Kenya - Data Protection Overview
February 2024

1. Governing Texts

The Constitution of Kenya ('the Constitution') guarantees the right to privacy as a fundamental right. To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 ('the Act') was enacted and came into effect on November 25, 2019. Progress towards implementation started in November 2020 with the appointment of the Data Protection Commissioner ('the Commissioner') and setting up of the Office of the Data Protection Commissioner ('ODPC'). The ODPC is now fully operational.

The Data Protection (General) Regulations, 2021 ('General Regulations'), the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 ('Complaints Handling and Enforcement Procedures Regulations'), and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 ('Registration of Data Controllers and Data Processors Regulations') (collectively 'the Regulations') were published in the Kenya Gazette on January 14, 2022 and approved by the National Assembly on March 14, 2022. The General Regulations and the Complaints Handling and Enforcement Procedures Regulations came into effect immediately upon approval, whilst the Registration of Data Controllers and Data Processors Regulations came into effect on July 14, 2022.

1.1. Key acts, regulations, directives, bills

The Act came into effect on November 25, 2019 and the Regulations under the Act came into effect in 2022.

The Kenya Information and Communications Act, 1998 ('the Kenya Information and Communications Act') came into effect in February 1999. The Kenya Information and Communications Act is the overarching law for the information and communications technology industry in Kenya. It outlines the requirements and compliance standards by which licensed information and communication service providers who are data collectors and controllers must abide. The provisions of the Kenya Information and Communications Act are enforced through its regulations, including, the Kenya Information and Communications (Consumer Protection) Regulations of 2010 ('the Kenya Information and Communications Regulations') and the Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 ('the SIM Cards Regulations').

The processing of medical data (which is personal data) is regulated under the Public Health Act, the Health Act, the HIV and AIDS Prevention and Control Act and, most recently, the Digital Health Act (see the section on personal scope below).

In the financial sector, processing of financial data is regulated under the National Payment System Act, 2011 ('the National Payment System Act') and the National Payment System Regulations, 2014 ('the National Payment System Regulations') under the National Payment System Act. The National Payment System Act governs payment systems and payment system providers. A 'payment system' is defined as a system or arrangement that enables payments to be effected between a payer and a beneficiary, or facilitates the circulation of money, and includes any instruments and procedures that relate to the system. Financial institutions are subject to the Act.

The Consumer Protection Act, 2012 provides for the protection of consumers of all services; its provisions are cross-cutting across all sectors.

1.2. Guidelines

The ODPC issues data protection guidelines from time to time, on various issues.

Through the ICT Advisory Committee on COVID-19, the ODPC developed the Guidance Note on Access to Personal Data During COVID-19 Pandemic ('COVID-19 Guidelines'). The COVID-19 Guidelines were put out for public and stakeholder consultation on January 12, 2021, and closed on February 9, 2021.

The ODPC has so far published the Guidance Note on the following:

The ODPC has also developed a Complaints Management Manual to provide guidance on filing of complaints with the ODPC and the procedure for complaints handling the ODPC is implementing; and the ODPC Service Charter.

The Central Bank of Kenya's ('CBK') Prudential Guidelines for Institutions Licensed under the Banking Act ('the Prudential Guidelines') apply to banking institutions. The Prudential Guidelines set basic standards that financial institutions must implement to safeguard customer data under the Consumer Protection Guidelines. The CBK's Guidelines on Cybersecurity for the Banking Sector also require banks to put in place measures to protect customer data.

The CBK's Guideline on Cybersecurity for Payment Service Providers ('Cybersecurity Guideline') requires a risk assessment to address customer privacy for Payment Services providers.

The Health Information System Policy ('the Health Policy') guides the collection and processing of medical data of patients. The Health Policy promotes the use of technology in healthcare but requires medical institutions and personnel to uphold the utmost confidentiality of patient data. It requires that all patient data be de-identified before processing.

On August 7, 2020, the Ministry of Information, Communications and Technology published the National ICT Policy Guidelines 2020 in the Kenya Gazette. The policy is intended to provide a proactive ICT framework in tandem with current technological realities and to guide the orderly development of the ICT sector. It recognizes the individual's indefeasible right to privacy and ownership of all data about them, and commits to upholding the constitutional right to privacy, including the right to determine how and whether such data is used, distributed, analyzed, enhanced, or converted to other forms.

1.3. Case law

There have been cases premised on the right to privacy under Article 31 of the Constitution as well as on the Act, and some are pending before the courts. Notably:

  • In December 2023, the High Court halted the implementation of the Digital ID (locally referred to as 'Maisha Namba') on the grounds that the government had not conducted a data protection impact assessment ('DPIA'). The implementation of the Digital ID has been subject to various challenges alleging violation of constitutional provisions, including infringement of the right to privacy. Maisha Namba was launched in November 2023, following the April 2021 court determination that an earlier similar project dubbed 'Huduma Namba' was unconstitutional.

2. Scope of Application

2.1. Personal scope

The Act applies to all processing of personal data by any data controller or data processor established or resident in Kenya and who processes personal data while in Kenya, or not established or residing in Kenya but processing personal data of data subjects located in Kenya.

The Kenya Information and Communications Act applies to telecommunication service providers that have been granted an operation license from the Communications Authority ('CA'). Licensed providers include mobile network operators, content service providers, applications service providers, submarine cable landing rights-holders, and international gateway systems service providers.

The National Payment System Act and the National Payment System Regulations apply to payment systems and payment service providers (which include mobile service providers through their mobile money services). Payment service providers are regulated and licensed by the CBK under the National Payment System Act.

The Public Health Act, the Health Act, and the HIV and AIDS Prevention and Control Act apply to medical institutions, their staff, and third parties contracted by medical institutions.

The Prudential Guidelines apply to financial institutions while the Digital Credit Providers Regulations apply to digital credit providers licensed and regulated by the CBK.

The objective of the Digital Health Act is to establish a framework to support provision of digital health services and establish an integrated digital health information system. The Digital Health Act incorporates compliance with the Act's principles of data protection particularly on handling sensitive personal health data and cross references the Act to support its provisions.

The Digital Health Act establishes the Digital Health Agency, which shall be the custodian of all health data in Kenya and whose mandate includes administration of the Integrated Health Information System ('the IHIS'). The IHIS shall operate as the point of collection, collation, analysis, reporting, storage, usage, retrieval, and archival of health data in Kenya. The Digital Health Act also provides legal requirements for the provision of medical services using mobile technologies ('m-health'), telemedicine, telehealth, e-learning, e-waste management, e-health service delivery, and the transfer of medical records to and from facilities outside Kenya ('health tourism'), among other provisions.

As the Digital Health Act was passed recently, the regulations to support its implementation have not yet been passed. Presumably, the primary sources of the data administered under the Digital Health Act would include:

  • the soon to be established Social Health Insurance Fund under the recently passed Social Health Insurance Act 2023;
  • records from medical services providers;
  • records from medical insurance providers; and
  • the registration of persons database.

2.2. Territorial scope

Please refer to the section on personal scope above.

2.3. Material scope

The regulated actions cover:

  • data collection;
  • consent;
  • type of data to be collected;
  • security of collected data;
  • disclosure of data;
  • retention of data;
  • accuracy of the data;
  • deletion of data;
  • transfer of data;
  • confidentiality;
  • use of data;
  • governance of data;
  • updating of data; and
  • disposal of data.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The ODPC is established under Part II of the Act. The Commissioner was appointed in November 2020 and the ODPC is now fully operational, providing overall enforcement of privacy and data protection compliance in Kenya.

The provisions of the various sectoral laws are enforced by the respective sectoral regulators, which now increasingly also require their licensees to comply with the Act in their internal processes.

The CA, established under the Kenya Information and Communications Act, is the oversight body in the technology and telecommunications sector.

The CBK regulates all financial service providers as well as payment systems providers and digital credit providers.

Health institutions are regulated by the Director of Medical Services at the Ministry of Health, who regulates medical institutions and personnel and oversees compliance with the laws, regulations, and policies in the health sector. The Digital Health Agency established under the Digital Health Act will also fall under the Ministry of Health.

3.2. Main powers, duties and responsibilities

The Commissioner's powers, duties, and responsibilities include:

  • enforcement of the provisions of the Act;
  • the maintenance of the register of data controllers and data processors;
  • oversight and assessment on data processing to ensure it is in accordance with the Act either on its own motion or on request by a data subject or on request of a private or public body;
  • the promotion of self-regulation among data controllers and processors;
  • investigation of complaints by any person on infringement of rights under the Act;
  • to raise public awareness of the provisions of the Act;
  • to set the requirements for the appointment of data protection officers ('DPOs');
  • to act as a bridge for, and promote, international cooperation in matters relating to data protection, and to ensure Kenya complies with its international obligations in relation to data protection; and
  • to undertake research on developments in data processing of personal data to mitigate any risks of such developments on the rights of data subjects.

The CA is responsible for:

  • enforcement of the provisions of the Kenya Information and Communications Act;
  • licensing of telecommunication service providers;
  • monitoring and evaluation of compliance by licensees; and
  • development and enforcement of sector guidelines.

The CBK is responsible for enforcement of all regulations in the financial sector, licensing of financial institutions and payment system providers, and development and enforcement of sector guidelines.

The Digital Health Agency will be responsible for:

  • establishing registries in consultation with other authorities to create a single source of truth in respect of clients, health facilities, healthcare providers, health products, and technologies;
  • developing, operationalizing, and maintaining the IHIS to manage the core digital systems and infrastructure required for seamless health information exchange, supporting interoperability, and technological infrastructure necessary for core digital health services;
  • facilitating collection and analysis of data to inform policy and research in the health sector and implementation of health digitization in Kenya;
  • promoting adoption of best practices and standards for digital health that facilitate data exchange and ensure health data portability;
  • promoting the development of enterprise-class health application systems and strengthening existing health information systems by ensuring their conformity with the prescribed standards as well as integration with the comprehensive IHIS;
  • certifying digital health solutions based on best practices and standards; and
  • advising the Cabinet Secretary for Health on matters related to digital health.

4. Key Definitions

Data controller: This means a natural or legal person, public authority, agency, or other body which alone, or jointly with others, determines the purpose and means of processing of personal data.

Data processor: This means a natural or legal person, public authority, agency, or other body which alone or jointly with others processes personal data on behalf of the data controller.

Personal data: Under the Act, this means any information relating to an identified or identifiable natural person. Under the Kenya Information and Communications Act, 'personal information' includes a person's full name, identity card number, date of birth, gender, physical and postal address.

Sensitive personal data: Under the Act, this means data revealing a person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including the names of a person's children, parents, spouse or spouses, sex, or sexual orientation.

Health data: This means data related to the state of physical or mental health of the data subject, and includes records regarding the past, present, or future state of the health, data collected in the course of registration for, or provision of, health services, or data which associates the data subject to the provision of specific health services.

Biometric data: This means any personal data resulting from specific technical processing based on physical, physiological, or behavioral characterization including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning, and voice recognition.

Profiling: Under the Act, this means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's race, sex, pregnancy, marital status, health status, ethnic social origin, color, age, disability, religion, conscience, belief, culture, dress, language, birth, personal preferences, interests, behavior, location, or movements.

Pseudonymization: Under the Act, this means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure the personal data is not attributed to an identified or identifiable natural person.

5. Legal Bases

5.1. Consent

Under Section 30(1)(a) of the Act, consent of the data subject to the processing for one or more specified purposes is one of the legal bases for processing of personal data.

5.2. Contract with the data subject

Under Section 30(1)(b) of the Act, the performance of a contract to which the data subject is a party is a legal basis for the processing of personal data. In addition, processing is lawful where it is necessary in order to take steps, at the request of the data subject, before entering into a contract.

5.3. Legal obligations

Under Section 30(1)(b) of the Act, compliance with a legal obligation to which the controller is subject is a legal basis for the processing of personal data. The Act does not specify particular instances.

5.4. Interests of the data subject

The protection of vital interests of the data subject or another natural person is a lawful basis for processing of personal data under the Act. It is also a basis for processing of sensitive personal data where the data subject or another person is physically or legally incapable of giving consent. What constitutes 'vital interest' is however not defined but may be inferred to include the data subject's rights and freedoms.

5.5. Public interest

Public interest is a legal basis for the processing of personal data. In addition, the exercise of official authority vested in the controller for the public interest is a legal basis for the processing of personal data.

5.6. Legitimate interests of the data controller

Legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed, are a legal basis for the processing of personal data, except where the processing is unwarranted in any particular case having regard to the harm or prejudice to the rights and freedoms or legitimate interests of the data subject.

5.7. Legal bases in other instances

The Act provides two additional legal bases for processing of personal data which are:

  • for purposes of historical, statistical, journalistic, literature and art, or scientific research; or
  • for the performance of any task carried out by a public authority.

6. Principles

Section 25 of the Act sets out the principles of data protection that data controllers and processors shall abide by. These are:

  • Lawfulness, fairness, and transparency. Data should be processed lawfully, fairly, and in a transparent manner. In addition, information relating to family or private affairs should be collected only where a valid explanation is provided.
  • Purpose limitation. Data is collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Minimization. Data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy. Data collected is accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure inaccurate data is erased or rectified promptly.
  • Storage limitation. Data should be kept in a form that identifies the data subject for no longer than is necessary for the purposes for which it was collected.
  • Restriction on cross-border transfer. Data collected is not to be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
  • Right to privacy. Data should be processed in accordance with the right to privacy of the data subject.

7. Controller and Processor Obligations

Data controller rights and responsibilities include:

  • the duty to inform data subjects, before collecting their personal data, of the purpose of the collection and the parties to whom the data may be disclosed;
  • the obligation to apply for registration or renewal or certificate/license;
  • the obligation to designate a DPO as directed by the Commissioner;
  • the obligation to process data in accordance with the provisions of the Act;
  • the obligation to conduct impact assessments where a processing operation is likely to result in high risk to the rights and freedoms of a data subject;
  • to bear the burden of proof for establishing data subject consent to the processing of personal data for a specified purpose;
  • to incorporate an appropriate mechanism for the processing of personal data relating to children including consent of the child's parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
  • the obligation to retain data only for as long as is necessary to satisfy the purpose/s of collection, as provided by law, for any lawful purpose, with the consent of the data subject, or for historical, statistical, journalistic, literature, art, or research purposes;
  • the obligation to implement appropriate technical and organizational measures to safeguard data and comply with the provisions of the Act;
  • to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to data subjects;
  • to put in place protective measures for the processing of sensitive personal data; and
  • to ensure sufficient protective measures and provide sufficient proof to the Commissioner of the appropriate safeguards with regard to the transfer of personal data outside Kenya.

All licensed providers under the Kenya Information and Communications Act have obligations, stated in the Kenya Information and Communications Regulations, the SIM Cards Regulations, and their licensing terms and conditions, to:

  • obtain and retain information required for the registration of subscribers and SIM cards;
  • generate and retain accurate billing information;
  • ensure the information obtained and generated is stored in a manner that is secure and confidential;
  • adhere to the prescribed retention periods stipulated by the CA for registration details, call data records, and financial information;
  • keep customer information accurate, up to date, confidential, and secure;
  • disclose customer data only when required by customer consent, by law through a court order or Act of Parliament, when disclosed to law enforcement agencies, or to the CA for reporting purposes;
  • inform the customer of the processing of their information and its intended or potential purposes, and proceed only where the customer raises no objection; and
  • establish a mechanism by which a customer may opt out, opt in, or withdraw consent to the processing of their data.

Under the National Payment System Act, the National Payment System Regulations, and the Prudential Guidelines, service providers must ensure the security and confidentiality of their customers' information and transactions. The Health Act and the HIV and AIDS Prevention and Control Act require that patient data be anonymized before processing to protect the patient's privacy.

Data processor

In many circumstances, data controllers will also be data processors, and data processor obligations would similarly apply. In addition, data processors have the following obligations:

  • to apply for registration and application for renewal of the certificate as required;
  • to designate a DPO as directed by the Commissioner;
  • to process data in accordance with the provisions of the Act;
  • to conduct impact assessments where a processing operation is likely to result in high levels of risk to the rights and freedoms of a data subject;
  • to incorporate appropriate mechanisms for the processing of personal data relating to children including consent of the child's parent or guardian, protection of such data in the best interests of the child, and mechanisms for age verification and consent;
  • the duty to notify, which is similar to that of data controllers;
  • to retain data only for as long as is necessary to satisfy the purpose of collection, as provided by law, for any lawful purpose, with the consent of the data subject or for historical, statistical, journalistic, literature, art, or research purposes;
  • to implement appropriate technical and organizational measures to safeguard data and comply with the provisions of the Act;
  • to notify the Commissioner within 72 hours of any breach where there is a real risk of harm to a data subject;
  • to put in place protective measures for processing of sensitive personal data; and
  • to ensure sufficient protective measures and provide sufficient proof to the ODPC of the appropriate safeguards with regard to the transfer of personal data outside Kenya.

7.1. Data processing notification

Under the Act, data controllers and data processors are required to be registered with the Commissioner. The Commissioner has the mandate to prescribe the threshold for registration based on various factors, including (Section 18 of the Act):

  • the nature of the industry of the data controller or data processor;
  • the volumes of data processed;
  • whether sensitive personal data is being processed; and
  • any other factor the Commissioner may consider relevant.

The Commissioner is tasked with maintaining a register of data controllers and data processors, and with issuing data controllers and processors with certificates of registration. The Commissioner will issue a certificate of registration where a data controller or data processor meets the requirements for registration (Section 19(4) of the Act). The certificate is valid for a period determined at the time of the application, taking into account the need for the certificate, and the holder may apply for its renewal after expiry (Section 20 of the Act). Moreover, a data controller or data processor must notify the Commissioner of any change in the particulars notified, and the Commissioner will amend the register accordingly (Sections 19(5) and 19(6) of the Act).

If a data controller or data processor meets the prescribed threshold, notification must include the following (Section 19(2) of the Act):

  • a description of the personal data to be processed by the data controller or data processor;
  • a description of the purpose for which the personal data is to be processed;
  • the category of data subjects, to which the personal data relates;
  • contact details of the data controller or data processor;
  • a general description of the risks, safeguards, security measures, and mechanisms to ensure the protection of personal data;
  • any measures to indemnify the data subject from unlawful use of data by the data processor or data controller; and
  • any other details as may be prescribed by the Commissioner.

In relation to the healthcare sector, the Health Act and the HIV and AIDS Prevention and Control Act do not require notification or registration before processing data for health research or policy purposes.

The Registration of Data Controllers and Data Processors Regulations

The Registration of Data Controllers and Data Processors Regulations outline the procedure for an application for registration of a data controller or data processor as follows (Regulation 5 of the Registration of Data Controllers and Data Processors Regulations):

  • the application shall be made through 'Form DPR1' set out in the First Schedule of the Registration of Data Controllers and Data Processors Regulations; and
  • the application shall be accompanied by:
    • the registration fees specified in the Second Schedule of the Registration of Data Controllers and Data Processors Regulations;
    • a copy of the establishment documents;
    • particulars of the data controllers or data processors including name and contact details;
    • a description of the purpose for which personal data is processed; and
    • a description of categories of personal data being processed.

The Second Schedule of the Registration of Data Controllers and Data Processors Regulations provides the amount attached to registration and renewal fees. The total amount of such fees depends on the size of the controller/processor concerned, the number of employees, and their annual turnover/revenue, and are as follows:

  • for 'micro and small data controllers/processors', i.e. a data controller/processor with between 1 and 50 employees and an annual turnover/revenue of at most KES 5 million (approx. $31,152), a registration fee of KES 4,000 (approx. $25) and a renewal fee (every 2 years) of KES 2,000 (approx. $12);
  • for 'medium data controllers/processors', i.e. a data controller/processor with between 51 and 99 employees and an annual turnover/revenue of between KES 5,000,001 (approx. $31,153) and KES 50 million (approx. $311,530), a registration fee of KES 16,000 (approx. $100) and a renewal fee (every 2 years) of KES 9,000 (approx. $56);
  • for 'large data controllers/processors', i.e. a data controller/processor with more than 99 employees and an annual turnover/revenue of more than KES 50 million (approx. $311,530), a registration fee of KES 40,000 (approx. $249) and a renewal fee (every 2 years) of KES 25,000 (approx. $155);
  • for 'public entities', i.e. a data controller/processor performing government functions (regardless of number of employees or revenue/turnover), a registration fee of KES 4,000 (approx. $25) and a renewal fee (every 2 years) of KES 2,000 (approx. $12); and
  • for 'charities and religious entities', i.e. a data controller/processor performing charitable or religious functions (regardless of revenue/turnover), a registration fee of KES 4,000 (approx. $25) and a renewal fee (every 2 years) of KES 2,000 (approx. $12).

Upon receipt of the application for registration, the Commissioner shall:

  • undertake a verification process of the details provided in the application (Regulation 7 of the Registration of Data Controllers and Data Processors Regulations);
  • if the applicant fulfills the requirements for registration, within 14 days (Regulations 8 and 9 of the Registration of Data Controllers and Data Processors Regulations):
    • issue the applicant with a certificate of registration, which will be valid for two years; and
    • enter the particulars of the successful applicant in the register; and
  • if the application for registration is declined, within 21 days from the date of the decision (Regulation 10(1) of the Registration of Data Controllers and Data Processors Regulations):
    • notify the applicant of the refusal in writing; and
    • provide reasons for the refusal.

Notably, the Commissioner may refuse to grant an application for registration or renewal where (Regulation 10(2) of the Registration of Data Controllers and Data Processors Regulations):

  • the particulars provided for inclusion in an entry in the register are insufficient;
  • appropriate safeguards for the protection of the privacy of the data subject have not been provided by the data controller or data processor; or
  • the data controller or data processor is in violation of any provisions of the Act and the Regulations.

A data controller or data processor whose application for registration or renewal has been declined may make a fresh application upon complying with the requirements specified in the refusal notice (Regulation 10(3) of the Registration of Data Controllers and Data Processors Regulations). Additionally, a data controller or data processor shall, within 14 days of any change in their particulars, notify the Commissioner in writing (Regulation 15(1) of the Registration of Data Controllers and Data Processors Regulations). After the expiry of the certificate of registration (which is valid for two years as per Regulation 7 of the Registration of Data Controllers and Data Processors Regulations), a registered data controller or data processor must apply for a renewal of registration (Regulation 11(1) of the Registration of Data Controllers and Data Processors Regulations), following the procedure outlined in Regulation 11(2) of the Registration of Data Controllers and Data Processors Regulations.

Finally, Regulation 11(4) of the Registration of Data Controllers and Data Processors Regulations specifies that where renewal is for a distinct purpose or categories of data other than that for which the data controller or data processor had been registered, the Commissioner shall undertake a verification process pursuant to Regulation 7 of the Registration of Data Controllers and Data Processors Regulations.

Exemptions

Under the Registration of Data Controllers and Data Processors Regulations, data controllers or data processors whose annual turnover is below KES 5 million (approx. $31,152) and who employ fewer than ten people are exempt from the mandatory registration requirement, unless they process personal data for any of the purposes in the Third Schedule of the Regulations (Regulation 13(2) of the Registration of Data Controllers and Data Processors Regulations).

However, Regulation 13(4) of the Registration of Data Controllers and Data Processors Regulations provides that the above-mentioned exemption does not apply to a data controller or data processor that carries out any of the following activities:

  • processing of genetic data;
  • transport services including taxi-hailing apps;
  • canvassing political support among the electorate;
  • crime prevention and prosecution of offenders including operating security CCTV systems;
  • gambling;
  • operating an educational institution;
  • health administration and provision of patient care;
  • hospitality industry firms excluding tour guides;
  • property management and selling real estate;
  • provision of financial services;
  • telecommunications network service providers; and
  • businesses wholly or mainly in direct marketing.

Please note that the Commissioner has specified that data controllers and data processors can register through the ODPC website.

7.2. Data transfers

The Act provides for conditions that must be met for the transfer of personal data outside Kenya. A data controller or data processor may transfer personal data where:

  • it has the consent of the data subject, where sensitive personal data is processed, together with confirmation of appropriate safeguards;
  • it has given proof to the Commissioner of appropriate safeguards with respect to the security and protection of the personal data involved, including the execution of cross-border transfer agreements;
  • it has given proof to the Commissioner of appropriate safeguards, including that the recipient jurisdiction has commensurate data protection laws; or
  • the transfer is to a jurisdiction with a reciprocal data protection agreement with Kenya.

Under the General Regulations, it is further specified that cross-border transfers of personal data must be based on one of the following:

  • appropriate data protection safeguards, where a legal instrument with sufficient safeguards is executed and is binding on the recipient, and the data controller has assessed all circumstances surrounding the transfer of that type of personal data to another country or organization and has determined that appropriate safeguards are in place;
  • an adequacy decision made by the ODPC. The ODPC makes a determination on adequacy based on confirmation that the recipient country or organization has in place an adequate level of protection, and may publish a list of approved countries and organizations;
  • necessity, where there is a specific and necessary reason for the transfer and it has been confirmed that no fundamental right or freedom of the data subject overrides the public interest necessitating the transfer; or
  • the consent of the data subject, which must be explicit and informed.

Moreover, data transfers may be permissible where necessary:

  • for the performance of a contract between the data subject and the data controller or data processor, or for the implementation of pre-contractual measures;
  • for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another person;
  • for any matter of public interest;
  • for the establishment, exercise, or defense of a legal claim;
  • to protect the vital interests of a data subject or other persons where the data subject is legally incapable of giving consent; or
  • for compelling legitimate interests pursued by the data controller or data processor that are not overridden by the rights of the data subject.

Section 50 of the Act further provides that the Cabinet Secretary may determine certain types of processing which may only be conducted through a server or data center located in Kenya on the basis of strategic interests of the State or for the protection of revenue. The requirements for data localization are detailed in the General Regulations. Data localization refers to the requirement for data to be processed through a server and data center located in Kenya and requiring at least one serving copy of the personal data to be stored in a data center located in Kenya. The requirement for data localization is imposed on processing in the following fields:

  • national civil registration systems;
  • population register and identity management;
  • facilitation of primary and secondary education;
  • management of licensed electronic payment systems;
  • revenue administration; and
  • processing of health data and critical infrastructure.

Under the Health Policy, there is a requirement that health data should not be stored outside Kenyan territory. As a matter of law, the Health Policy, while not binding, is persuasive, and in the absence of statute provisions courts are likely to be guided by policy considerations in so far as they are interpreted in line with the Constitution and legal precedent.

The Digital Health Act under Section 47, allows for disclosure of sensitive personal data to organizations outside Kenya only for purposes of health tourism.

7.3. Data processing records

Section 23 of the Act creates a duty on the Commissioner to conduct periodic audits of the processes and systems that a data controller or data processor uses. This may in practice require controllers and processors to maintain processing records in order to provide sufficient information for such audits.

While there is no express requirement for data controllers or data processors to maintain processing records, the other obligations in the Act will in practice require the maintenance of data processing records in order to demonstrate compliance.

7.4. Data protection impact assessment

Section 31 of the Act requires that where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, the data controller or processor must carry out a DPIA.

The Act does not set out the types of processing subject to a DPIA but generally provides that a DPIA applies to any processing that, by its nature, scope, context, or purposes, would result in a high risk to the rights and freedoms of the data subject. The General Regulations identify that a DPIA is required for high-risk activities, including:

  • automated decision-making with legal or other significant effect;
  • processing of biometric or genetic data;
  • processing that prevents the data subject from exercising a right;
  • systematic monitoring of a publicly accessible area;
  • use of personal data on a large scale for purposes other than the original reason for collection;
  • a change in any aspect of processing that may result in a higher risk to data subjects; and
  • processing of sensitive data, or of data relating to children and vulnerable groups.

Beyond meeting the legal requirement, a DPIA also brings financial and reputational benefits, demonstrating accountability and building trust and engagement with data subjects.

The DPIA must include (Section 31(2) of the Act):

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks and the safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.

A DPIA is not required where (Part 9(D) of the DPIA Guidelines):

  • the processing is not likely to result in a high risk to the rights and freedoms of data subjects;
  • the nature, scope, context, purpose, and risk of the processing are similar to processing for which a DPIA has already been carried out, in which case the results of that DPIA can be used; or
  • the processing falls under Section 51(2) of the Act, namely where:
    • the processing relates to purely household activities;
    • the processing is necessary for national security or the public interest; or
    • the disclosure of personal data is required by or under any written law or by order of a court.

Prior consultation

The data controller or data processor must consult the Commissioner prior to the processing if a DPIA prepared under Section 31 of the Act indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject (Section 31(3) of the Act). DPIA reports must be submitted 60 days prior to the processing of data to the Commissioner (Section 31(5) of the Act and Regulation 51(1) of the General Regulations).

Moreover, when making the consultation, the data controller or data processor is required to provide:

  • the DPIA prepared under Section 31(1) of the Act; and
  • the respective responsibilities of the data controller or the data processors involved in the processing.

In reviewing the DPIA report, the Commissioner may make any recommendations to be incorporated prior to commencing the processing operations (Regulation 52(2) of the General Regulations). If the data controller or the data processor does not receive any communication within 60 days of submitting the DPIA report, they may commence processing operations and the assessment report shall be taken to have been approved (Regulation 52(3) of the General Regulations). Moreover, a data controller or data processor may publish on its website the DPIA Report (Regulation 52(4) of the General Regulations).

Finally, the General Regulations stipulate that where a DPIA is required, a data controller or data processor may conduct the assessment using the template set out in the Third Schedule of the General Regulations (Regulation 50(1) of the General Regulations). A DPIA should be started as early as practicable in the design of the contemplated processing operation, even if some of the processing operations are still unknown. In addition, the data controller or data processor is required to complete the template before commencing any processing activities (Part 9(E) of the DPIA Guidelines).

7.5. Data protection officer appointment

The Act provides for the appointment of DPOs by data controllers and data processors. The requirement is, however, not couched in mandatory terms, and whether a DPO must be appointed depends on the conditions and activities of the data controller or data processor.

For the appointment of a DPO, the Act requires a data controller or data processor to designate a DPO on terms and conditions it may determine where:

  • processing is carried out by a public or private body, except for courts acting in their judicial capacity;
  • the core activities of the data controller or data processor if by virtue of their nature, scope, or purposes require regular and systematic monitoring of data subjects; or
  • the core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.

The data controller or data processor does not need to create a dedicated DPO position. The DPO may be a staff member and may fulfill other tasks and responsibilities, provided this does not result in a conflict of interest. In addition, a group of entities may appoint a single DPO, provided the position-holder is accessible to and available for each entity. However, the Act does not specify where the DPO must be located. A person may be designated or appointed as a DPO if that person has relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection (Section 24(5) of the Act).

A data controller or data processor must publish the contact details of the DPO on its official website and communicate them to the Commissioner, who must ensure that the same information is available on the ODPC's official website (Section 24(6) of the Act).

DPO Role

A DPO must (Section 24(7) of the Act):

  • advise the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;
  • ensure, on behalf of the data controller or data processor, that the Act is complied with;
  • facilitate capacity building of staff involved in data processing operations;
  • provide advice on DPIAs; and
  • cooperate with the Commissioner and any other authority on matters relating to data protection.

A DPO may be a staff member of the data controller or data processor and may fulfill other tasks and duties, provided that any such tasks and duties do not result in a conflict of interest (Section 24(2) of the Act). In addition to the functions set out under Section 24(7) of the Act, the General Regulations provide that the responsibilities of the DPO include monitoring and evaluating the efficiency of the data systems in the organization and keeping written records of the processing activities of the civil registration entity (Regulation 20(1) of the General Regulations).

Further details in relation to the record-keeping responsibility in Regulation 20(1)(b) of the General Regulations can be found in Regulation 20(2) of the same Regulations.

7.6. Data breach notification

Where there is a real risk of harm to the data subject in case of a breach involving their personal data, there is an obligation to notify:

  • the Commissioner within 72 hours; and
  • the data subject within a reasonable time.

Under the General Regulations, a breach notification to the ODPC should include the date and circumstances of the breach, an account of steps taken and assessment of the breach, information on how the breach occurred, the number of data subjects affected, classes of affected personal data, potential harm to the affected data subjects and information on actions taken by the data controller or processor to eliminate or manage the breach and any potential harm.

The Second Schedule of the General Regulations sets out categories of personal data whose compromise amounts to a notifiable breach. These include, among others:

  • financial information such as salaries, fees, commissions, bonuses, gratuities, or other remuneration arising out of a contract of services, and income from sales payable to a data subject; credit card information; and bank account numbers;
  • identifying information regarding a child, in conflict with the law, as the data subject;
  • a private key of a data subject used to create an electronic record, verify the integrity of an electronic record, or authenticate an electronic signature;
  • credit information of a data subject;
  • withdrawals or deposits of money by a data subject;
  • medical information such as sexually transmitted infections, mental disorder, substance abuse and addiction, and HIV status;
  • medical treatment involving the donation or receipt of a human egg or sperm, a contraceptive operation, or abortion;
  • a suicide attempt by an individual; and
  • domestic abuse, child abuse, or sexual abuse involving or allegedly involving the data subject.

Service providers licensed under the Kenya Information and Communications Act have an obligation, under the regulations issued under that Act, to notify the customer/data subject where there is a risk of a breach of the security of the provider's network. If the risk falls outside the scope of measures that the provider itself can take, the provider must inform the data subject of the possible remedies, including an indication of the likely costs involved. The notification must be made by a message delivered to the data subject.

7.7. Data retention

The Act provides for retention of data under various circumstances which are (Section 39 of the Act):

  • as long as is reasonably necessary to satisfy the purpose for which the data is collected and processed;
  • as required or authorized by law including sectoral laws;
  • as consented to by the data subject; or
  • for historical, statistical, journalistic, literature, art, or research purposes.

Under Regulation 19 of the General Regulations, a data controller or data processor is required to establish a data retention schedule with appropriate time limits for periodic review of the need for continued storage. They are also required to delete, anonymize, or pseudonymize data once the purpose for collection lapses.

Under the Kenya Information and Communications Act, data retention must ensure confidentiality, accuracy, and security. Call data records must be retained for a minimum of three years. There is no specified time limit for the retention of subscriber information. Under the National Payment System Act, financial information must be retained for a minimum of seven years.

7.8. Children's data

The Act prohibits the processing of data relating to a child unless consent is given by the child's parent or guardian and the processing is in a manner that protects and advances the rights and best interests of the child (Section 33 of the Act). A child by Kenyan law is anyone below the age of 18 years as defined in the Children Act No. 8 of 2001 and as such the age of consent is 18 years. Under Regulation 49 of the General Regulations, where children's data is to be processed, a DPIA is required. Breach of an adoption order or related information is also a notifiable breach.

7.9. Special categories of personal data

Processing of sensitive personal data is restricted, and sensitive personal data includes the data defined under the key definitions above. In addition, under Section 47 of the Act, the Commissioner has the power to determine further categories of personal data that may be classified as sensitive personal data, as well as any special grounds on which such data may be processed, considering:

  • the risk of significant harm that may be caused to the data subject as a result of processing;
  • the expectation of confidentiality that may be attached to such category of data;
  • whether a significant and discernible class of data subjects may suffer harm from such processing; and
  • the adequacy of protection afforded by ordinary provisions applicable to personal data.

It is worth noting that court records are public records and many of the court cases are reported online. As such, data related to a person's court case, including criminal convictions, would not be protected under the Act. Only information regarding children is concealed in the publication of court records.

7.10. Controller and processor contracts

As part of the organizational measures a data controller or processor is required to implement for the protection of personal data, the Act requires that where a data controller is using the services of a data processor, the parties must have a written contract that specifies that the data processor may only act on instructions received from the data controller. In addition, the contract must specify that the data processor shall be bound by the obligations of the data controller.

Under Regulation 48 of the General Regulations, a data controller or data processor transferring personal data across borders is required to enter into a written agreement with the recipient of the personal data. The agreement must provide for unlimited access by the transferor to the recipient, so that the transferor can ascertain that adequate protection measures exist, and must specify the countries to which the data may be transferred under the agreement.

8. Data Subject Rights

8.1. Right to be informed

The Act simply provides that a data subject has the right to be informed of the use to which their personal data is to be subject.

Data controllers must notify data subjects of (Section 29 of the Act):

  • their rights under the Act;
  • the fact that their personal data is being collected and processed;
  • what personal data is being collected;
  • whether the collection is pursuant to any law, and whether it is voluntary or mandatory;
  • the consequences, if any, of failure to provide all or any part of the requested personal data;
  • the uses to which their personal data will be put;
  • any third parties with whom the personal data will be shared;
  • the safeguards adopted in the case of third-party sharing;
  • the contact information of the data controller or data processor; and
  • the technical and organizational measures taken by the data controller or data processor to protect the personal data collected.

In the event of a breach where there is a real risk of harm to data subjects, data controllers must notify data subjects of the breach (after notification to the Commissioner) in writing within a reasonably practical period.

Where an automated processing decision produces legal effects or significantly affects a data subject, the data processor must notify the data subject in writing that a decision has been taken based solely on automated processing.

Telecommunication service providers licensed under the Kenya Information and Communications Act must notify customers that their data is being processed, and further disclose the purpose for the collection.

8.2. Right to access

The data subject has the right to access their data that is in the custody of the data controller or data processor, similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

8.3. Right to rectification

The Act provides for the data subject's right to the correction of false or misleading data, to deletion of false or misleading data, and to updating their data, similar to the GDPR.

The data controller or processor has an obligation to provide means for the data subject to make requests for rectification.

8.4. Right to erasure

Just like in the GDPR, the right to erasure is not absolute and applies under specific circumstances which under the Act are:

  • where the data is inaccurate, outdated, incomplete, or misleading;
  • where the data controller or processor is no longer authorized to retain the data; or
  • the data is irrelevant, excessive, or has been obtained unlawfully.

8.5. Right to object/opt-out

Similar to the provisions of the GDPR, a data subject has the right to object to the processing of all or part of their personal data. However, a legitimate interest in the processing that overrides the data subject's rights may limit this right.

8.6. Right to data portability

Similar to the GDPR, a data subject has the right to receive their data in a structured, commonly used, machine-readable format, to transmit this ported data to another data controller or processor, or to request the transfer to another data controller or processor where possible.

The right to portability is limited to the extent that processing may be necessary for the performance of a public interest task, the exercise of official authority, or portability may adversely affect the rights and freedoms of others.

8.7. Right not to be subject to automated decision-making

A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject. Where a data controller or data processor takes a decision based solely on automated processing and that decision may produce legal effects concerning or significantly affect the data subject, the data controller or data processor must, as soon as reasonably practicable, notify the data subject in writing that such a decision has been taken (Section 35 of the Act).

The data subject has the right to request the data controller or data processor to reconsider the decision or to take a new decision that is not based solely on automated processing. The data controller or data processor must then consider the request, comply with it, and notify the data subject of the steps taken to comply with the request and of the outcome. The Act sets no standard for how a data subject's request is to be processed; this is expected to be outlined in detail in regulations supplementing the Act.

Unlike the GDPR, the Act does not require a data controller or data processor to provide the data subject with prior information about automated decision-making, and does not expressly require controllers or processors to verify through regular checks that such systems are working as intended, even though this is implied by the general obligations of the data controller and data processor.

8.8. Other rights

Not applicable.

9. Penalties

The Act provides for various offenses and sanctions. Additional sanctions are enforced by various sectoral regulators which may include fines and the revocation or suspension of licenses. Sectoral laws also provide for specific sanctions for breaches. The sanctions are:

The Act

Where the Commissioner is satisfied that a person has failed or is failing to comply with any provision of the Act, the Commissioner may serve an enforcement notice and a penalty notice requiring the person to pay a penalty of an amount specified in the notice. The maximum penalty that may be imposed in penalty notice is up to KES 5 million (approx. $31,152) or up to 1% of the annual turnover of the preceding financial year, whichever is lower. Additionally under the Act:

  • failure to comply with an enforcement notice is an offense and upon conviction, a person is liable to a fine not exceeding KES 5 million (approx. $31,152) or imprisonment for a term not exceeding two years, or both;
  • obstruction of a Commissioner in exercising its functions is an offense that attracts a fine not exceeding KES 5 million (approx. $31,152) or imprisonment for a term not exceeding two years, or both;
  • in relation to failure to register with the Commissioner as a data controller or data processor, unlawful disclosure, processing of personal data without lawful purpose, the sale of personal data, and publication of false or misleading information to the Commissioner, penalties are not specified, and for this reason the general penalty of a fine not exceeding KES 3 million (approx. $18,691) or imprisonment for a term not exceeding 10 years, or both is applicable;
  • a data subject is entitled to compensation for damage from the data controller or data processor for any violation of their rights; and
  • unlawful disclosure and access to personal data are offenses subject to the general penalty provided in the Act which constitutes a fine not exceeding KES 3 million (approx. $18,691) or imprisonment for up to 10 years or both.

Kenya Information Communications Act

  • a licensee who violates the requirements of any of the regulations issued under the Kenya Information and Communications Act (including the regulations on privacy) commits an offense and is, upon conviction, liable to a fine not exceeding KES 300,000 (approx. $1,869), imprisonment for a term not exceeding three years, or both;
  • under the SIM Card Regulations, any telecommunications operator who commits an offense with regard to SIM card registration will be liable on conviction to a fine not exceeding KES 5 million (approx. $31,152); and
  • a person who commits an offense for which no specific penalty is provided in the Kenya Information and Communications Act or the regulations issued under it will, on conviction, be liable to a fine not exceeding KES 300,000 (approx. $1,869), imprisonment for a term not exceeding six months, or both.

Healthcare sector

The HIV and AIDS Prevention and Control Act provides that it is an offense to breach the provisions relating to confidentiality (with no specific penalty prescribed). Under the HIV and AIDS Prevention and Control Act, a person convicted of an offense for which no other penalty is provided is liable to imprisonment for a term not exceeding two years, a fine not exceeding KES 100,000 (approx. $623), or both.

Offenses under the Digital Health Act include:

  • breach of health data, which entails tampering with, abuse of access privileges to, unlawful disclosure of, improper disposal of, loss of, theft of, or sharing of health data with unauthorized persons. Upon conviction, violators face a fine not exceeding KES 1,000,000 (approx. $6,230), imprisonment for up to 15 years, or both. Where the offense concerns sensitive personal data, the penalty is as stipulated under the Act; and
  • failure by a member of the Digital Health Agency Board to disclose a conflict of interest, obstruction of an employee, agent, or board member mandated under the Digital Health Act, and submission of false or misleading information to the board are offenses subject to the general penalty, which consists of a fine not exceeding KES 1,000,000 (approx. $6,230), imprisonment for up to two years, or both.

Financial sector

Under the National Payment System Act, a payment service provider may have its license suspended or revoked if it is unable to protect the confidentiality of the data or information it collects and keeps. Unauthorized disclosure of confidential customer information is subject to a fine of up to KES 1,000,000 (approx. $6,230). Use of confidential information for personal gain is subject to a fine of up to KES 500,000 (approx. $3,115), imprisonment for up to one year, or both.

9.1 Enforcement decisions

Since December 2022, the ODPC has issued various decisions. The following are some notable determinations:

  • in December 2022, the ODPC issued its first ever penalty notice, imposing a fine of KES 5 million (approx. $31,152) on OPPO Kenya for using a data subject's photo on the company's Instagram account without consent, in violation of Section 37 of the Act;
  • the ODPC issued a determination against World Coin Foundation following an investigation prompted by public concern that World Coin was collecting sensitive biometric data from members of the public in return for cash payments. A multi-agency task force was formed to investigate the matter. The outcome included proposals to revise and strengthen various legislation, cancellation of the data controller and data processor certificates issued to World Coin, and takedown directions for the World Coin app from the Google Play Store and Apple App Store until the company meets the requirements set out in the determination;
  • in a decision dismissing a complaint of breach of privacy filed by a law firm against its former employee, the ODPC determined that a data controller or data processor that is not registered under the Act is not excluded from the Act's provisions. Further, the ODPC found that the issues forming the basis of the complaint:
    • constituted information in the public domain;
    • related to infringement of intellectual property rights which did not fall under the jurisdiction of the ODPC; and
    • some of the complaints were not supported by evidence;
  • in 2023, the ODPC issued an enforcement notice against a school for various violations of the Act, including publishing children's images in a WhatsApp group and on the school's social media pages without valid parental consent;
  • the ODPC issued an enforcement notice against a digital credit provider for violating Section 26 of the Act by contacting the complainants, whose phone numbers it had collected from third parties, without first obtaining the complainants' consent or notifying them of their rights and of the nature and purpose of the collection;
  • the ODPC issued a determination requiring the Higher Education Loans Board, a public entity, to update and correct information it held about a data subject; and
  • in September 2023, the ODPC issued an enforcement notice to a medical institution found in breach of Section 41 of the Act for sharing a patient's medical information with an unauthorized third party.