The Ministry of Interior’s proposed regulations, subject to parliamentary approval, mandate the Independent Electoral and Boundaries Commission (IEBC) to host its election data and transmission servers within the country.
As presented to the Departmental Committee on Administration and Internal Security, chaired by Narok West MP Gabriel Tongoyo, the regulations stipulate that access to critical information infrastructure requires the infrastructure owner to restrict and monitor authorized access, with specific emphasis on ensuring stringent measures for protection.
Furthermore, the regulations advocate for institutions like the IEBC to seek authorization from the National Security Council (NSC) before storing critical information outside Kenya. Proposed under the Computer Misuse and Cybercrimes Act 2024, the regulations aim to compel owners of critical information infrastructure to keep essential information systems within Kenya’s borders. Only authorized individuals should have immediate access in case of a cybersecurity incident.
Critical information infrastructure in Kenya includes defense, public safety, security, banking, finance, and entities like the World coin cryptocurrency project, which faced operational halts due to privacy concerns.
Authorization to access critical information infrastructure requires individuals to provide evidence of identity, contact details, and any relevant information requested by the infrastructure owner. Applicants must disclose potentially hazardous items and subject themselves to scrutiny via electronic or other applicable means.
When considering applications for critical information to be located outside Kenya, the committee must assess security measures, safeguards, compliance with standards, and the necessity for information storage beyond the country’s jurisdiction.
These regulations aim to enforce the Data Protection Act, safeguarding data within the country from unauthorized access. If an owner intends to have crucial information situated outside Kenya, they must apply to the National Computer and Cybercrime Coordination Committee. The committee will evaluate compliance with security standards and communicate its decision within 30 days.
The backdrop of these regulations includes past electoral controversies in Kenya, such as the 2022 general elections, where access to IEBC servers became a contentious issue. The Supreme Court, dealing with the dispute filed by presidential candidate Raila Odinga, granted access to the servers, emphasizing the importance of locally hosted electoral data. In the 2022 general election, IEBC had contracted Smartmatic International Holdings B.V
