
Transactions on the State’s e-Citizen payment platform are prone to privacy violations due to weak data protection controls, a special audit has revealed, putting huge volumes of personal data at risk.
Auditor-General Nancy Gathungu said the platform has shaky IT security and governance systems that would not guarantee the safety of the huge volumes of personal information handled through it.
Additionally, she said, there is no evidence provided by the system administrators to indicate whether the platform was registered as a data controller or a data processor with the Data Commissioner. “Further, there was no written contract between the unit (e-Citizen) and the data processor. In addition, there was no data protection framework in place outlining Government Digital Payments (GDP’s) personal data handling practices,” Ms Gathungu said in a report on the special audit.

Auditor-General Nancy Gathungu appears before the National Assembly Cohesion and Equal Opportunities Committee at Continental House Nairobi on April 15, 2025.
“In the circumstances, the audit could not confirm GDP controls with respect to safeguarding personal data,” she added.
e-Citizen, which was launched in 2014, aims to streamline access to government services and official payments. It enables payment for a range of services, including national ID applications, passport and driving licence renewals, visa applications, business permits, tax returns, and marriage certificates.
Kenya’s data regulations, enacted by Parliament in March 2022 to enforce the Data Protection Act, 2019, require all data handlers in the country to register with the Office of the Data Protection Commissioner (ODPC).
Data handlers, who include data processors and data controllers, are defined as entities and persons that process personal data.
Auditor Gathungu says the audit of e-Citizen was informed by the platform's current strategic importance in the financial architecture of government, adding that her office sought to establish the credibility and reliability of the system.
President William Ruto, in August 2023, directed that all payments for government services by the citizenry be channeled through the e-Citizen platform as part of measures aimed at enhancing efficiency and sealing revenue leakages.

President William Ruto during the launch of e-Citizen services, GavaMkononi app and Gava Express at KICC in Nairobi on June 30.
The government thereafter embarked on an aggressive drive to onboard critical services onto the public portal whose ownership and control have been a subject of public controversy for years.
Ms Gathungu’s alarm over the safety of personal data on the platform comes nearly two years after the portal took a hit from hackers who attempted to jam the system in a Distributed Denial of Service (DDoS) attack.
DDoS is a form of cyberattack that involves flooding a target – a server or a web resource – with overwhelming traffic to make it inaccessible to the intended users.
kmwangi@ke.nationmedia.com