The overarching legislation on data privacy in Kenya is the Data Protection Act, 2019 (DPA), which was assented to by the president on 8 November 2019. The DPA governs the collection, handling, transfer and destruction of data of natural persons.
The following regulations which supplement the DPA were published on 14 January 2022 and came into effect on 11 February 2022:
The Data Protection (Registration of Data Controllers and Data Processors) Regulations will come into effect in July 2022.
Yes, to a limited extent. The banking sector is bound by additional confidentiality and data privacy provisions contained in the Central Bank of Kenya Act and the Central Bank of Kenya's Prudential Guidelines.
The insurance sector is bound by confidentiality and data privacy provisions contained in the Insurance Regulatory Authority's Guideline on Market Conduct for Insurers.
Telecommunications providers are bound by the confidentiality and data privacy requirements contained in the National Payment Systems Act and the National Payment Systems Regulations 2014.
There are no sector-specific laws relating to data privacy applicable to the healthcare or advertising sectors.
No. Kenya is a member of the African Union, but is yet to sign the African Union Convention on Cyber Security and Personal Data Protection (‘Malabo Convention’).
Although Kenya is not a signatory to the Malabo Convention, under the Data Protection (General) Regulations, 2021, a country or a territory that has ratified the Malabo Convention is deemed to have adequate safeguards for the purposes of cross-border data transfers.
The DPA established the Office of the Data Protection Commissioner (ODPC) for the implementation and administration of the DPA. The ODPC has the power to:
The ODPC has broad powers of oversight relating to the provisions of the DPA and is empowered to investigate and impose administrative fines for contravention of the provisions of the DPA. It is also responsible for the registration of data controllers and data processors.
The DPA allows the ODPC to issue guidelines or codes of practice for data controllers, data processors and data protection officers. In addition, the ODPC may develop sector-specific guidelines in consultation with relevant stakeholders in different industries such as health, financial services, education, social protection and any other area that it determines. However, the data protection regulatory framework is still in its infancy and we are yet to see such sector-specific guidelines being issued. Since the DPA borrows heavily from the EU General Data Protection Regulation, industry standards and best practices adopted by EU member states will be of persuasive value in Kenya.
The Data Protection Act (DPA) applies to all data controllers and processors, regardless of the legal form taken by the entity (natural or legal person, public authority, agency or other body) that processes the personal data of data subjects located in Kenya, whether or not the data controller or processor is located in or ordinarily resident in Kenya. However, the protection under the DPA extends only to ‘personal data’, which is defined in the act as data relating only to identified or identifiable natural persons.
Section 51 of the DPA provides for the following exemptions:
The principles of processing personal data do not apply where:
The Data Protection (General) Regulations, 2021 go on to create two new exemptions on the ground of public interest:
Despite these exemptions, a data controller or data processor will not be exempt from the requirement to comply with data protection principles relating to:
Yes. Section 4(b) of the DPA sets out the territorial scope of the act. The DPA applies to the processing of personal data by data controllers and data processors that are not established or ordinarily resident in Kenya, but that process the personal data of data subjects located in Kenya.
(a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
(d) Data subject
An identified or identifiable natural person who is the subject of personal data.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
Data revealing a natural person's:
(g) Consent
Any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
Data controllers and processors must be registered with the Office of the Data Protection Commissioner (ODPC) if they meet the threshold for mandatory registration. As such, a data controller or processor must be registered if any of the following conditions is met:
Data controllers and data processors that meet the registration threshold must apply online for registration with the ODPC using a standard form, accompanied by the registration fees. The registration fees are based on the scale of the applicant's operations (which is determined by the number of employees and the annual revenue of the applicant). The current categories are as follows.
The ODPC will verify the details provided in the application and, if satisfied that the applicant fulfils the requirements for registration, will issue a certificate, which will remain valid for a period of 24 months from the date of issuance.
The ODPC must maintain a register of data controllers and processors. There are no provisions for public access to the register of controllers and processors.
Section 30 of the Data Protection Act (DPA) sets out the lawful bases for processing personal data, as follows:
The DPA sets out the basic principles for the processing of personal data, as follows:
These principles remain consistent regardless of the type of data and do not depend on whether the processing is outsourced. Data controllers must ensure that all data processors abide by the same principles.
Under the Data Protection (General) Regulations, 2021, a data controller or data processor that processes personal data for the purpose of the ‘strategic interest’ of the state must either:
‘Strategic interest’ has been defined to include:
The Data Protection Act (DPA) imposes no restrictions on the transfer of data to third parties. However, the data controller is ultimately responsible for the personal data collected that is transferred to third parties. Thus, contracts between data controllers and third parties accessing data should, at a minimum, set out:
Part VI of the DPA, read together with Part VII of the Data Protection (General) Regulations, 2021, provides that data can be transferred outside of Kenya only if the following requirements are met:
Adequate safeguards are deemed to be present where:
A country is automatically taken to have adequate safeguards if it has:
A list of countries that meet the adequacy requirements has not yet been published by the ODPC.
Data transfers should be well documented, setting out the obligations and responsibilities of each party with respect to the transferred data.
Under the Data Protection Act, data subjects have the right to:
These rights are not absolute and may be limited where a data controller or processor demonstrates a compelling legitimate interest which overrides the data subject's interests. In such cases, the data controller or processor must inform the data subject of its inability to fulfil the request. Notably, the right to erasure does not apply if the processing is necessary:
The Data Protection (General) Regulations, 2021 provide data subject rights request forms through which a data subject may make a request to a data controller/processor. However, these are generic forms and the data controller/processor is not restricted from providing alternative mechanisms through which the data subject may make the relevant requests. The regulations also provide specific timelines within which a data subject request must be acted upon.
If a data subject feels aggrieved by the actions of a data controller/processor, a complaint may be lodged under the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. The complaint must be made to the Office of the Data Protection Commissioner (ODPC) in a prescribed form. The ODPC has also launched an online complaint tool on its portal.
Regulation 14(3) of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 sets out the remedies to which a complainant is entitled if, upon investigation by the ODPC, the complaint is determined in his or her favour. These include:
A data controller/processor is not mandated to appoint a data protection officer (DPO) unless:
The Office of the Data Protection Commissioner (ODPC) is empowered to issue guidelines and codes of practice for data protection officers. However, these have not yet been issued. There are no fines or penalties set out for failure to appoint a DPO.
There are no mandatory qualifications for a DPO under Kenyan law. The Data Protection Act (DPA) provides that a person may be appointed a DPO if he or she possesses the relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection. The ODPC is empowered to issue guidelines or codes of practice for DPOs. These have not yet been issued.
A DPO's main responsibilities are to:
There are no restrictions on outsourcing the DPO function. Companies can structure this arrangement as they see fit, as long as the DPO:
Under the DPA, a data controller or data processor must develop, publish and regularly update a policy reflecting its personal data handling practices. This policy should cover issues such as:
The DPA contains no provisions that require data controllers or processors to keep a record of processing activities. However, it empowers the ODPC to conduct periodic audits of the processes and systems of data controllers and processors. Thus, we recommend that data controllers/processors maintain a record of processing activities.
In addition, the DPA requires data controllers to maintain records in relation to personal data breaches. These records must include the facts relating to the breach, its effects and any remedial action taken subsequent to the breach.
Data controllers and processors must also establish and maintain a data retention schedule which takes into account the purpose for which the data was collected and determines the need for continued retention of the data.
Data controllers and processors are expected to implement appropriate technical and organisational measures designed to implement the data protection principles effectively and to integrate the necessary safeguards into the processing activities.
In considering the nature of the safeguards to be put in place, data controllers and processors must take into account:
Data controllers and processors must ensure that any person employed by them or acting under their authority complies with the relevant security measures put in place by them.
The Data Protection Act requires a data controller to notify the Office of the Data Protection Commissioner (ODPC) without delay, and within 72 hours, of becoming aware of a breach. A data processor must notify the controller without delay, and within 48 hours, of becoming aware of a breach. The ODPC has created an online breach notification platform on its website. The following information must be uploaded to the platform when reporting a breach:
Where there is a real risk of harm to the data subjects as a result of the breach, the breach should be communicated in writing to the data subjects within a reasonably practical period, unless their identity cannot be established. Notification of a breach to the data subject is not mandatory where the data controller has implemented appropriate security safeguards such as encryption of the data. The breach notifications must have sufficient information to allow the data subject to take protective measures against the consequences of the data breach, including:
It is advisable for a data controller/processor to develop an incident response policy and create a data breach playbook to inform its response to a data breach. This should be disseminated to staff, vendors, third parties and data processors.
No special requirements or restrictions apply to employee information. The general principles of data protection will apply. However, a data breach revealing the remuneration paid or payable to a data subject will amount to a notifiable breach and, as such, the data controller will be obliged to notify the person to whom the data relates.
Under the Data Protection Act (DPA), there is no specific prohibition on the monitoring of data subjects. However, surveillance is grounds for mandatory registration as a data controller/processor. Furthermore, under the Guideline issued by the Office of the Data Protection Commissioner on the Conduct of Data Protection Impact Assessments, a data protection impact assessment should be carried out by any employer seeking to deploy a surveillance/monitoring system.
The DPA does not distinguish between the personal data of employees and that of any other data subject. As such, the treatment of the personal data of employees will depend on the nature of the data collected and the lawful basis relied on for processing.
No specific requirements or restrictions apply to the use of cookies under Kenyan law.
The Data Protection Act contains no provisions relating to cloud service providers (CSPs). The Office of the Data Protection Commissioner has not released any guidance notes or codes of conduct for CSPs. We recommend that the responsibilities of the CSP with respect to privacy measures be defined, documented and assigned in the cloud services agreement. Controllers should only use as processors those CSPs that provide sufficient guarantees to implement appropriate technical and organisational measures.
The Data Protection Regulations set out the basic safeguards that should be in place for all contracts between controllers and processors, such as provisions on the following:
A data controller or data processor can use personal data (other than sensitive personal data) for direct marketing where:
A data controller or processor may not transmit direct marketing communication where:
The Data Protection (General) Regulations, 2021 identify businesses that are wholly or mainly in direct marketing as one of the categories of businesses that meet the threshold for mandatory registration.
The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 promote alternative dispute resolution (ADR) through negotiation, mediation or conciliation. Where a dispute is determined through ADR, the parties must sign a binding agreement in a prescribed form, which will be deemed to be a determination of the Office of the Data Protection Commissioner (ODPC).
Where ADR mechanisms fail to determine the dispute, the ODPC will proceed to issue a determination on the complaint. A determination of the ODPC will be enforced as an order of the court and will be binding on all parties.
An enforcement notice issued by the ODPC may be appealed to the High Court within 30 days of service of the enforcement notice.
The Kenyan Data Protection framework is still in its infancy and we are yet to encounter any disputes.
In January 2019 (prior to the enactment of the Data Protection Act (DPA)), the Kenyan government commenced a nationwide exercise to collect the personal and biometric data of Kenyan citizens and residents, in order to create a biometric database known as the National Integrated Management System (NIIMS). Citizens and residents were then to receive a unique identification number in order to access a number of government services (a ‘Huduma card’). Several legal challenges were filed and in January 2020, the High Court ordered the government to delay the data collection exercise until the country had enacted an appropriate and comprehensive regulatory framework for the implementation of NIIMS that was compliant with the constitutional right to privacy.
Once the DPA was enacted in November 2019, the government proceeded with the data collection exercise, claiming that a regulatory framework was now in place.
On 14 October 2021, the High Court of Kenya declared the government's continued rollout of the Huduma card unlawful on the grounds that:
The government has challenged the High Court's decision in the Court of Appeal.
We expect that the registration of data controllers and processors will commence in July 2022. Prior to registration, data controllers and processors will likely assess their internal data privacy controls in order to establish their compliance level and identify key actions to be taken to achieve compliance with the Data Protection Act (DPA).
The Office of the Data Protection Commissioner (ODPC) has been raising awareness among the Kenyan population of the provisions of the DPA. According to the ODPC's current Strategic Plan, this will remain a key area of focus, as it intends to equip stakeholders with adequate information on data protection in order to promote compliance.
The ODPC has also listed the establishment of policy frameworks as a key consideration in its Strategic Plan. We therefore anticipate the release of sector-specific guidelines in areas such as health, financial services and education.
With the Data Protection Regulations in effect, we also expect that the ODPC will begin to take enforcement actions this year based on random inspections and audits of personal data processing systems.
An overall data protection strategy should be a key consideration for many Kenyan organisations. This strategy should inform the overall route taken by the organisation regarding data protection.
With a clear strategy in place, organisations should look into taking an inventory of the data they already hold with a view to determining:
After taking an inventory of the data they hold, organisations should review how this data is processed in order to determine their data needs. Any unnecessary or excessive data should be purged, and data processes should be designed to comply with the principle of data minimisation.
Organisations should also establish adequate data security frameworks, which include breach notification procedures. Staff should be properly trained in order to ensure compliance with the obligations, especially given the tight timeframes around breach notification.
Finally, the organisational data privacy framework should not be left to institutional memory. Key strategies, policies and playbooks should be documented in order to ensure a smooth transition in the case of employee replacement.
Privacy risks should be prioritised in the boardroom and directors should ensure that data privacy is given the attention required under the Data Protection Act and Regulations. A sound data security programme should incorporate stakeholders from across the business who bring different perspectives on these issues. The board should define metrics for measuring the effectiveness of the privacy programme and review them on a quarterly basis.
Co-Authored by Charles Owino
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.