
Kenya’s national e-Citizen platform, the government’s official payment gateway for public services, has been flagged for glaring data security weaknesses and financial irregularities.
This raises concerns over the protection of millions of citizens’ personal information and the integrity of public funds.
A special audit conducted by Auditor-General Nancy Gathungu reveals that the Government Digital Payments Unit (GDPU), which manages the e-Citizen platform, is not registered as a data controller or processor with the Office of the Data Protection Commissioner despite handling extensive personal data, including passport details, ID applications, and marriage certificates.
The audit also found that the GDPU lacks a clear data protection framework, contravening Kenya’s Data Protection Act of 2019. It noted that there was no written agreement between the government and third-party data processors working on the platform, a gap that significantly increases the risk of data misuse or breach.
The Auditor-General further raised a red flag over financial discrepancies, including a missing Sh144 million in collections processed through the platform. The report also cited over Sh1.9 billion in incomplete, duplicated, or improperly reconciled payments, pointing to a lack of oversight and weak internal controls.
The e-Citizen platform, which was launched in 2014 to centralize and streamline government payments, has grown in prominence after a directive by President William Ruto in August 2023 that all government service payments must be made exclusively through the system.
However, the audit has revealed that the platform is largely controlled by private vendors and that the government’s limited oversight is hindering the onboarding of more services and posing a potential threat to public revenue.
In July 2023, the system suffered a Distributed Denial of Service (DDoS) attack that disrupted access to several government portals, exposing its vulnerability to cyber threats. With the government now rolling out additional services through e-Citizen, the audit warns that the platform’s weak technical and legal safeguards could expose citizens to serious privacy breaches and misuse of sensitive information.
The Auditor-General’s report comes at a time when the country is pushing for a fully digitized public service delivery model. But the findings suggest that the rapid expansion of e-Citizen has outpaced the implementation of essential data protection and financial governance mechanisms. It recommends urgent reforms, including full registration of data handlers, enforcement of encrypted architecture, and stronger oversight of revenue flows.
The revelations have triggered concern from civil rights advocates and digital policy experts, who argue that while digitization promises efficiency, it must not come at the cost of citizens’ right to privacy and data security. As the platform becomes increasingly embedded in public life, the audit underscores the need for government agencies to lead by example in complying with the very laws they have enacted.