Summary

Electronic Medical Record (EMR) systems have been adopted in Kenya’s health sector to streamline and improve healthcare. Their introduction was informed by data complexity, volumes of patients served and the desire to have efficient health information systems. From 2010, their implementation and use was regulated solely by the Standards and Guidelines on the Implementation of EMR systems in Kenya before the enactment of the Data Protection Act (DPA) in 2019. The DPA established new rules and mechanisms for the processing of personal data that were not considered in the formulation of the Guidelines. On this basis, this policy brief sought to compare the Guidelines vis a vis the DPA, identifying gaps in relation to data protection in the processing of health data. An analysis of the findings identified that the Guidelines failed to adequately incorporate data protection principles and fully comply with the DPA’s confidentiality and security requirements. Appropriate recommendations are made to address existing gaps in the Guidelines.The information on the policy brief was primarily derived from extensive desktop research and a comparison of the Guidelines and the DPA. This policy brief is intended to inform the Ministry of Health, the Office of the Data Protection Commissioner (ODPC), and other relevant stakeholders in the health sector about the importance of aligning the Guidelines with the DPA’s data protection provisions.