
Terms of Reference: Recruitment of an Individual Consultant to Support the Eswatini Data Protection Authority (EDPA) for the Whistleblowing Mechanism

Smart Africa Secretariat

SMART Africa is a bold and innovative commitment from African Heads of State and Government to accelerate sustainable socio-economic development on the continent, ushering Africa into a knowledge economy through affordable access to Broadband and usage of Information and Communications Technologies.

Terms of Reference

Recruitment of Individual Consultant to support the Eswatini Data Protection Authority (EDPA) for the Whistleblowing Mechanism.

Client Address: Smart Africa Secretariat, 10th Floor, Career Centre Building KG 541 ST, Kigali, Rwanda

PO Box: 4913

Tel: +250784013646 | +250 788-300-581

Email: tenderenquiries@smartafrica.org

www.smartafrica.org

RFP#: 138/SA/GIZ-Data Governance/RFP/10/2025

Budget: 8,500 USD - Fixed Budget Selection

Release date: 31st October 2025

Closing date: 14th November 2025; 5:00 pm (Local time, Kigali)

Contact: For any questions or enquiries, please write to: tenderenquiries@smartafrica.org. For Proposal Submissions: procurement@smartafrica.org

1. Background 

The Smart Africa Alliance is a bold and innovative commitment from African Heads of State and Government to accelerate sustainable socio-economic development across the continent. Its ultimate goal is to transform Africa into a Single Digital Market by 2030. 

The Smart Africa Manifesto is anchored on five core principles: 

  • To place ICT (Information and Communication Technologies) at the center of national development agendas; 
  • To improve access to ICTs, especially broadband infrastructure; 
  • To enhance transparency, efficiency, and accountability through ICT; 
  • To prioritize private sector participation; 
  • To leverage ICTs in advancing sustainable development. 

As of June 2025, the Smart Africa Alliance consists of 40 member states, key international partner organizations such as the African Union Commission (AUC), the International Telecommunication Union (ITU), and global private sector entities. The Smart Africa Secretariat (SAS) is headquartered in Kigali, Rwanda. 

2. National context – Eswatini 

Eswatini has made significant progress in digital governance with the enactment of the Data Protection Act, 2022 (Act No. 5 of 2022). The Act establishes the Eswatini Communications Commission (ESCCOM) as the Eswatini Data Protection Authority (EDPA). The EDPA is mandated to oversee compliance, regulate data processing, and protect citizens’ right to privacy.

Despite this milestone, assessments have identified pressing capacity gaps, including: 

  • Lack of sector-specific guidelines tailored to sensitive sectors such as telecommunications, healthcare, and financial services. 
  • Absence of secure and trusted reporting channels for data misuse and breaches, undermining accountability. 

Addressing these challenges will strengthen EDPA’s ability to operationalize the Act, enforce compliance, and build trust among stakeholders. 

3. Objectives of the assignment 

The overall objective is to provide targeted technical assistance to the EDPA to design a secure, anonymous, and trusted whistleblowing mechanism including policies, workflows, and protocols for reporting data misuse, breaches, and non-compliance. The mechanism should be implementable in the short term through manual or semi-digital processes, with a clear pathway to full digitalization by the EDPA at a later stage. 

4. Scope of Work 

4.1. Whistleblowing Mechanism Expert 

4.1.1. Purpose of the Tool 

A whistleblowing mechanism provides a safe, trusted, and confidential channel for reporting data misuse, breaches, or unlawful processing activities. In the absence of such a mechanism, citizens, employees, or businesses may hesitate to report violations, leaving breaches undetected and eroding trust in the data ecosystem. 

4.1.2. Value Proposition 

By creating a whistleblowing mechanism, EDPA strengthens its role as a trusted regulator. Such mechanisms: 

  • Promote accountability across industries. 
  • Protect whistleblowers from retaliation while ensuring anonymity. 
  • Enable early detection of breaches and non-compliance, thus preventing systemic failures.
  • Reinforce citizen trust in EDPA’s oversight role and Eswatini’s digital governance framework.

Given current budget constraints, the consultant will not develop a full digital platform immediately. Instead, the consultant will design a mechanism framework (policies, workflows, secure channels like hotline/email/physical drop-boxes) that can be digitalized later. 

4.1.3. Consultant’s Role and Deliverables 

  • Assess existing internal reporting mechanisms within ESCCOM and regulated sectors.
  • Design a secure, anonymous reporting mechanism, prioritizing practical and low-cost tools (e.g., confidential hotlines, encrypted email addresses, physical secure drop-boxes).
  • Develop policies and procedures for intake, triage, case handling, escalation, and follow-up.
  • Ensure alignment with international standards (e.g. AU privacy frameworks, EU Whistleblower Directive, etc.).
  • Deliver training for EDPA staff on handling complaints, protecting whistleblowers, and maintaining confidentiality.
  • Conduct an awareness campaign for regulated sectors and civil society to promote uptake of the mechanism. 
  • Produce a roadmap for future digitalization of the whistleblowing system (e.g., integration into ESCCOM IT systems). 

5. Expected outputs 

  • Designed and validated whistleblowing mechanism (manual and semi-digital processes) with supporting templates and procedures. 
  • Training reports for EDPA staff and DPOs. 
  • Final technical reports summarizing the assignment and providing recommendations for sustainability. 

6. Expected Outcomes 

  • Strengthened regulatory authority and operational capacity of the EDPA. 
  • A trusted channel for reporting misuse and breaches, increasing transparency. 
  • Greater alignment of Eswatini’s data protection regime with continental frameworks (AU Data Policy Framework, Smart Africa Blueprint). 
  • Enhanced trust among citizens, businesses, and international partners in Eswatini’s data governance ecosystem. 

7. Consultant Profiles 

Whistleblowing Mechanism Expert 

The consultant will design a mechanism for secure and anonymous whistleblowing, focusing on compliance and citizen trust. The consultant must meet the following minimum requirements:

  • Advanced degree (Master’s or higher) in Law, ICT, Compliance, Public Policy, or Institutional Risk Management. 
  • At least 8 years of professional experience in compliance, governance, or risk management.
  • Demonstrated experience in designing accountability frameworks such as whistleblowing or complaint-handling systems.
  • Familiarity with international whistleblowing standards (e.g., OECD Guidelines, Transparency International frameworks) and their adaptation to local contexts. 
  • Solid understanding of Eswatini’s data protection ecosystem, including the role of EDPA, Data Protection Officers, and regulated entities. 
  • Experience working with public institutions in Southern Africa is an advantage.
  • Strong technical capacity to design practical, cost-effective mechanisms that can be digitized later.
  • Excellent facilitation and training skills, particularly in sensitive reporting systems and ethics.
  • Ability to produce clear guidelines, process manuals, and awareness-raising materials tailored for national institutions.

8. Methodology 

The consultant is expected to adopt a participatory, context-sensitive, and practical approach, ensuring that deliverables are aligned with Eswatini’s realities while reflecting continental and international standards.

Key methodological steps: 

i. Desk Review and Benchmarking 

  • Review the Eswatini Data Protection Act (2022), current enforcement mechanisms, and sectoral regulations.
  • Benchmark against regional (SADC, AU) and international standards (GDPR, OECD, UN guidelines).

ii. Stakeholder Engagement 

  • Conduct consultations with EDPA staff, sectoral regulators, Data Protection Officers (DPOs), private sector representatives, and civil society.
  • Facilitate focus group discussions to capture practical challenges and sector-specific needs. 

iii. Drafting and Co-creation

  • Design a manual mechanism for whistleblowing (secure and confidential reporting channels) that can later be digitized.

iv. Validation Workshops 

  • Organize multi-stakeholder workshops to present drafts, gather feedback, and build consensus.
  • Ensure ownership by EDPA and acceptance by sectoral stakeholders. 

v. Capacity Building 

  • Deliver training sessions for EDPA staff and DPOs on the use of the whistleblowing mechanism. 
  • Provide mentoring and coaching for long-term institutional capacity. 

vi. Finalization and Handover 

  • Produce final validated whistleblowing mechanism document. 
  • Deliver a training and sustainability report including recommendations for gradual digitalization of the whistleblowing system. 

9. Deliverables and timeline 

Deliverable: Timeline

  • Inception Report: Week 1
  • Draft Whistleblowing Mechanism: Week 4
  • Validation Workshop Report: Week 6
  • Final Whistleblowing Mechanism: Week 8
  • Training & Final Report: Week 8

10. Duration 

The consultancy will last two (2) months effective from the contract signing date, and it may be extended based on the mutual agreement of both parties, as deemed necessary. 

11. Evaluation method and criteria 

The evaluation method employed is the Fixed Budget Selection. The bidders will be evaluated on their technical offers and the highest-ranked among responsive technical proposals that fits within the fixed budget will be selected. 

11.1. Technical Evaluation Criteria

Criteria: Understanding of the assignment, Approach & Work Plan (Max Points: /30)

Sub-Criteria:

i. Demonstrated understanding of the ToR, Eswatini’s Data Protection Act (2022), and EDPA’s mandate (5)

ii. Relevance, feasibility, and innovation of the proposed methodology (10)

iii. Identification of risks, mitigation strategies, and sustainability considerations (5)

iv. Comprehensiveness of the proposed work plan and timeline (10)

Criteria: Consultant Experience (Max Points: /20)

Sub-Criteria:

i. Proven professional experience: minimum 8 years in relevant domains (5)

ii. Prior assignments on accountability/whistleblowing mechanisms (5)

iii. Demonstrated experience working with regulatory authorities or DPAs in Africa (5)

iv. Familiarity with regional/continental frameworks (AU Data Policy Framework, Smart Africa Blueprint, SADC, GDPR, OECD, etc.) (5)

Criteria: Whistleblowing Mechanism Consultant Qualifications (Max Points: /35)

Sub-Criteria:

i. Advanced degree in Law, ICT, Compliance, or related (5)

ii. At least 8 years’ experience in compliance, risk management, or governance systems (10)

iii. Demonstrated expertise in secure/anonymous reporting systems (5)

iv. Training and awareness-raising skills for regulators (5)

v. Familiarity with Eswatini’s institutions or Southern Africa (5)

vi. Publications, toolkits, or prototypes developed (5)

Criteria: References & Track Record (Max Points: /15)

Sub-Criteria:

i. Three (3) or more relevant references/recommendation letters (15)

ii. Two (2) references (10)

iii. One (1) reference (5)

iv. None (0)

The financial proposals will be opened for only those firms which secure a minimum score of 75/100 in the technical evaluation and the highest-ranked among responsive technical proposals that fits within the fixed budget will be selected.

12. Submission Requirements for Technical & Financial Proposals 

A specific outline must be followed to facilitate the Smart Africa Secretariat’s review and evaluation of the responses received.

A response to this RFP must include the following sections in the order listed: 

i) A cover letter confirming the consultant’s interest to provide the services required (Only Individuals are required)

ii) Mandatory Administrative documents 

  • Identification document (ID or Passport) 

iii) A technical proposal containing the following content: 

  • Executive summary 
  • Consultant’s experience/Profile
  • Approach and Methodology
  • Work Plan / Schedule
  • Updated and certified Curriculum Vitae (max 3 pages with relevant experiences) and academic certificates required
  • Consultant Certificates or Recommendation letters of successful completion for similar past assignments, duly signed

iv) Financial Proposal containing the following tables. 

  • Summary of Costs. 
  • Break down of price per user group on daily rate. 
  • Break down of remuneration user group on daily rate.
  • Reimbursable expenses user group applicable. 
  • Miscellaneous Expenses if any 

Notes 

  • Indicate your preferred payment terms under financial proposal 
  • A withholding tax of 15% will be deducted from payments for Consultants not VAT-registered with Rwanda Tax Administration (RRA)
  • All Financial Proposals/offers should be password protected, and Smart Africa will request it from bidders who have qualified in the technical evaluation
  • All Financial Offers should be quoted and submitted in USD Currency. 

13. SUBMISSION PROCESS 

Soft copies of both Technical and Financial proposals must be sent to: procurement@smartafrica.org, each showing the nature of the offer concerned (technical or financial offer), not later than 14th November 2025 at 5:00 PM local time (Kigali), addressed to the Procurement Office of Smart Africa Secretariat, with subject marked: Ref 138/SA/GIZ-Data Governance/RFP/10/2025: Individual Consultant for the Whistleblowing Mechanism

14. RIGHTS RESERVED 

a) This RFP does not obligate the Smart Africa Secretariat (SAS) to complete the RFP process.

b) SAS reserves the right to amend any segment of the RFP prior to the announcement of a selected Consultant. 

c) SAS also reserves the right to remove one or more of the services from consideration for this contract should the evaluation show that it is in SAS’s best interest to do so. 

d) SAS also may, at its discretion, issue a separate contract for any service or groups of services included in this RFP.

e) SAS may negotiate a compensation package and additional provisions to the contract awarded under this RFP. 

f) Smart Africa reserves the right to debrief the applicants after the completion of the process, due to the expected high volume of applications and to avoid compromising the process.

Late proposals will be rejected. 

15. VALIDITY 

Proposals and quotes must remain valid for 90 days after the date of closing noted above. After the closing date and time, all proposals received by the Smart Africa Secretariat become its property.

16. ENQUIRIES 

Any inquiries will only be received at least 3 working days before the bid submission deadline. Prospective respondents who may have questions regarding this RFP may submit their inquiries to tenderenquiries@smartafrica.org

17. ANTI-CORRUPTION 

Smart Africa is committed to preventing and not tolerating any act of corruption and other malpractices and expects that all bidders will adhere to the same ethical principles.
