Data Policy and Governance Centre

In recent years, there has been an explosion of digital solutions offered by businesses as well as an uptick in the uptake of digital platforms by Governments in serving their citizens in the East African region. Along with this has come new legislation to govern this digital sphere. There is a need for independent actors in this landscape that will serve the various sectors in numerous capacities to ensure that citizens’ rights are upheld and the spirit of the legislation is met while also ensuring that innovation is not stifled. The Data Policy and Governance Centre (DPGC) seeks to serve in this capacity.

The long-term goal of the DPGC is to contribute to the body of evidence available for those influencing policy in the areas of data protection, data bias, open data, and other issues pertaining to data governance with a focus on issues relevant to the Global South. All research objectives and outcomes of the centre are designed to be fact-based and politically – neutral. The DPGC aims to add evidence and impartial analysis to the ongoing local, national, and continent-level debates around data. The centre is currently focused on issues of Data Protection and Privacy, specifically on issues of implementation and enforcement of data protection laws within the region, in addition to commenting on the framing of data protection regulations.

Data Protection in the Kenyan Banking System

The executive summary for the report:

Banking institutions, as with many other entities, are increasingly handling personal data owing to an increased use of different technologies to offer banking services. Increased handling of such personal data coupled with new statutory requirements relating to data protection have placed renewed emphasis on the efforts used by banks to create and communicate policies for handling data subjects’ information. This report analyses the publicly available data policies of commercial banks in Kenya, providing an overview of the approaches taken by the studied banks with respect to data protection for existing and prospective customers.

This report compares the banks’ data policy provisions against a data protection standard developed using the provisions of existing national and international data protection regimes, including the Kenya Data Protection Act 2019 (DPA) and the European General Data Protection Regulation (GDPR). This standard comprises three broad indicators: data collection, data sharing, and the rights of data subjects. Compliance with these indicators is measured using tabulated analyses showing the individual and aggregated performance of the banks.

The report’s conclusions are derived from research conducted in Kenya in 2019 and 2020. A total of 32 policies were identified and analyzed, all of which were in existence prior to the enactment of the Kenya DPA. This report is therefore a baseline study of the policies; the report anticipates that there will be changes in banking policies as the DPA is put into practice. The findings in this report will be useful for comparative purposes as the DPA is implemented and enforced.

Key Findings

On average, the banks were found to be more likely to have unclear or incomplete policy provisions in all categories. Provisions relating to data collection were the most compliant while provisions relating to rights of data subjects had the lowest compliance score.

There is a notable variance in the performance of banks with regard to rights of data subjects. A large number of banks lacked any policy provisions in this category while a similarly large number of banks were clustered at the higher scores. This disparity suggests that the banks took two general approaches, i.e., to exclude policy provisions relating to data subjects’ rights altogether, or to incorporate such provisions clearly and completely.

Overall, provisions relating to the purpose of processing data were the most compliant among all provisions in all categories. Provisions relating to the rights of data subjects to object to the outcome of an automated decision were the least compliant. Clarity or completeness of provisions was a problem for a large number of the policies, and the overall readability of the policies may present challenges to banking customers that are likely to have a wide range of formal education.

Although the report highlights that the banking sector falls short of what we consider internationally-recognized norms in data protection, the data also show that data protection policies are widely present in the sector, and can be modified to become compliant.

Options for the Review of Commercial Use of Personal Data (Direct Marketing) Laws in Kenya


The increased use of digital platforms in Kenya has changed the manner in which marketing is conducted. Many companies and individuals have embraced direct marketing because it is affordable, enables one to attract new customers fast and one can reach target customers efficiently. The importance of direct marketing to a marketer is that it allows him to promote the product or service directly to his target audience. The availability of various marketing tools and the benefits that accrue with direct marketing has attracted many businesses thus causing many to incorporate the practice in their daily activities.

The purpose of this policy brief was to identify existing Kenyan laws that are applicable to the practice of direct marketing, identify any gaps in these legislations and come up with policy recommendations based on comparison with other jurisdictions. The approach used involved doctrinal research which was useful in analysing existing Kenyan laws to identify direct marketing provisions. A comparative analysis approach was also employed and it was useful in coming up with appropriate policy recommendations based on the gaps identified.

The findings from the policy brief indicate that:

  • Kenya already has four laws that are applicable to the practice of direct marketing.

  • Key definitions which are fundamental ingredients of direct marketing are not included in the legislations analysed.

  • The existence of big data has transformed how marketing is conducted.

  • External jurisdictions have made an effort to protect data subjects in the commercial use of personal data.

  • Numerous jurisdictions have updated their privacy laws and subsequently included direct marketing provisions so as to protect consumer data and measure up with global marketing privacy standards.

The full policy brief attached herein contains the detailed analysis of the findings that were obtained and the policy recommendations that were made.


Published on: 4th July 2023

Commercial Use of Personal Data (direct marketing) in Kenya.


SMEs (small and mid-size enterprises) play a crucial role in job creation and contribution towards the Gross Domestic Product (GDP) in Kenya. In order to reach many customers, SMEs have embraced digitalization and some are utilizing personal data to advertise products to potential customers. Various direct marketing tools are now being used to reach customers and this has been made possible through the use of social media, email and also applications designed for sending text messages. The use of personal data for commercial purposes means that SMEs are required to comply with data protection requirements.

This SME Manual on commercial use of personal data (direct marketing) in Kenya is meant to inform SMEs of the legal and regulatory landscape that govern the commercial use of personal data. It is also designed to enable SMEs grasp fundamental terminologies involved in direct marketing and the data protection requirements they are supposed to comply with when engaging in direct marketing practices. For compliance purposes, the manual contains a checklist formulated in accordance with the Data Protection Act 2019 and the Data Protection General Regulations 2021 that will enable marketers to comply with the law and avoid sending unsolicited communication to potential customers.

Privacy Score Card Report

Privacy Score Card Report


Together with Unwanted Witness (UW) the Center for Intellectual Property and Information Technology Law (CIPIT) contributed to towards the 2022 Privacy Score Card report where we evaluated data protection compliance in three sectors in Kenya and Uganda. The evaluation focused on the financial services, telecommunication and e-commerce sectors. The primary methodology for the evaluation looked at the privacy policies of 2 select companies within the sectors and assessing the privacy policies through five core indicators.

Existence of an accessible public, readable, and noticeable privacy policy

Informed consent: this looked at the company’s contact details, purpose of data collection, type of data being collected, rights of the data subject

Data Collection and Third – party data transfer: Information on which parties have access to collected data

Data Security: security of the web browser, validity of the website, technical and organizational measures utilized to secure data.

Accountability: Published transparency report in the year under review.

The primary findings from the report showed,

There is ongoing compliance with data protection laws, however, there are gaps and areas of improvement that need to be addressed.

The compliance of the Kenyan sectors stood at 47.4%

Compliance in the Kenyan financial sector stood at 49%, the e-commerce sector stood at 53.8% and the telecommunication sector stood at (39.4%)

The percentages reflected above are a measure of compliance of the companies in the respective sectors on account of the evaluation on their respective publicly available privacy policies and not internal data protection and privacy policies.

This report reflects the findings from Kenya. The findings of both Kenya and Uganda are reflected in the 2022 Privacy Score Card.

Data Protection in the Kenyan Health Sector
Electronic Medical Record(EMR) systems have been adopted in Kenya’s health sector to streamline and improve healthcare. Their introduction was informed by data complexity, volumes of patients served and the desire to have efficient health information systems. From 2010, their implementation and use was regulated solely by the Standards and Guidelines on the Implementation of EMR systems in Kenya before the enactment of the Data Protection Act(DPA) in 2019. The DPA established new rules and mechanisms for the processing of personal data that were not considered in the formulation of the Guidelines. On this basis, this policy brief sought to compare the Guidelines vis a vis the DPA, identifying gaps in relation to data protection in the processing of health data. An analysis of the findings identified that the Guidelines failed to adequately incorporate data protection principles and fully comply with the DPA's confidentiality and security requirements. Appropriate recommendations are made to address existing gaps in the Guidelines.The information on the policy brief was primarily derived from extensive desktop research and a comparison of the Guidelines and the DPA. This policy brief is intended to inform the Ministry of Health, the Office of the Data Protection Commissioner (ODPC), and other relevant stakeholders in the health sector about the importance of aligning the Guidelines with the DPA's data protection provisions.
Developing Data Protection Guidelines For The Health Sector In Kenya
Kenya adopted the Data Protection Act (DPA) in 2019, fortifying individuals’ right to privacy and strengthening protection of their personal data. The DPA introduced new standards for processing of personal data for which health data is a special category, sensitive personal data. With the continued adoption and use of technology in the Kenyan health sector, it is inevitable that there will be a continued rise in the production and processing of data. Sector specific guidelines on data protection are vital in ensuring the implementation and compliance with the provisions of the act throughout personal data processing activities. This policy brief highlights, the existing laws and policies in the health sector, and the extent to which they provide for data protection highlighting the need for sector specific guidelines. It identifies existing policy gaps and makes recommendations on areas that must be considered in the development of data protection guidelines for the health sector in Kenya.
IMAGE RIGHTS - Release Form Information Pack


This comprehensive info pack offers an essential guide to understanding and using image rights release forms effectively. Learn about image rights release forms, including what they are, why they are important, how to use them, and common mistakes to avoid. The info pack includes a variety of resources, including sample image rights release forms and tips for drafting and negotiating image rights release agreements.
Contextualising Political Advertising Policy to Political Micro-Targeting in Kenyan Elections

Contextualising Political Advertising Policy to Political Micro-Targeting in Kenyan Elections


The changing nature of election campaigns in Kenya over the years fuelled an investigation as to how data driven campaigns have been utilised by political parties to reach the electorate. Technological advancements have made political actors to utilise online communication to reach voters through social media platforms such as Facebook and even Twitter. The rise of these social media platforms and the existence of big data have also contributed to the practice of political microtargeting. The purpose of the report was to find out the extent of political microtargeting in the 2022 Kenyan general election campaigns, to analyse the laws applicable to microtargeting in Kenya together with their existing shortcomings and to find out how external policy initiatives can inform Kenya’s regulatory approach on political microtargeting.

The methodology used involved the collection of data through desktop research, doctrinal research which was useful in analysing existing Kenyan laws and comparative research which was used in assessing policy initiatives from other countries and making appropriate recommendations. The investigation also involved data collection that focused on paid Facebook advertisements for political candidates that took part in the 2022 presidential and gubernatorial elections held in each of the 47 counties in Kenya.

The findings from the report indicate that:

  • The data collected showed that political microtargeting took place in the 2022 general elections to a certain extent.

  • There are laws in Kenya which are applicable to the regulation of political microtargeting.

  • External policy initiatives will play a fundamental role in informing Kenya’s regulatory approach to political microtargeting.

The full report contains the detailed analysis of the study that was conducted and the findings that were obtained.

Contextualising Political Advertising Policy to Political Micro-Targeting in Kenyan Elections Pamphlet

Contextualising Political Advertising Policy to Political Micro-Targeting in Kenyan Elections


Mapping of Automated Decision Making (ADM) in African Countries

The rapid advancement of technology has increased the use of Automated Decision Making (ADM) systems in various sectors. These refer to using algorithms, machine learning, and artificial intelligence (AI) systems to make decisions or assist in decision-making processes. This project mapped the various applications of Automated Decision Making (ADM) systems in Africa, in the fields of agriculture, education, finance, healthcare and public administration. The project also mapped countries with legal provisions governing ADM, in recognition of the fact that while these systems can improve efficiency and decision-making, they also raise concerns about bias, accountability, and privacy rights.

International Data Transfer Principles in Kenya

International Data Transfer Principles in Kenya

Project description

The research project sought to establish a clear framework for conducting lawful international personal data transfers (IPDTs) under the existing provisions of the Kenya Data Protection Act (DPA). Section 48(b) DPA states that transfers of personal data outside Kenya are permitted only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and with respect to jurisdictions with commensurate data protection laws. However, the Kenyan data protection framework fails to enumerate the metrics for determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Importance of project

The inadequate nature of the current IPDT framework under the Kenyan DPA enables organizations to flagrantly conduct cross border data transfers without concern for their data subjects and the possible violation of their privacy-related rights in foreign jurisdictions. The rationale for the implementation of an IPDT regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction. The policy brief proposes an evaluation criterion that shall be relied upon by the ODPC when determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Research methodology

This study determined principles that are necessary to evaluate the proportionality of a foreign jurisdiction’s data protection framework by conducting a comparative and situational analysis of the DPA and the EU GDPR and its supplemental guidelines (Article 29 Data Protection Working Party Adequacy Referential Guidelines) on cross border data transfers.

Main findings

The policy brief outlines 13 principles that need to be present within a foreign jurisdiction’s data protection framework in order to be considered ‘adequate’ to the Kenyan DPA and its subsequent regulations. The principles can be categorised into Content Principles and Procedural and Enforcement principles.

Data Governance in Africa

Data Governance in Africa

The aim of the Data Governance Resource Centre (DGRC) is to contribute to the body of evidence available for those influencing policy in data protection, data bias, open data, & other issues pertaining to data governance with a focus on issues relevant to the Global South, in particular Africa. In response to this overarching aim the DGRC has embarked on a Data Governance Principles Project that will provide introductory and background information on what Data Governance is in the global context as well as in Africa. The research collates studies on data governance that have already been conducted, as well as provide understanding of data governance from both theory and practice by engaging with stakeholders within data governance on the continent.

As a result of the mapping and engagement with Stakeholders the DGRC visually represents the Regulators across the continent that provide for the regulation of both personal and other data. These regulators include Data Protection Regulations and Other Regulators tasked with regulating the provision of electronic communication services and products, sets standards for the ICT sector and protecting the rights and interests of consumers, service providers, suppliers, and manufacturers. This stakeholder map can be used to analysed and understand which regulators are involved in and responsible for the governance of data, development of policies for the governance of data and handling of complaints in relation to the governance of data.

Understanding Cybersecurity and Data Protection in Mauritius, Kenya, and Zimbabwe

Understanding Cybersecurity and Data Protection in Mauritius, Kenya, and Zimbabwe


Data governance relies heavily on security. However, due to a lack of precise definitions in legislation, there is frequent confusion between data protection and cybersecurity. These two topics are misunderstood and confused due to a lack of understanding of how to approach them effectively. As a result, because the approach is derived from the comprehension, it typically varies significantly from country to country.

Over time, legal policies and frameworks have lagged behind technological advances, especially in cybersecurity and data protection. Long-term, this could create legislative gaps regarding data governance and emerging technologies. This study examined the cybersecurity and data protection laws in Mauritius, Kenya, and Zimbabwe in an effort to comprehend their perspectives on cybersecurity and cybercrime, as well as the reasons for their disparities. It identified current issues at the intersection of cybersecurity and data protection in the studied countries and evaluated their cybersecurity and data protection approaches.

 Understanding Cybersecurity and Data Protection in Mauritius, Kenya, and Zimbabwe

Understanding the Law in Upholding Image Rights: Perspectives from Around the World and Kenya.


How well do you understand your image rights and the best way to protect your image rights? Read our latest research on understanding your image rights. This report gives a diversified understanding of global and local perspectives on the protections offered to image rights and how to exercise and protect your image in the ever-evolving digital world.

IMAGE RIGHTS - Release Form Information Pack Introduction

Brief description

This comprehensive info pack offers an essential guide to understanding and using image rights release forms effectively. Learn about image rights release forms, including what they are, why they are important, how to use them, and common mistakes to avoid. The info pack includes a variety of resources, including sample image rights release forms and tips for drafting and negotiating image rights release agreements.

Research on the Data Governance Structures of AI Across Africa

Research on the Data Governance Structures of AI Across Africa.

The fast developing AI ecosystem in Africa promises to address the challenges on the continent by, in part, driving growth and development in the key sectors of agriculture, healthcare, public service and financial services. Data is at the core of the development and use of AI technologies.

Data governance (DG) is the process of managing the availability, usability, integrity, and security of the data based on data standards and policies that also control data usage.” 1 DG is the foundation of trustworthy AI as its development and use relies solely on data input. DG structures serve to prevent the misuse and or exploitation of data and play a significant role in the protection of the fundamental rights and freedoms of data subjects.

Developments in AI in Africa are predominantly driven by the private sector. There is growing interest from African governments in engendering strategies to govern AI locally, regionally, and across the continent.

Some African countries (22 out of the 54) have enacted of data protection legislation. National and regional data governance frameworks, e.g., the Supplementary Act on Personal Data Protection adopted by the Economic Community of West Africa States (ECOWAS), the SADC Model Law on Data Protection developed by the Southern Africa Development Community (SADC) in 2010 and adopted in 2013, the EAC Framework on Cyber Laws adopted by the East African Community (EAC), and the AU laws on data protection have played a big role in the creation of data governance structures within the continent. There is, however, as yet, no legislation specific to the regulation of AI on the continent.

Legislation will influence and impact development, adoption and growth of AI technologies in Africa. We seek to understand policies relating to data governance specific to AI on the continent; recommend policies to local, regional and global that will allow for equitable data practices, and the evolution of data practices in relation to AI technologies in both the private and public sectors.

1 Craig Stedman, Jack Vaughan , ‘What is Data Governance and Why does it Matter?’ (Tech Target , February 2020) <>

Automated Decision-Making Policies in Africa



The rapid advancement of technology has increased the use of Automated Decision-Making (ADM) systems in various sectors such as healthcare, finance, and government service delivery in Africa. While they improve efficiency, ADM systems raise concerns about human rights violations, bias and accountability. Currently, data protection laws regulate ADM systems on the African continent by requiring transparency and accountability from data controllers and processors involved in ADM. Laws such as the South African Protection of Personal Information Act (POPIA), the Nigerian Data Protection Regulation (NDPR), the Ghana Data Protection Act and the Kenya Data Protection Act include data subjects’ right not to be subjected to decisions impacting them, which are based solely on ADM. However, there remain specific gaps in these laws, where some such as the Ghana Act, lacks provisions for Data Protection Impact Assessments (DPIAs) when conducting high-risk data processing such as ADM. Thus, the requirement of DPIAs must be included in African laws to cater for the risks associated with ADM, such as bias and discrimination. African nations must also increase their adoption of AI governance policies and best practices such as the General Data Protection Regulation (GDPR) ADM principles, the OECD Principles on Artificial Intelligence, and the UNESCO Recommendation on the Ethics of Artificial Intelligence to alleviate these risks.

Why Data Protection Matters for Development: The Case for Strengthening Inclusion and Regulatory Capacity

Why Data Protection Matters for Development: The Case for Strengthening Inclusion and Regulatory Capacity.

A policy note from Centre For Global Development that draws on insights gained from the Governing Data for Development project. The note summarizes key takeaways from the interviews, roundtables, and working group meetings we held over the last two years with more than 100 experts working on different facets of data policy. It also offers suggestions for policymakers seeking to regulate data use while keeping up with rapidly evolving digital practices and provides recommendations for how the international development community and high-income countries can promote a more inclusive digital economy and a level regulatory playing field.

National Statistical Offices in the Digital Era

National Statistical Offices in the Digital Era

The Digital Era and Data: Considerations for National Statistical Office (NSOs) in the Digital Data Ecosystem.

This report focuses on the digital transformation in National Statistical Offices NSOs in the digital era, focusing on changes in their data collection practices, and the transition from traditional roles to new roles introduced through digitization. The research report highlights the changes and challenges facing NSOs in leveraging new data sources, and in the adoption and implementation of new technologies in carrying out their function as the official statistical body. As producers of official statistics, NSOs play a significant role in informing stakeholders' decision-making processes especially as the decisions relate to societal needs and policy formulation. Transitioning to digitized processes and approaches of collecting processing and disseminating statistical information suggests the ability to leverage new data sources for modernized statistical systems, this will influence and improve data collection processing and dissemination processes. Part of this report focuses on Kenya’s national statistical office, the Kenya National Bureau of Statistics (KNBS), the principal agency of the government of Kenya for collecting, analyzing, and disseminating official statistical information. The main focus is to evaluate the changes that have been adopted with reference to its overall functioning role with the adoption of technology and digitization from a technical and organizational perspective, further looking at its legislative composition and relation to data protection. It also looks at traditional modalities that have been replaced with technology and makes recommendations with respect to any identified gaps. This is in consideration of the legal systems that enable the adoption of technology and use of data with a primary focus on the offices' data governance structures and data protection policies.

The Digital Era and Data: Considerations for National Statistical Office (NSOs) in the Digital Data Ecosystem