The Elections (Technology) Regulations

Legal Notice 68 of 2017

This is the latest version of this Legal Notice.

LAWS OF KENYA

ELECTIONS ACT

THE ELECTIONS (TECHNOLOGY) REGULATIONS

LEGAL NOTICE 68 OF 2017

  • Published in Kenya Gazette Vol. CXIX—No. 56 on 5 May 2017
  • Commenced on 5 May 2017
  1. [Revised by 24th Annual Supplement (Legal Notice 221 of 2023) on 31 December 2022]

Part I – PRELIMINARY

1. Citation.

These Regulations may be cited as the Elections (Technology) Regulations.

2. Interpretation.

In these Regulations, unless the context otherwise requires—
"biometric" means unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures;
"Commission" means the Independent Electoral and Boundaries Commission established by Article 88 of the Constitution;
"Committee" means the Elections and Technology Advisory Committee as established in regulation 31;
"control" means standard operating procedures, security measures, validation rules, best practices, and other procedures and policies put in place by the Commission to guide and support use of election technology;
"data" means an attribute to an entity recorded a format in which can be processed to produce information by equipment in response to instructions given for that purpose, and includes representations of facts in form of quantities, characters, symbols and images, transmitted in the form of electrical signals and stored on magnetic, optical or mechanical recording media or as defined in the Kenya Information and Communication Act (Cap. 411A);
"election technology" means a system that includes a biometric voter registration system, a biometric voter identification system, a system that enables the nomination and registration of candidates and electronic results transmission system; and
"systems audit" means an examination of all controls within information technology systems and infrastructure including networks, applications, databases and processes.

Part II – ACQUISITION, STORAGE AND DEPLOYMENT

3. Assessment.

(1)The Commission shall regularly conduct a requirements analysis to determine the specific requirements to upgrade or supplement existing election technology, or to acquire new election technology with the purpose of enhancing the integrity, efficiency and transparency of the election process.
(2)Based on the requirements analysis conducted under subregulation (1), the Commission shall prepare a solution design and feasibility report for any required upgrades or acquisitions.

4. Procurement.

(1)Based on the requirements analysis conducted under regulation 3(1) and the solution design and feasibility report conducted under regulation 3(2), the Commission shall develop specifications for the procurement of new or updated election technology, in accordance with the Public Procurement and Asset Disposal Act (Cap. 412C) and its regulations.
(2)The specifications developed under subregulation (1) shall ensure that the election technology is accessible to and inclusive of all citizens, including persons with disabilities and persons with special needs, to participate in the election process.

5. Deployment.

(1)Following the completion of the procurement process, the Commission shall initiate the deployment and implementation of the election technology according to the specifications and an approved deployment plan to be developed by the Commission.
(2)The deployment plan under subregulation (1) may include installation and configuration of the election technology, description of activities, timelines and responsible persons.

6. Maintenance.

The Commission shall carry out regular inspections and servicing of the election technology, as well as establish a support and maintenance contract with a service level agreement to ensure the serviceability, reliability and availability of the election technology.

7. Disposal of Assets.

The Commission shall comply with the Public Procurement and Asset Disposal Act (Cap. 412C) and its regulations during the disposal of election technology assets.

Part III – TESTING AND CERTIFICATION

8. Testing.

The Commission shall carry out timely end-to-end testing of election technology before deployment for the election process.

9. Transparency.

(1)The Commission shall issue a public notice specifying the date, time and place of the testing and invite stakeholders to attend.
(2)The Commission shall publish the information required under subregulation (1)-
(a)on its official website;
(b)through electronic and print media of national circulation;
(c)by posting the notice outside of the Commission's offices; and
(d)assign any other easily accessible mechanism.

10. Certification.

(1)After the conduct of the necessary testing, the Commission shall prepare a report to certify that the election technology meets the user requirements and specifications developed under regulation 4, and that it is accessible.
(2)The Commission shall request assurance by a professional reputable firm to certify that the election technology meets user requirements and specifications developed under regulation 4.

Part IV – CONDUCT OF AN AUDIT

11. Audit of technology.

The Commission shall conduct annual audits of the election technology, or as may be required, to—
(a)guarantee data integrity;
(b)ensure that the technology functions effectively as specified; and
(c)ensure that the internal controls of the technology are effective.

12. Firm to conduct audit.

(1)The Commission shall engage a professional reputable firm to conduct a systems audit of the election technology annually.
(2)The Commission shall conduct the systems audit to evaluate the confidentiality, integrity and availability of the election technology by assessing—
(a)the security access to the system;
(b)the vulnerability of the system configurations;
(c)the accuracy and the completeness of the data; and
(d)any other mechanisms that may be determined by the Commission.
(3)Where the Commission engages a professional reputable firm under subregulation (1), the firm shall present its audit findings to the Commission, which findings shall be incorporated into a report as set out in regulation 13.

13. Audit report.

The Commission shall prepare an audit report which shall include—
(a)a statement on the principles set out in regulation 12(2); and
(b)recommendations to reduce or eliminate any risks that could affect the functioning of the election technology.

Part V – INFORMATION SECURITY AND DATA STORAGE

14. Information security.

(1)The Commission shall put in place mechanisms to ensure data availability, accuracy, integrity, and confidentiality as set out in the First Schedule.
(2)For the purpose of subregulation (1), the Commission shall adopt tools to detect, prevent and protect against attacks and compromise of the election technology.

15. Data storage and access to information.

(1)The Commission shall store and classify data in accordance with the principles set out in the Access to Information Act (Cap. 7M).
(2)An application to access information shall be in writing in English or Kiswahili and shall be made in the Form set out in the Second Schedule providing details and sufficient particulars for the public officer or any other official to understand what information is being requested.
(3)Where an applicant is unable to make a written request for access to information in accordance with subregulation (2), because of illiteracy or disability, the information officer shall take the necessary steps to ensure that the applicant makes a request in the manner that meets their needs.
(4)The information officer shall reduce to writing, the request made under subregulation (3) in the Form set out in the Second Schedule and the information officer shall then furnish the applicant with a copy of the written request.

16. Request for information.

A person may request for information from the Commission, in accordance with section 27 of the Independent Electoral and Boundaries Commission Act (Cap. 7C).

Part VI – DATA RETENTION AND DISPOSAL

17. Data retention and archive.

All electronic data relating to an election shall be retained in Data retention and safe custody by the Commission for a period of three years after the results of the elections have been declared, and shall, unless the Commission or the court otherwise directs, be archived in accordance with procedures prescribed by the Commission subject to the Public Archives and Documentation Service Act (Cap. 19) and the Kenya Information and Communications Act (Cap. 411).

Part VII – ACCESS TO SOFTWARE SOURCE CODES

18. Accessibility and security.

(1)The access to the source codes shall, for proprietary software, be in accordance with the Industrial Property Act (Cap. 509) and section 44(3) of the Act.
(2)The Commission shall ensure access to open source codes in accordance with procedures prescribed by the Commission under regulation 15.

Part VIII – TELECOMMUNICATION NETWORK

19. Disclosure of existing agreements.

(1)The Commission shall publish on its official website of the telecommunication network service providers to be used during an election.
(2)A telecommunication network service provider or a member of a consortium of telecommunication network service providers who intends to provide services to the Commission pursuant to subregulation (1) shall disclose to the Commission any existing agreements with political parties, agents, or candidates before engagement for telecommunication services in an election.

20. Delivery of services.

A telecommunication network service provider shall be under obligation to provide and deliver services as may be requested by the Commission.

21. Telecommunication network service availability.

(1)The Commission shall identify and communicate in a timely manner to all stakeholders the network service available at different polling stations.
(2)In areas where there is no telecommunication network, the Commission shall inform the stakeholders and publish this information in a timely manner.
(3)In order to enhance network availability during the election period, the Commission may engage the services of a consortium of telecommunication network service providers.
(4)Where the Commission engages a consortium of telecommunication network service providers in the manner specified in subregulation (3), the Commission shall require the consortium to use internal roaming services.

22. Appropriate infrastructure.

The Commission in collaboration with a telecommunication network service provider or providers shall put in place the appropriate telecommunication network infrastructure to facilitate the use of election technology for voter validation and results transmission and shall publish the network coverage at least forty-five days before the date of a general election.

23. Obligations for service providers.

The telecommunication network service providers shall ensure the security, traceability and availability of the network during the election period or during any other period as may be required by the Commission.

Part IX – DATA RECOVERY AND OPERATIONS CONTINUITY PLAN

24. Operations continuity plan and testing.

(1)The Commission shall establish an operations continuity plan, deleting both operational and technical processes, procedures and tools.
(2)The operations continuity plan established under subregulation (1) shall provide mitigation and contingency measures, including preparedness, prevention, response and recovery measures for potential failures of technology.
(3)The Commission shall test the operations continuity plan in a timely manner to ensure that all operational procedures are working as intended.

25. Data recovery.

The Commission shall—
(a)maintain an external data recovery site for all electoral information systems;
(b)establish such data recovery processes as may be necessary to ensure quick and efficient systems and data recovery in the event of election technology malfunctions;
(c)maintain such physical documentation records to enable reconstruction of the information in the event of data loss during transmission;
(d)ensure that such other failover technologies or procedures are in place to ensure operations continuity; and
(e)communicate failover technologies or procedures to stakeholders.

26. Suspension, termination and public notice.

(1)The Commission shall suspend or terminate the use of election technology if the reliability of a system cannot be assured according to the requirements of the Act and these Regulations.
(2)Before suspending or terminating the use of election technology under subregulation (1)—
(a)the clerk at the polling station shall inform the presiding officer of the failure of the technology;
(b)the presiding officer at the polling station shall retry the system to confirm the failure of the technology;
(c)the presiding officer at the polling station shall document the incident on an incident report in the polling station diary which shall be signed by all the agents;
(d)the presiding officer shall notify the returning officer of the failure and submit a copy of the incident report;
(e)the returning officer shall inform the director in charge of information communication and technology of the incident and the director shall investigate the incident and advise on the suspension or termination of the use of the election technology;
(f)the returning officer shall approve the request for suspension of the use of technology based on the advice under paragraph (e) and invoke the complementary mechanism.
(3)Where the Commission suspends or terminates the use of the election technology, the Commission shall immediately notify the public and stakeholders of the suspension and of the measures put in place to restart the, or of any failover technologies or procedures to be used according to the operations continuity plan.
(4)Where the Commission has made a decision to suspend the voting where there is failure of the election technology the Commission shall extend the hours of polling at the Polling Station where polling has been interrupted by the amount of time which has been lost.
(5)The Commission shall publish a notice, through electronic or print media of national circulation, or any other easily accessible medium, to notify the public of the suspension or termination or of failover technologies or procedures to be used according to the operations continuity plan.
(6)The Commission shall inform the returning officer of the decision accordingly.

27. Notice by individuals.

(1)Any person or telecommunication network service provider who is or becomes aware of any election technology vulnerability, failure or challenge shall immediately notify the Commission in writing or any other means available.
(2)Where a person or telecommunication network service provider is not able to make a notification in writing, the Commission shall prepare a written record of the notification.

28. System support and maintenance agreement.

The Commission shall ensure that adequate and continuous service level support agreements with a telecommunication network service provider or providers are established for the effective and sustainable use of election technology.

Part X – CAPACITY BUILDING AND TRAINING

29. Capacity Building.

The Commission shall implement a continuous and comprehensive training program on election technology for its staff.

30. Training curriculum and trainers.

(1)The training on election technology shall utilize a comprehensive training curriculum approved by the Commission.
(2)The Commission shall ensure that the curriculum specified in subregulation (1) includes both practical training as well as theoretical aspects for a period prescribed by the Commission.
(3)The technical training under subregulation (2) shall be conducted by—
(a)qualified personnel on the subject matter; and
(b)service providers and vendors of such election technology.

Part XI – THE ELECTIONS TECHNOLOGY ADVISORY COMMITTEE

31. Establishment of Committee.

The Committee established under section 44(8) of the Elections Act (Cap. 7) shall be known as the Elections Technology Advisory Committee.

32. Mandate and functions of the committee.

(1)The Committee shall advise the Commission on adoption and implementation of election technology which may include—
(a)the development of policies for the progressive use of election technology in the electoral process;
(b)the participation of stakeholders in the implementation and deployment of election technology; and
(c)the development of an operations continuity plan, as set out in regulation 24.
(2)The Committee shall—
(a)regularly engage with stakeholders in order to sensitize them on the progress of adoption and use of election technology in the electoral process; and
(b)receive regular updates on the status of election technology.

33. Composition of the Committee.

The Committee shall be composed of—
(a)at least three members of the Commission and designated staff of the commission;
(b)the Registrar of Political Parties;
(c)a representative of the—
(i)Majority Party in Parliament;
(ii)Minority Party in Parliament;
(iii)Political Parties Liaison Committee; and
(iv)Information Communication Technology professional bodies.

34. Engagement of experts or consultants.

The Commission may engage the services of experts or consultants in respect of any of the functions of the Committee.

35. Chairperson and secretariat.

The Commission shall chair the Committee's meetings and provide secretariat services.

36. Meetings.

(1)The Committee shall hold meetings in such place, time and manner as the Commission may consider necessary for the discharge of its functions under these Regulations.
(2)The Committee shall meet not more than four times in a year.
(3)Decisions and recommendations from the meetings of the committee shall be recorded and made public on the Commission's website.

37. Code of Conduct.

The members of the Committee shall subscribe to the code of conduct for staff set out in the Independent Electoral and Boundaries Commission Act (Cap. 7C), with any necessary modifications.

Part XII – MISCELLANEOUS PROVISIONS

38. Duty to cooperate.

Every public officer, public or private entity or political party has a duty—
(a)to co-operate with the Commission in its activities relating to election technology; and
(b)not to hinder the Commission from carrying out its functions.

39. Non-disclosure agreement.

A member of the Committee established under regulation 31 shall safeguard information relating to the election technology that comes into their possession and protect it from improper or inadvertent disclosure.

40. Voter education.

Pursuant to section 4(g) of the Independent Electoral and Boundaries Commission Act (Cap. 7C), the Commission shall carry out voter education related to election technology.

FIRST SCHEDULE [r. 14(1)]

INFORMATION SECURITY AND DATA STORAGE

1. The Commission shall put in place the mechanisms outlined below to ensure data availability, accuracy, integrity, and confidentiality.
2. These mechanisms may be reviewed from time to time as the Commission may determine.

| SN | Domain | Guiding Principles |
| --- | --- | --- |
| 1. | Network | The commission shall protect its data from external risks using intrusion detection and prevention mechanisms, which shall include but not limited to firewalls, this allows only authorized access to the Commission's network. The network and security experts in the Commission shall monitor network activities and report any exceptions to the Commission. |
| 2. | Data Centre Facility | Access to the data Centre facility shall be restricted to only authorized personnel. Access shall be controlled through use of modern access control system and access control register. |
| 3. | Database Management Systems | The Electoral systems and Databases shall be protected from internal and external attacks by implementing security controls as outlined in the policies and procedures manuals of the Commission. Scheduled backups shall be undertaken to ensure prompt recovery in the event of disaster. |
| 4. | Websites and online Systems | The commission's internet facing systems shall be protected against external interference by ensuring that the communication between web servers and web browsers is secured using standard security technologies including but not limited to digital certificates. The information exchange shall be concealed from unauthorized users. |
| 5. | ICT Governance | The Commission shall enforce relevant ICT Policies, standards and procedures in the management of information security. Policies, standards and procedures shall be reviewed annually to comply with international best practices and industry trends. |

SECOND SCHEDULE [r. 15]

INFORMATION REQUEST FORM

REQUESTOR DETAILS
First name:
Last name:
Personal ID No:
Nationality:
Telephone No:
Organization:
Email Address:
Signature:

INFORMATION REQUESTED
Information Category:
Purpose:

APPROVAL FROM IEBC
APPROVED BY
Name:
Designation:
Date:
Signature: