
Kenya: Cloud in Public Sector

An Interactive Guide for Legal and Compliance Professionals


REGULATORY OVERVIEW

Kenya’s public sector1 is currently undergoing an impressive transition as the various ministries, government agencies, institutions, and parastatals move bricks and mortar services to digital services. This ties in with the national long-term development policy known as “Vision 2030”2, whose overall theme is a vision of transforming Kenya into a “globally competitive and prosperous nation with a high quality of life by 2030”3. To progress the aims envisaged by Vision 2030, Kenya’s Information and Communication Technology (“ICT”) Authority published the Kenya National ICT Masterplan4 (Masterplan), which has as one of its overriding principles the aim of developing Kenya as an ICT hub and a “globally competitive digital economy”. The six guiding principles of the Masterplan are: partnership; equity and non-discrimination; technology neutrality; environmental protection and conservation; good governance; and incentivising.

Kenya’s Ministry of ICT has also developed a draft National ICT Policy5 in recognition of the dynamic nature of the ICT sector and the need by the Government to regularly review ICT policies to resonate with the rapid technological advances, changing public needs and evolving global trends. The objectives of the National ICT policy include the promotion of an integrated, converged, technology neutral and secure ICT infrastructure to support delivery of various services.

Cloud services can be at the forefront of the government's digital transformation. The cloud can provide cost effective access to unprecedented power to rapidly process and analyse vast quantities of data to produce actionable analysis, insights, and better decision-making. Easily accessible data storage and multiple access and communication channels provide a modern, consistent, and seamless experience for officials as well as the public, facilitating public participation and co-operative governance and inter-departmental collaboration and broadening social inclusion. The cost optimisation, data security, and potential for open government made possible by cloud services are far superior to manual paper based processes.

In an important sector such as the public sector, it is however crucial to ensure that any move to the cloud complies with applicable regulation.

MICROSOFT'S COMMITMENT TO THE KENYA PUBLIC SECTOR

We believe that no cloud services provider has more experience of delivering compliant solutions to the public sector in Kenya than Microsoft. Microsoft recognises the need to create an enabling environment for the provision of cloud services in Kenya. It is for this reason that Microsoft intends to work with governments and policy makers in developing policies that will govern cloud usage in Kenya.6 Microsoft believes that the cloud is the best option for the public sector in Kenya. Already, Government institutions in Kenya appear to be embracing cloud services pursuant to an initiative by the Government to digitize its services. Research undertaken by the Communications Authority and the Kenya National Bureau of Statistics7 found cloud usage by public sector institutions to be higher than by private businesses.8

One of the key foundations of the Masterplan is the development of an integrated ICT infrastructure which aims at improving the quality of e-Government services. Today Kenyan residents, citizens, visitors, and investors all have access to a platform known as “e-Citizen”, which provides online access to various government departments and services.9 E-Citizen services include business registration, marriage certificate registration, issuance of driving licences, and immigration services. Through this platform users can apply, file, and pay online for any registrations, endorsements, or other official actions sought, without having to incur the costs of physically visiting the various governmental institutions or having to appoint agents. Microsoft stands ready to support our public service customers in Kenya to achieve similar benefits. Microsoft has already initiated plans to deliver the Microsoft Cloud (including Microsoft Azure, Office 365, and Dynamics 365) from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory, and practical aspects of any cloud project. This is all part of our commitment to helping our public sector customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

There is presently no uniform regulation for cloud services in Kenya, as cloud adoption is still at an early stage. However, a number of laws are relevant to any decision to move to cloud services: those that facilitate the use of cloud services and those that place constraints on the manner in which cloud services may be procured and used.

  • The State Department of ICT and Innovation together with the ICT Authority (together the “ICT Agencies”) are the government agencies responsible for providing centralised information technology, information systems, and related services in a maintained information systems security environment according to approved policy and standards.

    The ICT Authority specifically has developed a “GOK e-Readiness Assessment Tool” which provides guidance to government ministries, institutions, and agencies to ensure that all digital services are provided in accordance with the Government Enterprise Architecture (GEA) Framework10. The ICT Standards that have been developed in response to the GEA Framework include: the GEA Standard; Cloud Computing Standard; Data Centre Standard; Electronic Records and Data Management Standard; End-User Equipment Standard; ICT Human Capital and Workforce Development Standard; Information Security Standard; IT Governance Standard; ICT Network Standard; and Systems and Applications Standard.

    The Cloud Computing Standard11 requires all government agencies to ensure that they fully comply with the standard for efficient and effective service delivery to citizens. This Standard also requires the ICT Authority to carry out quarterly audits in all Ministries, Counties and agencies (“MCAs”) to ensure their compliance with the Standard. One of the requirements under the Standard is that MCAs should ensure that cloud service providers adhere to regulatory law in relation to privacy and public record keeping requirements.12

    The ICT Agencies have recognised the need for cloud services across government to eliminate the unnecessary duplication of information technology goods and services and to increase transparency and efficiency, as well as improving productivity and governance in all key sectors.13

  • Yes, cloud services are permitted. A move to cloud services would facilitate the achievement of a number of government policy objectives and regulatory requirements relating to co-operative governance, public participation and procedural fairness, information security, service delivery, rational decision-making and administrative efficiency. It will also enable the Government to achieve its objective of promoting the availability and access to efficient, reliable and affordable ICT infrastructure at the county, national and international levels. However, certain processes may need to be followed and certain requirements may need to be met prior to migrating to cloud services as noted in this overview.

  • At present there is no specific legislation governing the provision of cloud services in Kenya. There are however certain guidelines and regulations that would be relevant with respect to the provision of cloud services.

    (i) Public procurement

    A public sector body must, amongst other things, ensure that when it contracts for information, communication, and technology services it does so in a manner that achieves value for money in terms of cost, quality, quantity, and timeliness of the delivered works, goods or services.14 Importantly, a public sector body must ensure that a procurement contract is awarded only to a service provider that has the necessary qualifications, capability, experience, resources, equipment, and facilities to provide what is being procured. It follows that any public sector body must ensure that all public tenders also incorporate the ICT Standards established by the ICT Authority, which establish a blueprint for improving management of Government programs and processes. Even though open tendering is recognised as the preferred procurement method for procurement of goods, works and services, an alternative procurement procedure may be used if it is allowed under the relevant law.15 In this regard, it may be possible to deviate from a competitive public tender process and approach a supplier directly in limited circumstances and as long as the purpose is not to avoid competition.
    Direct procurement is permitted in certain instances set out in the relevant legislation which include events where: (i) the goods, works, or services are available only from a particular supplier or contractor or where a particular supplier or contractor has exclusive rights in respect of the goods, works, or services and no reasonable alternative or substitute exists16; (ii) the procuring entity procures goods, equipment, technology, or services from a supplier or contractor for reasons of standardization or because of the need for compatibility, and taking into account the effectiveness of the original procurement, the limited size of the proposed procurement in comparison to the original procurement, the reasonableness of the price and unsuitability of alternative goods or services.17

    (ii) Access to information, transparency, and public participation

    A public entity is inter alia required to facilitate access to information held by such an entity and publish all relevant facts while formulating important policies or announcing the decisions which affect the public18. The public has the right of access to information held by public sector bodies and to information held by another person and which is required for the exercise or protection of any of their rights or fundamental freedoms.19 Information held by a public or private body must be provided expeditiously and at a reasonable cost20 unless it is found to be exempt from the disclosure requirements set out in the relevant legislation.
    Public sector bodies may be faced with requests for a significant number of records. Storage of information on the cloud will ensure that all information held by the public body is accessible, searchable, and easy to find with minimal effort to ensure that access to information requests can be addressed timeously.

    (iii) Data security

    The ICT Authority’s Information Security Standard sets out the standards to which it encourages all public sector bodies to adhere for the protection of information from security risks.21 These standards require all public bodies to have in place an information security policy, an information security plan, and the establishment of an information asset register for the purposes of ensuring proper data security across all classifications schemes. Thus before making a decision to move data to the cloud, a public sector body should consider what types of data will be stored in the cloud, the manner in which the information will be stored (using private cloud infrastructure, including on-premises, or hyperscale cloud infrastructure), and whether the cloud service provider meets the relevant security requirements for the type of information that will be stored.
    All public bodies are required to ensure full compliance with the standards set out by the ICT Authority. The ICT Authority will carry out quarterly audits to determine compliance with the GEA Standards.22 All compliant agencies will be issued with a certificate of compliance whilst non-compliant agencies will receive a report detailing the inefficiencies and discrepancies, which will then be presented to the Standards Review Board. The board will determine the action to be taken against the non-compliant institution.

    (iv) Co-operative governance and interoperability

    The Constitution of Kenya recognises governments at the national and county levels as distinct and inter-dependent and requires them to conduct their mutual relations on the basis of consultation and cooperation23.
    All spheres of government and all organs of state within each sphere are required to act in accordance with the values and principles of public services as enshrined in the Constitution of Kenya (“CoK”) which include: high standards of professional ethics; involvement of the people in the process of policy making; responsive, prompt, effective, impartial, and equitable provision of services and accountability for administrative acts.24
    The GEA Standards seek to implement the GEA Principles which include the importance of providing quality information and technology, protecting privacy, maintaining secure information, and providing a service to the public. In turn, the principles are intended to contribute to the aligning and cross-services and solutions with goals and strategies concluded across all governmental levels. The Integration Architecture Principles identify common components which seek to align the interoperability domains, standards, and procedures.
    All of these obligations can be met cost effectively and comprehensively through the use of Microsoft's cloud services.

  • At the moment, there are no restrictions on the transfer of data outside Kenya. However, the draft Data Protection Bill, 201825 contemplates possible future restrictions on the flow of personal data outside Kenya save in specified circumstances, such as where:26

    • the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
    • the data subject consents to the transfer;
    • the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
    • the transfer is for the benefit of the data subject.

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, will likely constitute adequate measures. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

    As noted above, Microsoft has also initiated plans to deliver the Microsoft Cloud from data centres located on the African continent.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone


*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.