DLA Piper Intelligence

Data Protection
Laws of the World

Law

Kenya
Kenya

Kenya does not currently have a generally applicable data protection law. However, there are various legal sources that address data protection, including the Constitution of Kenya 2010, the Access to Information Act 2016 (applicable to public bodies), Health Act 2017 and the Computer Misuse and Cybercrimes Act 2018.

Currently, there are two draft data protection bills under consideration, which are separately undergoing legislative process and stakeholder consultation. As of now it is unclear whether one of these bills will ultimately be passed.

Last modified 28 Jan 2019
Law
Kenya

Kenya does not currently have a generally applicable data protection law. However, there are various legal sources that address data protection, including the Constitution of Kenya 2010, the Access to Information Act 2016 (applicable to public bodies), Health Act 2017 and the Computer Misuse and Cybercrimes Act 2018.

Currently, there are two draft data protection bills under consideration, which are separately undergoing legislative process and stakeholder consultation. As of now it is unclear whether one of these bills will ultimately be passed.

Last modified 28 Jan 2019
Definitions

Definition of personal data

The Access to Information Act 2016, which applies to public bodies, defines personal information as recorded information about an identifiable person, which includes information about the person's:

  • Race
  • Gender
  • Sex
  • Pregnancy
  • Marital status
  • National or ethnic origin
  • Age
  • Physical, psychological or mental health
  • Well-being
  • Disability
  • Religion
  • Conscience
  • Belief
  • Culture
  • Language
  • Birth
  • Education
  • Medical, criminal or employment history
  • An identifying number, symbol or other identifiers assigned to that person
  • Fingerprints, blood type or inheritable characteristics
  • Opinion of a third party
  • Contacts
  • Personal correspondence with home or family

Definition of sensitive personal data

No specific definition at present.               

Last modified 28 Jan 2019
Authority

Kenya does not currently have a national data protection authority. However, there is draft legislation in the Senate, the Data Protection Bill 2018, that aims to establish such an authority.

Last modified 28 Jan 2019
Registration

Kenyan law does not currently require registration with a data protection authority or other governmental body.

Last modified 28 Jan 2019
Data Protection Officers

Kenyan law does not currently require data protection officers to be appointed.

Last modified 28 Jan 2019
Collection & Processing

Kenyan law does not currently address collection and processing of personal data. However, the Health Act 2017 requires the Cabinet Secretary for Health to enact legislation that will regulate, among other things, collection and use of personal health information.

Draft regulations have not yet been issued.

Persons who collect and process personal data are currently only subject to contractual provisions regarding confidentiality, court orders and the common law duty of confidentiality.

Last modified 28 Jan 2019
Transfer

Transferors need to comply with the common law duty of confidentiality when transferring data to third parties, including outside of Kenya.

Further, the Computer Misuse and Cybercrime Act 2018 prohibits the transfer of an intimate or obscene image of another person. Violations of the prohibition are punishable by fines of up to KSh200,000 (US$2,000) and imprisonment of two years. However, currently, most of the provisions of the Computer Misuse and Cybercrime Act 2018 have been suspended by Kenyan courts, pending the conclusion of a case challenging the Act.

Last modified 28 Jan 2019
Security

Kenyan law does not currently include any statutory security requirements. However, a holder of personal information may be subject to a contractual or a general obligation to ensure the technical and organizational safeguarding of such confidential information.

Last modified 28 Jan 2019
Breach Notification

Currently no requirement.

Last modified 28 Jan 2019
Enforcement

Currently, Kenyan courts are tasked with the enforcement of Kenya’s limited data protection requirements.

Last modified 28 Jan 2019
Electronic Marketing

Although Kenya’s Consumer Protection Act 2012 seeks to protect consumers from unfair trade practices and the Kenya Information and Communications Act No. 2 of 1998 governs e-commerce transactions, no Kenyan laws specifically regulate electronic marketing.

Last modified 28 Jan 2019
Online Privacy

Kenyan law does not currently regulate online privacy.

Last modified 28 Jan 2019
Contacts
Hassan Kibet
Hassan Kibet
Associate
Iseme Kamau & Maema Advocates
T +254 722 898 393
Dennis Gathara
Dennis Gathara
Associate
Iseme Kamau & Maema Advocates
T +254 722 898 393
Last modified 28 Jan 2019