Data Protection in Kenya

Security in Kenya

Sections 41 and 42 of the Act

Data controllers and data processors are required to implement appropriate organisational and technical measures that give effect to the data protection principles.

Civil registration registries are mandated to formulate written data security procedures which must include the following:  

  • Instructions concerning physical protection of the database sites and their surroundings;
  • Access authorizations to the database and database systems;
  • Description of the means intended to protect the database systems and the manner of their operation for this purpose;
  • Instructions to authorised officers of the database and database systems regarding the protection of data stored in the database;
  • The risks to which the data in the database is exposed in the course of the civil registration entity's ongoing activities;
  • The manner of dealing with information security incidents, according to the severity of the incident;
  • Instructions concerning the management and usage of portable devices;
  • Instructions with respect to conducting periodical audits to ensure that appropriate security measures, in accordance with the Procedure and the Regulations exist; and
  • Instructions regarding backup of personal data.

As far as technical measures are concerned, the General Regulations require the use of hashing and cryptography to limit the possibility of personal data being repurposed. The General Regulations also require the contract between a data controller and a data processor to include a clause on security measures, subjecting the data processor to appropriate technical and organisational measures for keeping personal data secure.
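The paragraph above states the requirement but not what a sound implementation looks like. The following is an added example, not code from the page, the Act or the General Regulations, of one way a controller could meet it: replacing a direct identifier with a keyed hash (HMAC-SHA256) so that records about one person remain linkable within a processing purpose but cannot be matched back to the identifier, or joined to a data set pseudonymised under a different key, without the secret key. The record layout, the 8-digit identifier format, the key-per-purpose scheme and the function names are all assumptions for illustration. The example also shows the check a practitioner should make: an unkeyed hash of a low-entropy identifier (a national ID number, a phone number) is not a safeguard, because anyone can enumerate the identifier space and recompute it.

```python
"""Keyed pseudonymisation of personal identifiers (HMAC-SHA256).

Added example, not code from the page, the Act or the Regulations.
The record layout, identifier format and keys are constructed for
illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records. The 8-digit identifier format is an assumption.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"national_id": "12345678", "diagnosis": "hypertension"},
    {"national_id": "87654321", "diagnosis": "asthma"},
    {"national_id": "12345678", "diagnosis": "diabetes"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held apart from the pseudonymised data.

    Without the key, recomputing or brute-forcing the mapping is infeasible.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym.

    Same identifier + same key -> same pseudonym, so records about one
    person stay linkable for the purpose the key was issued for.
    The input records are left untouched.
    """
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_ref"] = keyed_pseudonym(copy.pop("national_id"), key)
        out.append(copy)
    return out


def reverse_by_enumeration(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's view: hash every plausible identifier and compare.

    Succeeds against naive_pseudonym because the identifier space is small
    (at most 10**8 values for an 8-digit number); fails against
    keyed_pseudonym because the attacker does not hold the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonym(candidate), digest):
            return candidate
    return None


def new_purpose_key() -> bytes:
    """One fresh 256-bit key per processing purpose (e.g. per released data set).

    Different keys give unlinkable pseudonyms, which is what stops a data
    set released for one purpose being joined to another.
    """
    return secrets.token_bytes(32)


if __name__ == "__main__":
    research_key = new_purpose_key()
    billing_key = new_purpose_key()

    research_set = pseudonymise(SAMPLE_RECORDS, research_key)
    print(research_set)

    # Same person, different purpose key: the pseudonyms do not match.
    print(keyed_pseudonym("12345678", research_key)
          == keyed_pseudonym("12345678", billing_key))

    # Enumeration recovers the unkeyed hash but not the keyed one.
    nearby = (f"{n:08d}" for n in range(12345000, 12346000))
    print(reverse_by_enumeration(naive_pseudonym("12345678"), nearby))
    nearby = (f"{n:08d}" for n in range(12345000, 12346000))
    print(reverse_by_enumeration(keyed_pseudonym("12345678", research_key), nearby))
```

The key is the safeguard, so it belongs in a key management system or HSM under the access controls and audit trail the Regulations call for, not alongside the pseudonymised records. Losing the key makes the pseudonyms unlinkable to the source data; leaking it makes them reversible.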

With respect to organizational measures, the General Regulations require a data controller or data processor to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:

  1. the nature of personal data collected and held;
  2. how a data subject may access their personal data and exercise their rights in respect to that personal data;
  3. complaints handling mechanisms;
  4. lawful purpose for processing personal data;
  5. obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
  6. the retention period and schedule; and
  7. the collection of personal data from children, and the criteria to be applied.

The General Regulations impose specific obligations on data controllers and data processors under the data protection principle of integrity, confidentiality and availability. These include:

  • having an operative means of managing policies and procedures for information security;
  • assessing the risks against the security of personal data and putting in place measures to counter identified risks;
  • ensuring that processing is robust enough to withstand changes, regulatory demands, incidents, and cyber-attacks;
  • ensuring only authorised personnel have access to the data necessary for their processing tasks;
  • securing transfers against unauthorised access and changes;
  • securing stored data against unauthorised use, access and alteration;
  • keeping back-ups and logs to the extent necessary for information security;
  • using audit trails and event monitoring as a routine security control;
  • protecting sensitive personal data with adequate measures and, where possible, keeping it separate from the rest of the personal data;
  • having in place routines and procedures to detect, handle, report, and learn from data breaches; and
  • regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.