I&M Bank House, 7th Floor, 2nd Ngong Avenue

+254 716 209 673


The Data Protection Act: A Series

CM Advocates > Cyber Security, Privacy & Data Protection  > The Data Protection Act: A Series

The Data Protection Act: A Series

The Data Protection Act, No. 24 of 2019 (the DPA) was enacted into law on 11 November 2019 through Gazette Supplement Number 181. The provisions of the DPA gives life to Article 31 (c) and (d) of the Constitution of Kenya which guarantees the right to privacy including the right of a person not to have information relating to their family or private affairs unnecessarily required or revealed and the right not to have the privacy of their communications infringed.

Since its enactment, there has been slow implementation of the provisions thereon primarily due to the lack of establishment of the Office of the Data Commissioner, who is mandated to oversee the implementation of and be responsible for the enforcement of the DPA. This has however been cured in light of the recent appointment of the first Data Protection Commissioner on 16 November 2020 who is the head and chief accounting officer of the Office of the Data Commissioner. This development is instrumental to further empowering the principles enshrined under DPA.

In January 2021, the Office of the Data Protection Commissioner issued a Guidance Note on personal data protection in light of the Covid-19 pandemic and its implications on health data. In the Note, the Commissioner highlighted the key principles that govern data protection including accountability; integrity and confidentiality; storage limitation; purpose limitation; accuracy; data minimization; lawfulness, fairness and transparency.

The Guidance Note provides the mechanism of obtaining data from individuals. The Note emphasizes that personal data should be collected directly from individuals, subject to their express consent which should be documented through a form created by the Office of the Data Commissioner.

The Note further recommends that personal data sharing should be guided by a valid agreement drafted in line with the DPA. The Note also prohibits the selling or transfer of data out of the country without the consent of the data subject.

In implementing the policy guidance, the Office of the Data Commissioner directs as follows:

  • public entities request for personal data shall be channeled through the relevant line ministries;
  • A person requesting personal data is expected to enter into a data protection and sharing agreement with the entity or person having control of the personal data; and
  • A person possessing personal data of individuals is expected to comply with the provisions of the DPA.

In the coming weeks we shall through a series of articles demystify the DPA and its implications on data privacy in the corporate world. For more information, please contact our corporate team through email or


× How can I help you?