
Kenya’s e-Citizen Platform Flagged for Critical Data Protection Weaknesses

Kenya’s national e-Citizen payment platform, the mandatory gateway for all government service payments, operates with dangerous data security vulnerabilities that put millions of citizens’ personal information at risk, according to a damning special audit by Auditor-General Nancy Gathungu.

The report reveals fundamental gaps in the system’s IT security and governance framework, including no evidence that the platform is registered with the Data Commissioner as either a data controller or processor, despite handling extensive sensitive personal data from passport applications to marriage certificates.

Most concerning, the audit found no data protection framework outlining how the Government Digital Payments unit handles personal information, and no written contract exists between e-Citizen and its data processors.

These revelations come at a particularly sensitive time, as President William Ruto directed in August 2023 that all government service payments be channeled exclusively through e-Citizen to enhance efficiency and prevent revenue leakages.

The platform, which has been operational since 2014 but whose ownership and control have remained controversial, was subjected to a Distributed Denial of Service (DDoS) attack by hackers nearly two years ago, highlighting its vulnerability.

With Kenya’s Data Protection Act regulations enacted in March 2022 requiring all data handlers to register with the Office of the Data Protection Commissioner, the audit’s conclusion that it “could not confirm GDP controls with respect to safeguarding personal data” raises serious questions about compliance with national data protection laws and citizens’ right to privacy as the government rapidly onboards more critical services to this centralized yet inadequately secured platform.

The e-Citizen platform was designed to centralize convenience, but it now centralizes risk. As President Ruto pushes for full digital onboarding of government services, citizens are being funnelled into a system whose legal and technical safeguards lag far behind its ambition.

The DDoS attacks of 2023 were a warning shot; this audit confirms the door is still wide open. The solution requires an overhaul: clear governance structures, mandatory audits, encrypted architecture, and binding accountability across all processors. Because trust in digital government is built by protecting the people behind the data.

Branislav Moses Opudo
