On Monday, 8th September 2025, Tech and Media Convergency (TMC) in collaboration with Unwanted Witness, Kigali Attorneys, The University of Dar es Salaam (UDSM) and the Personal Data Protection Commission (PDPC), hosted the Pre-Roundtable Convening of the Unwanted Witness Data Privacy Moot Court Competition 2025. The convening, designed as a breakfast meeting, was held at the University of Dar es Salaam School of Law Board Room and gathered diverse stakeholders, including advocates, ICT specialists, researchers, civil society actors, privacy practitioners, students and media practitioners. Centered on the theme “Safeguarding Personal Data in National Digital ID Systems,” the dialogue unpacked the adequacy of the legal framework, the risks of insufficient safeguards, and opportunities for strengthening data protection mechanisms in Tanzania, Kenya, Uganda and Rwanda’s growing digital identity ecosystem.
The roundtable discussion was formally officiated by Dr. Laurian Mussa, Dean of the University of Dar es Salaam School of Law. In his opening remarks, Dr. Mussa underscored the timeliness and critical importance of the dialogue, noting that digitalization has become an integral part of today’s world, carrying both immense opportunities and significant risks. He pointed to the rapid rise of artificial intelligence, automation, and the broader digital transformation as examples of the profound changes reshaping societies, economies, and governance. Dr. Mussa encouraged participants to engage actively, wishing them a fruitful deliberation as they explored this complex yet rapidly evolving technological landscape.
Ahead of the dialogue session, Freda Nalumansi delivered a presentation on a paper to which TMC had contributed. The paper consolidated research findings from the four participating EAC countries: Tanzania, Kenya, Uganda, and Rwanda highlighting common trends, challenges, and opportunities in the regional digital landscape. Her presentation not only enabled the audience to access comparative insights across the countries but also served as a springboard for knowledge exchange and deeper discussion during the dialogue.
After the presentation, Freda Nalumansi – Lead Researcher at Unwanted Witness, moderated the panel. The session featured contributions from;
- Advocate Fatma Songoro, ICT & Cyber Security Lawyer, Victory Attorneys
- Evans Rubara, Lead & Founder, Africa Transcribe
- Asha D. Abinallah, CEO & Founder, Tech & Media Convergency (TMC)
Session Overview
The discussion explored the challenges of protecting personal data within Tanzania’s and upcoming digital identity frameworks, specifically the National Identification Authority (NIDA) system and the anticipated rollout of Jamii Namba. Panelists questioned whether existing laws are sufficient to safeguard citizens’ personal data, highlighted gaps in implementation and enforcement, and proposed solutions to address issues of transparency, participation, and innovation in legal frameworks.
Speaker Insights
Advocate Fatma Songoro
Fatma addressed the legal architecture currently surrounding digital ID systems. She noted that Tanzania does not have a specific law directly addressing privacy concerns for national IDs. For NIDA, the system is governed under the Registration and Identity of Persons Act, which underwent amendments in 2023. These amendments introduced safeguards such as requiring data-sharing agreements between NIDA and third parties, outlining what these agreements should contain, and prescribing fees for accessing the data. While these amendments mark progress, she explained, they remain limited.
When it comes to Jamii Namba, which is envisioned as a digital identity system, Fatma emphasized that there is currently no dedicated law to regulate its rollout, data use, or citizen protections. The collection of biometric data falls under the Data Protection Act, which does provide a degree of protection by requiring prior written consent for sensitive data and obligating entities to uphold accountability and other core principles during collection. However, she stressed that challenges arise during implementation. For instance, it remains unclear whether the NIDA number will also serve as the Jamii Namba or if a new phase of data collection will be required, leading to confusion and potential duplication.
Fatma further raised concerns about the lack of clear frameworks detailing who controls the collected data, how it will be accessed, and under what circumstances. She called on the PDPC to urgently provide guidelines on conducting data impact assessments, noting that the absence of such guidelines currently makes it difficult for institutions to properly evaluate the risks and impacts of processing sensitive data.
Mr. Evans Rubara
Evans turned attention to the citizens’ side of the equation, pointing out that many Tanzanians do not even know what Jamii Namba is or what it entails. This lack of awareness is a major issue because it reflects the broader reality across many African countries, especially within East Africa, where public knowledge of data protection processes is still at an early stage. According to him, the laws and frameworks in place are insufficient and disconnected from citizen realities.
He raised fundamental questions to provoke reflection: Who is this data really for? Why do we need these laws? Whose project is this the citizens’ or the state’s? Evans warned that the process of making laws is already long and complex, yet the laws in place still fail to provide sufficient protections. Beyond legislation, he emphasized the importance of civic participation, freedom, and inclusion. Citizens need to feel a sense of belonging and assurance that policies in place are designed to protect their interests, as well as those of future generations.
When addressing the balance between national security and the right to privacy, Evans was candid about the state’s project-driven approach. Too often, he argued, the government treats digital ID rollouts as their own projects, sidelining civic participation and broader stakeholder engagement. This lack of inclusivity not only undermines trust but also risks perpetuating surveillance fears among citizens. For Evans, the solution lies in centering people involving them in the initial stages, being transparent about data use, and ensuring that citizens are well-informed without fear of surveillance.
Asha D. Abinallah
Asha highlighted recent steps taken by the Tanzanian government, noting that just two weeks prior, the government convened the first of four stakeholder engagements to discuss data privacy as part of drafting a National Data Governance Framework. While recognizing this as a positive move, she argued that collaboration remains the strongest tool to strengthen data privacy in digital ID systems. The mootcourt itself, which is being held in four countries, creates a space to exchange lessons on what has worked, what hasn’t, and what can be adopted or avoided.
On legal frameworks, Asha was clear: they must be innovative and forward-looking. Laws need to anticipate and adapt to emerging technologies such as AI, cloud computing, and other yet-to-come technologies, ensuring long-term resilience. She gave the example of the Cybercrimes Act of 2015, which became difficult to implement without supplemental regulations like the Online Content Regulations. This illustrates the risk of laws quickly becoming outdated when they fail to anticipate technological shifts.
Equally important, Asha stressed, is Media and Information Literacy. Citizens often provide data without fully understanding their right to consent, the ability to question data collection, or even where their data is being stored. For her, improving citizens’ awareness of their rights is just as critical as strengthening legal protections. She added that data impact assessments should be made a legal requirement for all bodies processing massive amounts of data, and that institutions must be compelled to implement such mechanisms regularly.
Asha also highlighted the need for independence and efficiency in how the PDPC handles complaints. Many complaints are submitted but not followed through to completion, yet this shows promise because it signals that citizens know where to report. Finally, she underscored the importance of equipping the professionals handling personal data with the best technical skills, as weak capacity in this area undermines the very protections laws seek to enforce.
Participant’s reflections:
Dr. John Kyaruzi – Founder, Smart Card System
Dr. Kyaruzi, who served as the designer, supervisor, and implementer of Tanzania’s national ID system for 15 years, emphasized that the Tanzanian system is recognized as one of the best in Africa and has even won multiple awards. He explained that the strength of the system lies not only in its design but also in the legal framework that underpins it. The National ID Visibility Study provided the foundation upon which the system was built, ensuring the integration of 14 key components, with the legal framework as one of its pillars.
What makes Tanzania’s national ID unique, according to Dr. Kyaruzi, is its protection of three distinct assets under the law, while most countries safeguard only one. These assets include:
- The server– which houses and protects the national ID database, considered a critical national asset that must remain secure at all times.
- The ID number– which is not a random string but a unique identifier tied directly to an individual’s personal data and therefore requires strict protection.
- The physical card– which carries an expiration date to allow for the updating of biometric data that may change over time due to aging or accidents. Dr. Kyaruzi stressed that this feature ensures both accuracy and security in identity management.
Alembe Joseph
Alembe raised concerns about the lack of awareness and education on data protection and digital rights. He observed that while young people are taught many foundational subjects at primary school, knowledge as critical as digital rights, privacy, and managing one’s digital footprint is absent from the curriculum. In an era where digitalization defines how citizens interact with institutions, Alembe argued that introducing such knowledge early is essential. By equipping young people with awareness of their rights and responsibilities in the digital sphere, Tanzania can better safeguard its future citizens from vulnerabilities and exploitation.
Dr. Protus – UDSM School of Law
Dr. Protus focused on the regional dimension, particularly the harmonization of digital identity laws across East Africa. He noted that efforts have already begun under the East African Community Treaty Framework, which upholds the principle of variable geometry allowing member states to integrate at different speeds based on their readiness. The community has agreed that, in time, national IDs should serve as official travel documents within the region.
Currently, only Rwanda, Uganda, and Kenya are implementing this decision, while other member states plan to adopt it later. Dr. Protus underscored that the real challenge now lies in accelerating harmonization processes and ensuring that national legal frameworks are aligned to make this integration effective. He urged that the debate focus not just on adoption but also on how laws can be structured and expedited to enable seamless use of national IDs across the region.
Key Takeaways
- No specific law for Jamii Namba: Existing laws like the Registration and Identity of Persons Actand Data Protection Act provide partial protections but leave major gaps for digital ID systems.
- Implementation challenges: Uncertainty persists around whether the NIDA number will double as Jamii Nambaor require new data collection.
- Citizens’ awareness gap: Many Tanzanians are unaware of what Jamii Nambais, undermining civic participation and trust.
- Civic participation is lacking: Government-driven projects often exclude citizens and stakeholders, creating suspicion and weakening legitimacy.
- Innovative frameworks are needed: Legal frameworks must anticipate emerging technologies to remain effective long-term.
- Media and information literacy: Citizens must understand their rights to consent, question, and know where their data is stored.
- Mandatory data impact assessments: Institutions handling sensitive data must conduct assessments as a legal requirement.
- Technical expertise: Professionals managing data must be equipped with advanced skills to safeguard sensitive information.
Conclusion
The Pre-Roundtable Convening provided a critical platform for frank conversations on the future of Tanzania’s digital ID systems. The panelists underscored that safeguarding personal data requires more than laws on paper it demands active civic participation, innovative and adaptive frameworks, informed citizens, and strong enforcement mechanisms. As Tanzania navigates the rollout of Jamii Namba and strengthens its digital governance, the dialogue from this convening serves as a call to ensure that data privacy is safeguarded as a fundamental right and not compromised in the pursuit of national digital identity systems.
