Real people. Woman and minority owned civil engineering firm with an expertise in storm water and runoff management. Services are provided for private contractors as well as government agencies.
Kenya: Cloud in public sector

Kenya: Cloud in Public Sector

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER: Azure for Secure Worldwide Public Sector Cloud Adoption

Download now


Kenya’s public sector1 is currently undergoing an impressive transition as the various ministries, government agencies, and institutions, and parastatals are in the process of transitioning bricks and mortar services to digital services. This ties in with the national long-term development policy known as “Vision 2030”2 which has as its overall theme a vision of transforming Kenya into a “globally competitive and prosperous nation with a high quality of life by 2030”3. In order to progress the aims envisaged by Vision 2030, Kenya’s Information and Communication Technology (“ICT”) Authority published the Kenya National ICT Masterplan4 (Masterplan) which has as one of its overriding principles the aim of developing Kenya as an ICT hub and a “globally competitive digital economy”. The six guiding principles of the Masterplan are: partnership; equity and non-discrimination; technology neutrality; environmental protection and conservation; good governance; and incentivising.

Kenya’s Ministry of ICT has also developed a draft National ICT Policy5 in recognition of the dynamic nature of the ICT sector and the need by the Government to regularly review ICT policies to resonate with the rapid technological advances, changing public needs and evolving global trends. The objectives of the National ICT policy include the promotion of an integrated, converged, technology neutral and secure ICT infrastructure to support delivery of various services.

Cloud services can be at the forefront of the government's digital transformation. The cloud can provide cost effective access to unprecedented power to rapidly process and analyse vast quantities of data to produce actionable analysis, insights, and better decision-making. Easily accessible data storage and multiple access and communication channels provide a modern, consistent, and seamless experience for officials as well as the public, facilitating public participation and co-operative governance and inter-departmental collaboration and broadening social inclusion. The cost optimisation, data security, and potential for open government made possible by cloud services are far superior to manual paper based processes.

In an important sector such as the public sector, it is however crucial to ensure that any move to the cloud complies with applicable regulation.


We believe that no cloud services provider has more experience of delivering compliant solutions to the public sector in Kenya than Microsoft. Microsoft recognises the need to create an enabling environment for the provision of cloud services in Kenya. It is for this reason that Microsoft intends to work with governments and policy makers in developing policies that will govern cloud usage in Kenya.6 Microsoft believes that the cloud is the best option for the public sector in Kenya. Already, Government institutions in Kenya appear to be embracing cloud services pursuant to an initiative by the Government to digitize its services. Research undertaken by the Communications Authority and the Kenya National Bureau of Statistics7 found cloud usage by public sector institutions to be higher than by private businesses.8

One of the key foundations of the Masterplan is the development of an integrated ICT infrastructure which aims at improving the quality of e-Government services. Today Kenyan residents, citizens, visitors, and investors all have access to a platform known as ‘”e-Citizen” which provides online access to various government departments and services.9 E-Citizen services include business registration, marriage certificate registration, issuance of driving licences, and immigration services. Through this platform users can apply, file and pay for any registrations, endorsements, or other official actions sought online without having to incur the costs of physically visiting the various governmental institutions or having to appoint agents. Microsoft stands ready to support our public service customers in Kenya to achieve similar benefits. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 — from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory, and practical aspects of any cloud project. This is all part of our commitment to helping our public sector customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.


There is presently no uniform regulation for cloud services in Kenya with cloud adoption still being at an early stage. There are a number of laws that are relevant to any decision to move to cloud services, those that facilitate the use of cloud services and those that place constraints on the manner in which cloud services may be procured and used.

  • The State Department of ICT and Innovation together with the ICT Authority (together the “ICT Agencies”) are the government agencies responsible for providing centralised information technology, information systems, and related services in a maintained information systems security environment according to approved policy and standards.

    The ICT Authority specifically has developed a “GOK e-Readiness Assessment Tool” which provides guidance to government ministries, institutions, and agencies to ensure that all digital services are provided in accordance with the Government Enterprise Architecture (GEA) Framework10. The ICT Standards that have been developed in response to the GEA Framework include: the GEA Standard; Cloud Computing Standard; Data Centre Standard; Electronic Records and Data Management Standard; End-User Equipment Standard; ICTY Human Capital and Workforce Development standard; Information Security Standard; IT Governance Standard; ICT Network Standard; and Systems and Applications Standard.

    The Cloud Computing Standard11 requires all government agencies to ensure that they fully comply with the standard for efficient and effective service delivery to citizens. This Standard also requires the ICT Authority to carry out quarterly audits in all Ministries, Counties and agencies (“MCAs”) to ensure their compliance with the Standard. One of the requirements under the Standard is that MCAs should ensure that cloud service providers adhere to regulatory law in relation to privacy and public record keeping requirements.12

    The ICT Agencies have recognised the need for cloud services across government to eliminate the unnecessary duplication of information technology goods and services and to increase transparency and efficiency, as well as improving productivity and governance in all key sectors.13

  • Yes, cloud services are permitted. A move to cloud services would facilitate the achievement of a number of government policy objectives and regulatory requirements relating to co-operative governance, public participation and procedural fairness, information security, service delivery, rational decision-making and administrative efficiency. It will also enable the Government to achieve its objective of promoting the availability and access to efficient, reliable and affordable ICT infrastructure at the county, national and international levels. However, certain processes may need to be followed and certain requirements may need to be met prior to migrating to cloud services as noted in this overview.

  • At present there is no specific legislation governing the provision of cloud services in Kenya. There are however certain guidelines and regulations that would be relevant with respect to the provision of cloud services.

    (i) Public procurement
    A public sector body must, amongst other things, ensure that when it contracts for information, communication, and technology services it does so in a manner that achieves value for money in terms of cost, quality, quantity, and timeliness of the delivered works, goods or services.14 Importantly, a public sector body must ensure that a procurement contract should only be awarded to a service provider that has the necessary qualifications, capability, experience, resources, equipment, and facilities to provide what is being procured.
    It follows that any public sector body must ensure that all public tenders regarding the procurement process must also incorporate the ICT Standards established by the ICT Authority which establish a blueprint for improving management of Government programs and processes. Even though open tendering is recognised as the preferred procurement method for procurement of goods, works and services an alternative procurement procedure may be used if it is allowed under the relevant law.15 In this regard, it may be possible to deviate from a competitive public tender process and approach a supplier directly in limited circumstances and as long as the purpose is not to avoid competition. Direct procurement is permitted in certain instances set out in the relevant legislation which include events where: (i) the goods, works, or services are available only from a particular supplier or contractor or where a particular supplier or contractor has exclusive rights in respect of the goods, works, or services and no reasonable alternative or substitute exists16; (ii) the procuring entity, procures goods, equipment, technology, or services from a supplier or contractor for reasons of standardization or because of the need for compatibility, and taking into account the effectiveness of the original procurement, the limited size of the proposed procurement in comparison to the original procurement, the reasonableness of the price and unsuitability of alternative goods or services.17

    (ii) Access to information, transparency, and public participation
    A public entity is inter alia required to facilitate access to information held by such an entity and publish all relevant facts while formulating important policies or announcing the decisions which affect the public18.The public has the right of access to information held by public sector bodies and to information held by another person and which is required for the exercise or protection of any of their rights or fundamental freedoms.19 Information held by a public or private body must be provided expeditiously and at a reasonable cost20 unless it is found to be exempt from the disclosure requirements set out in the relevant legislation.
    Public sector bodies may be faced with requests for a significant number of records. Storage of information on the cloud will ensure that all information held by the public body is accessible, searchable, and easy to find with minimal effort to ensure that access to information requests can be addressed timeously.

    (iii) Data security
    The ICT Authority’s Information Security Standard sets out the standards to which it encourages all public sector bodies to adhere for the protection of information from security risks.21 These standards require all public bodies to have in place an information security policy, an information security plan, and the establishment of an information asset register for the purposes of ensuring proper data security across all classifications schemes. Thus before making a decision to move data to the cloud, a public sector body should consider what types of data will be stored in the cloud, the manner in which the information will be stored (using private cloud infrastructure, including on-premises, or hyperscale cloud infrastructure), and whether the cloud service provider meets the relevant security requirements for the type of information that will be stored.
    All public bodies are required to ensure full compliance to the standards set out by the ICT Authority. The ICT Authority will carry out quarterly audits to determine compliance with the GEA Standards.22 All compliant agencies will be issued with a certificate of compliance whilst non-compliant agencies will receive a report detailing the inefficiencies and discrepancies, which will then be presented to the Standards Review Board. The board will determine the action to be taken against the non-compliant institution.

    (iv) Co-operative governance and interoperability
    The Constitution of Kenya recognises governments at the national and county levels as distinct and inter-dependent and requires them to conduct their mutual relations on the basis of consultation and cooperation23.
    All spheres of government and all organs of state within each sphere are required to act in accordance with the values and principles of public services as enshrined in the Constitution of Kenya (“CoK”) which include: high standards of professional ethics; involvement of the people in the process of policy making; responsive, prompt, effective, impartial, and equitable provision of services and accountability for administrative acts.24
    The GEA Standards seeks to implement the GEA Principles which include the importance of providing quality information and technology, protecting privacy, maintaining secure information, and providing a service to the public. In turn, the principles are intended to contribute to the aligning and cross-services and solutions with goals and strategies concluded across all governmental levels. The Integration Architecture Principles identify common components which seek to align the interoperability domains, standards, and procedures.
    All of these obligations can be met cost effectively and comprehensively through the use of Microsoft's cloud services.

  • At the moment, there are no restrictions on the transfer of data outside Kenya. However, the draft Data Protection Bill, 201825 contemplates possible future restrictions on the flow of personal data outside Kenya save in specified circumstances, such as where:26

    • the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
    • the data subject consents to the transfer;
    • the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
    • the transfer is for the benefit of the data subject.

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, will likely constitute adequate measures. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

    As noted above, Microsoft has also initiated plans to deliver the Microsoft Cloud from data centres located on the African continent.




We build our services from the ground up to help safeguard your data

Learn more


Our policies and processes help keep your data private and in your control

Learn more


We provide industry-verified conformity with global standards

Learn more


We make our policies and practices clear and accessible to everyone

Learn more









*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.