e-Citizen employs encryption, multi-factor authentication, and compliance with Kenya's Data Protection Act to safeguard user data. These measures protect sensitive information during transactions on the platform.
Core Security Protocols
The platform uses end-to-end encryption for data in transit and at rest, preventing unauthorized access during uploads like passport applications or business registrations. Multi-factor authentication (MFA) requires login via password plus OTP sent to registered phones, adding a vital layer against credential theft. Regular security audits by certified providers identify vulnerabilities promptly.
Data minimization limits collection to essentials only—for instance, business name and ID for BRS filings—reducing exposure risks. Government oversight ensures no private entities access raw personal data without strict controls.
Legal Compliance Framework
e-Citizen aligns with the Data Protection Act (DPA) 2019, mandating purpose limitation, consent, and user rights like access or deletion requests. The Office of the Data Protection Commissioner (ODPC) certifies processors like Webmasters Kenya, enforcing Data Protection Impact Assessments (DPIAs) for high-risk activities. Breach reporting within 72 hours is required under DPA Section 43.
The Computer Misuse and Cybercrimes Act 2018 criminalizes hacking attempts, with swift responses to incidents like the 2023 DDoS attack that caused no data loss. Backup systems ensure recovery without compromising integrity.
User Rights and Transparency
Account holders can view, correct, or request data deletion via their dashboard, upholding the "right to be forgotten." Privacy notices detail data use upfront, building trust for Nairobi users handling KRA PIN updates or county permits. Integration with agencies like KRA shares only necessary fields, per DPA rules.
Challenges and Improvements
Audits have flagged gaps like incomplete ODPC registration and processor contracts, prompting ongoing fixes for full compliance. Government assurances emphasize state control over data, with ICTA managing technical safeguards. Proactive updates address evolving threats
