrong? What can bad actors do with this data?
2. Do data subjects need to give consent for such data to be published in a
public portal?
3. Does the government have the capacity to safely handle mass citizen
data?
4. How have other government agencies provided verification services
without compromising on privacy? IEBC had such a challenge before the 2022
elections and they instituted a verification process for accessing voter
registration data.
5. Does the Ministry of Interior have the capacity to roll out the Digital
ID dubbed Maisha namba?
6. Is the ODPC under the Data Protection Act 2019 up to the task of
regulating and enforcing compliance of government agencies?
7. How can we help the government in handling citizen data?

For demonstration purposes, what are the implications of a data breach at
scale?
Just this year, there were allegations that Fuliza scammers gained access
to the National Registration Bureau Database and added new citizens. The
freshly minted ghost citizens went ahead and borrowed close to Ksh500
million through Safaricom’s Fuliza overdraft facilities.
ntvkenya.co.ke/crime/eight-suspects-arrested-in-kes-500-million-fuliza-fraud-scheme/