Skip to content

New Kenyan Law Affects How Researchers Conduct their Work

Passed in 2019, the Kenya Personal Data Protection Act was designed to bring the protection of personal data from misuse in Kenya into the 21st century. It’s a significant step forward because it facilitates lawful use of personal data, including research, thus strengthening individuals’ fundamental rights. The appointment of Kenya’s first Data Protection Commissioner in November finally operationalised the law. The Act governs the use, processing, and archiving of personal data, establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, stipulates the data producers’ rights, and specifies the obligations of the data controllers and processors. It has significant implications for researchers in general, and for those involved in the health sector in particular. The Act defines health data as data related to the state of physical or mental health of the data subjects. In research, health data can be from reviewing patient records or accessing the national health databases’ information. The issue of what data is collected, and what’s done with it, has become much more urgent in the light of accelerated efforts to find a COVID-19 vaccine. Draft regulations have been issued by Kenya’s new commissioner for COVID-19 research. These provide a litmus test on how the new law could affect research and what the data processors and controllers need to be aware of. The proposed regulations for COVID-19 reflect the laws new requirements. These are that researchers can only collect data from individuals and that personal data may only be used to detect, contain and prevent the spread of COVID-19.