Whether applying for a job, renewing a driving licence, filing taxes, or registering for government services, Kenyans are routinely required to share sensitive personal information. Yet few stop to consider what happens to that data once it is handed over.
Despite growing access to smartphones and the internet, many still rely heavily on cybercafés for digital services, often entrusting their most private documents to strangers. This continued dependence is exposing troubling gaps in the country’s data protection culture.
This growing concern is especially visible during the country’s busiest digital window, the tax filing season, or DL renewal, and when applying for passports.
Every year, as Kenya Revenue Authority (KRA) deadlines approach, thousands of Kenyans flood cybercafés and turn to self-taught tech experts to help them with the system.
Filing tax returns might seem like an annual routine, but the amount of information exchanged during the process is one to call for.
To file a tax return or complete an official online application, individuals need to provide their identification details such as their National Identity Card (ID), KRA Personal Identification Number (PIN), bank account statements, payslips, birth certificates, and even private email passwords. These are all personal documents that can tell the entire story of your identity.
But what happens to this data once the work is done? Should clients be concerned about how it is handled?
A cybercafé in Mulot, Bomet County.
Photo credit: File | Nation Media Group
Simon Mwangi, who has operated a small but busy cybercafé in Nairobi CBD for the past eight years, works behind his computer screen, processing people’s confidential documents daily.
“Sometimes I feel like I know more about a person than their family, because they give me their ID, birth certificate, academic certificates, payslips, and KRA pin, you can do anything you want using those details,” he says.
But do people realise the magnitude of information they hand over to him?
“To be honest, most people just want their work done. You will find someone handing over their personal details without blinking. Most of them as long as you look professional and the work is done, they don’t even ask what happens after,” says Simon.
He estimates that he serves almost 40 people daily during the tax season. His clientele, he says, is usually a mix of students applying for government loans, corporate employees needing urgent tax filings, or people scanning documents for job recruitment or visa requests. “When tax season comes, people line up here like a bank queue,” he laughs.
So, what happens to all the data collected after the job is complete?
According to Simon, his disposal is done but not always immediately.
“For scanned documents, yes, I try to delete immediately after printing. However, when someone wants me to email them their scanned files, I have to keep them for a while,” he says. “I have a folder where I temporarily store such documents, but I clear it often.”
Pressed further, he admits that “often” is relative. “I can’t say every day, sometimes I clear after a week.”
In his line of work, customer follow-up is part of the process, so he sometimes shares his personal phone number with clients. “I have to. How else will they find me after they leave? They call to ask if their documents are ready or to resend something.”
However, when it comes to emails, he is more cautious because it is risky.
Even so, Simom admits that at times he feels vulnerable. “When you think of it, someone could claim you tampered with their documents or leaked them. But this is how we earn our living. If we start thinking too much about it, we will fear serving people.”
“People trust me because they don’t have an option. Not everyone can file taxes or apply for documents on their own,” he adds.
Data privacy: Who protects whom?
Behind the reliance on cybercafé operators like Simon there is the concern of data protection.
Immaculate Kassait, Kenya’s Data Commissioner at the Office of the Data Protection Commissioner, notes that trusting cybercafé operators blindly is a risky gamble.
“As a citizen, upon submitting sensitive or personal data online through shared cybercafé computers, you should go to the browser’s privacy settings and 'Clear Cookies and Site Data'. Additionally, ensure you permanently delete your documents from the cybercafé’s folders,” she says.
A man at a cybercafé in Mulot, Bomet County.
Photo credit: File | Nation Media Group
According to Ms Kassait, assuming that cybercafé operators will responsibly delete files after service is misguided and dangerous. “Trusting the cybercafé owners would not be sufficient. You should take responsibility and do the permanent deletions yourself. If you’re not technically equipped, seek help from reliable friends or relatives.”
For those who feel overwhelmed by technology, the data commissioner recommends seeking help from secure entities like Huduma Centres. “The citizen can seek the same services from the nearest Huduma Centre, where confidential information is more likely to be handled securely,” she says.
Additionally, when choosing a cybercafé or service provider for sensitive applications, she urges individuals to be vigilant. “Look out for general government licensing, national and county government business permits and licences. If the cybercafé owner is a registered business, it becomes easier to trace in case of fraud or data misuse. Even better if they hold a Data Controller or Data Processor registration certificate that indicates stronger compliance with data protection standards.”
What about sharing your passwords and personal identification numbers with trustworthy operators?
“Passwords and personal identification numbers should never be shared with third parties, not even with your spouse, children or siblings. Sharing your credentials breaks the security chain, and in case of fraud, service providers like banks or telecoms will find it hard to assign liability or compensate you,” Ms Kassait warns.
