Public trust in data governance crucial for Kenya's digital future

While progress seems limited in many parts of the world, this year’s Data Privacy Conference demonstrated Kenya’s growing maturity in digital governance. Two areas need the nation's attention, police and electoral data governance. This #StandardSettingKE opinion was co-written with Advocate Danford Momanyi.

One of Kenya’s youngest independent offices, the Office of the Data Protection Commissioner, brought together over 100 leaders from state, corporate, academic, and civic sectors this week. Most argued that public trust is central to our digital future. As businesses, government decisions and services increasingly rely on personal data, trust is non‑negotiable. Maisha Namba, eCitizen, IFMIS, SHA, KRA iTax, and Ardhi Sasa has left Kenyans with no choice but to become digital natives.

Kenyans can be proud that the six-year-old Data Protection Act remains far superior to any legislation in Africa or those in older digital economies like the United States of America. However, laws alone do not sustain trust. Only responsible state and corporate behaviour can do this. When police detectives snoop into our phones, vendors spam us with adverts, political parties lie that we are their members, friends or strangers share intimate photos without our consent, trust dips. Exposed or feeling unsafe online, we retreat. With each step, the promise of the digital economy and the very idea of digital citizenship shrinks.

Ensuring our right to privacy, security and managing risk is built into institutional policies and practices is critical. Our laws must also accelerate innovation, offer legal certainty and investment predictability. Keeping the Office of the Data Protection Commissioner politically and commercially neutral is central. Recently, they supervised the deletion of the sensitive iris biometric data unlawfully harvested by Tech for Humanity WorldCoin following a court order. With this track record, Kenya seems set to be the first African country to sign a Data Adequacy Agreement with the European Union, a pre-condition for an enhanced trade partnership.

Last year, the IEBC invoked the Elections Act to register 150,000 voters using iris biometrics for the first time. They argue some fingerprints, particularly those of elderly and manual labourers, are often too faint to capture. Listening to electoral officials, I was left with the sense of an impending train wreck. Iris patterns never change. Unlike a stolen password, pin or ID number, stolen iris data can never be replaced. A future breach would expose us to lifelong risks of impersonation, identity theft and covert surveillance. Why, then, is the IEBC collecting such sensitive data en masse instead of using it only when fingerprints genuinely fail? Has a Data Protection Impact Assessment been conducted, submitted to the ODPC, and publicly explained to voters?

Over the past two years, the Directorate of Criminal Investigations, National Intelligence Services and other law enforcement agencies have repeatedly violated privacy rights to target protesters, filmmakers, journalists and political opponents. Terrorism charges against Boniface Mwangi collapsed after officers searched his premises, seized devices without a court order and produced no evidence. In May 2025, four producers were detained and released only after a court order. They allege police installed surveillance software on their personal devices.

While thousands of arrested protesters have had charges dropped, many still fear their fingerprints remain in the police crime database. Without deletion, they will not obtain the certificate of good conduct required for jobs, visas and passports. Kenya urgently needs new policing practices in line with the Data Protection Act. A starting point would be to enforce the “right to be forgotten”. Allow citizens to request the deletion of personal data that is outdated or false.

Public trust in our data governance system is best designed, not repaired especially across our sensitive security and elections management sectors. If state agencies remain opaque and intrusive, not even the Data Protection Act, will maintain the public’s trust. Once our right to privacy or choose is violated, the contract between digital citizen, state and business may never be rectified.

This joint opinion was also published in the Saturday Standard, 31 January 2026.