Executive Summary

The recognition of the privacy as a fundamental human right, especially due to an increased advancement in the ICT sector both locally and internationally, has led to the formulation of the Data Protection framework in Kenya.

The policy is meant to safeguard the Personal Data Collected by both public and private sectors

Purpose of the Policy.

The major purpose of the policy is to enforce the development of privacy and data protection laws.

It’s also meant to develop a legal framework to govern the protection of personal data and establish an independent oversight authority that will ensure compliance of the policy and sound management practices to safeguard the rights of the data subjects, including children and the vulnerable groups (People with incapacity).


The principles applying in the policy are based on global best practices in data protection. This principle includes

  • Fairness and lawfulness and Transparency
  • Purpose Limitation
  • Data Minimization
  • Storage Limitation
  • Accuracy
  • Confidentiality and Integrity
  • Accountability


The policy also has stipulated the rights assigned to the owner of the data, which is not limited to

  • Right to access to personal information;
  • Right to information as to whether personal data is being processed;
  • The right to rectification if the information held is inaccurate or incomplete or requires to be updated;
  • The right to restrict the processing of their personal data;

And much more.



The policy strives to ensure that the collection, processing, transmitting, using, storing and the disposal of personal data will be permitted only under a lawful and legitimate basis.


The section defines the key requirements of the data controller and data processor which includes:

  • A data controller’s obligations
  • Joint Data Controllers
  • Data protection by design and default
  • The protection of personal data by the Data Controller/Data Processor.
  • How Data controller should manage any personal data breaches promptly and appropriately
  • How Data controllers should uphold the rights of the data subject
  • Challenge to Compliance by the Data controllers



The policy will be the responsibility and accountability of the Cabinet Secretary in charge of matters Information, Communications and Technology.

There will be also the Office of the Data Protection Regulator which will be responsible for upholding the Bill of Rights and enforcing data protection procedures.



Any misuse of personal data, through loss, disclosure, or failure to comply with the data protection principles and the rights of data subjects, will result in a significant legal, and financial damages. Which may include penalties as per the Law.


The bill expects                Office of the Data Protection Regulator to set up the framework to detect and deter data breaches. The Data controller will designate a Data Protection Officer who will monitor new and on-going data protection risks and update the relevant risk register of Data Controller.


The Bill is still under review and the members of the public are still giving their comments, it will then be

approved to become law.

Get the Full Bill Here