Kenya Has a Data Protection Law, So Why Does Our Privacy Still Feel Exposed?

Every day, Kenyans hand over personal information (names, ID numbers, phone numbers) at the entrances of government offices, malls, private residences, universities, schools, libraries, museums, NGOs, and workplaces. Whether you’re in Mombasa or Turkana, this routine data collection is so normalized that many of us never stop to ask: where does this data go? Who stores it? Is it protected? What happens when the black books used to record these details are full? Who has access to them, and could they be misused? The truth is unsettling.

This seemingly benign habit of surrendering personal information has deeper implications in a country experiencing rapid digital growth but still grappling with gaps in enforcement and awareness of data protection laws. From the Kenya Revenue Authority (KRA) and the National Transport and Safety Authority (NTSA) to mobile money agents and telcos, every institution is harvesting our personal data. Banks and SACCOs have it. Employers do. Even M-Pesa agents demand to see and record your ID. But what governs their use of that data? And what happens when your number ends up in the hands of a scammer texting you from prison? (Yes, that happened. In 2022, several fraud cases were traced back to inmates using illicitly acquired personal data.)

Let’s be clear: Kenya does have a data protection law. The Data Protection Act, 2019, was enacted to align with Article 31 of the Constitution of Kenya, which guarantees the right to privacy. The law provides for the regulation of the processing of personal data and established the Office of the Data Protection Commissioner (ODPC) to oversee compliance. Additional regulations passed in 2021 and 2022 further operationalized the Act.

So why does it still feel like we’re exposed?

Despite this legal framework, implementation remains weak. For many citizens, the law is distant, and its protections feel abstract. Walk into a government office, and you’ll likely still be asked to write your name, phone number, ID number, and car registration in a paper logbook left on a security desk. That’s not just poor practice; it’s potentially illegal under the Data Protection Act, especially when this data is not collected with clear consent, stored securely, or used for a specific lawful purpose.

Many private institutions, including telcos, declare in their privacy policies that they will not share your data without consent. But do they always comply? The evidence suggests otherwise. The ODPC has already issued fines and warning notices to companies misusing personal information. In early 2023, OPPO Kenya was fined KSh 5 million for violating data protection laws.

Kenyans have a right to know who the custodian of their data is, how it is used, and for what purpose. Yet this right is routinely violated or ignored in practice. Even the rollout of Huduma Namba, Kenya’s national digital ID project, was marred by legal controversy. In Nubian Rights Forum & Others v Attorney General & Others [2020], the High Court ruled that the rollout of Huduma Namba without a comprehensive regulatory framework contravened the Constitution. The court temporarily halted the process, underscoring the need for safeguards when collecting and processing personal data.

Let’s not forget TOS v Maseno University [2016], a landmark privacy case in which the High Court ruled that using an individual’s image without consent violated their right to privacy. This ruling reinforced the importance of consent in data collection and disclosure, even within academic institutions.

The Kenyan state is not the only culprit. Even private citizens and businesses engage in systemic mishandling of data. In universities, for instance, your data is collected at admission and stored in multiple digital and physical records. If you’ve ever registered a company, taken a student loan through HELB, applied for CRB clearance, or voted, your data sits in at least ten different databases.

The lack of transparency and accountability in how this information is handled is dangerous. It leaves the door open for identity theft, unauthorized marketing, profiling, surveillance, and fraud.

This brings us to the heart of the matter: enforcement. Kenya’s data protection crisis isn’t about the absence of laws; it’s about the lack of enforcement muscle, limited public awareness, and insufficient political will to hold violators accountable. Even during major data collection efforts, such as the national census or e-Citizen platform upgrades, the government has done little to educate the public on their data rights. The silence is telling.

We must demand better. The Data Protection Act must not remain a document on paper. Public institutions, private companies, and individuals must be compelled to adhere to its principles: purpose limitation, data minimization, accuracy, storage limitation, and integrity. And citizens must be educated about their rights.

In an era where personal information is currency, Kenya cannot afford to be complacent. We are not data points. We are citizens. And our data deserves protection.

Ohaga Ohaga is a Kenyan Journalist, Writer, and Communication Specialist with special interest in Media Law and Political Communication. He remains a close observer of, and participant in, Journalism and the Media.
