Data Protection in Kenya

Data protection laws in Kenya

The Data Protection Act, 2019 (the “Act”) came into force on 25th November, 2019 and is now the primary statute on data protection in Kenya. It gives effect to Article 31 c) and d) of the Constitution of Kenya, 2010 (right to privacy).

In October 2020, by virtue of the powers conferred to him under the Act, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs gazetted the Data Protection (Civil Registration) Regulations, 2020 (the “Regulations”). The Regulations apply to civil registries involved in processing personal data for registrations such as births, deaths, adoptions, persons, passports and marriages.

Since the Data Protection Commissioner’s (DPC) appointment on 16 November 2020, significant efforts have been made in developing regulations for the implementation of the Act. These include:

  • Data Protection (Complaints Handling Procedure & Enforcement) Regulation, 2021 (the “Complaints Handling Regulations”) - sets out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act;
  • Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 (the “Registration Regulations”) - provides for the registration of data controllers and data processors with the Office of the Data Protection Commissioner (ODPC). The threshold for mandatory registration is also set out under these regulations; and
  • Data Protection (General) Regulations, 2021 (the “General Regulations”) - elaborates in more detail the rights of data subjects, restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, notification of personal data breaches, transfer of personal data outside Kenya, conduct of data protection impact assessments and other general provisions.

The above regulations were gazetted in January and came into effect on 14 February 2022 with the exception of the Registration Regulations, 2021 which came into force on 14 July 2022.

The ODPC has also issued a number of guidelines, these include:

  • Guidance Note on Registration of Data Controllers and Data Processors - developed to assist entities in ascertaining if they are data controllers or data processors, and to understand their obligations with respect to mandatory registration;
  • Guidance Note on Processing Personal Data for Electoral Purposes - developed to assist data controllers and data processors dealing with voters’ personal data and members of political parties’ personal data to understand their obligations under the Act;
  • Guidance Note on Data Protection Impact Assessment - to assist data controllers and data processors to understand their obligations under the Act and the need to undertake a Data Protection Impact Assessment;
  • Guidance Note on Consent - developed to assist data controllers and data processors to understand their duties under the Act and their obligations as far as obtaining consent is concerned;
  • Guidance Note for the Communications Sector – applies to communication service providers processing personal data in either the public or private sector and sets out considerations that must be observed when processing subscribers’ personal data, network traffic, location or geographical data, financial data, and mobile operators’ privacy policies;
  • Guidance Note for the Education Sector – developed to assist educational institutions to understand their obligations under the DPA and remain compliant. The guidance note also covers institutions offering remote e-learning solutions and services;
  • Guidance Note on the Processing of Health Data – developed to provide healthcare institutions with a clear understanding of their obligations under the DPA and applies to all healthcare institutions operating in Kenya, including hospitals and clinics, laboratories, pharmaceutical services, health insurance providers, health research and training institutions, and professional health bodies. The guidance note also extends to processing on digital health platforms such as Health Management Information Systems (HMIS), eHealth and mHealth applications; and
  • Guidance Note for Digital Credit Providers – sets out the compliance requirements that digital credit providers (DCPs) must implement while processing personal data in line with the administration of digital credit and in compliance with the DPA.

The ODPC has also published a Complaints Management Manual which sets out the complaints management handling procedure by the ODPC; and the Alternative Disputes Resolution Framework which provides guidance to stakeholders who wish to engage in Alternative Dispute Resolution (ADR) to resolve their disputes arising under the Act.

The ODPC is also in the process of developing the following regulations, which are currently undergoing public participation:

  • Data Protection (Conduct of Compliance Audit) Regulations, 2024 – sets out the procedure for the conduct of audits by the ODPC as well as the procedure for entities that want to be accredited by the ODPC to carry out data protection audits; and
  • Data Sharing Code – outlines the requirements that data controllers and processors are required to observe prior to sharing personal data, as well as the measures to put in place to ensure the protection of the data subject.
