Questions have arisen over the government’s move to splash billions on digitising service delivery while leaving the control of critical public portals to private firms.
Questions have arisen over the government’s move to splash billions on digitising service delivery while leaving the control of critical public portals to private firms.
This move has prompted Auditor-General Nancy Gathungu and several governance experts to raise the alarm. The e-Citizen, Electronic Government Payment System (e-GPS), the National Transport and Safety Authority (NTSA) system, and the Social Health Authority (SHA) health information system are some of those whose control has been left to private contractors. Independent Electoral and Boundaries Commission (IEBC) servers are also not sited in Kenya.
Auditor General Nancy Gathungu.
Former Attorney-General and Public Service Cabinet Secretary Justin Muturi noted that having critical government digital systems in private hands is a serious breach of the Data Protection Act.
“It is a scheme informed by private financial interests of those in power. In a word, corruption,” said Mr Muturi, also the former National Assembly Speaker.
The government has on-boarded over 20,000 services to the e-Citizen platform from more than 100 ministries, departments and agencies (MDAs). Data Protection Commissioner Immaculate Kassait noted that while the Data Protection Act does not prohibit outsourcing, data protection safeguards must be complied with. “The conditionality is on a certain category of data, a copy of which must be kept in the country. This is called data localisation,” says Ms Kassait. “On breaches, the law requires institutions to put in place mechanisms that protect data and to report a breach within 72 hours.”
Kitutu Chache South MP Anthony Kibagendi said he will petition the House, once it resumes, to direct Ms Gathungu to undertake a special audit of the NTSA system.
National Treasury Cabinet Secretary John Mbadi revealed that the e-GPS, procured in April 2022 at about Sh375 million, is not government-owned yet. For him, an Indian firm, i-Sourcing Technologies, is the main developer of the system in partnership with Sybyl, a Kenyan firm. “The system belongs to the government but has not been fully handed over because it is still being developed.”
The CS noted that the government had a contract of three years from 2022 to 2025, “but because of the delays in implementing it from 2022, we sought an extension for another three years”.
“At the end of the three years, the system is supposed to be handed over fully, with access codes surrendered to the government, during which time we will have enough capacity to run the system independently,” he said.
In 2024, giant telco Safaricom announced that it had been hired, alongside the UAE’s Apeiro Ltd and Kenya’s Konvergenz Network Solutions to develop a system integrating Kenya’s public health ecosystem. The Integrated Healthcare Information Technology System (Ihits) project is at the core of President William Ruto’s ambitious Universal Health Coverage (UHC) plan, and will cost taxpayers Sh104.8 billion over 12 years. The sum is for implementation, maintenance and support of the IHTS system for 10 years but has a two-year implementation window.
President William Ruto during the unveiling of e-Citizen Services, GavaMkononi App and Gava Express on June 30, 2023 at KICC in Nairobi.
Apeiro Ltd is owned by Sirius International Holding. Sirius International is owned by International Holding Company – listed on the Abu Dhabi Securities Exchange through which several influential individuals, including members of the UAE royal family, have invested in the firm.
Tahnoon bin Zayed Al Nahyan, a UAE royal family member, owns 61.1 per cent of International Holding Company (IHC) through his Pal Group. He chairs IHC. Konvergenz Network Solutions Ltd was incorporated on April 2, 2014, with Asha Abdi Sheikh, Pitfield Auto Ltd, Commtech Consortium Ltd and Galva Investments.
Konvergenz Network Solutions CEO Abdullahi Sheikh during a meeting announcing a cyber security program.
Apeiro is the majority shareholder in the consortium with a 59.55 per cent shareholding based on disclosed work plans, while Safaricom and Konvergenz have 22.56 per cent and 17.89 per cent stakes respectively. Apeiro, registered in the United Arab Emirates (UAE), has established Apeiro Kenya Technologies Ltd to undertake the assignment. Health CS Aden Duale said all government health systems, including SHA, are under the custody of the Digital Health Agency, a government agency within his ministry “in line with the Digital Health Act”.
“Data protection is central to our digitisation agenda. The Ministry of Health and the Digital Health Agency are fully compliant with the Data Protection Act and the Digital Health Act on matters of data privacy and protection.”
He said his ministry has undertaken a comprehensive Data Protection Impact Assessment in line with the Data Protection Act, “which has been reviewed and cleared by the Office of the Data Protection Commissioner in accordance with the law”.
“All health data is stored on a secure Sovereign Health Cloud hosted within the country. We implement a Zero Trust strategy for data storage, transmission, and use, and all data at every level is fully encrypted,” Mr Duale said.
Social Health Authority (SHA) signage at Mutuini Hospital in Dagoretti South Sub-County, Nairobi, on August 27, 2025.
“All health data, including SHA, is, therefore, secure and fully compliant with the Data Protection Act and the Digital Health Act.”
Ihits entails the use of ICT to deploy a hospital information system and supporting the ICT infrastructure to benefit public hospitals nationwide, towards accelerating the achievement of the Kenya Kwanza’s e-Health Strategy, a national Healthcare IT blueprint. In 2017, the government awarded a contract to local company Seven Seas Technologies to roll out a similar system at Sh4.9 billion. That was later cancelled by the Health ministry after a dispute arose in the contract document. Seme MP James Nyikal – before he became Health Committee chair – had raised gaps in the due diligence process of Ihits.
“It was unclear to us how the entity awarded the contract became the sole recipient of the request for proposal. Why were other companies not considered?” he asked.
A recent special audit before Parliament has poked loopholes in the ownership of e-Citizen. The audit, covering the financial years 2021/22, 2022/23 and 2023/24, other than raising questions on the ownership of the government e-payment system, exposes irregularities and weaknesses that include irregular payments of e-citizen platform support and maintenance contracts.
The State’s e-Citizen payment platform.
It notes that the development was financed by the World Bank through its International Finance Corporation (IFC) intermediary, which contracted Webmasters Kenya Limited to provide software development and maintenance support services. In 2017, the IFC handed over instruments, including contracts, source code, business case and handover notes, to the Treasury. This saw the government take possession and ownership of the platform in August 2017. However, the audit established that on January 13, 2023, the Ministry of Information Communications and Digital Economy and Webmasters Kenya Limited entered into a handover agreement where Webmasters, being the vendor of e-citizen, agreed to unconditionally handover the platform to the government.
e-Citizen and Webmaster Chief Executive Officer James Ayugi during an interview on February 28, 2025 in Kilimani, Nairobi.
“It was not explained how the ownership and control of the e-citizen platform ended up back in the hands of the vendor after having already been handed over to the National Treasury by OIFC in 2017,” the audit reads.
It accused the Treasury of failing to provide “some key documents and information required for the audit,” which members of the Public Accounts Committee (PAC) believe could be in the hands of the private entities controlling the e-Citizen platform. “This limitation primarily impacted the assessment of the adequacy and effectiveness of IT controls designed to protect information assets.”
It was also established that despite the transfer of ownership by Webmasters Kenya in January 2023, the government did not obtain full control of the systems, “resulting in continued over-reliance on the vendor”.
“What has been revealed by the auditor-general is a disaster,” said Aldai MP Marianne Kitany, a member of PAC, with her Rarieda counterpart, Dr Otiende Amolo, remarking, “This is total fraud.”
Digitising revenue collection was an initiative of the government, with the special audit meant to assess measures put in place in the government digital payments platform to enhance revenue collection by the MDAs and counties.
The audit involved review of processes at GDP unit, directorate of e-citizen services, ICT Authority and MDAs, analysis of data maintained by e-citizen platform and review of the impact of onboarding on revenue collection and service delivery by MDAs.
Members of the Administration and Internal Security Committee of the National Assembly have also identified loopholes in the e-citizen ecosystem’s consultancy agreement that the government entered into, saying it will cost taxpayers colossal sums. They noted that the e-Citizen contract the government signed “is centric to the interests of the suppliers” – the consortium of developers – “as opposed to those of the country,” raising questions about how it was negotiated and signed. The e-payment system handles hundreds of millions of shillings daily – being payments for services offered by the government.
Of concern is that the e-Citizen deal was signed by Stanley Kamanguya, the CEO of the ICT Authority, on behalf of the government and witnessed by Thomas Odhiambo, acting director at ICT Authority and Isaac Ochieng, the Director-General of E-Citizen. Missing on the contract presented to Parliament is the signature of the Attorney-General, the government’s chief legal adviser.
“You cannot have an agreement [over a platform] through which trillions of shillings are going without the signatures of the Attorney-General, the Cabinet Secretaries of the National Treasury and the Interior ministry. It is scary,” said a committee member, who did not want to go on record.
Also missing are the signatures of the CSs in charge of the National Treasury and Interior ministry, notwithstanding the contracts financial and security implications to the country. The contract shows that the e-citizen ecosystem is supported by a consortium of developers registered as ECS (Electronic Services Solutions) LLP, including Webmasters Kenya, Pesaflow and Olive Tree. Previously, Kisumu West MP Rozzah Buyu, a member of the Administration and Internal Security Committee, accused Immigration and Citizen Services PS Belio Kipsang of failing to provide the correct information on the ownership of e-Citizen. “We oversee you on behalf of the people. Kenyans want to know where the money they pay goes,” she said.
While the e-Citizen contract is supposed to last for three years (2023–26), it does not state the exact effective and due dates, with the MPs pointing to the loophole they fear “could be explored at the government’s expense”.
The IEBC still has its servers hosted abroad. The Computer Misuse and Cybercrimes Regulations, which provide for localisation of Kenya’s critical information, has yet to be approved by Parliament.
The agreement provides for termination of the contract by either of the two parties involved – the government and the consortium of developers- in any eventuality.
Losing data
However, the committee fears that the government runs the risk of losing data on the platform should the consortium of developers- the suppliers- end it without any reference to the government.
“In the event of termination, howsoever occurring, the suppliers shall be entitled to rescind, withdraw or otherwise uninstall all their proprietary infrastructure and resources including all technical infrastructure and resources including all technical infrastructure whether software or otherwise defined in the Service Level Agreement,” the contract reads.
The IEBC, which is in charge of elections and referenda in the country and therefore undertakes critical exercises that include registration of voters and voting, still has its servers hoisted outside the country.
This is because the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, which provide for the localization of the country’s critical information, is yet to be approved by parliament.
During the hearing of the 2017 presidential election petition at the Supreme Court for instance, IEBC declined to open its servers despite the court orders.
At some point, Senior Counsel Paul Muite, appearing for IEBC lawyer in the petition, confirmed to the Supreme Court that the IEBC servers in the 2017 election were hosted in France and it would require some time to have them opened.
“My lords, the servers are in Europe. We are not refusing to give access. Europe is a couple of hours behind and we have to wait for them to start working,” Mr Muite then told the court.
“They have to set up the access window with safeguards,” he added.
Tharaka MP Mr Gitonga Murugara, who chairs the Justice and Legal Affairs Committee (JLAC) of the National Assembly, which oversees IEBC, promised to respond “once properly informed.”
“I need to be well-informed about these before I respond. Allow me time please,” Mr Murugara said.
