An Independent Electoral and Boundaries Commission (IEBC) official inside a polling station in Kiambu County before polls open during Kenya's general election on August 9, 2022.
Kenya’s electoral commission is set for reforms to make it transparent in terms of free and immediate access to information under its custody, including technology deployed in elections, in a proposed law change that seeks to extinguish its ‘opaqueness’ moniker.
The Independent Election and Boundaries Commission (IEBC) has previously come under attack for failing to share information sought, especially just before and after the election, and not even court orders have guaranteed access specifically to its servers, scrutiny of votes, and provision of voters’ register.
However, the Elections (Amendment) Bill 2024 before Parliament seeks to lessen the friction and anger generated by outright information blockade, with an eye for a friendly commission.
“The commission shall ensure access to information, including any technology used in elections, and shall not charge fees where the information requested is provided in soft copy,” reads the proposed new clause 82A of the Bill.
However, where information requested is to be provided in hardcopy format, “the commission may charge a prescribed fee for the provision of the information.”
“The fee shall not exceed the actual costs of making copies of such information and if applicable, supplying them to the applicant,” the Bill says.
The Bill sponsored by Senate Minority Leader Stewart Madzayo (Kilifi) is a creation of the National Dialogue Committee (Nadco) report and is anchored on the Access to Information Act, the Data Protection Act, and the IEBC Act.
“Where a request for access is made pursuant to scrutiny of votes, the commission shall facilitate access in the case of a presidential election, within three days of the date of the request and in the case of any other elective position, within seven days of the date of the request,” the Bill proposes.
While IEBC has hitherto blocked its stakeholders— including political parties and candidates— from accessing information it holds, it has been accused of allowing unauthorised access to its election servers, exposing it to risks of manipulating stored data- election results.
The Office of Data Protection (ODP) is required to formulate regulations to facilitate prompt access to the critical information infrastructure only by authorised persons in the event of a cybersecurity incident or during auditing for compliance.
Under the Data Protection Act that came into force on November 8, 2019, and establishes ODP, IEBC is both a data controller and a data processor.
A data controller because it has custody of the voter register and a processor because it uses the voter register when conducting elections and referenda in the country. The law further categorises a voter register as personal data.
The management of election data- voters register and the election results transmission system- has always been a contested affair in the country’s election history with accusations of being manipulated to twist the outcome of elections.
During the hearing of the 2017 presidential election petition at the Supreme Court, the highest court in the land, the IEBC declined to open its servers despite the court orders.
At some point, Senior Counsel (SC) Paul Muite, the then IEBC lawyer in the presidential election petition confirmed to the court that the IEBC servers in the 2017 election were hosted in France and it would require some time to have them opened for access.
“My lords, the servers are in Europe. We are not refusing to give access. Europe is a couple of hours behind and we have to wait for them to start working,” SC Muite then told the Supreme Court.
“They have to set up the access window with safeguards,” he added.
The failure of the IEBC to open the servers was among the reasons the Supreme Court nullified the August 8, 2017, presidential election results and directed that “a fresh, fair, and credible” presidential election be held on October 26, 2017.
The enactment of the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, compels the localisation of the country’s critical information infrastructure.
“An owner of a critical information infrastructure shall ensure that the infrastructure on which critical information is domiciled is located in Kenya,” the regulations state.
However, an owner of a critical information infrastructure who intends to have the critical information located outside Kenya, “shall apply to the National Computer and Cyber Crimes Co-ordination Committee'' which is headed by a Director-General, for consideration.
