In 2011, the government of Lesotho passed the National Identity Cards Act 2011, which paved the way for establishing a national digital identity register and issuing national identity cards (ID cards). In 2013, the register, managed by the Department of National Identity and Civil Registry in the Ministry of Home Affairs, was established based on this law. The Act requires that all eligible persons use the national ID card issued in terms of this law to “access all services”. It is not clear if and how the mandated use of the government’s digital ID, to the exclusion of other means of identification, has affected citizens. This research explores the governance of the digital ID system established under the National Identity Cards Act 2011. It does so by applying the Centre for Internet and Society’s “Governing ID: Principles for Evaluation” framework. In general terms, the framework applies three categories of tests: a) rule of law tests, b) rights-based tests and c) risk-based tests. Findings suggest that, to a limited extent, digital ID governance in Lesotho passes some of the rule of law tests, in that it is backed by an act of parliament, even though within the Act itself there are clauses that do not pass the quality of law test; there is also a wide scope of discretion given to the minister. On the rights-based tests, Lesotho does not pass the test because the Act allows for the collection of personal data, including biometrics, and sharing of the same by several actors, while safeguards against abuse and cybersecurity threats are insufficient. On risk-based tests, the governance system in Lesotho fails a number of tests. The most concerning are risks of privacy harms, exclusion harms, mission creep and indiscriminate data sharing. The report ends with recommendations on how the government of Lesotho and other stakeholders may improve the digital ID implementation and governance in the country to minimise the identified risks while maximising the potential benefits of digital ID.
