Back to archive

eCitizen data / National Data Governance Policy / ODPC / Data Protection Act / data marketplace Kenya / digital government / personal data Kenya / anonymisation / government APIs / data privacy

Is Kenya Selling eCitizen Data? What the 2026 National Data Governance Policy Actually Proposes

The headline that Kenya plans to sell eCitizen data sounds like a government putting passports, ID numbers and private applications on a digital shelf. The actual proposal is more complicated. It is less dramatic than the headline, but important enough that every Kenyan should understand it.

The Ministry of Information, Communications and the Digital Economy published a Draft Final National Data Governance Policy in May 2026. One of its major ideas is a national data marketplace. Ministries, agencies and counties would catalogue selected datasets, and approved researchers, companies, civil-society organisations and innovators could access some of them through open access, restricted access or paid licensing.

The policy says the marketplace should focus on non-personal, aggregated or anonymised data. In theory, that means a transport dataset could show movement patterns without naming individual passengers, or agricultural records could show crop performance by region without exposing a particular farmer. Personal data remains subject to Kenya's Data Protection Act.

The public concern is still reasonable. Government systems hold some of the most sensitive information a person has: identity records, family links, tax information, land transactions, health information and service histories. Anonymisation can reduce risk, but weak anonymisation, poor access controls or combining several datasets can sometimes make people identifiable again.

Key distinctionThe proposal is not supposed to authorise the open sale of your named eCitizen account, password, passport scan or individual application file. It proposes controlled access to selected non-personal or anonymised datasets. Whether the safeguards are strong enough is the real question.
May 2026
Date of the draft final national policy
July 2026
Period officials said phased implementation was expected to begin after adoption
26,000+
Government services reported as available through eCitizen
5 rights
Core data-subject rights stated in section 26 of the Data Protection Act
Why the policy exists

Government has a lot of data, but its systems often do not work together

A Kenyan can submit the same name, ID number, phone number and address to several government offices because each institution maintains its own database. One agency may have a corrected date of birth while another still holds an old record. County and national systems may collect similar statistics in different formats. The result is duplication, poor planning and repeated demands for documents the government already has.

The draft policy proposes common standards, master data management, a national catalogue and a secure API gateway so authorised systems can exchange information. It also proposes a National Data Governance and Emerging Technologies Council, a coordinating office and data-governance structures inside ministries and counties.

From the government's perspective, better organised data could improve planning and create economic value. An insurer could use aggregated weather and crop-loss data to design agricultural cover. A logistics company could use traffic patterns to plan routes. Researchers could study public-health trends. Counties could identify where schools, clinics or water projects are most urgently needed.

USE 01
Agriculture
Regional production, weather and market data could support insurance, credit, storage and extension services.
USE 02
Transport
Aggregated movement and road-use data could improve logistics, traffic design and public transport planning.
USE 03
Health research
Properly protected statistics could help identify disease patterns and direct resources without exposing patient identities.
USE 04
Business innovation
Reliable public datasets can help startups build mapping, finance, planning and service-delivery tools.
Data as infrastructure
A road can be used by many businesses without selling the people travelling on it. Public data can work in a similar way when it is aggregated, well governed and made available under clear rules. The challenge is that data can reveal people in ways a road cannot, so privacy controls must be built into the system from the beginning.
What the marketplace means

Open data, licensed data and sensitive data should not be treated as one category

Not every dataset has the same value or risk. Some information, such as national budget totals or a list of public facilities, can be published openly. Other information may be commercially valuable and licensed under conditions. Sensitive information may need to remain restricted, heavily aggregated or unavailable.

The draft policy proposes a catalogue where agencies register datasets and describe who can access them. A licensing model could generate revenue and make users accountable for how data is used. The strongest version of that system would publish the dataset description, risk assessment, buyer or licensee, purpose, price, access period and audit results. A weak version would simply move decisions behind closed doors.

Type of information Possible treatment Main concern
Public facility locations Open and downloadable Accuracy and timely updates
Aggregated traffic patterns Open or licensed depending on detail and value Fine location detail might expose routines
Regional health statistics Restricted research access with safeguards Rare conditions can identify individuals in small areas
Named identity or tax records Protected personal data, not a normal marketplace product Fraud, discrimination and severe privacy harm

The phrase anonymised data can create false confidence. Removing names and ID numbers is not always enough. A record containing a precise location, age, occupation and rare medical condition may still point to one person. Data can also be re-identified by combining it with voter rolls, company records, social media or leaked databases.

Anonymised is not automatically harmless
The smaller the group, the more detailed the location and the more unusual the information, the easier re-identification can become. High-risk releases should use independent privacy testing, minimum group sizes, limited fields, contractual restrictions and penalties for attempts to identify people.
Your legal protection

The Data Protection Act still applies to personal information

Kenya's Data Protection Act requires personal data to be handled lawfully, fairly and transparently for clear purposes. Section 26 gives a data subject the right to be informed how personal data will be used, access data held by a controller or processor, object to processing, correct false or misleading data, and seek deletion of false or misleading data.

These rights do not mean a person can demand deletion of every government record. Some information must be retained under other laws. But they do mean that an institution should be able to explain why it holds personal data, what it does with it, whom it shares it with and how errors can be corrected.

01Ask for the privacy notice before submitting sensitive information. It should identify the purpose, the responsible organisation and possible recipients.
02Request correction when a government or private database contains a false name, number, date or account link that affects you.
03Keep screenshots, emails and transaction references when you suspect misuse. Evidence makes a complaint easier to investigate.
04File a complaint with the Office of the Data Protection Commissioner when an organisation ignores a valid privacy concern or processes data unlawfully.
05Do not share passwords or one-time codes with a caller claiming to update eCitizen, power, passport or ID information. Legitimate support should not need your secret authentication code.
Useful official reading
The Ministry's call for comments on the draft policy confirms the policy process. The ODPC guide to data-subject rights explains the protections available under Kenyan law, and the ODPC also provides an official complaint process.
The trust test

What would make a national data marketplace credible?

Trust will not come from repeating that personal data is protected. It will come from rules the public can inspect and enforcement that applies to powerful institutions as well as small businesses. Before licensing begins, the government should publish a classification framework showing which datasets are open, restricted, licensable or prohibited.

Every high-risk dataset should undergo a privacy impact assessment. Independent experts should test whether anonymised records can be re-identified. The catalogue should record who received data and why. Contracts should ban attempts to identify individuals, onward sale and use for discriminatory profiling. Breaches should lead to suspension, notification and meaningful penalties.

There is also a fairness question. Government data was collected through public services and funded by taxpayers. If a private company earns money from it, the public should receive more than a licensing fee buried in general revenue. The benefit might be better services, lower costs, published research, local jobs or a requirement that useful results return to the public domain.

The right question is not simply whether government data can create value. It is who receives that value, who carries the privacy risk and who can demand answers when something goes wrong.
Is the government selling my personal eCitizen profile?
The draft policy describes a marketplace for selected non-personal or anonymised datasets. It does not openly authorise sale of named personal profiles. Personal data remains protected by the Data Protection Act.
Can anonymised data still expose me?
Yes, in some cases. Detailed records can be re-identified when combined with other information. Strong testing and access restrictions are necessary.
Is the policy already a law?
It was described as a draft final policy under consultation. A policy can guide government action, but legislation and regulations may still be needed for particular obligations and penalties.
Where can I complain about misuse of my personal information?
The Office of the Data Protection Commissioner accepts complaints from data subjects and publishes the process on its official website.
The bottom line

The policy could improve services, but secrecy would make it dangerous

Kenya needs better data governance. Citizens should not repeatedly submit the same documents because government databases cannot communicate. Researchers and businesses can create useful products from reliable public information. Counties need accurate evidence to plan services. Those are legitimate reasons for the policy.

The proposed marketplace becomes dangerous when commercial value is prioritised over privacy, or when the public cannot see what was shared. The safest path is to begin with low-risk datasets, publish licences and impact assessments, involve the ODPC, and prove that anonymisation works before releasing more detailed information.

So, is Kenya selling eCitizen data? The accurate answer is that the government has proposed a system for licensing selected anonymised and non-personal public datasets. That is not the same as selling your account. It is also not a reason to stop asking hard questions. A trusted digital state must show citizens what it collects, what it shares, who benefits and how a person can challenge misuse.

Published July 3, 2026. The National Data Governance Policy discussed here was presented as a draft final policy and had gone through public consultation. It should not be described as a fully implemented law unless formal adoption and commencement are confirmed. This article provides general information, not legal advice.