Compliance update for healthcare providers: Data Protection Act requirements
Legal Development | 21 January 2025 | Africa | Regulatory movement
The Kenya Medical Practitioners and Dentists Council (the KMPDC) has issued a directive that introduces a new compliance requirement for healthcare providers under the Data Protection Act, 2019 (the Act). This directive underscores the increasing focus on data privacy and patient rights within the healthcare sector and represents a significant shift in regulatory expectations.
Effective 1 January 2025, all new health facility registrations must include a valid Certificate of Data Handler and/or Processor issued by the Office of the Data Protection Commissioner (the ODPC). Existing healthcare facilities must achieve compliance by 31 March 2025. This certification requirement ensures the adoption of robust data management practices, safeguarding sensitive patient information while aligning with global data protection standards.
Data privacy is a cornerstone of ethical medical practice, especially in the healthcare sector, where sensitive patient information is routinely collected, processed and stored. The directive highlights the importance of responsible and lawful handling of personal data, enhancing patient trust and institutional credibility while minimising risks associated with data breaches.
The Act establishes the legal framework for processing health data in Kenya and emphasises principles such as lawfulness, fairness and transparency in processing personal data. Further, it highlights purpose limitation to ensure data is collected only for specific and legitimate purposes, data minimisation to limit the collection to only what is necessary and accountability to demonstrate adherence to these principles.
Under the Act, “sensitive personal data” is broadly defined to encompass details such as a person's race, health status, ethnic or social origin, conscience, beliefs, genetic data, biometric data, property details, marital status, family information, sex or sexual orientation. Additionally, “health data” refers to information concerning an individual’s physical or mental health, encompassing records of their past, present or future health status. This includes data gathered during registration or the delivery of healthcare services, as well as information linking an individual to specific health services. Under the Act, personal data relating to health may only be processed by or under the responsibility of a healthcare provider or by a person subject to the obligation of professional privilege under law. Such processing is permitted if it is necessary for public interest in the area of public health or is carried out by another person who owes a duty of confidentiality under any law.
Mandatory Compliance and Penalties
To comply with these requirements, healthcare providers must undertake several critical steps. First, they need to familiarise themselves with the ODPC’s certification requirements, which include documentation and operational standards. Conducting a data audit is crucial to assess current practices in data collection, storage and processing and to identify any gaps in compliance. Implementing data protection measures, such as robust policies and procedures, ensures adherence to the Act’s principles. Training employees who handle personal data on their responsibilities is essential for fostering a culture of compliance. Finally, seeking professional guidance can streamline the certification process and help adopt best practices tailored to the healthcare sector.
Data controllers or data processors whose annual turnover/revenue is below KES 5 million (approximately USD 38,610) and who employ fewer than 10 people are exempt from mandatory registration under the registration regulations. However, organisations processing personal data in the health industry (including health administration and the provision of patient care) fall under the mandatory category of entities that are not subject to these exemptions.
The registration fees depend on the category within which the healthcare facility falls. This includes:
- Micro and small data controllers/processors (those with an annual turnover/revenue of KES 5 million (approximately USD 38,610) and one to 50 employees) – a fee of KES 4,000 (approximately USD 31);
- Medium data controllers / processors (those with an annual turnover/revenue of above KES 5 million (approximately USD 38,610) but less than KES 50 million (approximately USD 386,100) and 51 to 99 employees) – a fee of KES 16,000 (approximately USD 124);
- Large data controllers/processors (those with an annual turnover/revenue of more than KES 50 million (approximately USD 386,100) and more than 99 employees) – a fee of KES 40,000 (approximately USD 309); and
- Charities and religious entities offering charity or religious functions (regardless of revenue/turnover) – a fee of KES 4,000 (approximately USD 31).
The penalties for non-compliance are significant and may include administrative fines of up to KES 5 million (approximately USD 38,610) or one per cent of the entity’s annual turnover, whichever is lower, and criminal penalties of up to KES 3 million (approximately USD 23,200) in fines, 10 years of imprisonment, or both.
Conclusion
The KMPDC’s directive is a significant step toward enhancing patient privacy and aligning Kenya’s healthcare sector with global data protection standards. By proactively addressing these requirements, healthcare providers can meet regulatory obligations while building trust and confidence among their patients.
If you have any questions on data privacy laws, please contact Jared Kangwana or Nelly Tuitoek.