Kenya’s Ministry of Information, Communications, and the Digital Economy recently pulled back the curtain on its Draft National Data Governance Policy.
Developed with technical backing from the European Union and the GIZ Digital Transformation Center, the draft represents an ambitious attempt to unify a historically fractured digital landscape.
The policy aims to catapult Kenya into a new era by treating data not just as digital exhaust, but as a strategic national asset. However, beneath the polished prose of this tech-forward blueprint lie critical structural tensions. As the public review window ticks down to the June 5, 2026 deadline, a closer look reveals that Kenya’s digital future hangs on a very fine line between progressive governance and unintended consequences.
The vision
For years, Kenya’s public and private sectors have operated in data silos. Your health records, tax returns, mobile money transactions, and national ID details exist in isolated digital kingdoms. The 2026 policy brilliantly diagnoses this fragmentation and introduces the Once-Only principle.
Under this framework, citizens provide their information to the government just once. An integrated, shared infrastructure then allows authorized agencies to securely access that data, eliminating redundant paperwork and streamlining bureaucratic bottlenecks.
Furthermore, the policy wisely expands its horizon beyond personal data. While the Data Protection Act of 2019 successfully safeguarded personally identifiable information (PII) via the Office of the Data Protection Commissioner (ODPC), it left aggregate, non-personal data out in the cold. The new draft brings macro-level datasets, like regional crop yields, traffic patterns, and public health statistics, into the governance fold. This unlocks massive potential for researchers, policymakers, and local AI startups hungry for high-quality training data.
The critique
While the policy’s diagnosis is spot on, its proposed cure introduces several high-stakes vulnerabilities.
1. The honeypot risk
The Promise: Streamlined public registries and seamless citizen experiences across platforms like eCitizen, KRA, and national health services.
The Peril: Centralizing access to disparate databases creates an irresistible target for cybercriminals. If a single central API layer or a highly connected government node is breached, an individual’s entire life profile is compromised at once.
The Legislative Gap: The draft heavily romanticizes the idea of data sharing but remains remarkably vague on strict cryptographic benchmarks, zero-trust architecture requirements, or a clear liability framework for when a government agency suffers a breach.
2. Data sovereignty vs. technological isolation
The Promise: Protecting national interests and ensuring data generated within Kenya contributes directly to the domestic economy, aligning with the African Union Data Policy Framework.
The Peril: If the policy leans too aggressively into forced data localization, requiring all corporate and aggregate data to sit strictly on local servers, it could choke the local tech ecosystem.
The Legislative Gap: Most Kenyan startups rely on global cloud giants (AWS, Azure, Google Cloud) for affordable scaling and cutting-edge AI tools. Forcing a premature migration to a nascent local cloud infrastructure could drive up operating costs and cause investors to look elsewhere. The draft currently fails to draw a clear line between where private corporate intellectual property ends and “national asset data” begins.
3. Institutional harmony vs. regulatory turf wars
The Promise: Establishing a specialized National Data Governance and Emerging Technologies Council, alongside a Chief Data Officer, to elevate data management to the executive level.
The Peril: Kenya’s digital space is already crowded with regulators, including the ODPC, the Communications Authority (CA), and the ICT Authority.
The Legislative Gap: The draft does not clearly demarcate boundaries between the new Council and the existing ODPC. If a major security breach exposes a mix of personal and non-personal data, who takes the lead? Who issues the penalties? Without explicit hierarchy, Kenya risks entering a phase of regulatory gridlock and compliance confusion for businesses.
4. The illusion of anonymity
The Promise: Opening up anonymized, non-personal datasets to fuel innovation and feed into Kenya’s National AI Strategy.
The Peril: In the age of advanced machine learning, true anonymity is a myth. By cross-referencing two or three anonymized public datasets, such as public transit patterns and hospital admission times, bad actors can easily re-identify specific individuals.
The Legislative Gap: The policy lacks rigorous technical definitions for pseudonymization and fails to explicitly criminalize or heavily penalize intentional re-identification attacks by private or state entities.
5. The devolution disconnect
Perhaps the most glaring operational blind spot in the current draft is the assumption of uniform readiness. The policy mandates strict data governance, risk-based audits, and standardized infrastructure across both national and county levels.
However, Kenya’s 47 counties operate on wildly unequal financial and technological footing. Forcing advanced data mandates onto underfunded, rural county registries without providing ring-fenced national funding creates an unfunded mandate. It risks either widespread non-compliance or a widening digital divide between Nairobi and the rest of the country.