Data and Information Sharing Policy

15 February 2021 4 minutes read


The Data Protection Act, 2019 seeks to create an institutional framework and legal guidelines for the processing of personal data in Kenya and those belonging to Kenyans. It also came in to give life to, and to specify the right to privacy as already enshrined in Article 31 (c) and (d) of the Constitution. It sets out the procedures for data controllers to follow in the processing of personal data.

Right to Access to Information

The right of access to information is worldwide recognized as a human right and provides that individuals have a basic human right to demand information held by government bodies. It derives from the right of freedom of expression to “seek and receive information”. Article 35 of the Constitution provides for the rights of citizens to access information and the right to the correction or deletion of untrue or misleading information that affects the person. Section 25 of the Data Protection Act sets out the principles and obligations of personal data protection. Section 26 envisages the rights of a data subject. As per these provisions, the right to information and the right to privacy have been well articulated. However, there is now need to strike a balance on the two as both are rights provided for in law.

Right to Privacy

Privacy is a fundamental human right, enshrined in numerous international human rights instruments. This right supports other fundamental rights and freedoms including the right to equal participation in political and public affairs, and the freedoms of opinion, expression, religion, peaceful assembly, and association.

Balancing the right to access to information vis a vis right to privacy

In the context of Human Rights Law, there is no preferential treatment regarding the rights accorded to persons. The rights must be decided on a case to case basis with the main aim to achieve relative importance of various interests. However, it is important to note that there are certain limitations to these rights.

Elements of Right to Access to Information

Sec 4(1) of Access to Information Act provides for the right to information and the circumstances under which the information can be obtained. Section 6 of the Act lays out the limitations of right to access information. From this, we gather that in as much as the rights are provided for, there are also limitations on the right to access to information.

Principles of Right to Privacy

The legal right to privacy is recognized in Kenya and in most international human rights treaties. There are some laid out principles governing the right to privacy:

i. Purpose specification—The purposes for which personal data are collected should be specified and the subsequent use should be limited to fulfilling those purposes. In the event of fulfilling such other purposes, the change of purpose needs to be communicated.

ii. Use limitation – Personal data should not be disclosed or made available, or otherwise used for purposes other than those specified above, except under the laid out such as the consent of the data subject, or by the authority of law.

iii. Security safeguards – Reasonable security safeguards should be used to protect personal data against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.

iv. Individual participation – An individual should know if their information has been collected and must be able to access it if such data exists.


It is important to take note that the right to information and the right to privacy are not always conflicting rights. Both are internationally recognized human rights with long histories and important functions. As such, no right is accorded a greater weight than the other. The rights must be decided on a case-by -case basis with a view toward the relative importance of various interests.