Kenya: Office of the Data Protection Commissioner issued guidance note on processing of health data under Data Protection Act

On 22 December 2023, the Office of the Data Protection Commissioner (ODPC) adopted the "Guidance Note on the Processing of Health Data" clarifying obligations under the Data Protection Act, 2019. The guidance outlines the principles for lawful processing, including the necessity for consent or legal obligations, and ensures that personal health data is processed transparently and for specified legitimate purposes. The guidance specifies the rights of data subjects, including the right to access, rectify, erase, and object to the processing of their health data. Additionally, it provides instructions for implementing security measures, conducting data protection impact assessments (DPIAs), and ensuring that health data is shared or transferred in compliance with data protection requirements. The guidance also emphasises the need for healthcare institutions to ensure data protection by design and by default, and to notify the ODPC in the event of a data breach.