By the Working Group on Regulations, Policy and Cyber Diplomacy (WGRP_CD)
The IEBC is granted the authority under Section 44(5) and Section 109 of the Elections Act 2011 to come up with regulations governing among others the use of technology in the electoral process. The regulations are broad and cover the election process from the acquisition of election technologies to the testing and deployment of said technologies.
This is the pre-acquisition, acquisition and deployment phase of the technology process. The commission:
- Conducts “…a requirements analysis…” whose purpose is to identify upgrades, supplements or entirely new technologies for the purpose of election management.
- On conducting the requirements analysis, solution design and feasibility report is then prepared.
- Specifications for procurement are then prepared with reference to the solution design feasibility report and requirements analysis.Procurement then follows and is guided by the Public Procurement and Disposal Act of 2015.
- A Deployment plan is then developed and the procured technology is then deployed as per the plan. The deployment is to be accompanied by regular inspections and technical support of the technology through Service Level Agreements and other contractual agreements.
The commission is obliged to carry out regular testing of their elections management technology. A defined period is not stated & this activity is tied to the period before deployment for election purposes.
The testing should be public and a public notice should be issued via the commission’s public forums for easy access indicating the time and place of the activity. A report is then generated and made publicly available. Other requirements set out in Regulation 4;the technology must meet the solution design and feasibility report parameters and specifications.Moreover, the technology must be accessible and inclusive of all Kenyans. This should be certified by an external reputable firm.
The commission shall conduct annual audits of the elections technology by engaging a reputable firm for the exercise.Among the areas to be considered in the audit include data integrity, functioning of the technology as required, data confidentiality and integrity and availability of the election technology system, system vulnerabilities among others.
The report generated by the contracted firm must form part of the Audit report which will additionally include recommendations to address any shortcomings identified in the audit.
ACCESS TO INFORMATION:
- The commission allows for request for information from the commission. A prescribed form is attached in the Second Schedule of the Elections(Technology) Regulations. The commission is obliged to store and classify data as set out in the Access to Information Act, 2016.
- The commission shall hold electronic data for up to 3 years after an election and announcement of results unless directed otherwise by via a court order. Otherwise, the data shall be archived subject to the Public Archives and Documentation Service Act and the Kenya Information and Communications Act ,1998 .
- The commission shall restrict access to proprietary source codes subject to the Industrial Property Act, 2001. However, open source codes can be requested via the Request for Information form set out in the Second Schedule.
- Telecommunications providers to be engaged by the commission are to be disclosed on its official website. The providers in return are to provide any agreements between themselves and political parties or candidates before any engagement with the commission. The commission shall publish at least 45 days before the general election network coverage in the country
DATA RECOVERY AND OPERATIONS CONTINUITY:
The commission shall develop operation continuity plans that detail operational and technical processes and tools. The plan shall provide operational continuity and mitigation measures, response and recovery measures among others. The plan is to be tested in a timely manner to ensure they work as expected.
The commission is to also have:
- An External data recovery site.
- Data Recovery processes.
- Physical documentation records to enable reconstruction in the event of data loss.
- Ensure that mitigation technologies are available to ensure operational continuity.
- Communicate the mitigation processes, procedures and technologies to relevant stakeholders.
The commission shall also have the option to suspend or terminate the use of election technology if it cannot guarantee the reliability of the election system. Regulation 26 sub-regulations (2) , (3), (4) , (5) and (6) details the process by which the suspension or termination should be undertaken.They address concerns when an issue is raised both at the polling clerk level and at the senior commission level.
Regulation 27 provides for reporting by individuals and telecommunication providers on vulnerabilities, failure or challenges with regards to the election technology.
Regulations 29 and 30 oblige the commission to continuously build the capacity of its staff via trainings by qualified personnel or service providers/product vendors.
Regulations 31, 32, 33 provide for the establishment of the Elections Technology Advisory Committee who advise “..on the adoption and implementation of election technology…” among other responsibilities, its composition, meetings among others.