Confidentiality Undertaking (Kenya)
CONFIDENTIALITY UNDERTAKING
Law of Contract Act Cap. 23 | Data Protection Act No. 24 of 2019
I, [Signatory Name], NIC No. [Signatory NIC Number], KRA PIN: [Signatory KRA PIN], of [Signatory Address], in my capacity as [Signatory Job Title] (the "Signatory"), hereby give this Confidentiality Undertaking in favour of [Organisation Name], of [Organisation Address], BRS Reg. No. [Organisation Reg Number] (the "Organisation"), on [Undertaking Date].
BACKGROUND
The Signatory is about to receive, or has already received, access to confidential information belonging to the Organisation in connection with: [Authorised Purpose] (the "Authorised Purpose"). This Undertaking sets out the Signatory's obligations with respect to that confidential information.
1. CONFIDENTIAL INFORMATION
1.1 "Confidential Information" means all information belonging to or held by the Organisation that is not in the public domain, accessed or received by the Signatory in the course of the Authorised Purpose, including: [Confidential Info Categories].
1.2 Confidential Information includes information stored on computer systems, mobile devices, cloud platforms, and physical documents, whether or not labelled or marked as confidential.
1.3 Where Confidential Information includes personal data as defined in Section 2 of the Data Protection Act No. 24 of 2019, the Signatory acknowledges that such data is subject to the additional protections in Clause 3 of this Undertaking.
2. CONFIDENTIALITY OBLIGATIONS
2.1 The Signatory undertakes to: (a) hold all Confidential Information in strict confidence; (b) not use the Confidential Information for any purpose other than the Authorised Purpose; (c) not copy, download, print, or transmit Confidential Information except as strictly necessary for the Authorised Purpose; (d) not disclose or discuss Confidential Information with any person inside or outside the Organisation without prior written authorisation; (e) immediately report any known or suspected breach of this Undertaking to the Organisation's Data Protection Officer or designated senior manager; and (f) comply with all of the Organisation's information security policies in force from time to time.
2.2 Duration: The obligations in Clause 2.1 shall continue for [Survival Period] after termination of the Signatory's employment or engagement with the Organisation. Obligations relating to genuine trade secrets and personal data shall survive indefinitely.
3. DATA PROTECTION
3.1 The Signatory acknowledges obligations under the Data Protection Act No. 24 of 2019, the ODPC's Data Protection (General) Regulations 2021, and Section 41(1)(h) of the Act, which requires the Organisation to ensure all personnel accessing personal data are bound by written confidentiality obligations.
3.2 The Signatory undertakes to: (a) process personal data only on the Organisation's documented instructions; (b) implement reasonable technical safeguards against unauthorised access or disclosure; (c) not transfer personal data outside Kenya without the Organisation's written consent; and (d) notify the Organisation of any personal data breach within 72 hours of discovery.
4. RETURN OF INFORMATION
4.1 On termination of the Signatory's employment or engagement with the Organisation, or on written demand, the Signatory shall promptly return or securely destroy all Confidential Information — including physical documents, digital copies, email attachments, and device-stored files — and certify compliance in writing to the Organisation.
5. ACKNOWLEDGEMENT OF CONSEQUENCES
5.1 The Signatory acknowledges that breach of this Undertaking will cause irreparable harm to the Organisation, entitling the Organisation to seek an urgent injunction from the High Court of Kenya or refer the dispute to the Nairobi Centre for International Arbitration (NCIA) under the Arbitration Act No. 4 of 1995 (revised 2022) without proof of specific financial loss.
5.2 Breach may also result in disciplinary action, summary dismissal under Section 44 of the Employment Act No. 11 of 2007, personal civil liability, and criminal liability under the Penal Code Cap. 63 and the Data Protection Act No. 24 of 2019.
6. EXECUTION
Signed by the Signatory on [Undertaking Date].
Witness: [Witness Name], [Witness Role].
Accepted on behalf of the Organisation by: [Authorised Representative Name].
Signatory
________________
Signature
Witness
________________
Signature
Authorised Representative (Organisation)
________________
Signature
What Is a Confidentiality Undertaking (Kenya)?
A Confidentiality Undertaking in Kenya is a unilateral signed commitment — made by an individual employee, contractor, intern, board member, professional adviser, or other person — in which the signatory promises to protect the confidential information of a named organisation and to use that information only for authorised purposes. Unlike a Confidentiality Agreement, which is bilateral and requires signatures from both parties, a Confidentiality Undertaking is a one-sided document signed only by the person who is receiving and agreeing to protect confidential information.
The Confidentiality Undertaking is enforceable as a deed or as a simple contract under the Law of Contract Act Cap. 23 (received English law of contract applicable in Kenya under Section 3 of the Judicature Act Cap. 8). Where the undertaking is signed without separate consideration — for example, by a non-employed adviser or a board observer attending a confidential meeting — it should be executed as a deed with appropriate witnessing to avoid any question about the adequacy of consideration. Where signed by an employee as part of employment onboarding, the consideration is the employment itself.
Organisations in Kenya's public sector — national government ministries, county governments, parastatal organisations, and constitutional bodies — routinely require civil servants, consultants, and secondees to sign Confidentiality Undertakings before accessing sensitive government records, security-classified information, or procurement-sensitive data regulated by the Public Procurement and Asset Disposal Act No. 33 of 2015 and the Public Procurement Regulatory Authority (PPRA).
Private sector applications are equally widespread. Financial institutions regulated by the Central Bank of Kenya (CBK) under the Banking Act Cap. 488 and the National Payment System Act No. 39 of 2011 require employees, contractors, and IT service providers to sign Confidentiality Undertakings that incorporate the CBK's Customer Privacy Guidelines. Fintech companies operating in Kenya's Silicon Savannah require developers, designers, and testers to sign Confidentiality Undertakings before accessing production systems containing customer personal and financial data.
The Data Protection Act No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), provides the statutory context for modern Confidentiality Undertakings in Kenya. Under Section 41(1)(h) of the Act, a data controller must implement appropriate technical and organisational measures — including written confidentiality commitments from all personnel who access personal data. The ODPC's Data Protection (General) Regulations 2021 specify that access to personal data must be restricted to authorised personnel bound by confidentiality obligations. A Confidentiality Undertaking signed by every member of staff or contractor who accesses personal data systems is both a legal compliance measure and an essential component of an organisation's data governance framework.
The legal framework governing a Confidentiality Undertaking in Kenya draws on several key statutes and regulatory bodies. Under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Parties executing a Confidentiality Undertaking in Kenya should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Law of Contract Act Cap. 23 sets the foundational requirements.
When Do You Need a Confidentiality Undertaking (Kenya)?
A Kenya Confidentiality Undertaking is needed whenever an individual is about to gain access to sensitive information belonging to an organisation, and the organisation needs a documented personal commitment from that individual to protect the information.
The Undertaking is needed during employee onboarding — before a new employee, trainee, or intern starts work and is given access to internal systems, customer data, financial records, or proprietary processes. Section 10 of the Employment Act No. 11 of 2007 specifies the content of employment contracts, but a standalone Confidentiality Undertaking provides a dedicated document for the employee to acknowledge the specific confidentiality obligations in detail, separate from the general employment contract terms.
A Confidentiality Undertaking is required when a consultant, IT contractor, auditor, legal adviser, or other professional services provider is engaged to perform a specific assignment that requires access to confidential business information. Rather than preparing a full bilateral Confidentiality Agreement, many organisations use a unilateral Confidentiality Undertaking signed by the individual professional as a simpler and faster document for managing the confidentiality risk.
The Undertaking is needed when a board director, board observer, advisory board member, or investor representative is given access to board papers, management accounts, strategic plans, or competitive intelligence in advance of a board meeting or investor review. Board members owe fiduciary duties under the Companies Act No. 17 of 2015, but a signed Confidentiality Undertaking creates an express contractual obligation that is easier to enforce than the implied fiduciary duty.
A Confidentiality Undertaking is required by public procurement rules for suppliers and their staff who are involved in sensitive government tenders regulated by the Public Procurement and Asset Disposal Act No. 33 of 2015 — the PPRA's Standard Tender Documents include model confidentiality undertaking forms for procurement evaluators and committee members.
The Undertaking is also needed when a company is undergoing due diligence for a merger, acquisition, or investment — the acquirer's entire due diligence team (analysts, lawyers, accountants) may be required to sign individual Confidentiality Undertakings in addition to the bilateral confidentiality agreement signed by the acquirer's organisation.
Parties in Kenya should prepare a Confidentiality Undertaking (Kenya) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Confidentiality Undertaking (Kenya)
A Kenya Confidentiality Undertaking under the Law of Contract Act Cap. 23 and the Data Protection Act No. 24 of 2019 must include the following essential provisions to be thorough, enforceable, and ODPC-compliant.
Identification of the Signatory: Full legal name, National Identity Card (NIC) number, KRA PIN, job title or role, employing or engaging organisation, and contact address and email. Clarity about the signatory's identity is essential for enforcement — an undertaking with an illegible signature and no NIC number is difficult to enforce.
Identification of the Protected Organisation: Full legal name of the organisation whose confidential information is being protected, its BRS Registration Number, and the name and role of the authorised signatory accepting the undertaking on the organisation's behalf.
Definition of Confidential Information: A thorough definition covering all categories of information the signatory may access — trade secrets, business strategies, financial data, customer and employee personal data (as defined in the Data Protection Act No. 24 of 2019), technical designs, source code, pricing, and regulatory submissions. The definition should extend to information accessed on computer systems, mobile devices, cloud platforms, and in physical documents.
Specific Confidentiality Obligations: The signatory's commitment to: hold all confidential information in strict confidence; not use it for any purpose other than the authorised purpose; not copy, download, or transmit confidential information except as strictly necessary for the authorised purpose; not discuss or disclose it to any person inside or outside the organisation without written authorisation; report any known or suspected breach immediately to the organisation's Data Protection Officer or senior manager.
Data Protection Compliance: Express acknowledgement of obligations under the Data Protection Act No. 24 of 2019 — processing personal data only on documented instructions; implementing technical safeguards against unauthorised access; notifying the organisation of any personal data breach within 72 hours; and complying with the ODPC's Data Protection (General) Regulations 2021.
Return of Information on Termination: An obligation to return or securely destroy all copies of confidential information — physical documents, digital copies, email attachments — upon termination of employment, contract, or the assignment, and to certify compliance in writing.
Survival After Termination: Confirmation that confidentiality obligations survive termination of employment or the engagement for a specified period (commonly 3 to 5 years) for general commercial information, and indefinitely for genuine trade secrets and personal data.
Acknowledgement of Consequences: The signatory's express acknowledgement that breach will cause irreparable harm to the organisation, entitling the organisation to seek an injunction from the High Court of Kenya or the Nairobi Centre for International Arbitration (NCIA) without proof of specific financial loss, and may result in disciplinary action, termination, and personal civil and criminal liability.
Signature, Date, and Witness: The signatory's signature, the date of signing, and the signature of a witness (who may be the HR officer or commissioning manager). For deed execution where the signatory is not an employee, a Commissioner for Oaths under the Oaths and Statutory Declarations Act Cap. 15 should witness the signature. Forms-legal.com provides this Confidentiality Undertaking as a practical tool for Kenyan organisations managing information security and data protection compliance.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Confidentiality Undertaking (Kenya) (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/contracts/confidentiality-undertaking-kenya
Frequently Asked Questions
The key difference between a Confidentiality Undertaking and a Confidentiality Agreement in Kenya is the number of parties who sign. A Confidentiality Undertaking is a unilateral document — only the person receiving and agreeing to protect the confidential information signs it. The organisation whose information is being protected accepts the undertaking but does not commit to any reciprocal obligation. A Confidentiality Agreement is bilateral — both parties sign, and in a mutual confidentiality agreement, both parties commit to protecting each other's confidential information. Confidentiality Undertakings are typically used in employment and contractor onboarding contexts, where the power relationship is asymmetric and the individual is receiving access to the organisation's information. They are also used in board and advisory settings, procurement evaluation panels, and due diligence teams. Confidentiality Agreements are used where two businesses are sharing information with each other during commercial negotiations or a partnership — both need the other's commitment. Both forms are enforceable under the Law of Contract Act Cap. 23 and the equitable duty of confidence in Kenyan law. Where the undertaking lacks separate consideration (because the signatory is not receiving any payment or employment benefit), it should be executed as a deed to be enforceable.
Yes, a Confidentiality Undertaking signed by an employee during employment is enforceable against the employee after their employment ends, subject to the principle that post-employment restrictions must be reasonable and not amount to an unreasonable restraint of trade. The Employment and Labour Relations Court (ELRC) in Kenya, established under Article 162 of the Constitution of Kenya 2010, distinguishes between two categories of post-employment confidentiality obligation. First, protection of genuine trade secrets — formulas, source code, customer lists, and technical processes that give the employer a sustained competitive advantage — may be protected by a confidentiality undertaking with an indefinite survival clause, because an employee cannot use or disclose information that remains a genuine secret without obtaining an unfair competitive advantage over the employer. Second, protection of ordinary business information that the employee has absorbed as general skill and knowledge during employment — courts will not prevent a former employee from using general competence and experience acquired in a role, even where a broad confidentiality undertaking was signed. The line between protectable trade secrets and non-protectable general skill is fact-specific. An Advocate should draft post-employment confidentiality obligations narrowly to protect what is genuinely confidential without unreasonably restricting the employee's freedom to work.
In Kenya, a Confidentiality Undertaking signed as a simple contract does not strictly require a witness to be legally enforceable under the Law of Contract Act Cap. 23 — the signature of the signatory is sufficient. However, witnessing is strongly recommended for several reasons. First, a witness provides independent confirmation that the signatory did actually sign the document on the stated date, which is valuable evidence in enforcement proceedings before the High Court or the Employment and Labour Relations Court (ELRC). Second, where the signatory is not receiving separate consideration — for example, an advisory board member or an unpaid consultant — the undertaking should be executed as a deed to avoid any challenge based on absence of consideration. Deed execution under Kenyan law requires the signatory to sign in the presence of a witness who attests the signature. Third, for undertakings involving access to classified government information or financial regulatory data (such as those required by CBK-licensed institutions), regulatory guidelines typically require witnessed signatures for documentary completeness. The witness should be an adult of sound mind who is not the HR officer or manager also signing on behalf of the organisation. For greater legal certainty, a Commissioner for Oaths under the Oaths and Statutory Declarations Act Cap. 15 may be used as witness.
When an employer in Kenya discovers that an employee or former employee has breached a Confidentiality Undertaking, the response should be immediate and structured to preserve legal options. First, document the breach — gather evidence of the disclosure or misuse: emails, screenshots, witness statements, computer access logs, or third-party communications that demonstrate the confidential information was shared without authorisation. Second, issue a cease-and-desist notice — a formal written demand from the company's advocates to the employee (or former employee) to immediately stop the breach, return all copies of confidential information, and confirm compliance in writing. Third, consider an urgent injunction application — if the breach involves ongoing or imminent disclosure (for example, the employee is about to hand confidential data to a competitor), apply to the High Court (Commercial Division) for an interim injunction under Order 40 of the Civil Procedure Rules. The court can grant an ex parte (without notice) injunction in genuine emergencies. Fourth, pursue disciplinary action — for a current employee, the breach may constitute gross misconduct under Section 44 of the Employment Act No. 11 of 2007, justifying summary dismissal subject to procedural fairness requirements (show-cause letter, disciplinary hearing, employee representation). Fifth, claim damages — through the High Court or the Nairobi Centre for International Arbitration (NCIA) for quantifiable financial losses caused by the breach.
Public sector employees in Kenya are bound by confidentiality obligations through several legal frameworks that supplement — and in some cases require — written Confidentiality Undertakings. The Official Secrets Act Cap. 187 imposes criminal liability on government officers who disclose official secrets — defined broadly as any document or information of a confidential nature obtained in the course of official duties. Under the Public Officer Ethics Act No. 4 of 2003, public officers are prohibited from disclosing information entrusted to them by reason of their office. The Access to Information Act No. 31 of 2016 provides a right of public access to government information subject to specified exemptions, including national security, commercial confidentiality, and personal privacy — public officers must follow the designated information disclosure procedures and cannot independently release exempted information. In addition to these statutory obligations, government ministries and state corporations typically require employees, secondees, and consultants to sign written Confidentiality Undertakings as part of the engagement process — particularly for procurement evaluation committees (regulated by the Public Procurement Regulatory Authority, PPRA), sensitive policy analysis roles, financial management positions, and national security functions. The PPRA's Standard Tender Documents include model confidentiality declarations for procurement officers.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Confidentiality Agreement (Kenya)
A Kenya Confidentiality Agreement (mutual or one-way) protecting trade secrets, business information, and personal data, compliant with the Law of Contract Act Cap. 23 and the Data Protection Act No. 24 of 2019.
Employment Contract (Kenya)
A Kenya Employment Contract setting out terms and conditions of employment, compliant with the Employment Act No. 11 of 2007, NSSF Act 2013, SHIF Act 2024, and the Housing Levy obligations.