Health Data Protection in Kenya: Strategic Compliance for Insurers, Reinsurers and Insurance Service Providers under the Data Protection Act Cap. 411C and Digital Health Act No. 15 of 2023
Insight Article, 17 March 2026
Africa | Regulatory movement | Insurance and reinsurance
Kenya’s data protection regime is moving decisively from policy to enforcement.
The Office of the Data Protection Commissioner (ODPC) recently reported having handled over 9,000 complaints and issued 184 compensation orders to data subjects. Recent enforcement actions have also included administrative fines running into millions of shillings, binding enforcement notices and mandatory corrective action plans, signalling a clear shift from advisory oversight to active regulatory sanction. Read alongside the numerous penalty and enforcement notices issued by the ODPC, this shows a growing willingness to impose remedies that carry a real cost. At the same time, the Insurance Regulatory Authority (IRA) is staffing up its cybersecurity supervision function, an indicator that scrutiny of information risk is likely to intensify for insurers and insurance intermediaries in the coming year.
The bar is higher still for health insurers, who must comply not only with the general Data Protection Act 2019 (the DPA) but also with the sector-specific Digital Health Act 2023 (the DHA), the subsidiary regulations made under each, and the guidelines issued by the ODPC and the Digital Health Agency (the Agency). In 2026 the practical interaction between these frameworks is no longer theoretical: regulators now expect demonstrable operational alignment, documented governance structures and board-level accountability for health data compliance.
The basics of health data handling in Kenya
To ensure compliance, any entity handling health data in Kenya must begin by satisfying the DPA’s registration requirement in the appropriate capacity, whether as a data controller or as a data processor. Health insurers will ordinarily qualify as data controllers, while insurance intermediaries and third-party administrators (TPAs) will typically fall within the definition of data processors; all are therefore required to register with the ODPC and maintain a valid registration certificate. The Agency, which maintains a register of health data controllers, must be notified of this registration within seven (7) days. In addition to their own registration, insurers, intermediaries and TPAs must disclose all entities reasonably expected to be involved in the processing and ensure that those entities are duly registered. This requirement was established in the Worldcoin case (ODPC v Tools for Humanity Corporation (Worldcoin) & 2 others), where the High Court held that failure to properly register and disclose exposes an entity to criminal penalties and fines. The decision has also been read as reinforcing the principle that data protection compliance is assessed across the entire processing chain, not merely at the point of collection.
Kenya’s data protection regime emphasises purposive and justifiable processing, subject to a legitimate purpose assessment. Health insurers must therefore establish clearly what data they need and why they need it before processing begins. Best practice is to identify at least one lawful basis for each processing purpose, for example performance of the insurance contract for claims processing, or legitimate interest for fraud checks. Where reliance is placed on legitimate interest, a documented legitimate interest assessment should be maintained to demonstrate that the insurer’s interests have been balanced against the data subject’s rights.
Moreover, insurance products must be designed with the law in mind, in particular the requirement for privacy by design and by default. Key design elements (lawfulness, transparency, purpose limitation, minimisation, confidentiality, accuracy and storage limitation) must be built into the product from the outset. This expectation increasingly extends to vendor procurement, system architecture decisions and API integrations with hospitals and pharmacies. Where automated decision-making produces a ‘significant effect’, for instance in claims adjudication, pricing or fraud scoring, safeguards such as human review and a right to contest the decision must be provided. Given the growing use of AI-driven underwriting tools, insurers should conduct Data Protection Impact Assessments (DPIAs) that specifically address algorithmic bias, explainability and model governance.
Health-Sector Specific Data Protection Requirements
Building on the DPA, the DHA creates sector-specific compliance standards. The Court of Appeal stayed the High Court’s decision that had declared aspects of the DHA unconstitutional, thereby allowing the DHA to operate pending determination of the appeal. As a result, the Agency, which is established under the DHA, is in operation and appears to be working towards the DHA’s main goal, the Comprehensive Integrated Health Information System (CIHIS). CIHIS is intended to manage the digital systems necessary for health information exchange by bringing together and integrating all entities involved in the health sector: the government, healthcare providers and financial services providers. To facilitate smooth onboarding, participants will be required to format their data records to harmonise coding and terminology for interoperability across their own and the Agency’s platforms. For insurers operating older claims management systems, this is likely to require material investment in legacy system upgrades, data standardisation and structured data migration.
Furthermore, the Cabinet Secretary has the power to prescribe the security measures applied in CIHIS, including multi-factor authentication and other methods of verifying the identity of every person seeking access to the health data in its custody. The Agency will likely implement these through its official certification programme, the Digital Health Certification for Safer Healthcare, which evaluates defined domains against set criteria and awards a certification on a scale ranging from compliant to future ready. CIHIS is thus set to become the sector standard for administrative structure and security, as its certification is likely to guide the assessment of other entities. Insurers that fail to align early risk operational bottlenecks during onboarding and potential supervisory intervention.
Beyond holding all of Kenya’s health data, the Agency intends to use CIHIS to regulate access to that data. The Agency is mandated to maintain a record of every health data controller, manage their access to CIHIS components, and onboard the various health data processors onto their respective platforms. Health data controllers, in turn, are required to maintain a register of all the processors they engage and to govern those processors’ role-based access. Mandatory registration is likely to act as the initial gatekeeper for the role-based access system: the reasons for health data processing given during registration with the ODPC will likely be considered when determining the level of access an entity or its representatives have to information in CIHIS. By having data processors answer to data controllers, and data controllers answer to the Agency, the goal is a coherent system in which information is disclosed on a strict need-to-know basis at every level. This layered accountability model effectively embeds regulatory supervision into the system architecture. The rollout of the various systems that form part of CIHIS, while a key step towards integrated digital health management, has faced criticism over procurement transparency, high costs, technical glitches and limited governance oversight, highlighting operational, technical and accountability challenges that stakeholders must address.
Health data is expressly classified as sensitive personal data under the DPA, requiring stricter protection in its collection, use, distribution or transfer, and retention. The DHA builds on this foundation with specific requirements for health data processing. Health data controllers bear a distinct responsibility to protect health data through reasonable safeguards and are required to retain health data for at least 20 years, crystallising a retention requirement only hinted at in the DPA.
On cross-border transfers, the DPA permits the transfer of personal data out of Kenya only where specific conditions are satisfied: the transfer must be necessary for the intended processing purpose, carried out with the informed consent of the data subject, or undertaken subject to appropriate data protection safeguards. Where personal data is transferred to a third country or an international organisation, the data controller or processor must ensure that adequate safeguards are in place to guarantee a level of protection comparable to that provided under the DPA.
Separately, the DHA establishes national and county health data banks and requires health data controllers to transfer records to these repositories within the timelines set out in the Digital Health (Health Information Management Procedures) Regulations. Under this framework, controllers must transfer health records to the national health data bank within one year of the Regulations coming into force, and to the relevant county health data banks within twenty-four (24) months after those county systems become operational. Although the national and county infrastructure is still being rolled out, the Agency has already operationalised several registries and data platforms, indicating that the national system is nearing full implementation. Entities that process health data should therefore already be preparing for eventual compliance with the statutory transfer requirements.
A further localisation provision in the DHA is less clearly articulated and potentially inconsistent with the existing regulatory framework. The DHA appears to limit the cross-border transfer of personal health information to circumstances involving health tourism. This is a marked departure from the position adopted by the ODPC in its Guidance Note on the Processing of Health Data, which allows cross-border transfers where the data subject has given informed consent, where the transfer is necessary, or where adequate safeguards exist in the receiving jurisdiction. If that provision (section 47 of the DHA) were interpreted strictly, it could significantly affect organisations that rely on offshore storage or foreign cloud infrastructure, and may particularly disrupt health data processors or insurers operating in Kenya without a local data presence.
That said, an alternative reading is that the restriction is intended to apply primarily to the Agency itself, limiting the circumstances in which the Agency may transfer the health data it holds, rather than imposing an outright prohibition on other health data controllers. Given this ambiguity, organisations relying on foreign-hosted systems should reassess their data storage arrangements to determine their exposure to localisation requirements and to ensure that appropriate transfer impact assessments and safeguards are in place.
Lastly, the DHA introduces a new and more prescriptive incident response framework. The Agency, through its Chief Executive Officer, must be notified of a breach within forty-eight (48) hours of the controller becoming aware of it. Within seventy-two (72) hours of that initial notification, the controller must also provide details of the corrective measures taken, the mitigation actions adopted and the timelines for rectifying the breach. The DPA’s general breach reporting requirements continue to apply in parallel: the ODPC must be notified within seventy-two (72) hours and the data subject informed within a reasonable timeframe. Both the ODPC and the Agency also operate internal complaints procedures. Health data controllers and processors should therefore be aware that administrative contraventions of the DHA (such as providing false or misleading information, or impeding officers acting under the DHA) will be handled by the Agency, whereas complaints relating specifically to data breaches will be dealt with under the DPA and fall within the ODPC’s oversight. Under the DHA, a person convicted of an offence may face a fine of up to one million shillings, imprisonment for up to fifteen (15) years, or both. For offences under the DPA for which no specific penalty is prescribed, the offender may be liable to a fine of up to three million shillings, imprisonment for up to ten (10) years, or both. In addition, the court may order the forfeiture of any equipment used in the offence or issue orders to halt ongoing violations.
Implications for the structuring of health insurance operations
The rising compliance requirements will affect several aspects of health insurance. The Agency is arriving as a data custodian, though the impact of this new actor on those already operating in the health data space remains to be seen. The Agency and the ODPC will work in tandem to ensure the security of health data. However, beyond the obligation to notify both bodies of data breaches, data protection complaints will continue to be handled exclusively by the ODPC, even where they are filed with the Agency. Offences under the DHA are confined to administrative failures, such as providing false information or interfering with the performance of obligations under the DHA. Furthermore, the Worldcoin case points to an increased likelihood of joint liability for any failure to comply with data protection requirements at any point in the chain of control. Contracts between data controllers and processors must therefore be in writing and must cover purpose limitation, security, audits, assistance with data subject rights requests and breaches, return or deletion of data at the end of the engagement, and the controller’s instructions to the processor. Sub-processing must receive the controller’s prior authorisation. Parties must also assess when the restrictions in the Data Protection (General) Regulations on processing that must be carried out in Kenya apply to their own processing activities. In practice, this may require insurers to revisit outsourcing models, particularly where claims adjudication or data analytics functions are performed offshore.
The practical position on cross-border transfers of health data must be closely monitored. As the DHA proposes tighter restrictions on cross-border transfers of health data, health insurers and other actors in the sector should work closely with the Agency and the ODPC to ensure continued compliance. Standard contractual clauses, transfer impact assessments, and documented adequacy evaluations should form part of the compliance toolkit.
Practical Next Steps
Considering the shift discussed above, health insurers should take the time to verify their compliance. The following are quick starting points for consideration:
- Ensure proper ODPC registration and certification. Health insurers must be registered with the ODPC as data controllers or processors and maintain a valid registration certificate. Entities that process data on behalf of health insurers must likewise be registered as data processors and hold a valid certificate. Health insurers, as data controllers, should regularly verify the registration status of every processor they engage.
- Notify the Agency of your ODPC registration. Although there is no publicly accessible platform for updating the register of health data controllers, notifications may be submitted to the Agency through its designated communication channels.
- Review controller-processor and sub-processing agreements for compliance. Contracts should clearly set out the scope of work, responsibilities for data handling, and obligations during and after the engagement with processors or sub-processors.
- Review internal policies and align them with statutory requirements. Data retention policies should provide for the secure retention of health data for the mandated 20-year period, while privacy and access policies should enforce role-based access to sensitive information.
- Set up safeguards for automated decisions. With the increasing use of technology and artificial intelligence in insurance operations, accessible channels for human review and appeal should be established for decisions that have a significant effect on data subjects.
In conclusion, Kenya’s health data protection framework now combines the principles-based DPA with the more prescriptive sector-specific requirements of the DHA, together with detailed guidance from the ODPC, collectively requiring demonstrable accountability, rigorous privacy safeguards and clear evidence of control throughout the insurance lifecycle. Stakeholders within the health insurance space and related sectors should therefore maintain comprehensive and current lawful basis maps, DPIAs, processor agreements, security logs, data subject rights workflows, and cross-border transfer safeguards to ensure sustained compliance as the regulatory landscape continues to evolve.
For organisations or individuals requiring guidance or support on insurance matters, data protection or broader compliance issues, please contact Jared Kangwana at jared.kangwana@clydeco.com or Nelly Tuitoek at nelly.tuitoek@clydeco.com for professional assistance.