Kenya Data Protection Act: Schools Compliance Guide

Action Points for Educational Institutions

Critical Compliance Alert

Penalties up to KES 5 million for non-compliance. Schools must register with ODPC immediately and implement these measures to protect student data and avoid legal consequences.

1. Immediate Actions Required CRITICAL

Target: complete within 30 days. The 30-day window is this guide's own phasing, not a statutory grace period; the registration and other duties already apply.

ODPC Registration (MANDATORY)
Visit www.odpc.go.ke and complete registration
Submit prescribed form with fees
Obtain registration certificate
Appoint Data Protection Officer
Select qualified staff member or external consultant
Issue formal appointment letter
Define roles and responsibilities
Emergency Privacy Fixes
Remove exam results from public notice boards
Stop posting student photos without consent
Review WhatsApp group data sharing
2. Parental Consent & Child Protection CRITICAL
Parental Consent System
Create consent forms for all data processing
Verify parent/guardian authority
Implement age verification procedures
Provide consent withdrawal options
Photography Consent
Detailed photo consent forms (usage, publication, retention)
Event-specific consent tracking
Opt-out mechanisms for activities
3. Data Audit & Legal Basis HIGH
Comprehensive Data Mapping
Student records and academic data
Staff employment and payroll data
Parent and guardian information
Vendor and contractor data
Legal Basis Documentation
  • Consent: Express, explicit, unequivocal, free, specific, informed
  • Legal Obligation: Academic records, statutory reporting
  • Public Interest: Government education mandates
  • Legitimate Interests: Security, fundraising (with balancing test)
4. Privacy Protection & Security HIGH
Privacy Notices
Create comprehensive privacy notices in plain language
Include on website and enrollment documents
Update regularly to reflect current practices
Technical Security
Multi-factor authentication for all systems
Regular automated backups
Encryption for data transmission and storage
Role-based access controls
5. Sensitive Data Protection HIGH
Health Data Management
Explicit consent for all health data processing
Limit access to authorized staff only
Secure storage with encryption
Emergency access protocols
Biometric & Special Categories
Enhanced security for biometric data
Regular access audits
Document processing justifications
6. Data Subject Rights MEDIUM
Rights Implementation
Access: 7-day response to access requests
Rectification: Prompt correction of inaccurate data
Erasure: Delete data when no longer necessary
Portability: Machine-readable format provision
Procedures Setup
Standardized request handling procedures
Staff training on rights fulfillment
Documentation of all requests and responses
7. Vendor & Processor Management MEDIUM
Due Diligence
Assess processor capabilities before engagement
Review security certifications and practices
Conduct regular compliance audits
Contractual Requirements
Data protection clauses in all contracts
Specify data types, purposes, and duration
Include audit rights and breach notification
8. Breach Management HIGH
Reporting Requirements
Report to ODPC within 72 hours of becoming aware of a breach where personal data was accessed or acquired without authorisation and there is a real risk of harm to the data subjects (Section 43)
Notify affected data subjects in writing within a reasonably practical period after the ODPC notification
Document all breach details and responses
Response Procedures
Immediate containment protocols
Impact assessment procedures
Communication and recovery processes
9. Implementation Timeline ONGOING
Phase 1: Immediate (30 Days)
  • ✓ ODPC Registration
  • ✓ DPO Appointment
  • ✓ Data Audit
  • ✓ Emergency Privacy Fixes
Phase 2: Short-term (90 Days)
  • ✓ Consent Management Systems
  • ✓ Security Measures Update
  • ✓ Staff Training Programs
  • ✓ Vendor Contract Reviews
Phase 3: Ongoing
  • ✓ Regular Compliance Monitoring
  • ✓ Annual Policy Reviews
  • ✓ Continuous Staff Training
  • ✓ System Improvements
10. Penalties & Resources CRITICAL
Financial Penalties
  • Up to KES 5 million or, for an undertaking, 1% of annual turnover of the preceding financial year, whichever is lower (Section 63)
  • Recent case: School fined KES 4.55 million for photo violations
  • Additional penalties for continued non-compliance
ODPC Contact & Resources

Website: www.odpc.go.ke

Address: Britam Towers 12th Floor, Hospital Road, Upperhill, Nairobi

Services: Registration Portal, Education Guidance, Breach Reporting

Available: Online forms, guidance notes, compliance resources

11. Legal Notes & Detailed Context REFERENCE
Legal Framework Overview

Kenya Data Protection Act 2019: The primary legislation governing data protection, closely modelled on the EU GDPR. It applies to processing of personal data by data controllers or processors established or ordinarily resident in Kenya, and to those outside Kenya that process personal data of data subjects located in Kenya (Section 4).

Article 31(c) & (d) of Constitution: Establishes the right to privacy as a fundamental right, which the DPA gives effect to.

Data Protection Regulations 2021: Three sets of regulations give detailed effect to the Act: the General Regulations, the Registration of Data Controllers and Data Processors Regulations, and the Complaints Handling Procedure and Enforcement Regulations.

Why Schools Are High-Risk

Educational institutions process data from over 16 million children and youth with nearly 500,000 teachers across 90,000 schools. The sector handles:

  • Children's Data: Requires heightened protection under the Act
  • Sensitive Data: Health records, behavioral data, family information
  • Large Volumes: Academic records, attendance, performance data
  • Multiple Stakeholders: Students, parents, staff, vendors, government agencies
ODPC Registration - Legal Basis

Sections 18 and 19 & Registration Regulations 2021: Registration with the ODPC. The Registration Regulations exempt some small entities by turnover and headcount, but that exemption does not extend to educational institutions, which must register regardless of size. The ODPC maintains a public register of data controllers and processors.

Consequences of Non-Registration:

  • Administrative fines up to KES 5 million (or 1% of annual turnover, whichever is lower)
  • Potential criminal liability for data controllers
  • Inability to demonstrate compliance
  • Reputational damage and loss of stakeholder trust
Consent Requirements - Legal Context

Sections 32 and 33 & ODPC Guidance on Consent: For children, consent must be given by a parent or guardian, and the burden of proving that valid consent was obtained rests on the school as data controller. Valid consent must be:

  • Express: Clear affirmative action required
  • Explicit: Unambiguous indication of agreement
  • Unequivocal: No room for doubt about intention
  • Free: Given without coercion or negative consequences
  • Specific: Related to particular processing purposes
  • Informed: Data subject understands what they're consenting to

Verification Requirements: The Act requires appropriate mechanisms for age verification and for verifying the consent of a parent or guardian; in practice this means checking government-issued identification or holding signed documentation on file.

Privacy Violations - Case Studies

Recent ODPC Enforcement Actions (penalty notices issued in 2023):

  • School Photo Case (Roma School, KES 4.55M fine): Posting images of minors without parental consent
  • Restaurant Case (Casa Vera Lounge, KES 1.85M fine): Posting a customer's image on social media without consent
  • Digital Credit Provider (Mulla Pride, KES 2.97M fine): Using data subjects' contact information without consent

Common School Violations:

  • Displaying exam results on public notice boards
  • Sharing sensitive data via WhatsApp groups
  • Publishing photos without proper consent
  • Excessive CCTV surveillance in boarding facilities
  • Inadequate data security measures
Data Protection Principles - Detailed Requirements

Lawfulness, Fairness, and Transparency (Section 25):

  • Must have valid legal basis for all processing
  • Processing must not be detrimental to data subject
  • Clear information about processing purposes and methods

Purpose Limitation: Data can only be used for the specific purposes communicated to data subjects

Data Minimization: Collect only what is necessary for the stated purpose

Accuracy: Data must be current, complete, and regularly updated

Storage Limitation: Retain data only as long as necessary for the purpose

Security: Appropriate technical and organizational measures for protection

Sensitive Data - Special Protections

Section 2 - Sensitive Personal Data Definition: Data revealing a person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including names of children, parents and spouses), sex or sexual orientation.

Additional Consent Requirements: Sensitive personal data may only be processed on the narrower grounds the Act sets out for it, over and above the general lawful bases. For the health, family and biometric data a school holds, that will almost always mean explicit parental consent; if the school intends to rely on any other ground, take legal advice and document the justification.

Enhanced Security: Higher level of protection required, including:

  • Encryption of sensitive data at rest and in transit
  • Strict access controls and audit trails
  • Regular security assessments and penetration testing
  • Staff training on sensitive data handling
Data Subject Rights - Implementation Details

Right to Access (Section 26): 7-day response timeline, must provide copy of data and information about processing

Right to Rectification: Correct inaccurate data without delay

Right to Erasure: Delete data when no longer necessary, unlawfully processed, or consent withdrawn

Right to Data Portability (Section 38): Provide data in structured, machine-readable format

Right to Object: Allow objection to processing, especially for direct marketing

Automated Decision-Making: Right not to be subject to purely automated decisions with legal effects

Breach Notification - Legal Requirements

Section 43 - Notification Timeline: Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm, notify the ODPC without delay and within 72 hours of becoming aware of the breach; notify affected data subjects in writing within a reasonably practical period after that

Required Information:

  • Date and circumstances of discovery
  • Chronological account of response steps
  • Details of how breach occurred
  • Number of affected data subjects
  • Types of personal data affected
  • Potential harm assessment
  • Mitigation measures taken

Communication Methods: Online forms at www.odpc.go.ke, email, or postal mail

International Data Transfers

Sections 48 and 49 & General Regulations: Transfers outside Kenya require one of:

  • Adequacy decisions from ODPC
  • Appropriate safeguards (binding corporate rules, contractual clauses)
  • Specific consent for sensitive data transfers
  • Assessment of destination country protections

Cloud Services: Many educational technology platforms may involve international transfers requiring additional safeguards

Vendor Management - Legal Obligations

Section 42 & General Regulations: Written contracts required with data processors including:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Security measures and staff confidentiality
  • Assistance with data subject rights
  • Data deletion or return at contract end
  • Audit and inspection rights
Ongoing Compliance Monitoring

Documentation Requirements:

  • Records of processing activities
  • Data protection impact assessments for high-risk processing
  • Consent records and withdrawal mechanisms
  • Data subject request logs and responses
  • Breach incident documentation
  • Staff training records
  • Vendor compliance assessments

Regular Reviews: Annual policy updates, quarterly compliance assessments, ongoing staff training

12. Compliance Templates & Tools TOOLS
Essential Documents Needed
Data Protection Policy: Internal policy setting out how staff must handle personal data
Privacy Notice: External-facing notice telling data subjects what is processed, why, and what rights they have
Consent Forms: Separate forms for different processing activities
Data Processing Register: Record of all processing activities
Retention Schedule: Data deletion and archiving timelines
Breach Response Plan: Step-by-step incident procedures
Staff Training Materials: Data protection awareness content
Vendor Assessment Forms: Due diligence questionnaires
Sample Privacy Notice Elements

Must Include:

  • School identity and contact details
  • Data Protection Officer contact information
  • Categories of personal data collected
  • Purposes and legal basis for processing
  • Recipients of data (including third countries)
  • Retention periods or determination criteria
  • Data subject rights and exercise procedures
  • Right to withdraw consent
  • Right to lodge complaints with ODPC
  • Source of data if not collected directly
Staff Training Program Outline

Module 1: Data Protection Fundamentals

  • Kenya DPA overview and school obligations
  • Personal data definition and examples
  • Children's data special requirements

Module 2: Day-to-Day Compliance

  • Consent collection and verification
  • Data sharing guidelines and restrictions
  • Photography and media consent procedures

Module 3: Security and Incidents

  • Technical and organizational security measures
  • Breach identification and reporting
  • Data subject rights handling
Consent Form Template Requirements

Photography Consent Form Must Include:

  • Clear description of photo/video usage purposes
  • Specific platforms where images will be published
  • Duration of image retention and usage rights
  • Easy withdrawal mechanism and contact details
  • Parent/guardian signature and date
  • Child's name and class information
  • Option to consent to some but not all uses

General Data Processing Consent Form Must Include:

  • Specific purposes for data collection and use
  • Types of personal data to be processed
  • Third parties who may receive the data
  • Data retention periods and deletion schedules
  • Data subject rights information
  • Contact details for data protection queries
  • Clear language appropriate for target audience
Data Security Checklist

Technical Measures:

Password policies (minimum 12 characters; prefer length and checks against known-breached-password lists over character-class complexity rules and forced rotation, in line with NIST SP 800-63B)
Multi-factor authentication on all systems
Regular software updates and security patches
Encryption for data at rest and in transit
Regular automated backups with off-site storage
Firewall and antivirus protection
Access logging and monitoring systems

Organizational Measures:

Clear desk and clear screen policies
Secure disposal of confidential waste (shredding)
Physical security for paper files and devices
Staff confidentiality agreements
Regular security awareness training
Incident response procedures
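The checklist items "role-based access controls", "limit access to authorized staff only", "emergency access protocols" (Section 5) and "access logging and monitoring" fit together as one mechanism: a policy that decides who may read which category of a student's record, an audit log written on every attempt whether it succeeds or not, and a review query the DPO runs over that log. The following is an added illustration written for this guide, not code from the ODPC or from any school information system; the roles, data categories, break-glass rule, sample students and log format are all assumptions.

```python
"""Least-privilege reads of student records with an audit trail.

Added illustration; not code from the ODPC, the Act, or any school information
system. The roles, data categories, break-glass rule, sample students and log
format are assumptions chosen to show the checklist items in working form.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Data categories. "family" and "health" are sensitive personal data under the
# Act (Section 2), so the policy below opens them to as few roles as possible.
ACADEMIC, ATTENDANCE, CONTACT, FAMILY, HEALTH = "academic", "attendance", "contact", "family", "health"
SENSITIVE = {FAMILY, HEALTH}

# Role -> categories that role may read. Which students a role may see is
# checked separately (a class teacher is limited to their own classes).
POLICY = {
    "class_teacher": {ACADEMIC, ATTENDANCE, CONTACT},
    "head_teacher": {ACADEMIC, ATTENDANCE, CONTACT, FAMILY},
    "school_nurse": {HEALTH, CONTACT},
    "bursar": {CONTACT},
}
# Assumed emergency rule: these roles may read health data in an emergency; every such read is logged for review.
BREAK_GLASS_ROLES = {"class_teacher", "head_teacher"}


@dataclass
class User:
    user_id: str
    role: str
    classes: frozenset[str] = frozenset()  # classes a class_teacher is responsible for


@dataclass
class Student:
    student_id: str
    class_name: str
    data: dict[str, str]  # category -> stored value


@dataclass
class AuditEvent:
    at: datetime
    user_id: str
    role: str
    student_id: str
    category: str
    allowed: bool
    reason: str


class RecordStore:
    def __init__(self, students: list[Student]) -> None:
        self._students = {s.student_id: s for s in students}
        self.audit_log: list[AuditEvent] = []

    def _decide(self, user: User, student: Student, category: str, emergency: bool) -> tuple[bool, str]:
        if category not in POLICY.get(user.role, set()):
            if emergency and category == HEALTH and user.role in BREAK_GLASS_ROLES:
                return True, "break-glass"
            return False, "category not permitted for role"
        if user.role == "class_teacher" and student.class_name not in user.classes:
            return False, "student not in teacher's classes"
        return True, "policy"

    def read(self, user: User, student_id: str, category: str,
             at: datetime | None = None, emergency: bool = False) -> str | None:
        """Every attempt, allowed or not, is written to the audit log before any data leaves the store."""
        student = self._students[student_id]
        allowed, reason = self._decide(user, student, category, emergency)
        self.audit_log.append(AuditEvent(at or datetime.now(), user.user_id, user.role,
                                         student_id, category, allowed, reason))
        if not allowed:
            raise PermissionError(f"{user.user_id} ({user.role}) may not read {category} of {student_id}: {reason}")
        return student.data.get(category)

    def review_queue(self) -> list[AuditEvent]:
        """What the DPO looks at in a periodic access audit: denied attempts on
        sensitive categories and every break-glass read."""
        return [e for e in self.audit_log
                if (e.category in SENSITIVE and not e.allowed) or e.reason == "break-glass"]


def build_sample_store() -> tuple[RecordStore, dict[str, User]]:
    """Constructed sample data (not real students or staff)."""
    students = [
        Student("S-0412", "Grade 6A", {ACADEMIC: "Term 1: 78%", HEALTH: "asthma, inhaler in office", CONTACT: "+254 7xx xxx xxx"}),
        Student("S-0988", "Grade 7B", {ACADEMIC: "Term 1: 64%", HEALTH: "none recorded", CONTACT: "+254 7xx xxx xxx"}),
    ]
    users = {
        "teacher_6a": User("T-101", "class_teacher", frozenset({"Grade 6A"})),
        "nurse": User("N-001", "school_nurse"),
        "bursar": User("B-007", "bursar"),
    }
    return RecordStore(students), users


if __name__ == "__main__":
    store, users = build_sample_store()
    print(store.read(users["teacher_6a"], "S-0412", ACADEMIC))            # own class: allowed
    try:
        store.read(users["teacher_6a"], "S-0412", HEALTH)                  # health data: denied and logged
    except PermissionError as e:
        print("denied:", e)
    print(store.read(users["teacher_6a"], "S-0412", HEALTH, emergency=True))  # break-glass: allowed and queued for review
    for e in store.review_queue():
        print(e.at.isoformat(), e.user_id, e.role, e.student_id, e.category, "ALLOWED" if e.allowed else "DENIED", e.reason)
```

Two design points carry over to a real system: the log entry is written before the decision is acted on, so a denied attempt on health data is visible to the audit even though no data was returned; and the break-glass path does not bypass logging, it only changes the decision, which is what makes "regular access audits" possible.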
Vendor Due Diligence Questions

Key Questions for EdTech and Service Providers:

  • Do you have ISO 27001 or equivalent security certifications?
  • Where is student data stored geographically?
  • What encryption standards do you use for data transmission and storage?
  • How do you handle data subject rights requests?
  • What is your data breach notification procedure?
  • Do you have cyber insurance coverage?
  • Can you provide data processing agreements compliant with Kenya DPA?
  • What happens to data when the contract ends?
  • Do you conduct regular security audits and penetration testing?
  • How do you train staff on data protection?
13. Common Mistakes & How to Avoid Them AVOID
Critical Mistakes to Avoid

Practices like these have already drawn fines in Kenya (see the school photo case in Section 10). Immediate action is required to address any of them.

Photography and Media Violations

❌ Common Mistakes:

  • Taking photos at events without prior consent
  • Using general "blanket consent" for all photo uses
  • Posting photos on social media without specific consent
  • Including children in promotional materials without permission
  • Sharing photos with media outlets without consent

✅ Best Practices:

  • Obtain specific consent for each type of photo use
  • Create photo consent database with easy lookup
  • Train event photographers on consent verification
  • Provide colored wristbands or tags for consenting students
  • Have clear opt-out procedures for events
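The consent form requirements in Section 12 (one record per use, event-specific tracking, a retention period, an easy withdrawal route, "consent to some but not all uses") and the "photo consent database with easy lookup" above describe the same data structure. The following is an added illustration written for this guide, not code from the ODPC or from any school's system. The use types, event names, child and guardian identifiers, dates and the "authority_check" field are assumptions; the lookup is default-deny, so a photo may be used only where a live consent matches that exact use, and an event-specific consent never covers a different event or a general use.

```python
"""Per-use, per-event photo consent register with expiry and withdrawal.

Added illustration; not code from the ODPC or from any school's system. The use
types, event names, child and guardian identifiers, dates and the
"authority_check" field are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


def _as_date(d: date | str) -> date:
    """Accept either a date or an ISO string such as '2025-03-01' (how a form would supply it)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class Consent:
    child_id: str
    use: str                    # one use per record, e.g. "website", "social_media", "print", "media_outlet"
    event: str | None           # None = general consent for this use; otherwise a single named event
    guardian: str
    authority_check: str        # how the guardian's authority was verified, e.g. "national ID seen by registrar"
    granted_on: date
    expires_on: date | None     # None = valid until withdrawn
    withdrawn_on: date | None = None


class ConsentRegister:
    def __init__(self) -> None:
        self._records: list[Consent] = []

    def grant(self, rec: Consent) -> None:
        if not rec.authority_check:
            raise ValueError("verify and record guardian authority before storing consent")
        if rec.use == "all":
            raise ValueError("blanket consent is not accepted; store one record per use")
        self._records.append(rec)

    def withdraw(self, child_id: str, on: date | str, use: str | None = None, event: str | None = None) -> int:
        """Withdraw live consents for a child. use=None withdraws every use; returns how many were withdrawn.
        Withdrawal is not retroactive: uses made before `on` were covered at the time."""
        when = _as_date(on)
        count = 0
        for r in self._records:
            if r.child_id != child_id or r.withdrawn_on is not None:
                continue
            if use is not None and r.use != use:
                continue
            if event is not None and r.event != event:
                continue
            r.withdrawn_on = when
            count += 1
        return count

    @staticmethod
    def _live(r: Consent, on: date) -> bool:
        if on < r.granted_on:
            return False
        if r.withdrawn_on is not None and on >= r.withdrawn_on:
            return False
        if r.expires_on is not None and on > r.expires_on:
            return False
        return True

    def may_use(self, child_id: str, use: str, on: date | str, event: str | None = None) -> bool:
        """True only if a live consent exists for exactly this use, either general or for this event."""
        when = _as_date(on)
        return any(
            r.child_id == child_id and r.use == use and self._live(r, when) and r.event in (None, event)
            for r in self._records
        )

    def consenting(self, child_ids: list[str], use: str, on: date | str, event: str | None = None) -> list[str]:
        """Lookup for the event photographer: who on this list may be photographed for this use today."""
        return [c for c in child_ids if self.may_use(c, use, on, event)]


def build_sample_register() -> ConsentRegister:
    """Constructed sample data (not real children or guardians)."""
    reg = ConsentRegister()
    reg.grant(Consent("S-0412", "website", None, "G-0412a", "national ID seen by registrar", date(2025, 1, 15), None))
    reg.grant(Consent("S-0412", "social_media", "sports_day_2025", "G-0412a", "national ID seen by registrar",
                      date(2025, 1, 15), date(2025, 12, 31)))
    reg.grant(Consent("S-0988", "website", None, "G-0988b", "signed form, ID copy on file", date(2025, 1, 20), date(2025, 2, 28)))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.consenting(["S-0412", "S-0988"], "social_media", "2025-03-01", event="sports_day_2025"))
    print(reg.may_use("S-0412", "social_media", "2025-03-01", event="prize_giving_2025"))  # different event: False
    reg.withdraw("S-0412", "2025-04-10", use="website")
    print(reg.may_use("S-0412", "website", "2025-04-10"))  # withdrawn: False
```

The register stores the verification step alongside the consent because the school, as data controller, carries the burden of proving consent was validly obtained; a lookup that returns True without a recorded authority check would be worthless in a complaint. Keeping expiry on the record also gives the retention schedule something to act on: expired and withdrawn records are what the photo archive review deletes.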
Exam Results and Academic Data

❌ Common Mistakes:

  • Public display of exam results on notice boards
  • Reading out results in class or assemblies
  • Publishing top performers in newspapers without consent
  • Sharing detailed academic information in parent groups
  • Allowing unauthorized access to student records

✅ Best Practices:

  • Private, secure communication of individual results
  • Obtain explicit consent before any public recognition
  • Use secure parent portals for result access
  • Implement access controls for academic records
  • Train staff on confidentiality requirements
WhatsApp and Social Media Groups

❌ Common Mistakes:

  • Sharing sensitive student information in parent groups
  • Discussing individual students' behavioral issues
  • Posting photos of students without consent
  • Sharing financial or family information
  • Using personal devices for school communications

✅ Best Practices:

  • Establish clear guidelines for group communications
  • Use school-managed communication platforms
  • Train staff on appropriate information sharing
  • Regular monitoring of group communications
  • Separate channels for different types of information
CCTV and Surveillance Overreach

❌ Common Mistakes:

  • CCTV cameras in private areas (dormitories, bathrooms)
  • No clear policy on surveillance purposes
  • Excessive retention of CCTV footage
  • Unauthorized access to surveillance systems
  • Using surveillance for non-security purposes

✅ Best Practices:

  • Limit CCTV to common areas and security needs
  • Clear signage about surveillance areas
  • Regular review and deletion of footage
  • Access controls and audit logs for CCTV systems
  • Privacy impact assessment for surveillance
Data Sharing and Third Parties

❌ Common Mistakes:

  • Sharing student data with vendors without contracts
  • Allowing unlimited access to student information systems
  • Using cloud services without data protection agreements
  • Sharing data internationally without safeguards
  • No due diligence on third-party security

✅ Best Practices:

  • Written data processing agreements with all vendors
  • Regular security assessments of third parties
  • Minimum necessary data sharing principles
  • Clear contractual obligations for data protection
  • Regular monitoring of vendor compliance
14. Quick Reference & Emergency Contacts URGENT
Data Breach Emergency Response

Step 1: Immediate containment (stop the breach, secure systems)

Step 2: Assess impact (what data, how many people affected)

Step 3: Document everything (time, circumstances, actions taken)

Step 4: Report to ODPC within 72 hours via www.odpc.go.ke

Step 5: Notify affected individuals in writing

Step 6: Review and improve security measures

Key Deadlines & Timelines
  • ODPC Registration: Immediate (the obligation is already in force)
  • Data Subject Access Requests: 7 days maximum response
  • Breach Notification to ODPC: 72 hours from discovery
  • Breach Notification to Individuals: Reasonable time after discovery
  • Consent Withdrawal: Act on it without undue delay; processing carried out before the withdrawal remains lawful, but no further processing may rely on that consent
  • Data Deletion Requests: Without unreasonable delay
Essential Contact Information

Office of the Data Protection Commissioner (ODPC):

  • Website: www.odpc.go.ke
  • Physical Address: Britam Towers, 12th Floor, Hospital Road, Upperhill, Nairobi
  • Postal Address: Available on website
  • Phone: Check website for current numbers
  • Email: Multiple contact emails available on website

Online Services:

  • Registration Portal: Available on ODPC website
  • Breach Notification Forms: Online submission available
  • Complaint Filing: Online forms and procedures
  • Guidance Documents: Education sector guidance and templates
Legal Resources & Professional Support

When to Seek Legal Counsel:

  • Significant data breaches affecting multiple students
  • ODPC investigation or enforcement action
  • Complex international data transfer arrangements
  • Major system implementations or vendor changes
  • Parental complaints or disputes about data use

Professional Services to Consider:

  • Data protection legal counsel
  • Cybersecurity consultants for technical assessments
  • Privacy consultants for policy development
  • Training providers for staff education
  • IT security firms for system audits
Final Compliance Reminder

Priority Actions for This Week:

  1. Complete ODPC registration if not already done
  2. Remove any public exam result displays
  3. Stop posting student photos without verified consent
  4. Appoint a Data Protection Officer
  5. Begin comprehensive data audit

Remember: Non-compliance can result in fines of up to KES 5 million (or 1% of annual turnover, whichever is lower). Taking action now protects your school, students, and families while demonstrating your commitment to privacy rights.