Sector Analysis
e-Government
Overview of the Sector & Data Collectors Evaluated
The e-government sector across East, Southern, and parts of West Africa continues to expand rapidly, driven by the increasing use of digital technologies to improve public service delivery, operational efficiency, and administrative transparency. Governments are deploying digital platforms to deliver essential services such as tax administration, civil registration, public health systems, social protection, immigration services, and land management, with the aim of improving accessibility and responsiveness to citizens.
This digital transformation, however, has significantly increased the volume and sensitivity of personal data collected by public institutions, raising critical concerns around privacy, data protection, and accountability. The latest scorecard assessment reveals that while e-government adoption is accelerating, privacy practices and compliance with data protection laws remain uneven across countries and platforms.
The assessment highlights inconsistent implementation of data protection safeguards, with wide disparities in transparency, data security, third-party data sharing, and breach response mechanisms. In Uganda, e-government platforms continue to face significant transparency challenges. Many services provide limited information about the categories of data collected, the purposes of processing, retention periods, and third-party access. While Uganda has made progress in digitising public services, insufficient public-facing disclosures undermine compliance with data protection standards and weaken public trust. Kenya remains one of the more advanced jurisdictions in terms of digital government infrastructure and legal frameworks. However, the assessment identifies persistent risks associated with extensive reliance on third-party service providers. Inadequate disclosure of vendor relationships and weak oversight mechanisms heighten the risk of data misuse. Strengthening contractual safeguards, public disclosure, and accountability of third-party processors remains a priority.
In Mauritius, relatively mature e-government systems coexist with ongoing data security concerns. Despite a well-established data protection law, gaps remain in the implementation of technical safeguards, including secure storage, transmission controls, and routine security audits. These weaknesses expose government systems to potential breaches and unauthorised access. Zimbabwe continues to face structural challenges in both the development and protection of e-government services. Many platforms remain underdeveloped, and existing data protection legislation is outdated, limiting effective enforcement. The lack of modern security infrastructure and regulatory clarity poses heightened risks to citizens' personal data.
Rwanda has made notable strides in digital governance and service integration. However, the assessment finds ongoing gaps in data transparency and user awareness, particularly around how personal data is collected, shared, and retained. While policies exist, clearer communication and stronger technical security measures are needed to ensure full compliance and public confidence. In Tanzania, the e-government sector remains in a developmental phase, with limited infrastructure and evolving regulatory frameworks. Weak data protection safeguards, unclear compliance obligations, and insufficient security controls present significant privacy risks, particularly as digital service uptake increases.
The inclusion of Nigeria, Ghana, and Botswana in the current assessment expands the regional perspective and underscores similar systemic challenges. In Nigeria, e-government platforms operate within a rapidly evolving regulatory environment following the enactment of the Nigeria Data Protection Act. While some platforms demonstrate improved policy availability and registration compliance, implementation gaps persist, particularly in transparency reporting, breach response mechanisms, and control over third-party data processors. Ghana shows moderate progress, supported by an established data protection authority and registration regime. However, the assessment reveals weak enforcement and limited transparency across many e-government platforms, with insufficient disclosure of data practices and underdeveloped internal breach-handling mechanisms. In Botswana, digital government initiatives are expanding, but privacy compliance remains uneven. While some platforms demonstrate strong transparency and policy accessibility, others lack clear privacy notices, defined data subject rights, and structured breach response frameworks, limiting effective protection of citizen data.
Across all assessed countries, a common pattern emerges: the expansion of e-government services has outpaced the consistent implementation of robust data protection safeguards. While countries such as Kenya, Mauritius, Nigeria, and Ghana have enacted data protection laws, enforcement remains inconsistent, and institutional capacity varies widely. In contrast, countries like Zimbabwe and Tanzania continue to face foundational legal and infrastructural gaps. E-government initiatives across the region hold substantial promise for improving public service delivery and citizen engagement. However, the assessment makes clear that privacy and data protection must be treated as core governance priorities, not secondary considerations.
Analysis of Compliance With Each Criterion
This assessment is based on a total of 36 entities, with four (4) entities selected for evaluation from each participating country, namely:
- Nigeria: Federal Inland Revenue Service, Nigeria Customs Service, Nigeria Immigration Service and Independent National Electoral Commission
- Ghana: Ghana Revenue Authority, Passport Office, SSNIT Self Service Portal (Social Security and National Insurance Trust) and Ghana Immigration Services
- Botswana: Botswana Unified Revenue Service, Botswana Communications Regulatory Authority, 1Gov e-Services Portal and Independent Electoral Commission of Botswana
- Rwanda: IremboGov, RSSB (Rwanda Social Security Board), Rwanda Revenue Authority (RRA) and Rwanda Information Society Authority
- Tanzania: e-Immigration Tanzania, TCAA (Tanzania Civil Aviation Authority), TCRA (Tanzania Communications Regulatory Authority) and Tanzania Work Permit Application Portal
- Mauritius: Mauritius Revenue Authority (MRA), MauPass (Mauritius Personal Access), ICTA (Information and Communication Technology Authority) and Passport & Immigration Office Mauritius
- Zimbabwe: e-Visa Zimbabwe, NSSA (National Social Security Authority) Self Service Portal, Zimbabwe Revenue Authority (ZRA) and eGP System Zimbabwe (Electronic Government Procurement System)
- Kenya: e-Citizen, Huduma, Kenya Revenue Authority (KRA) and ETA Kenya (Electronic Travel Authorisation – Kenya)
- Uganda: Immigration Uganda, NIRA, Electoral Commission Uganda and UBOS (Uganda Bureau of Statistics)
Sector Findings - e-Government Services
e-Government Services - Nigeria
The assessment reveals significant disparities in data protection compliance among the four agencies. Only the Independent National Electoral Commission (INEC) achieved full compliance (100%) with the requirement to register with the national data protection regulator. All other entities scored 0% in this category, indicating a fundamental compliance gap that exposes them to regulatory risk and weakens institutional accountability.
In terms of accessibility of privacy policies, only the Nigeria Immigration Service (NIS) (88%) and the Federal Inland Revenue Service (FIRS) (75%) demonstrated meaningful effort. The absence of accessible privacy policies within the remaining entities reflects a lack of transparency and limits public understanding of how personal data is processed, contrary to core data protection principles.
Similarly, compliance with data subject rights was limited to NIS (74%) and FIRS (35%). The other agencies showed no measurable effort in this area. Given that data subject rights are central to modern data protection frameworks, the low scores indicate systemic weaknesses in empowering individuals to access, correct, or challenge the use of their personal data.
All four entities engage in third-party data sharing. However, compliance levels in this area remain critically low. NIS and FIRS led with only 50% each, while the Nigeria Customs Service (NCS) and INEC scored 0%. This is particularly concerning because third-party transfers, especially those involving sensitive categories such as immigration, tax, customs, and electoral data, require clear legal bases, safeguards, and transparency mechanisms under data protection laws.
Regarding data security safeguards, all entities demonstrated some effort. INEC scored highest at 45%, followed by FIRS and NCS (39% each), while NIS scored 28%. Although these efforts suggest awareness of security obligations, the relatively low percentages indicate that technical and organizational measures remain underdeveloped and may not meet the threshold of "appropriate security" required under data protection legislation.
Notably, none of the entities publishes transparency reports or maintains a clear internal data breach resolution mechanism. The absence of documented breach response frameworks and public accountability reporting significantly undermines compliance with statutory obligations relating to breach notification, risk mitigation, and institutional transparency. Overall, while pockets of progress exist, the findings point to fragmented compliance efforts and limited institutionalization of data protection governance across the agencies.
Nigeria Immigration Service (NIS) demonstrates the strongest overall privacy compliance profile among the assessed agencies. Its privacy framework reflects a structured and detailed approach tailored to the complex nature of immigration data processing. The Service provides comprehensive contact information, including passport offices, visa centers, and dedicated communication channels. It clearly catalogs the extensive categories of personal data collected — identity documents, biometric data, travel history, employment information, visa records, and security screening data — and links these categories to defined processing purposes such as immigration control, visa processing, border management, and international cooperation. NIS also provides comparatively strong transparency on data retention, aligning retention periods with legal and operational requirements. It discloses third-party sharing arrangements, including transfers to international immigration authorities, security agencies, airlines, and diplomatic missions, while referencing the legal bases and safeguards for such disclosures. Furthermore, NIS operationalizes data subject rights through defined procedures for access, correction, and complaint escalation. It also clarifies circumstances under which law enforcement and security agencies may access immigration data, referencing applicable legal frameworks and oversight mechanisms. However, despite these strengths, the absence of full regulatory registration compliance and formalized breach response transparency indicates that its governance structure still requires strengthening to achieve comprehensive legal alignment.
Independent National Electoral Commission (INEC) demonstrates strong regulatory alignment in registration compliance (100%), positioning it as the most compliant agency in this specific legal obligation. Its privacy policies reflect an understanding of the unique sensitivities associated with electoral data. The Commission clearly outlines categories of voter data collected and explains processing purposes, including voter registration, election administration, constituency delimitation, and candidate verification. INEC provides transparency regarding retention periods in line with electoral law and explains data-sharing arrangements, particularly the provision of voter registration data to political parties for legitimate electoral purposes. It also implements electoral-context data subject rights, such as record access, correction, and voter transfer between constituencies. However, despite strong performance in regulatory registration, INEC scored 0% in third-party data-sharing compliance and demonstrated limited security safeguards (45%). These gaps create potential vulnerabilities in the handling of highly sensitive voter data and may expose the Commission to legal and reputational risk if not addressed through clearer safeguards and documented transfer controls.
Federal Inland Revenue Service (FIRS) demonstrates moderate compliance. It provides accessible privacy information and basic contact channels and outlines general categories of taxpayer data collected for tax assessment, enforcement, and compliance purposes. The Service acknowledges data sharing with other government agencies and implements standard taxpayer rights, including access and correction procedures. However, its lower score in data subject rights (35%) indicates partial rather than comprehensive implementation. Although FIRS scored relatively higher in third-party sharing (50%) and security safeguards (39%) compared to some agencies, these figures remain below optimal compliance standards. Given the sensitivity of financial and taxpayer data, stronger governance, clearer legal bases for transfers, and more robust technical safeguards are necessary to ensure full alignment with data protection requirements.
Nigeria Customs Service (NCS) faces significant compliance challenges. Despite processing large volumes of personal and commercial data through import/export operations, border control, and trade facilitation, accessible privacy disclosures remain limited. Its 0% score in both regulatory registration and third-party sharing compliance highlights serious governance deficiencies. The limited transparency creates a gap between the scale of data processing activities and the safeguards publicly articulated to protect such data. This disconnect increases legal exposure, reduces stakeholder trust, and heightens the risk of non-compliance with statutory transparency, accountability, and lawful processing obligations.
The assessment indicates that data protection compliance across the agencies remains uneven and largely procedural rather than systemic. While NIS and INEC demonstrate comparatively stronger frameworks in specific areas, all entities exhibit structural weaknesses, particularly in third-party data governance, breach response mechanisms, transparency reporting, and comprehensive regulatory alignment.
To achieve full compliance with data protection laws, agencies must move beyond policy publication toward institutionalized data governance structures, including:
- Formal registration with the regulator
- Documented data-sharing agreements with safeguards
- Comprehensive data subject rights implementation
- Structured breach detection and notification frameworks
- Regular transparency reporting
- Stronger technical and organizational security measures
e-Government Services - Ghana
The assessment of Ghana's key e-government institutions reveals uneven and largely partial compliance with data protection obligations. While some agencies demonstrate structured efforts in specific areas, systemic weaknesses persist, particularly in third-party data governance, breach response mechanisms, and transparency reporting.
Compliance with registration requirements shows a mixed picture. Ghana Immigration Services (GIS) leads with full compliance (100%) and maintains an active registration valid until November 26, 2025. By contrast, the Ghana Revenue Authority (GRA) and SSNIT Self Service Portal each scored 50%, reflecting expired certifications (August 13, 2025, and September 20, 2024, respectively). The Passport Office scored 0%, having never registered.
From a compliance perspective, expired or absent registration undermines institutional accountability and may constitute a direct breach of statutory obligations under Ghana's data protection framework. Registration is a foundational requirement; failure to maintain active certification weakens regulatory oversight and exposes agencies to legal and reputational risks.
Efforts to provide accessible privacy policies also vary significantly. GRA leads (88%) with the most structured and visible policy. SSNIT and GIS follow (63% each), while the Passport Office has no publicly available privacy policy (0%). Although Immigration's policy exceeds 1,900 words, suggesting detail and substantive content, readability scores (Hemingway grades 11–12) indicate bureaucratic and difficult-to-read language across agencies. The absence of any policy at the Passport Office represents a serious transparency failure, effectively denying citizens notice of how their data is processed. In practical terms, limited accessibility or absence of policies undermines the principles of transparency and informed consent, core pillars of data protection law.
Compliance with data subject rights demonstrates relative strength in some institutions but remains incomplete overall. SSNIT leads (72%), followed by GIS (67%), GRA (31%), and the Passport Office (0%).
- SSNIT clearly outlines data categories, processing purposes, and limited third-party sharing (NIA and GHIPSS), and recognizes core user rights. However, vague retention timelines, absence of complaint mechanisms, and silence on law enforcement access weaken its compliance posture.
- GIS provides comprehensive contact details, extensive data categories, and acknowledges rights such as access, rectification, and erasure. Nonetheless, vague retention standards, absence of structured complaint channels, and provisions for targeted marketing introduce compliance gaps.
- GRA offers only basic information on purposes and contact details, without clarity on retention, third-party sharing safeguards, complaint processes, or law enforcement access.
- Passport Office provides no privacy framework at all.
All entities share personal data with third parties, yet compliance in this area is critically low. GIS leads with only 28%, followed by SSNIT (18%), while GRA and the Passport Office scored 0%.
- GRA's policy omits essential disclosures on third-party sharing, law enforcement access, data categories transferred, and breach reporting procedures, indicating non-compliance with basic transparency requirements.
- SSNIT specifies sharing with NIA and GHIPSS for identity verification and payment processing, excluding advertisers and analytics platforms. However, it fails to clarify data categories transferred, safeguards, or breach procedures.
- GIS discloses sharing with MDAs, SOEs, MMDAs, and payment processors, and allows law enforcement access when reasonably requested. Yet, procedural safeguards and breach notification processes remain undefined.
- Passport Office provides no disclosure at all.
All institutions demonstrate some technical security measures, though implementation quality varies.
- GIS leads (67%) with an A SSL rating, partial security header implementation (28%), and policy references to protective measures.
- GRA follows (61%) with an A SSL rating but failing security headers (F).
- SSNIT scored 39% with a B SSL rating and failing security headers.
- Passport Office scored lowest (22%) with a B SSL rating and no policy reference to personal data security.
None of the assessed agencies (GRA, Passport Office, SSNIT, or GIS) has published a transparency report since 2024, resulting in 0% scores across the board. The absence of transparency reporting weakens public accountability and obscures how frequently data is shared, accessed by law enforcement, or subjected to breaches. This limits oversight and undermines public trust.
Internal breach resolution mechanisms are largely absent.
- SSNIT and GIS scored 8% each, referencing general security measures but lacking defined procedures, reporting timelines, user notification protocols, or independent review safeguards.
- GRA and Passport Office scored 0%, providing no guidance at all.
The assessment demonstrates that Ghana's public sector agencies are at different stages of privacy maturity, but none achieves comprehensive compliance across all indicators. Key systemic weaknesses include:
- Expired or absent regulatory registration
- Limited clarity in third-party data transfer safeguards
- Vague retention policies
- Absence of structured complaint and redress mechanisms
- Lack of transparency reporting
- Weak or undocumented breach response frameworks
e-Government Services - Botswana
The assessment reveals uneven and generally low levels of compliance with core data protection principles among Botswana's key public institutions: Botswana Unified Revenue Service (BURS), Botswana Communications Regulatory Authority (BOCRA), 1Gov e-Services Portal, and Independent Electoral Commission of Botswana (IEC). While some progress is observable, particularly in policy publication and stated security commitments, significant structural deficiencies remain in transparency, data subject rights, third-party accountability, and breach response mechanisms.
Demonstrable efforts to provide accessible privacy policies were strongest at BOCRA and BURS (both scoring 88%), followed by the 1Gov e-Services Portal (63%), while the IEC scored 0%. However, accessibility alone does not equate to compliance. Under the Botswana Data Protection Act, transparency requires that data controllers clearly inform data subjects about: categories of personal data collected, lawful basis and purposes of processing, retention periods, data subject rights, third-party recipients, and complaint and redress mechanisms.
Although BURS has an accessible privacy policy, the content is vague. It does not clearly define categories of data collected, specific purposes, retention timelines, or breach reporting procedures. This undermines the principle of informed consent and transparency. The absence of specificity limits accountability and may place the institution in partial non-compliance with statutory disclosure requirements.
BOCRA demonstrates stronger alignment with transparency obligations. Its policy specifies data categories, purposes, contact details, and acknowledges data subject rights. It explicitly references compliance with the Data Protection Act. However, the absence of clearly defined retention periods and breach notification timelines suggests incomplete compliance.
While a policy exists for the 1Gov e-Services Portal, it is broadly framed and lacks substantive detail. It permits marketing uses and third-party sharing without specifying recipients, creating risks of function creep and opaque processing practices.
The absence of a privacy policy for the IEC represents a fundamental transparency failure. For an institution handling highly sensitive voter data, this gap raises serious concerns about lawfulness, fairness, and accountability.
BOCRA scored highest (77%) in recognising data subject rights, followed distantly by 1Gov (14%), while BURS and IEC scored 0%. The Data Protection Act grants individuals rights including access, rectification, erasure, restriction of processing, and the right to lodge complaints. By explicitly referencing these rights and complaint procedures, BOCRA demonstrates partial alignment with statutory requirements. This enhances accountability and empowers citizens to exercise control over their personal information. The failure by BURS and 1Gov to clearly articulate these rights significantly weakens legal compliance. Without procedural clarity, data subjects may be unaware of how to request access, correction, or deletion. This creates a compliance gap and increases institutional liability.
The absence of any documented rights framework at the IEC suggests a complete lack of procedural safeguards for voters, which may be incompatible with statutory obligations.
All entities share personal data with third parties, yet compliance levels were critically low. BOCRA led with 34%, while all others scored 0%.
Third-party sharing represents one of the highest-risk areas under data protection law. Compliance requires: identification of recipients or categories of recipients, clear lawful basis for sharing, and safeguards through contractual controls and restrictions on onward transfer. BOCRA limits sharing to government bodies, service providers, and legal proceedings, reflecting some degree of necessity and proportionality. However, the absence of detailed safeguards or contractual transparency remains a weakness. Both BURS and 1Gov permit sharing with advertisers without identifying recipients. This creates heightened risk of misuse, profiling, or unauthorized secondary use. The lack of disclosure undermines transparency and could constitute non-compliance with accountability principles. IEC has no policy disclosure, so citizens have no visibility into whether or how voter data is shared. Collectively, these findings suggest systemic weaknesses in third-party governance frameworks across institutions.
Demonstrable efforts to ensure data security were observed across all institutions, with BOCRA scoring highest (72%), followed by BURS (56%), 1Gov (45%), and IEC (39%). BOCRA specifies encryption, audits, and access controls, indicating relatively mature security governance. BURS and 1Gov reference "security measures" but lack specificity, making it difficult to assess adequacy or compliance with technical and organizational safeguard requirements.
IEC has no publicly articulated safeguards, so voter data security remains opaque and potentially vulnerable. Security transparency is a core accountability requirement. Generic statements without demonstrable controls weaken institutional credibility and public trust.
All entities lack publicly available transparency reports and fail to demonstrate internal data breach resolution mechanisms. This represents a critical compliance gap. The Data Protection Act requires timely notification of breaches to the regulator and, where applicable, affected individuals. The absence of defined reporting procedures, timelines, or internal escalation protocols increases legal exposure, reputational risk, and citizen vulnerability in the event of unauthorized access. Without breach response frameworks, even institutions with stronger security controls remain operationally non-compliant.
BOCRA emerges as the strongest performer, demonstrating meaningful alignment with transparency, rights recognition, and security safeguards. Nonetheless, its compliance remains incomplete due to undefined retention periods and breach notification procedures. BURS and 1Gov e-Services Portal exhibit partial compliance through policy publication but fail to meet core accountability and rights-based standards. IEC demonstrates a systemic compliance failure, lacking even foundational transparency measures despite managing highly sensitive voter data. The findings indicate that Botswana's public sector institutions are at varying stages of data protection maturity, with most lacking fully operational compliance frameworks. The weaknesses observed suggest inadequate internal governance structures for data protection, weak enforcement or oversight mechanisms, limited integration of privacy-by-design principles, and potential exposure to legal, reputational, and cybersecurity risks.
Given the volume and sensitivity of citizen data processed — tax records, communications data, identity information, and voter registration data — the current compliance gaps may undermine public trust and institutional legitimacy. While incremental progress is evident, particularly at BOCRA, systemic improvements are urgently required. To achieve substantive compliance with the Botswana Data Protection Act, these institutions must enhance transparency and specificity in privacy notices, operationalize data subject rights procedures, strengthen third-party governance and contractual safeguards, establish formal breach detection and notification frameworks, and publish transparency and accountability reports. Without these reforms, government data controllers remain exposed to compliance risks, and citizens remain inadequately protected in the digital governance environment.
e-Government Services - Rwanda
In 2025, accessibility of privacy policies remains strongest at RSSB and RISA, both maintaining scores of 88%, unchanged from 2024. Their policies are publicly available, relatively readable, and sufficiently detailed to meet baseline transparency standards. By contrast, IremboGov's score declined from 88% in 2024 to 63% in 2025. This decline is not due to lack of substantive content but rather reduced visibility and accessibility of the policy to users, which undermines practical transparency. RRA continues to score 0%, as it does not provide a publicly accessible privacy policy. From a compliance perspective, the absence of a privacy policy constitutes a fundamental breach of transparency obligations under data protection law. Even where policies exist, reduced accessibility weakens informed consent and fair processing standards.
With respect to pre-collection transparency and data subject rights, the 2025 assessment reveals moderate improvement for some entities but significant regression for others. IremboGov leads with a score of 66%, up from 54% in 2024, reflecting clearer articulation of data categories, purposes of processing, and recognition of certain user rights. RSSB follows closely at 63%, a slight improvement from 60% last year, demonstrating continued effort to describe data types and processing purposes. However, both entities still lack fully developed complaint mechanisms, detailed deletion procedures, and explicit regulatory recourse pathways, which limits the enforceability of user rights in practice. RISA's performance declined sharply from 40% in 2024 to 15% in 2025, indicating a substantial reduction in transparency concerning user rights and retention practices. RRA remains at 0%, providing no visible pre-collection disclosures.
The uneven performance in this domain suggests that while awareness of data subject rights is growing in certain institutions, rights realisation mechanisms remain underdeveloped and inconsistent across the sector.
Third-party data sharing remains an area of high risk and uneven compliance. In 2025, RSSB significantly improved its score from 10% to 48% by identifying categories of third-party recipients, such as government bodies and financial institutions, and clarifying that processing occurs under its instructions. IremboGov also improved from 10% to 38%, disclosing categories of service providers and affiliates. However, both entities fail to specify the exact types of personal data shared or provide sufficiently detailed safeguards governing these transfers. RISA experienced the most dramatic regression, dropping from 60% in 2024 to 0% in 2025, indicating either removal or dilution of previously disclosed third-party safeguards. RRA again scores 0% due to the absence of a policy framework addressing transfers. These findings are particularly significant because third-party transfers often trigger heightened accountability and lawful processing requirements. Limited disclosure in this area increases legal exposure and reduces public confidence in data governance practices.
Regarding technical and organisational security measures, all four entities maintain strong SSL encryption ratings, demonstrating effective protection of personal data in transit. However, website security header implementation remains uniformly weak, with predominantly failing scores, indicating insufficient deployment of additional HTTP security protections. In terms of overall security disclosure and implementation, IremboGov and RSSB each scored 45%, unchanged from 2024. RISA declined from 56% to 39%, while RRA improved marginally from 22% to 28% but continues to lag significantly behind.
Although encryption standards are commendable, vague policy statements and weak supplementary technical safeguards suggest limited progress toward comprehensive privacy-by-design implementation. Strong encryption alone is insufficient to demonstrate full compliance with risk-based security obligations.
Accountability mechanisms remain the weakest area across all entities. As in 2024, none of the assessed institutions has published a transparency report. Structured internal data breach resolution procedures are not publicly documented. RSSB references breach notification but does not specify timelines or procedural steps, while the remaining entities provide little to no information regarding breach handling. The absence of defined breach governance frameworks constitutes a significant compliance vulnerability, as timely notification, documentation, and remediation processes are core requirements under modern data protection regimes. The continued failure to institutionalise transparency reporting and breach management indicates that accountability mechanisms have not matured alongside policy development.
Overall, the 2025 assessment demonstrates incremental but uneven progress. RSSB and IremboGov show measurable improvement in areas such as data subject rights and third-party disclosure, suggesting gradual strengthening of internal compliance awareness. However, this progress is offset by RISA's marked regression and RRA's continued structural non-compliance. Encryption standards remain consistently strong, yet broader web security practices and accountability frameworks show little advancement. The sector's overall trajectory can therefore be characterised as selectively progressive rather than systematically reformative.
From a compliance standpoint, the most urgent priorities include the publication of a comprehensive privacy policy by RRA, restoration and strengthening of third-party disclosure practices by RISA, development of clearly articulated breach notification procedures across all entities, publication of transparency reports, and improved implementation of website security headers. Without these structural reforms, improvements in policy language and selective transparency will not be sufficient to achieve full alignment with data protection law or to sustain public trust in digital government services.
e-Government Services - Tanzania
The 2025 findings reveal a persistent pattern from 2024: government agencies continue to score zero in nearly all transparency and accountability-related metrics. As was the case last year, none of the assessed entities demonstrates measurable effort to publish accessible privacy policies, articulate data subject rights, establish internal data breach resolution mechanisms, issue transparency reports, or comply with third-party data transfer disclosure requirements.
The only area where performance is recorded is technical data security. This indicates that, structurally, compliance remains narrowly focused on cybersecurity safeguards while neglecting the broader legal obligations under Tanzania's Personal Data Protection Act. Notably, the Act does not exempt government agencies from compliance, except under narrowly defined exceptions provided under Sections 23(3) and 25(2). The continued absence of transparency and accountability measures therefore raises serious compliance concerns.
In both 2024 and 2025, all assessed agencies scored 0% in accessible privacy policies and pre-collection transparency. No publicly available, comprehensive privacy policy frameworks were identified, nor were there adequate disclosures regarding categories of personal data collected, lawful bases for processing, retention periods, or complaint mechanisms.
Compared to last year, there has been no improvement in this domain. The absence of visible privacy policies directly undermines the principles of transparency, fairness, and lawful processing. Without clear disclosures, data subjects cannot meaningfully understand how their personal data is handled, nor can they exercise their rights effectively. This persistent zero performance signals systemic non-compliance rather than isolated gaps.
As in 2024, none of the agencies demonstrates compliance with requirements relating to data subject rights or third-party data transfers. There is no clear articulation of rights such as access, correction, deletion, objection, or restriction of processing. Similarly, there is no disclosure of categories of third-party recipients, safeguards governing transfers, or legal bases for sharing personal data.
The lack of improvement from 2024 to 2025 suggests that data governance frameworks within these institutions have not evolved to incorporate rights-based compliance mechanisms. This is particularly concerning because third-party transfers represent high-risk processing activities that demand enhanced accountability and safeguards under data protection law. The continued absence of transparency in these areas exposes agencies to legal risk and undermines citizens' ability to challenge misuse of their personal data.
The 2025 assessment confirms that, as in 2024, none of the agencies has published transparency reports or established visible internal data breach resolution mechanisms. There is no evidence of structured breach notification timelines, escalation protocols, or publicly accessible incident reporting procedures. The failure to implement breach governance frameworks constitutes a significant accountability gap. Data protection law requires not only the prevention of breaches but also documented procedures for responding to and reporting them. Without such mechanisms, compliance cannot be demonstrated, even if security controls exist. The absence of transparency reporting further weakens public oversight and trust.
Data security remains the only measurable area of effort. In 2025, e-Immigration Tanzania and Tanzania Civil Aviation Authority each scored 56%, unchanged from 2024. Tanzania Communications Regulatory Authority declined from 61% in 2024 to 50% in 2025, indicating regression. Tanzania Work Permit Application Portal maintained a low score of 22%, unchanged from last year.
While it is positive that agencies continue to invest in technical safeguards, the stagnation and regression in some cases indicate that security maturity is not advancing. Moreover, even the highest score of 56% remains below what would be considered robust compliance under a risk-based data protection framework.
Importantly, security safeguards alone do not equate to compliance. Data protection law requires a holistic approach incorporating transparency, accountability, lawful processing, and enforceable rights. A narrow focus on cybersecurity, without parallel governance reforms, results in partial and insufficient compliance.
A comparison between the two years shows near-total stagnation in transparency and accountability measures. In 2024, all agencies scored zero in privacy policy accessibility, third-party disclosure, transparency reporting, and breach management. In 2025, this remains unchanged. The only notable shift is the decline of TCRA's security score from 61% to 50%. e-Immigration Tanzania and TCAA maintained their 56% scores, while the Tanzania Work Permit Application Portal remained at 22%. Thus, there is no evidence of systemic reform, only maintenance of existing technical safeguards with minor fluctuations.
The 2025 findings confirm a troubling compliance imbalance. Government agencies expected to lead by example in implementing the Personal Data Protection Act remain largely non-compliant in areas fundamental to data protection governance. The absence of accessible privacy policies, rights frameworks, third-party disclosure mechanisms, breach resolution systems, and transparency reports reflects a failure to operationalize core principles of accountability and transparency. Given that the law does not provide blanket exemptions for public authorities, continued non-compliance may expose agencies to regulatory enforcement risks and reputational harm.
Most critically, the current approach emphasizes technical security while neglecting legal and procedural safeguards. This creates an incomplete compliance model that protects data in transit or storage but fails to guarantee lawful, fair, and transparent processing.
The 2025 assessment demonstrates that, compared to 2024, there has been no meaningful progress in aligning Tanzania's government digital platforms with comprehensive data protection standards. While some agencies maintain moderate data security practices, structural gaps in transparency, accountability, and rights protection persist unchanged.
Unless deliberate institutional reforms are undertaken, particularly in publishing privacy policies, formalizing data subject rights procedures, regulating third-party transfers, and establishing breach governance frameworks, government agencies will continue to fall short of full compliance with Tanzania's data protection laws and principles.
e-Government Services - Mauritius
The comparative assessment of government agencies this year reveals incremental yet uneven progress in privacy governance and compliance with the Data Protection Act 2017. While certain institutions have demonstrated measurable improvements, systemic weaknesses persist across key transparency and accountability indicators.
The Mauritius Revenue Authority (MRA) and MauPass emerged as the strongest performers under the accessible privacy policy indicator, each scoring 88%. MRA maintained its performance from last year, when it was the only agency credited with having an accessible privacy policy. MauPass, by contrast, recorded the most significant improvement, rising from 0% last year to 88% this year. This shift reflects a substantial advancement in transparency practices. Both institutions now provide publicly available privacy policies that outline how personal data is collected, used, stored, and shared.
MRA's privacy policy remains concise and structured around compliance with Mauritian laws and regulations. It identifies the categories of data processed, including personal identifiers, contact details, financial information, and survey-related data. It clarifies that information may be collected directly from individuals or indirectly from third parties such as government entities or public sources. The policy also explains that data may be shared with statutory, regulatory, and law enforcement authorities where legally required, and that retention periods are governed by applicable legislation. However, while the policy demonstrates a baseline level of legal compliance, it provides limited detail regarding specific security safeguards or internal data breach procedures, which constrains full accountability under the Data Protection Act.
MauPass's privacy policy is comparatively more comprehensive. It specifies the collection of personal identifiers, contact details, derivative data such as IP addresses and access logs, and mobile device information. It explains that information is obtained directly through the National Authentication Framework or indirectly through usage logs and third-party integrations.
The policy outlines purposes including secure authentication, fraud prevention, service improvement, statistical analysis, and lawful disclosure. It also affirms users' rights to review, update, or delete their account information and describes secure storage at the Government Online Centre. This marked improvement from last year strengthens MauPass's compliance posture, particularly in relation to transparency and user rights.
In contrast, the Information and Communications Technology Authority (ICTA) and the Passport and Immigration Office Mauritius again scored 0% for accessible privacy policies, reflecting no progress from the previous year. The continued absence of publicly accessible privacy notices presents a significant compliance gap. Transparency is a foundational obligation under the Data Protection Act, and failure to provide clear notice regarding data processing activities undermines lawful processing and exposes these institutions to regulatory and reputational risks.
Progress is also visible in the area of data subject rights, though unevenly distributed. MRA improved from 21% last year to 39%, while MauPass advanced from 0% to 54%. These improvements suggest a growing recognition of statutory rights such as access, rectification, and erasure. MauPass, in particular, has embedded clearer mechanisms for users to manage their data. However, partial scores indicate that operational clarity and comprehensiveness remain limited. ICTA and the Passport and Immigration Office maintained 0% in this category, signaling continued deficiencies in recognizing and facilitating data subject rights. This stagnation raises concerns regarding compliance with core rights guaranteed under the Data Protection Act and risks eroding public confidence.
Transparency regarding third-party data sharing has improved modestly. MRA increased from 14% last year to 38%, and MauPass rose from 0% to 24%. Both institutions now provide clearer acknowledgment that data may be shared with other government entities or law enforcement authorities where required by law. Nevertheless, scores remain below half of the total possible, indicating limited disclosure regarding safeguards, oversight mechanisms, or the terms governing such transfers. ICTA and the Passport and Immigration Office again recorded 0%, reflecting continued opacity in this critical area. Given the sensitivity of regulatory and immigration-related data, the absence of visible safeguards heightens compliance risks.
All four agencies demonstrated efforts to ensure data security. MauPass now leads with 72%, up from 45% last year, indicating strengthened technical and organizational measures.
The Passport and Immigration Office maintained its previous score of 61%, remaining relatively strong in security safeguards. ICTA also maintained its score of 56%, while MRA improved modestly from 39% to 44%. These results suggest that preventive security controls are comparatively more developed than transparency and accountability mechanisms. However, none of the agencies provide evidence of internal data breach resolution frameworks or publish transparency reports. As in the previous year, all scored 0% in these categories. The absence of documented breach response mechanisms and public reporting reflects a persistent accountability gap and limits demonstrable compliance with the Act's requirements for responsible data governance.
In comparison to last year's findings, the most notable change is MauPass's substantial advancement across multiple indicators, particularly in privacy policy accessibility, data subject rights, and third-party transparency. MRA has shown steady, incremental improvement while maintaining its leadership in policy accessibility. However, ICTA and the Passport and Immigration Office have remained largely stagnant, with no measurable progress in core transparency indicators. Additionally, sector-wide weaknesses in transparency reporting and internal breach management remain unchanged.
Overall, while this year's assessment indicates gradual movement toward stronger data governance practices, compliance remains partial rather than comprehensive. Improvements in policy accessibility and security safeguards are encouraging, yet persistent deficiencies in transparency reporting, breach response mechanisms, and full operationalization of data subject rights suggest that accountability structures are still underdeveloped. Without sustained institutional reform, particularly within ICTA and the Passport and Immigration Office, regulatory exposure and public trust risks will continue to shape the privacy landscape within Mauritius' public sector.
e-Government Services - Zimbabwe
The current assessment of Zimbabwean government digital platforms reveals modest progress in selected areas of privacy governance, but continued structural weaknesses that raise concerns regarding sustained compliance with data protection laws. While certain entities have strengthened transparency and security controls compared to last year, overall performance across the sector remains inconsistent and, in critical areas, stagnant.
In relation to accessible privacy policies, visible effort was made this year. The National Social Security Authority (NSSA) recorded the strongest improvement, rising from 50% last year to 88%. This marks a substantial enhancement in policy accessibility and suggests a deliberate effort to improve transparency around data processing practices.
The e-Government Procurement (eGP) System Zimbabwe maintained its prior-year performance at 75%, indicating stability but no further advancement. In contrast, the Zimbabwe Revenue Authority (ZIMRA) experienced a notable decline, dropping from 88% last year to 63%. This reduction may reflect either diminished visibility of its privacy framework or reduced comprehensiveness in its disclosures.
Compared to last year, when ZIMRA led the sector in policy accessibility, this year's results show a shift in leadership to NSSA. While three agencies previously demonstrated accessible privacy policies, the redistribution of scores indicates both improvement and regression within the sector. From a compliance perspective, accessible privacy notices are central to the transparency principle embedded in data protection legislation. Improvements by NSSA and the maintained performance of eGP strengthen their legal footing; however, ZIMRA's decline signals potential backsliding in maintaining clear, user-facing data protection commitments.
With respect to data subject rights, performance improved across most entities, although scores remain moderate. ZIMRA led in this category at 47%, improving from 32% last year. The eGP System Zimbabwe rose slightly from 37% to 39%, while NSSA increased from 19% to 27%. eVisa Zimbabwe, however, maintained a score of 0%, indicating no visible mechanisms to facilitate access, rectification, or erasure rights.
These incremental improvements suggest a growing institutional awareness of the need to operationalize user rights. Nevertheless, partial scores below 50% indicate that rights frameworks are not yet fully embedded or clearly actionable. The continued absence of any measurable effort by eVisa Zimbabwe is particularly concerning, as the platform processes highly sensitive travel and identity information. Failure to provide accessible mechanisms for data subject rights may expose the institution to regulatory risk and undermine the fairness and lawfulness principles required under data protection laws.
All entities share personal data with third parties and demonstrated some level of disclosure regarding such transfers. NSSA remained the strongest performer in this category, maintaining a high score of 80% from last year. ZIMRA's score declined marginally from 39% to 38%, while eGP maintained 24%. Although these figures show that third-party transfers are acknowledged, they also reveal limited progress in strengthening safeguards or expanding transparency. Compared to last year, when ZIMRA led this category at 70% and NSSA followed at 60%, this year reflects a reordering of compliance performance but no systemic strengthening across the board.
The implications for privacy practice are significant. Third-party transfers present heightened risks of misuse, especially where contractual safeguards, oversight mechanisms, and cross-border protections are unclear. While NSSA appears to have institutionalized stronger disclosure practices, the moderate to low scores for ZIMRA and eGP suggest that citizens may not be fully informed about how and under what safeguards their information is shared.
Data security measures present a mixed but somewhat encouraging trend. The eGP System Zimbabwe recorded the most substantial improvement, increasing from 39% last year to 67% this year, thereby emerging as the sector leader in security safeguards. eVisa Zimbabwe demonstrated marked improvement, rising from 11% to 61%, indicating enhanced technical protections despite its broader governance deficiencies. ZIMRA maintained its previous score of 39%, while NSSA declined from 39% to 28%.
These shifts indicate that while some platforms are investing in technical safeguards, others may be deprioritizing or insufficiently documenting their security controls. The decline in NSSA's security score, despite its strong transparency performance, suggests an imbalance between policy visibility and technical implementation.
Effective compliance requires both transparent governance frameworks and robust technical safeguards; improvements in one area cannot compensate for weaknesses in another.
As in the previous year, all entities scored 0% for transparency reporting and internal data breach resolution mechanisms. This persistent absence of accountability structures is one of the most significant compliance gaps across the sector. Transparency reports and clearly articulated breach response procedures are essential components of modern data protection regimes. Their continued absence signals limited institutional maturity in incident management and oversight. Without documented breach handling processes, citizens remain uncertain about how incidents would be addressed, notified, or remedied.
Overall, although measurable improvements have been recorded in privacy policy accessibility, data subject rights, and security safeguards for certain agencies, the sector's performance remains fragmented. NSSA has made notable gains in transparency, eGP has strengthened its security posture, and ZIMRA has moderately improved its recognition of data subject rights despite a decline in policy accessibility. However, eVisa Zimbabwe continues to perform poorly overall, with no visible registration safeguards, no accessible privacy policy, no pre-collection transparency, and no mechanisms for data subject rights, despite improvements in security controls.
Compared to last year's findings, progress is evident but not transformative. Leadership positions have shifted, some scores have improved, and security investment appears more pronounced in certain platforms. However, the systemic weaknesses identified previously, particularly the absence of transparency reporting, inadequate breach management frameworks, and weak pre-collection transparency, remain largely unchanged.
These ongoing deficiencies raise concerns about sustained compliance with data protection laws and the ability of public institutions to demonstrate accountability. While incremental progress is commendable, comprehensive reform is necessary to align operational practices with legal requirements. Without stronger oversight mechanisms, clearer articulation of user rights, and institutionalized breach response frameworks, Zimbabwe's government digital platforms risk continued regulatory exposure and erosion of public trust in their handling of personal data.
e-Government Services - Kenya
The current assessment of Kenya's key government digital service platforms demonstrates measurable progress in certain compliance areas, yet continued structural weaknesses in transparency and accountability. Although some institutions have strengthened alignment with data protection requirements compared to last year, overall performance remains uneven, revealing significant disparities in privacy governance despite uniform legal obligations under Kenya's Data Protection Act.
With respect to registration with the national regulator, there was demonstrable improvement. e-Citizen, Huduma, and the Kenya Revenue Authority (KRA) each scored 100%. KRA maintained its perfect score from last year, confirming sustained compliance and institutional maturity in meeting formal regulatory requirements. In contrast, e-Citizen and Huduma improved from 0% last year to full compliance this year, representing a notable strengthening of their legal posture. Registration with the regulator is a foundational obligation under the Data Protection Act, and these improvements reflect enhanced recognition of statutory accountability requirements. However, the Electronic Travel Authorization (ETA) system maintained a score of 0%, unchanged from last year, signaling continued non-compliance with one of the most basic regulatory obligations.
In relation to accessible privacy policies, visible effort was again demonstrated. e-Citizen, KRA, and ETA Kenya each maintained a score of 88%, consistent with last year's results. This stability indicates that these entities have preserved their public-facing transparency frameworks. Huduma, however, continues to lag behind, with no accessible privacy policy documentation. The presence of privacy policies for e-Citizen, KRA, and ETA suggests formal acknowledgment of transparency requirements, yet the maintenance of identical scores year-on-year implies limited enhancement in policy depth or clarity. Accessibility alone does not guarantee comprehensive compliance; policies must evolve to reflect changing operational practices, emerging risks, and enhanced regulatory expectations.
Performance in facilitating data subject rights reveals a more dynamic picture. ETA Kenya led this category with 68%, improving from 56% last year, indicating strengthened mechanisms for access, correction, or other statutory rights. e-Citizen recorded a slight decline, dropping from 72% to 67%, while KRA experienced a more pronounced reduction from 58% to 42%. Huduma again maintained 0%, demonstrating no visible effort to operationalize data subject rights. These mixed results suggest that while some entities are enhancing procedural pathways for individuals to exercise their rights, others may be experiencing implementation gaps or reduced transparency. Given that data subject rights are central to lawful and fair processing, declining scores in this area raise concerns about sustained compliance, particularly for KRA, which otherwise demonstrates strong institutional governance.
Third-party data sharing remains an area of weakness across all entities. Although all platforms share personal data with other government bodies or service providers, compliance levels are low. e-Citizen improved from 20% to 34%, indicating incremental progress in disclosing inter-agency or service provider data transfers. ETA Kenya, however, declined from 44% to 34%, while KRA dropped from 40% to 26%. Huduma once again scored 0%. Compared to last year, the general trend reflects either stagnation or regression rather than systemic improvement. Given the complexity of inter-agency collaboration within government digital ecosystems, insufficient disclosure about third-party transfers poses risks related to accountability, data minimization, and cross-border safeguards. Weak performance in this area undermines citizens' ability to understand how their information circulates across state systems and external partners.
Data security safeguards present a relatively stable but modest compliance landscape. e-Citizen and ETA Kenya both scored 56%, with e-Citizen maintaining last year's performance and ETA declining slightly from 61%. KRA maintained 45%, and Huduma remained at 22%. Compared to last year, when ETA led with 44% and KRA followed at 40%, this year reflects incremental strengthening for some entities but no transformative enhancement of security maturity. While the presence of technical and organizational safeguards is evident, scores below full compliance suggest that documentation, risk assessments, encryption protocols, or independent audits may not be sufficiently robust or publicly articulated.
As in the previous year, all entities scored 0% for transparency reporting and internal data breach resolution mechanisms. This persistent gap is one of the most concerning findings. Transparency reports, breach notification procedures, and documented internal resolution frameworks are essential to demonstrating accountability and preparedness. Their absence indicates that although certain preventive measures may exist, reactive and oversight mechanisms remain underdeveloped. This exposes agencies to regulatory risk and limits public confidence in the event of security incidents.
Taken together, the findings reveal highly variable privacy protection standards across Kenya's government digital services. KRA continues to demonstrate relatively strong overall compliance, supported by comprehensive governance structures such as Data Protection Officer designation, detailed retention policies, and complaint escalation pathways. Its consistent regulatory registration and sustained policy accessibility reflect institutional commitment, though recent declines in data subject rights facilitation and third-party transparency suggest areas requiring renewed attention.
e-Citizen's performance reflects meaningful progress, particularly in achieving full regulatory registration and modest improvements in third-party disclosure. However, the slight decline in data subject rights and stagnant security performance indicate that operational consistency remains a challenge. ETA Kenya demonstrates moderate compliance, with improvements in data subject rights but regression in third-party transparency and a slight decline in security safeguards. Given the sensitive nature of immigration and travel-related data, enhanced specificity in retention practices and cross-border data sharing arrangements is essential to mitigate legal and reputational risk.
Huduma's continued weak performance remains particularly concerning. Although it achieved full regulatory registration this year, it still lacks an accessible privacy policy, data subject rights mechanisms, third-party transparency, and robust security safeguards. For a platform handling sensitive services such as identity documentation and civil registration, these deficiencies represent significant compliance and trust risks.
Compared to last year, the most notable improvements are the expansion of regulatory registration compliance and incremental gains in certain rights-based frameworks. However, declines in third-party transparency and stagnation in accountability mechanisms indicate that progress is neither uniform nor comprehensive. The continued absence of transparency reporting and breach resolution processes across all entities highlights a systemic governance weakness that remains unaddressed.
In conclusion, while Kenya's government digital platforms demonstrate growing awareness of data protection obligations, compliance remains partial and uneven. Stronger institutionalization of accountability mechanisms, clearer third-party transfer disclosures, consistent facilitation of data subject rights, and development of formal breach response frameworks are necessary to ensure sustained alignment with the Data Protection Act and to preserve citizen trust in digital public services.
e-Government Services - Uganda
The current assessment of key Ugandan government agencies reveals modest progress in formal compliance measures but continued systemic weaknesses in transparency, accountability, and operational safeguards. Although certain institutions have improved their alignment with statutory requirements compared to last year, overall performance across the sector remains low. This is particularly concerning given the volume and sensitivity of personal data processed by these agencies, including biometric, electoral, immigration, and national identification records.
With respect to registration with the national regulator, demonstrable compliance was recorded for the National Identification and Registration Authority (NIRA) and the Uganda Bureau of Statistics (UBOS), both of which maintained a perfect score of 100% from last year. This sustained performance reflects continued adherence to one of the foundational requirements under Uganda's Data Protection and Privacy Act. In contrast to last year, when Immigration Uganda, the Electoral Commission, and UBOS had scored 0% in registration, this year's findings confirm that NIRA and UBOS remain the only agencies fully compliant in this respect, while Immigration Uganda and the Electoral Commission continue to lag behind. Regulatory registration represents the baseline of accountability; failure to comply signals fundamental gaps in legal adherence.
A notable development this year is the improvement in accessible privacy policies. NIRA and UBOS are now the only government entities within the study with published privacy policies, each scoring 63%. NIRA improved significantly from 0% last year, marking an important step toward transparency. UBOS maintained its previous score of 63%, remaining stable but without further enhancement. Immigration Uganda and the Electoral Commission again scored 0%, reflecting the continued absence of publicly available privacy documentation. Compared to last year, when UBOS was the only agency with an accessible policy, NIRA's introduction of a policy constitutes meaningful progress. However, the overall picture remains troubling, as half of the assessed institutions still operate without any publicly articulated privacy framework.
An examination of NIRA's privacy policy reveals both strengths and notable gaps. The policy details specific technical safeguards, including encryption at the point of data capture, transmission, processing, sharing, and disposal, particularly in relation to national identification data. It also indicates that data subjects will be notified of data breaches and recognizes rights such as access, correction, erasure, and the right to lodge a complaint. However, important ambiguities remain. The policy does not define what constitutes "undue delay" in breach notification, does not outline clear investigative procedures or timelines for handling complaints, and fails to specify how breaches may be reported or which contact channels should be used. Additionally, while the policy defines personal data and provides contact details for NIRA, it does not clearly articulate the purposes of data collection, retention periods, or the identities of third parties with whom data may be shared. The absence of provisions regarding the right to restrict processing further limits its completeness.
UBOS's policy, while accessible, demonstrates more substantial limitations. It does not clearly define the categories of data collected, the purposes of processing, or the contact details of the data controller. It lacks explicit recognition of core data subject rights, including access, rectification, erasure, restriction, or withdrawal of consent. The policy does not articulate complaint procedures, nor does it specify whether law enforcement may access personal data. Although UBOS does not permit third-party access to personal data within its policy framework, the lack of clarity regarding rights and procedural safeguards weakens its compliance posture. Compared to last year, UBOS's policy remains largely unchanged, suggesting stagnation rather than improvement.
In terms of data subject rights, NIRA recorded significant progress, improving from 0% last year to 58% this year. This indicates growing institutional recognition of statutory rights and mechanisms for their exercise. UBOS maintained a modest score of 17%, reflecting limited facilitation of rights despite having a policy in place. Immigration Uganda and the Electoral Commission again scored 0%, demonstrating no visible effort to operationalize data subject rights. These findings highlight a concerning inconsistency: while certain agencies have begun to formalize rights-based protections, others remain entirely opaque, undermining citizens' ability to exercise control over their personal data.
All entities share data with third parties, yet compliance in this area remains uneven. NIRA improved from 0% last year to 60%, reflecting greater disclosure of data-sharing practices. UBOS maintained its score of 60%, continuing to demonstrate relative strength in this area compared to its peers. Immigration Uganda and the Electoral Commission maintained 0%, indicating no transparency regarding third-party data transfers. Compared to last year, when UBOS led this category and other agencies scored 0%, the inclusion of NIRA as a leading performer marks improvement. However, the absence of disclosure by Immigration and the Electoral Commission remains a significant compliance risk, particularly given the cross-border and inter-agency nature of immigration and electoral data processing.
Data security safeguards show measurable progress overall. UBOS led with 61%, improving from 39% last year. NIRA increased significantly from 22% to 56%, reflecting enhanced technical and organizational measures. The Electoral Commission maintained 39%, while Immigration Uganda remained at 22%. Compared to last year, improvements in NIRA and UBOS suggest growing investment in technical security infrastructure. However, stable or stagnant scores for Immigration and the Electoral Commission indicate limited advancement in safeguarding sensitive citizen data.
As in the previous assessment, all entities scored 0% for transparency reporting and internal data breach resolution mechanisms. The continued absence of published transparency reports and documented breach-handling procedures represents a persistent accountability gap. While certain policies reference breach notification, there is no evidence of comprehensive internal frameworks detailing investigation procedures, escalation pathways, or independent oversight mechanisms. This omission undermines demonstrable compliance with accountability and responsiveness obligations under data protection law.
Government agencies remain the weakest-performing sector in the study. Immigration Uganda and the Electoral Commission continue to operate without published privacy policies and scored zero on most indicators, exposing the absence of even basic transparency safeguards. NIRA and UBOS performed comparatively better, particularly in registration compliance, security safeguards, and limited policy accessibility. However, even these agencies exhibit significant gaps in retention disclosure, clarity of purpose limitation, detailed breach procedures, and comprehensive articulation of data subject rights.
Compared to last year, the most notable changes are NIRA's introduction of a privacy policy, improvements in data subject rights recognition, and strengthened security safeguards by both NIRA and UBOS. Nevertheless, the structural weaknesses identified in the previous assessment, particularly the absence of transparency reporting, inadequate breach resolution mechanisms, and incomplete policy frameworks, remain largely unchanged.
In conclusion, while incremental improvements are evident, Uganda's government institutions continue to demonstrate fragmented and partial compliance with data protection requirements. The limited transparency and accountability mechanisms, especially within Immigration Uganda and the Electoral Commission, present ongoing risks to citizen privacy and institutional trust. Comprehensive reform, including clear articulation of data processing purposes, retention limits, enforceable rights mechanisms, and documented breach management procedures, is essential to ensure meaningful compliance and to safeguard the sensitive personal data entrusted to public authorities.
