A practical guide to establishing a foundational Identity Database in Africa
In November 2018, The World Bank Group launched the Identification for Development (ID4D) initiative to help countries achieve the sustainable development goal of making everyone count by ensuring a unique legal identity and enabling digital ID-based services for all.
Boosted by this initiative, the ID industry in Africa is projected to have an 11.7% growth rate from 2021 to 2028 and reach $1.4 billion by that same time frame.
As some countries like Tanzania, Ghana, and Nigeria take the lead in its adoption, overall it’s still a growing field in terms of policies, technology, and processes.
Defined as a fundamental human right by the United Nations, every identity should be controlled appropriately on how it’s been acquired and what it’s been used for.
Using Nigeria as a case study, despite her applaudable accomplishments, the country is still developing in the aspects of ID acquisition and management such that an average Nigerian has given their demographic and fingerprint data to more than two agencies depending on the use case and purpose for that point in time.
For example, INEC’s Voter Registration, FRSC driver’s license and NIN (National identity number) require almost the same personal data to be processed.
This isn’t the best approach, as it increases the risk of data breaches in terms of privacy and protection.
Ultimately, every African country needs a robust and centralized system that can capture and hold foundational identity data while other dependent systems pull the required information from the foundational database.
For example, upon request for an international passport, Nigeria Immigration Service (NIS) should be able to seamlessly and cost-effectively connect to foundation databases such as the one managed by the National Identity Management Commission to retrieve the data required and then consolidate it with other secondary information that may be needed. This is where Nigeria and other progressive African countries are still growing and adapting.
We also have to consider the political will from the top down to get everyone across a nation to synergize. And then the technological aspect to ensure that there’s adequate infrastructure for easy access and security. So for most African countries, there’s a lot to be done that will require funding and a massive one at that.
Thankfully, with support from international organizations like the World Bank’s Identification for Development (ID4D) program, governments across Africa have foisted elaborate and expensive biometric ID schemes.
With the right funding in place and a strong governmental will, it is possible for all African countries to build and implement identity systems that ensure privacy, protection, and security. Here’s a detailed guide to show how to do this from top to bottom.
Getting from Point Zero (No foundational ID) to having a Foundational database.
Step One: Policy and Frameworks
Most countries have one or two identity records probably lying in silos.
But to start from the bottom, the most important fuel to kickstart a safe and secure centralized ID system for all citizens is the government’s awareness of the need for a digital foundational database.
As the saying goes, the first step to a solution is identifying the problem. African governments need to totally buy into this goal and champion it from the off through the right policies and laws that’d confer appropriate authority to an agency to acquire, establish and manage the foundational database.
This is critical because the right adoption has to be backed by law and an ‘act of establishment’ for a particular agency to implement it…
For example, In Nigeria and Tanzania, national authorities license mobile network operators (MNOs) to act as official ID enrolment partners, effectively leveraging their nationwide presence to accelerate citizen enrolment onto the national digital-ID platform – and therefore supporting the inclusion of several million people who had been previously unregistered.
It’s easy to get this part wrong as seen in Kenya in January 2020 where Kenya’s High Court halted the roll-out of the country’s controversial biometric ID, the Huduma Namba, citing the lack of a regulatory framework to protect the privacy of citizens.
So step one is to get the right policy and framework set in place.
Step Two: Strategy and Implementation
After drawing up the policies, comes the strategy stage which involves ideation and understanding the peculiarities of the ID landscape within that demography.
Are there cultural, logistical, or religious issues that could impede or facilitate widespread engagement? African governments know their people and landscape better than anyone so it’s unwise to ignore the present biases and circumstances that could play a major part in deploying a foundational database.
You cannot enroll people without consent or by force, lest in trying to ensure a human right, you take away another. It’s critical to get this stage right so a nation does not turn an important venture into a white elephant project.
Afterward, you move to the implementation stage – a two-pronged approach which is the technology that powers it and the project management part or in local parlance – administration.
The outputs from the strategy stage set the groundwork for the implementation stage.
From the technical point of view, the foundational database requires a system that determines the uniqueness of every entry into the database and how do you do that for every human?
Biometrics is one answer. From fingerprints to Iris to vein technology, the palm and the face (with facial recognition being the most randomly used as similar appearances require a combination of multiple biometric points to back it up).
A ‘backend engine’ powers this data acquisition and deploying the right one cannot be over-emphasized…
After choosing one, you think about other aggregating systems that’ll feed into your back-end engine. One of them is a front-end enrollment system like Civil Registra from Seamfix, a system where eligible applicants can get enrolled through the capture of their details, from demographics to biometrics (most countries use fingerprint, portrait, iris) to documents that provide evidence of eligibility as foundational databases don’t confer citizenship.
For example, the NIN in Nigeria is only for Nigerians and legal residents. So documentation needs to, first of all, show that a person is a citizen or legal resident of that country.
One critical learning from Nigeria’s NIN drive is that they took the time to make progress by changing their enrollment strategy. Previously it would be agent-based in local government areas, but this was severely limited as citizens had to come to them.
Although enrollment was free, the movement wasn’t.
Nigeria had to adopt a technology that could reverse the process – thereby taking the agents to go to the people instead. So they required a solution to power this drive, particularly a mobile enrollment device that doesn’t compromise on the quality of the data captured and its security.
This is where Civil Registra came in, a mobile enrollment solution that enabled agents to move around from home to home capturing high-quality data, and within 3-4 months, there was a huge increase in enrollment numbers.
As the President of Nigeria, Muhammadu Buhari, stated earlier in July 2022 ”We have now enrolled more than 85 million persons into the NIN database. The work continues, to leave behind a credible and robust foundation of digital identity for the security and prosperity of Nigeria.”
A great success so far! Yet there’s still more to be done and learned.
Step three: Verification and Layered Services
Once you’ve got the backend and frontend sorted for unique ID identification, then you need to add a system for re-engagement and feedback for when a citizen’s ID has been enrolled and completed.
The other system that’s important is the layered service on top of the foundational one. What does this mean?
A critical component of a successful foundational database is the verification service where every other third party can freely pull from the database to issue or confirm the ID of people within that country. This cuts across all other services accessed in that country from the government to finance to medical services.
On its own, verification is a robust system.
In an ideal situation, an ID should be controlled by the owner even though it’s collected and kept in a place. So before anyone collects a NIN, for example, the owner should be able to give his/her consent. So verification requires three things in place to work:
- Access to the primary data source
- Incoming request from the organization trying to verify you
- Consent from the data owner.
The consent part can also be provided by an intelligent solution like Civil Registra in terms of building a mobile e-authentication system where the data owner can manage his data and issue consent to an organization.
For example, if an organization like Seamfix wants to verify an employee, Ebuka. They’d request his NIN full details – who owns it and what data is attached to it. NIMC would then request consent from ‘Ebuka’ to provide this information to Seamfix.
Done automatically through a tripartite arrangement, the case for data protection and privacy should have fully been met and then the system in itself would become complete and thorough.
So from the back end to enrollment to verification, with all these systems in place, you’ve built a complete foundational database system for nationwide enrollment.
But we need to address one final hiccup.
Step four: Enforcement
We started with laws, strategy, and implementation. The final bit is enforcement – making sure the people using this system use it appropriately. Because when not used, all this is a wasted effort of resources.
Just because there’s nationwide enrollment with the tools to do it doesn’t always translate into the motivation for citizens to actually get enrolled as we pointed out in the strategy phase.
A World Bank study found that the primary reason people in developing countries apply for an ID is to buy a new SIM card or to register their existing SIM card having it deactivated by a government-imposed deadline (where mandatory SIM registration is enforced).
Most people who enrolled in Nigeria earlier did so due to the mandatory policies of NIMC for SIM registration, travel requirements, educational admission exams, etc.
But there’s a higher number of people who don’t fall into any of those brackets. How do you capture them?
The NIN should have been a mandatory requirement for national elections – making it more widespread in the process. Again this comes down to our previous point of setting the right policies from the government in stage one.
So the strategy and approach are super important – you must get it right. From the timeline to planning, to strategy to implementation, and to enforce.
Giving Power to the People
It’s also important to note that an agile system built on technology has to be reviewed and upgraded over time as ID management isn’t a closed circle.
Administrators should closely monitor the entire loop, monitoring feedback from users to address concerns as long as it doesn’t compromise data integrity and protection.
In an attractive market like Africa where you can acquire global funding and the urge to get in on what everybody is doing, it’s easy to take your eyes off the main reason for establishing a foundational database in the first place – making identity a right and not a privilege so every citizen can have access to essential services.
Teki Akuetteh, a Ghana-based lawyer, developed legislation for Ghana’s 2012 Data Protection Act and established the country’s data protection commission. Despite her achievements, she says that Ghana and its continental neighbors still lack comprehensive policies to protect individual privacy.
“The focus has unfortunately been more on the ID than the impact on the people,” she told Al Jazeera.
So as you build your foundational database from the ground up, be sure to have the right policies, authorities, and establishments in place to ensure no group or individual is marginalized and no data is under threat of theft, visibility, and manipulation.
This is how you build a robust system over time.