Towards Effective Biometrics and Digital Identity Systems in Africa

By Victor Kapiyo |

In many countries across Africa, identity systems have largely been paper-based. It is estimated by the World Bank that at least 500 million people in Sub-Saharan Africa lack proof of legal identification. In order to bridge this gap, several countries have adopted some form of digital identity (ID) system for civil registration, including birth, national IDs, voting purposes, incorporating biometrics such as fingerprint, facial or iris recognition as a form of authentication. Indeed, the systems have gained popularity given their benefits as part of digital transformation journeys to promote accessibility, efficiency, and transparency in service delivery – in health, migration, education, social security, and elections. 

Within the last decade, Lesotho, Mozambique,  Tanzania, Uganda,  Zambia and Zimbabwe have introduced national biometric digital identity cards.  

Lesotho’s national ID has so far covered 85% of the eligible population. Mozambique has a digital ID card with a Unique Citizen Identification Number (NUIC), assigned during birth registration. This national identification number is used on NID cards, health cards, driver’s licenses, and passports. The country also has the National Immigration Service (SENAMI), for its immigration system for travel documents and residence permits; as well as the Electronic System for Civil Registration and Vital Statistics (e-SIRCEV) for civil registration.  Birth certificates are a prerequisite for obtaining NIDs. The NID is valid for five years for individuals below 40 years of age and valid for 10 years for individuals between the ages of 40 and 50 years.

Tanzania introduced its biometric national ID programme in 2013 and started issuing cards in 2016..  As of 2020, at least 22.1 million individuals or 80% of the adult population had been registered for the National Identification Number (NIN). Also, mandatory SIM card registration requires the collection of fingerprint data in addition to official documentation such as national identity cards, birth certificates, driver’s licenses or passports.

Zambia introduced its National Registration Card (NRC), in 2013. The USD 54.8 million Integrated National Registration Information System (INRIS) replaced the paper-based system introduced in 1965 and would issue biometric-based documents such as national registration cards, birth and death certificates, and facilitate voter registration. 

In the early 2000s, the  Zimbabwean government introduced biometric IDs by the then Registrar General, Tobaiwa Mudede, as a formalised transition to reportedly enhance issues of e-governance. Unfortunately, there was very limited publicity and awareness on this transition, as well as transparency about the tendering and procurement processes. In 2018, the government also adopted a biometric system for the registration of voters, and for the registration of civil servants in 2019. 

It is worth noting that these systems, despite their benefits, present risks which were previously not common in paper-based identity systems. Some common risks to digitalised personal data include data breaches, surveillance, misuse of personal information, unwarranted intrusion, and financial harm. These risks may be amplified in the absence of comprehensive policy, legal and institutional frameworks for privacy and data protection. Notably, even where laws exist, if they are weak, fragmented, outdated, poorly enforced, lack strong and independent oversight mechanisms, or fail to provide effective remedies, the risk of harm to the data collected is heightened. 

Also, the use of centralised databases, weak information-sharing safeguards, and the lack of transparency and accountability in the management of identity databases have been documented as loopholes that could inevitably create opportunities for abuse by state and non-state actors with access to the information. 

Furthermore, the incomprehensive implementation of biometric digital ID programmes could entrench digital exclusion and discrimination of vulnerable groups, such as the elderly and refugees, from accessing government services due to lack of a national ID as the case was in Uganda. In Zimbabwe, the country’s Human Rights Commission’s (ZHRC) inquiry into access to documentation revealed that there is often neglect and marginalisation of people living with disabilities and members of minority groups. In Mozambique for example, studies showed that citizens who live in remote areas are more at risk of exclusion than others, as they have to travel further, and possibly a number of times, to complete the registration, and thus, bear higher costs.

Currently, 30 African countries have enacted data protection laws and policies. One of the early adopters of data protection laws is Lesotho, which adopted its Data Protection Act, in 2011. Uganda adopted its Data Protection and Privacy Act in 2019. Zambia and Zimbabwe adopted their Data Protection Acts in 2021, while Tanzania adopted its Personal Data Protection Bill in 2022. However, not all these countries have adopted the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention). So far, only Mozambique and Zambia have signed the Convention and deposited the instruments of ratification. Lesotho, Tanzania, Uganda and Zimbabwe are yet to sign or ratify the convention.

Whereas having data protection laws is critical, African countries should also have in place appropriate policy, regulatory and institutional frameworks for the implementation of their digital identity programmes. Such frameworks are essential for fostering public trust and confidence in the use of digital identity systems, especially in the digital economy. 

However, enactment of the relevant laws and policies (including reviewing the existing ones) is just the first step in harnessing the dividends of biometrics and digital ID systems. States need to ensure that the implementation of digital ID systems meets certain thresholds.

  • Biometrics and digital identity systems should be user-centric, rights-respecting, privacy-respecting by default and by design, and secure throughout their lifecycle. 
  • Developers of such systems should anticipate and recognise potential privacy risks such as data breaches and fraud, and address them within the existing systems and frameworks. In addition, the developers should adopt a distributed and federated approach rather than a centralised approach. 
  • Further, there should be a clear governance framework, with independent oversight, well-defined roles and responsibilities, rules and standards. In addition, the systems should entrench accountability, including compliance with data protection laws and the conduct of data protection impact assessments (DPIAs). 
  • Countries should establish independent and robust oversight data protection bodies to regulate data and privacy protection including biometric data. The bodies should be given a commendable level of autonomy and facilitated sufficiently with the required resources to ensure that they function effectively, independently and with minimal external influence over their mandate.
  • In countries where digital identity systems were implemented prior to the enactment of data protection laws, the existing processes should be reviewed to ensure compliance with data protection laws. Key aspects to be considered include the conduct of DPIAs, review of data-sharing arrangements, compliance with data protection principles on consent, accuracy, purpose limitation, automated data processing, children, lawfulness, fairness and transparency, data minimisation, storage limitation, and security. 
  • In addition, countries should review the emerging best practices in the implementation of digital identity systems, learn from other countries and adopt those suitable for their context. 
  • Countries should build the capacity of government officials responsible for biometric digital ID systems, including data protection bodies, law enforcement, prosecution, regulators, and the Judiciary in effective data protection, with skills and knowledge in key principles of data protection and the rights of data subjects.
  • Programme implementation should proactively plan and ease the accessibility of services by the most vulnerable and marginalised groups – elderly, persons with disabilities, women, those in remote areas. This would include phased implementation of digital ID systems, wide distribution of enrollment centers in disability and poor-friendly environments, as well as cost waivers.  
  • Finally, stakeholder engagement and proactive disclosure of information relating to such programmes should always be integrated into the design and deployment of the programmes. 

State of Internet Freedom in Africa 2022: The Rise of Biometric Surveillance

FIFAfrica22 |

Digital biometric data collection programmes are becoming increasingly popular across the African continent. Governments are investing in diverse digital programmes to enable the capture of biometric information of their citizens for various purposes.

A new report by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) documents the emerging and current trends in biometric data collection and processing in Africa. It focuses on the deployment of national biometric technology-based programmes in 16 African countries, namely Angola, Cameroon, Central African Republic, Democratic Republic of Congo, Kenya, Lesotho, Liberia, Mozambique, Nigeria, Senegal, Sierra Leone, Tanzania, Togo, Tunisia, Uganda, and Zambia.

The report published today is the ninth consecutive one issued by CIPESA since 2014 under the State of Internet Freedom in Africa series. It was released at the Forum on Internet Freedom in Africa (FIFAfrica), which is taking place in Lusaka, Zambia.

The biometric data collection programmes reviewed by the report include those related to civil registrations, such as the issuance of National Identity cards, biometric voter registration and identification programmes, government-led CCTV programmes with facial recognition capabilities, national ePassport initiatives, refugees’ registration, and mandatory biometric SIM card registration.

The report highlights the key trends, potential risks, challenges and gaps relating to biometric data collection projects in the continent. These include limited public engagement and awareness campaigns; inadequate legal frameworks that heighten risks to privacy; exclusion from accessing essential services; enhanced surveillance, profiling and targeting; conflicting interests and the wide powers of third parties; and limited capacity and training. 

Consequently, the study notes that these biometric programmes are being implemented in countries with poor digital rights records, declining democracy and rising digital authoritarianism, which casts doubt on the integrity of biometric data collection programmes and the resultant databases. Thus, viewed collectively, the developments, trends and risks outlined in the report heighten concern over the growing threats to the right to privacy of personal data and potential violations of digital rights on the continent. 

Finally, the report presents recommendations to various stakeholders including the government, civil society, the media, the private sector and academia, which, if implemented, will go a long way in addressing data protection and privacy gaps, risks and challenges in the study countries. 

The key recommendations include a call to:

  • Governments to implement the laws and policy frameworks on identity systems and data protection and privacy while paying keen attention to compliance with regionally and internationally recognised principles and minimum standards on data protection and privacy for biometric data collection and require the adoption of human rights-based approaches. 
  • Countries without data protection and privacy laws such as Liberia, Mozambique, Sierra Leone and Tanzania should expedite the process of enacting appropriate data protection laws so as to guarantee the data protection and privacy rights of their citizens. 
  • Governments to ratify the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention) to ensure government commitment to regional data protection and privacy as a means to hold them accountable.
  • Governments to establish independent and robust oversight data protection bodies to regulate data and privacy protection including biometric data.
  • Civil society to engage in advocacy and lobby governments to develop, implement and enforce privacy and data protection policies, laws and institutional frameworks that are in compliance with regional and international minimum human rights standards.
  • Civil society to monitor, document and report on the risks, threats, abuses and violations of privacy and human rights associated with biometric data collection programmes, and propose effective solutions to safeguard rights in line with international human rights standards.
  • The media to progressively document and report on initiatives such as advocacy by civil society and other stakeholders to keep track of developments. 
  • The media to conduct investigative journalism to identify and expose privacy violations arising from the implementation of biometric data collection programmes.
  • The private sector to take deliberate efforts to ensure that all their respective biometric data collection programmes and systems are developed implemented and managed in compliance with best practices prescribed by the national, regional and international human rights standards and practices on privacy and data protection, including the UN Guiding Principles on Business and Human Rights.
  • The private sector to ensure that they progressively adopt and develop comprehensive internal privacy policies to guide the collection, storing and processing of personal data. 
  • The private sector to take deliberate efforts aimed at involving data subjects in the control and management of their personal data by providing timely information on external requests for information. 
  • Academia to conduct evidence-based research on data protection and privacy including biometrics, highlighting the challenges, risks, benefits and trends in biometric data collection programmes. 

The full State of Internet Freedom in Africa 2022 Report can be accessed here.

FIFAfrica22: Biker To Ride From Uganda To Zambia Imparting Digital Security Skills At Stops in Six Countries

By FIFAfrica22 |

The distance between Kampala, Uganda and Lusaka, Zambia is approximately 3,300 kilometres by road. As part of a road trip to the Forum on Internet Freedom in Africa 2022 (FIFAfrica22), Ugandan digital security expert Andrew Gole will travel between the two countries over 28 days on his motorbike, making multiple stops to impart tips and advice on digital security.

Gole’s trip will take him through Uganda before crossing into Rwanda, Tanzania, Malawi, and finally to the FIFAfrica22 host country Zambia. The return trip will include stops in Tanzania, Zanzibar and Kenya. Gole will interact with human rights organisations and communities along the way in addition to human rights organisations on the value of securing devices and communications as a means of protecting their digital rights.

“Through my work with various communities, I have seen the positive impacts and benefits of digital security,” noted Gole who has done extensive work skilling users across the region, including through the Level-Up programme.  “Pair this [expertise] with a bike and the places I can go and people I can reach are unlimited,” says Gole. He has previously completed road trips across Uganda addressing the digital security concerns of rural-based civil society organisations.

 “Everyone is heading in the direction of the digital ecosystem. Everyone will be in it. If we do not address some of the challenges people are facing now, we will have a generation of people using systems without knowing the risks present online. We all need it. We need to future-proof the internet experience.” Noted Gole who revealed that some people are self-taught but still lack some important capacities when it comes to securing their personal or organisational online security concerns.

Gole’s Digital Security on Wheels initiative was founded in 2020 when much of the world was at a  near standstill due to the Covid-19 pandemic. In Uganda, private and public transportation was limited, yet digital security concerns went on the rise due to the increased reliance on digital communication. Recognising the digital security gap in areas outside the capital, Gole embarked on a journey to the Eastern and Northern regions of Uganda. What started off as a 14-day trip ended up being a 21 day trip due to the extensive digital security needs of the various organisations he went to engage.

“Some problems simply couldn’t be solved in the short amount of time available. I had to extend my stay with eth organisations to address their problems, otherwise the effort would be meaningless.”

At FIFAfrica22, Gole will join the multi-lingual (English, French, Swahili, Arabic) Digital Security walk-in clinic/help desk,  which comprises Access Now, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), Digital Society of Africa, Encrypt Uganda, Internews, Greenhost, Jigsaw (a technology incubator created by Google), Defend Defenders and Zaina Foundation. The Hub will allow FIFAfrica22 participants to access new innovative Internet freedom technology, privacy and data protective tools, measures and platforms in order to respond to their emergent digital security concerns. It will also offer immediate support and demos of various digital security tools and advisory on improving organisational security and resilience against threats and dangers when working, engaging, socialising and organising online.

Elsewhere at FIFAfrica22 digital security experts will participate in skills-sharing workshops and panel discussions.  Sessions include: Utilizing Collaborative Digital Resilience Mechanisms for Efficient Rights Protection and Advocacy in growing IOT Society hosted by the entities running the walk-in clinic/help desk; South-to-South Peer Learnings on Digital Resilience for Social Justice hosted by the Global Network for Social Justice and Digital Resilience; , Privacy and Anonymity Online hosted by the Tor Project and Usability Design and Developing Scenario Personas for Digital Rights Tools hosted by La Poiema.

Meanwhile, FemTech-Africa, an Internews pilot programme will host a feminist digital security exhibition to showcase gendered approaches to digital security. The exhibition will provide similar services as the digital security clinic but with a focus on behavioural change and strategies for online safety specifically for women human rights defenders and journalists. Women human rights defenders (WHRDs) and journalists face peculiar internet freedom challenges, such as trolling, cyberbullying and other forms of online violence against women, which have far-reaching impacts on their safety and on rights protection, not least free expression and democratic participation.

The exhibition will disseminate safety guide comic series and online safety for women booklets localised in up to five languages. The exhibition will feed into the panel discussion on women’s rights online including on Resistance & Connection: An African Feminist Perspective for Decolonising the Internet.

In 2020 and 2021, the hybrid formats of FIFAfrica also featured digital security components. At FIFAfrica20, a digital security and risk assessments workshop was held for investigative journalists and human rights activists in Kinshasa, Democratic Republic of Congo. In addition, a multilingual (English, French and Arabic) digital security hub provided virtual digital security support through a chat widget, email or messaging during the three days of FIFAfrica20. The virtual digital security hub was also run during FIFAfrica21.

Be part of the online conversation using #FIFAfrica22 and share your vision for #InternetFreedomAfrica! | Follow @cipesaug on Facebook, Twitter, LinkedIn

Visit the event website

About FIFAfrica

The Forum on Internet Freedom in Africa (FIFAfrica) is an annual landmark event which convenes a spectrum of stakeholders from across the internet governance and digital rights arenas in Africa and beyond. Hosted by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the Forum offers a platform for government representatives, civic actors, journalists, policymakers and technologies to engage in the latest developments and trends in technology policy and digital rights.


FIFAfrica22: Recognising Access To Information As A Fundamental Digital Right

Greetings from #FIFAfrica22 |

On September 28 the International Day for Universal Access To Information (IDUAI) will be commemorated globally. The day was proclaimed by the United Nations Educational and Scientific and Cultural Organisation (UNESCO) General Conference in 2015, following the adoption of the 38 C/Resolution 57 which recognised the significance of access to information. The 2022 edition of the Forum on Internet Freedom in Africa (FIFAfrica) will also commemorate this day through a series of discussions pertaining to access to information as a fundamental digital right.
Since its inception, FIFAfrica has coincided with  IDUAI commemorations every September 28 during which it has endevoured to create awareness about access to information offline and online and its connection to wider freedoms and democratic participation. These engagements have drawn consistent partnerships from UNESCO, among other global and regional actors.

In 2017, the African Commission Special Rapporteur for Freedom of Expression and Access to Information, Advocate Pansy Tlakula, addressed FIFAfrica, where she received special recognition for her contributions to promoting access to information.

The theme for IDUAI 2022 is “Artificial Intelligence, e-Governance and Access to Information” which echoes various sessions that will feature at FIFAfrica22.

The opening of FIFAfrica22 will feature Honourable Ourveena Geereesha Topsy-Sonoo, the Africa Commission on Human and Peoples Rights (ACHPR) Commissioner on Freedom of Expression and Access to Information. Further sessions like Building Resilient Access to Information Legislation in the Digital Age; The Internet as a Tool for Promoting Information Integrity, Addressing Information Pollution Online and Offline; Artificial Intelligence Policy and Practice: Towards a Rights-Based Approach in Africa; Data Protection Trends and Advocacy in Africa; and Digital Inclusion: Acces, Data Governance and Ethical Innovation in Africa which resonate with this year’s global IDUAI theme will form part of the discussions at FIFAfrica22.

Speakers at the sessions will represent a diversity of actors working on advancing the free flow of information,  each of whom brings new insights and approaches to addressing practice and policy gaps affecting the realization of access to information in Africa.  The speaker lineup includes representatives from  Panos Institute, Africa Freedom of Information Centre (AFIC), African Centre for Media Excellence (ACME), Bloggers of Zambia, International Training Programme on Media Development in a Democratic Framework (ITP), International Centre for Non-For-Profit Law (ICNL), ALT Advisory, Center for Intellectual Property and Information Technology (CIPIT), Paradigm Initiative, Lawyers Hub Kenya, World Benchmarking Alliance, Development Initiatives, Data Science for Health Discovery and Innovation in Africa (DSI-Africa), Internet & Jurisdiction Policy Network, Internews, and Access Now.

Be part of the online conversation using #FIFAfrica22 and share your vision for #InternetFreedomAfrica! | Follow @cipesaug on FacebookTwitterLinkedInVisit the event website

About FIFAfrica
The Forum on Internet Freedom in Africa (FIFAfrica) is an annual landmark event which convenes a spectrum of stakeholders from across the internet governance and digital rights arenas in Africa and beyond. Hosted the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the Forum will offer a platform for government representatives, civic actors, journalists, policymakers and technologies to come face to face.

Forum on Internet Freedom in Africa 2022 (#FIFAfrica22):  Four Days of Workshops, Exhibitions, Panel Discussions and More!

#FIFAfrica22 |

Since its inception in 2014, the Forum on Internet Freedom in Africa (FIFAfrica) has offered a platform for policymakers, government officials, civil society, media, tech companies and technologists to convene and deliberate on various aspects of internet governance and digital rights arenas in Africa. This year’s FIFAfrica marks the return to a physical event following two years of hybrid events in the wake of the Covid-19 pandemic and will take place in Lusaka, Zambia, on September 26-29, 2022. It will feature two days of network meetings and skills workshops (September 26-27,2022) ahead of a two-day main event (September 28-29, 2022).

The FIFAfrica22 agenda is spread over 21 tracks with speakers and session organisers representing an extensive diversity of national, regional and international organisations, governments, tech platforms and think tanks. The largest agenda to date represents the growth in interest in digital rights as well as the concerns that have emerged and prevail on the continent’s digital landscape.

Tracks at FIFAfrica22
Access to Information Cybercrime
Artificial Intelligence Data Governance
Artivism and Creative Expression Online Digital Economy
Business and Human Rights Digital Health
Child Online Protection Digital Resilience
Digital Sovereignty Internet Rights and Governance
Digitalisation and Access to Justice Movement Building
Disinformation Network Disruptions
Inclusive Access and Affordability Platform Accountability
Infrastructure Strategic Litigation for Digital Rights
Technology and Education Women’s Rights Online

FIFAfrica22 will also feature a dedicated Digital Security Hub will also feature at the Forum with digital security and resilience experts from CIPESA, the Digital Society of Africa, the Digital Security Alliance, Internews, Jigsaw/Google and Zaina Foundation.

FIFAfrica is hosted by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), an Uganda-based technology policy think-tank with a pan-African footprint. CIPESA has previously hosted physical Forums in  Kampala, UgandaJohannesburg, South AfricaAccra, Ghana; and Addis Ababa, Ethiopia.

See the agenda

For more details email [email protected]