Hospitals have until March 2025 to comply with privacy regulations
The Office of the Data Protection Commissioner is on an aggressive drive to enforce compliance and guard against data breaches.
What you need to know:
- Kenya's Data Protection Act came into force on November 25, 2019, paving the way for the implementation of laws governing the collection, processing, and storage of personal data by both the government and the private sector.
Owners of health facilities have until the end of March 2025 to comply with privacy laws that require them to register and obtain certification as data handlers and processors.
The Kenya Medical Practitioners and Dentists Council (KMPDC) said all newly established hospitals must obtain certification from the Office of the Data Protection Commissioner (ODPC).
“Effective January 1, 2025, all new health facility registrations must include a valid certificate of data handler/processor issued by the ODPC. Additionally, existing facilities must obtain this certification within three months, by March 31, 2025,” reads the notice signed by KMPDC chief executive David Kariuki.
“This requirement underscores the critical importance of safeguarding patient privacy, a fundamental aspect of ethical medical practice. By ensuring the responsible and lawful handling of personal data, health institutions not only adhere to regulatory standards but also strengthen patient trust and enhance safety.”
The move to force medical institutions to comply with the data rules comes amid an aggressive drive by the ODPC to enforce compliance and guard against data breaches across various sectors.
All entities that handle the personal information of individuals in the country are required to register as data processors and data controllers under the Data Protection (General) Regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations 2021 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021.
The regulations are aimed at telecom companies, digital ride-hailing service providers, building managers, companies operating CCTV, dispensaries, and primary and secondary schools. Others on the list include law firms, property managers, real estate agencies and financial services providers such as digital lenders, saccos and mobile money agents.
According to records on the ODPC's official website, the watchdog handled 26 complaints during the period, of which 17 resulted in convictions, with the perpetrators ordered to pay a total of Sh12 million in compensation to the complainants.