The headline that Kenya plans to sell eCitizen data sounds like a government putting passports, ID numbers and private applications on a digital shelf. The actual proposal is more complicated. It is less dramatic than the headline, but important enough that every Kenyan should understand it.
The Ministry of Information, Communications and the Digital Economy published a Draft Final National Data Governance Policy in May 2026. One of its major ideas is a national data marketplace. Ministries, agencies and counties would catalogue selected datasets, and approved researchers, companies, civil-society organisations and innovators could access some of them through open access, restricted access or paid licensing.
The policy says the marketplace should focus on non-personal, aggregated or anonymised data. In theory, that means a transport dataset could show movement patterns without naming individual passengers, or agricultural records could show crop performance by region without exposing a particular farmer. Personal data remains subject to Kenya's Data Protection Act.
The public concern is still reasonable. Government systems hold some of the most sensitive information a person has: identity records, family links, tax information, land transactions, health information and service histories. Anonymisation can reduce risk, but weak anonymisation, poor access controls or combining several datasets can sometimes make people identifiable again.
Government has a lot of data, but its systems often do not work together
A Kenyan can submit the same name, ID number, phone number and address to several government offices because each institution maintains its own database. One agency may have a corrected date of birth while another still holds an old record. County and national systems may collect similar statistics in different formats. The result is duplication, poor planning and repeated demands for documents the government already has.
The draft policy proposes common standards, master data management, a national catalogue and a secure API gateway so authorised systems can exchange information. It also proposes a National Data Governance and Emerging Technologies Council, a coordinating office and data-governance structures inside ministries and counties.
From the government's perspective, better organised data could improve planning and create economic value. An insurer could use aggregated weather and crop-loss data to design agricultural cover. A logistics company could use traffic patterns to plan routes. Researchers could study public-health trends. Counties could identify where schools, clinics or water projects are most urgently needed.
Open data, licensed data and sensitive data should not be treated as one category
Not every dataset has the same value or risk. Some information, such as national budget totals or a list of public facilities, can be published openly. Other information may be commercially valuable and licensed under conditions. Sensitive information may need to remain restricted, heavily aggregated or unavailable.
The draft policy proposes a catalogue where agencies register datasets and describe who can access them. A licensing model could generate revenue and make users accountable for how data is used. The strongest version of that system would publish the dataset description, risk assessment, buyer or licensee, purpose, price, access period and audit results. A weak version would simply move decisions behind closed doors.
| Type of information | Possible treatment | Main concern |
|---|---|---|
| Public facility locations | Open and downloadable | Accuracy and timely updates |
| Aggregated traffic patterns | Open or licensed depending on detail and value | Fine location detail might expose routines |
| Regional health statistics | Restricted research access with safeguards | Rare conditions can identify individuals in small areas |
| Named identity or tax records | Protected personal data, not a normal marketplace product | Fraud, discrimination and severe privacy harm |
The phrase anonymised data can create false confidence. Removing names and ID numbers is not always enough. A record containing a precise location, age, occupation and rare medical condition may still point to one person. Data can also be re-identified by combining it with voter rolls, company records, social media or leaked databases.
The Data Protection Act still applies to personal information
Kenya's Data Protection Act requires personal data to be handled lawfully, fairly and transparently for clear purposes. Section 26 gives a data subject the right to be informed how personal data will be used, access data held by a controller or processor, object to processing, correct false or misleading data, and seek deletion of false or misleading data.
These rights do not mean a person can demand deletion of every government record. Some information must be retained under other laws. But they do mean that an institution should be able to explain why it holds personal data, what it does with it, whom it shares it with and how errors can be corrected.
What would make a national data marketplace credible?
Trust will not come from repeating that personal data is protected. It will come from rules the public can inspect and enforcement that applies to powerful institutions as well as small businesses. Before licensing begins, the government should publish a classification framework showing which datasets are open, restricted, licensable or prohibited.
Every high-risk dataset should undergo a privacy impact assessment. Independent experts should test whether anonymised records can be re-identified. The catalogue should record who received data and why. Contracts should ban attempts to identify individuals, onward sale and use for discriminatory profiling. Breaches should lead to suspension, notification and meaningful penalties.
There is also a fairness question. Government data was collected through public services and funded by taxpayers. If a private company earns money from it, the public should receive more than a licensing fee buried in general revenue. The benefit might be better services, lower costs, published research, local jobs or a requirement that useful results return to the public domain.
The policy could improve services, but secrecy would make it dangerous
Kenya needs better data governance. Citizens should not repeatedly submit the same documents because government databases cannot communicate. Researchers and businesses can create useful products from reliable public information. Counties need accurate evidence to plan services. Those are legitimate reasons for the policy.
The proposed marketplace becomes dangerous when commercial value is prioritised over privacy, or when the public cannot see what was shared. The safest path is to begin with low-risk datasets, publish licences and impact assessments, involve the ODPC, and prove that anonymisation works before releasing more detailed information.
So, is Kenya selling eCitizen data? The accurate answer is that the government has proposed a system for licensing selected anonymised and non-personal public datasets. That is not the same as selling your account. It is also not a reason to stop asking hard questions. A trusted digital state must show citizens what it collects, what it shares, who benefits and how a person can challenge misuse.