Data Sharing Agreement (Kenya)

DATA SHARING AGREEMENT

Data Protection Act No. 24 of 2019 | Data Protection (General) Regulations 2021

THIS DATA SHARING AGREEMENT is made on [Agreement Date]

BETWEEN:

(1) [First Controller Name] (BRS No: [First Controller BRS No.], KRA PIN: [First Controller KRA PIN], ODPC Reg. No: [First Controller ODPC Reg. No.]), of [First Controller Address] ("Controller 1"); and

(2) [Second Controller Name] (BRS No: [Second Controller BRS No.], KRA PIN: [Second Controller KRA PIN], ODPC Reg. No: [Second Controller ODPC Reg. No.]), of [Second Controller Address] ("Controller 2").

Controller 1 and Controller 2 are each an independent data controller and are collectively referred to as the "Parties". Each Party independently determines the purposes and means of processing the shared personal data and bears direct, independent responsibility under the Data Protection Act No. 24 of 2019 for its own processing activities.

1. PERSONAL DATA BEING SHARED

1.1 The Parties agree to share the following categories of personal data: [Data Categories].

1.2 The data subjects to whom the shared data relates are: [Data Subject Categories].

1.3 Sensitive personal data included: [Sensitive Data Included]. Where sensitive personal data is shared, additional conditions under Section 32 of the Data Protection Act No. 24 of 2019 apply. Each Party independently confirms it holds a valid lawful basis under Section 32 for processing such sensitive data.

1.4 Estimated volume of data records: [Estimated Data Volume].

2. PURPOSE AND LAWFUL BASIS

2.1 Personal data is shared under this Agreement for the following specific purpose: [Sharing Purpose].

2.2 The lawful basis for sharing under Section 30 of the Data Protection Act No. 24 of 2019 is: [Lawful Basis]. Both Parties independently confirm they hold a valid lawful basis for their own processing of the shared data.

2.3 Neither Party may use the shared data for any purpose other than the purpose stated in Clause 2.1 without obtaining a fresh lawful basis and the prior written consent of the other Party, consistent with the data minimisation and purpose limitation principles under Section 25 of the Data Protection Act No. 24 of 2019.

3. CROSS-BORDER TRANSFERS

3.1 Transfer of shared personal data outside Kenya: [Cross-Border Transfer].

3.2 Where a cross-border transfer is made: [Cross-Border Transfer Details]. All cross-border transfers shall comply with Section 49 of the Data Protection Act No. 24 of 2019.

4. DATA SUBJECT RIGHTS

4.1 Data subjects retain their full rights under Sections 26 to 35 of the Data Protection Act No. 24 of 2019 against each Party independently, including rights of access, rectification, erasure, restriction, portability, and objection.

4.2 Where a data subject submits a rights request to the wrong Party, the receiving Party shall promptly refer the request to the correct Party and notify the data subject of the referral within 5 business days.

4.3 Each Party shall respond to data subject rights requests within the timeframes prescribed by the Office of the Data Protection Commissioner (ODPC).

4.4 Data subjects who believe their rights have been infringed may lodge a complaint with the ODPC under Section 56 of the Data Protection Act No. 24 of 2019 and may seek compensation from either Party for material or non-material harm suffered.

5. SECURITY AND BREACH NOTIFICATION

5.1 Both Parties shall implement appropriate technical and organisational security measures under Section 41 of the Data Protection Act No. 24 of 2019, including: [Security Measures].

5.2 Each Party shall notify the other Party [Breach Notification Period] of becoming aware of a personal data breach affecting the shared data. The notified Party shall take all reasonable steps to contain the breach and shall comply with its notification obligations to the ODPC under Section 43(6) of the Data Protection Act No. 24 of 2019 within 72 hours of becoming aware of the breach.

6. RETENTION AND DELETION

6.1 Each Party shall retain shared personal data for no longer than [Retention Period], consistent with the retention limitation principle under Section 25(2)(e) of the Data Protection Act No. 24 of 2019.

6.2 At the end of the retention period, or on termination of this Agreement, each Party shall securely delete or anonymise the shared data and shall certify deletion to the other Party in writing within 30 days.

7. TERM AND TERMINATION

7.1 This Agreement shall remain in force for [Agreement Term].

7.2 Either Party may terminate this Agreement by giving [Notice Period] written notice to the other Party.

7.3 Either Party may terminate immediately upon written notice if the other Party commits a material breach of this Agreement or the Data Protection Act No. 24 of 2019 and fails to remedy the breach within 14 days of written notice.

7.4 Termination does not relieve either Party of its obligation to comply with the Data Protection Act No. 24 of 2019 in respect of personal data already received under this Agreement.

8. GOVERNING LAW AND DISPUTE RESOLUTION

8.1 This Agreement is governed by the laws of Kenya, including the Data Protection Act No. 24 of 2019, the Data Protection (General) Regulations 2021, and the Law of Contract Act (Cap. 23).

8.2 Disputes shall be referred first to good-faith negotiation. If unresolved within 30 days, disputes shall be referred to: [Dispute Forum]. Arbitration, where chosen, shall be conducted under the Arbitration Act No. 4 of 1995.

IN WITNESS WHEREOF, the Parties have executed this Data Sharing Agreement on the date first written above.

Controller 1 (Authorised Signatory)

________________

Signature

Controller 2 (Authorised Signatory)

________________

Signature

Witness

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Data Sharing Agreement (Kenya)?

A Data Sharing Agreement in Kenya records the obligations the parties accept and the terms governing their arrangement.

A Data Sharing Agreement differs fundamentally from a Data Processing Agreement in the legal relationship it governs. Under a Data Sharing Agreement, both parties act as independent controllers and each bears direct responsibility under the Data Protection Act No. 24 of 2019 for its own processing of the shared data. Under a Data Processing Agreement, by contrast, one party (the processor) acts solely on the instructions of the other (the controller) and has no independent authority over the data. Where two Kenyan hospitals share patient records for specialist referral purposes, each hospital is a controller and a Data Sharing Agreement governs the transfer. Where a hospital engages a cloud records management company, a Data Processing Agreement governs that relationship.

The legal basis for data sharing in Kenya is grounded in Section 30 of the Data Protection Act No. 24 of 2019, which requires that every instance of processing — including the disclosure of personal data to another controller — have at least one lawful basis. The most common lawful bases for inter-controller data sharing in Kenya are: consent of the data subject; performance of a contract to which the data subject is a party; compliance with a legal obligation under Kenyan law; vital interests of the data subject or another person; or legitimate interests pursued by one or both controllers where not overridden by the data subject's rights. Data subjects retain their full rights under Sections 26 to 35 of the Data Protection Act — including the right of access, rectification, and erasure — against both sharing parties independently.

The High Court of Kenya (Constitutional and Human Rights Division) has jurisdiction over constitutional privacy claims under Article 31 of the Constitution of Kenya 2010, which protects the right of every person to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed. Data subjects who suffer harm from unlawful data sharing may also seek compensation from either or both controllers before the ODPC or the courts. The Kenya Revenue Authority (KRA) and the Central Bank of Kenya (CBK) are among the public bodies authorised to require sharing of financial and tax data under specific enabling legislation outside the general consent framework of the Data Protection Act.

Sensitive personal data — defined in Section 2 of the Data Protection Act to include health, racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, sexual orientation, and criminal records — attracts heightened protection under Section 32. Sharing sensitive data requires explicit consent or a specific legal basis, and the agreement must reflect this heightened standard.

When Do You Need a Data Sharing Agreement (Kenya)?

A Kenya Data Sharing Agreement is required whenever personal data is disclosed by one data controller to another, and the Data Protection Act No. 24 of 2019 mandates that this disclosure be governed by a written legal framework before the transfer occurs.

A Data Sharing Agreement is required when two or more organisations co-deliver a service and each needs access to common customer or beneficiary data. For example, a Kenyan insurance company and a hospital network that share patient admission and claims data to process medical insurance claims are both independent controllers — each processes the data for its own purposes — and must execute a Data Sharing Agreement governing the categories of data shared, the permitted uses, and the retention period.

A Data Sharing Agreement is needed when a government agency or county government in Kenya shares personal data with a private sector partner under a public-private partnership (PPP) arrangement. The Constitution of Kenya 2010 (Article 31) and the Data Protection Act No. 24 of 2019 apply to government data processing, and the Data Protection (General) Regulations 2021 require public bodies to execute formal data sharing agreements before disclosing citizen personal data to private entities.

A Data Sharing Agreement is required when a company conducts due diligence before a merger, acquisition, or joint venture and needs to share employee, customer, or supplier personal data with the counterparty. The due diligence data room typically involves disclosure of sensitive commercial and personal data, and a Data Sharing Agreement — often combined with a Non-Disclosure Agreement — governs the legal framework for that disclosure under the Data Protection Act No. 24 of 2019.

A Data Sharing Agreement is needed when a research institution, university, or hospital in Kenya shares anonymised or pseudonymised data with an academic partner or international research consortium for scientific research purposes. Section 30(e) of the Data Protection Act permits processing for public interest purposes, but the agreement must document the specific public interest basis, the anonymisation standards applied, and the security measures protecting the shared data.

A Data Sharing Agreement is required when a fintech company or mobile money operator registered with the Central Bank of Kenya (CBK) shares transaction data or customer KYC information with a credit reference bureau licensed by the CBK, a fraud prevention network, or a banking partner, consistent with the Banking Act (Cap. 488) and CBK consumer protection requirements.

A Data Sharing Agreement is needed when a Kenyan employer shares employee data with a group parent company, affiliated company, or third-party benefits provider — such as a pension administrator regulated by the Retirement Benefits Authority (RBA) or a medical insurer regulated by the Insurance Regulatory Authority (IRA) — as part of mandatory or voluntary benefits administration.

What to Include in Your Data Sharing Agreement (Kenya)

A Kenya Data Sharing Agreement under the Data Protection Act No. 24 of 2019 must include the following essential provisions to comply with the ODPC's requirements and protect both sharing parties.

Identification of Controllers: Full legal names, BRS registration numbers, KRA PINs, physical addresses, and ODPC registration numbers of all data controllers party to the agreement. Both parties must confirm their status as independent data controllers and each must warrant that they hold a valid ODPC registration under Section 17 of the Data Protection Act No. 24 of 2019 where required.

Description of Personal Data Shared: A precise description of the categories of personal data being shared — for example, names, National Identity Card (NIC) numbers, KRA PINs, health records, financial transaction data — and the categories of data subjects to whom the data relates (customers, employees, patients, beneficiaries). Vague descriptions do not meet the specificity requirements of the Data Protection (General) Regulations 2021.

Purpose and Lawful Basis: The specific purpose for which each controller will use the shared data and the lawful basis under Section 30 of the Data Protection Act No. 24 of 2019 — for example, contractual necessity, legal obligation, or legitimate interests. Both controllers must have an independent lawful basis for their processing of the shared data. Where sensitive personal data is shared, Section 32 requires explicit consent or a specific legal basis beyond the general lawful bases.

Data Minimisation and Use Limitation: Shared data must be limited to what is necessary for the stated purpose (data minimisation principle under Section 25 of the Data Protection Act), and neither controller may use the shared data for purposes incompatible with the purposes stated in the agreement without obtaining a fresh lawful basis.

Data Subject Rights: The agreement must specify how each controller will handle data subject rights requests — access, rectification, erasure, restriction, portability, and objection — received from data subjects in relation to the shared data. Where a data subject submits a request to the wrong controller, the agreement should require prompt referral to the correct party. Data subjects in Kenya may enforce their rights before the Office of the Data Protection Commissioner (ODPC) under Section 56 of the Data Protection Act No. 24 of 2019.

Security Obligations: Both controllers must implement appropriate technical and organisational security measures under Section 41 of the Data Protection Act — including encryption of data in transit and at rest, access controls, audit logging, and incident response procedures. The Data Protection (General) Regulations 2021 specify enhanced security requirements for sensitive personal data.

Personal Data Breach Notification: Each controller must notify the other without undue delay — and in any event within 72 hours — of becoming aware of a personal data breach affecting the shared data, so that the affected controller can comply with its notification obligations to the ODPC under Section 43(6) of the Data Protection Act No. 24 of 2019. The forms-legal.com Data Sharing Agreement template includes a coordinated breach response procedure.

Retention and Deletion: Agreed data retention periods for each category of shared data, consistent with the data retention limitation principle in Section 25 of the Data Protection Act, and a process for secure deletion or return of data at the end of the retention period or on termination of the agreement.

Cross-Border Transfers: Where either controller is located outside Kenya or may transfer the shared data to a third country, the agreement must confirm compliance with Section 49 of the Data Protection Act — either by reference to an adequacy determination by the ODPC or by incorporating standard contractual clauses approved by the ODPC.

Dispute Resolution: Governing law (Kenya), jurisdiction for disputes (High Court of Kenya or Nairobi Centre for International Arbitration (NCIA) under the Arbitration Act No. 4 of 1995), and a tiered dispute resolution process requiring good-faith negotiation before formal proceedings.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Sharing Agreement (Kenya) (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/contracts/data-sharing-agreement-kenya

MLA

"Data Sharing Agreement (Kenya) (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/contracts/data-sharing-agreement-kenya.

BibTeX
@misc{formslegal-data-sharing-agreement-kenya,
  author       = {{Forms Legal}},
  title        = {Data Sharing Agreement (Kenya) (Kenya)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/kenya/business/contracts/data-sharing-agreement-kenya}},
  note         = {Free legal document template}
}


Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
