Acceptable Use Policy (Kenya)
ACCEPTABLE USE POLICY
Computer Misuse and Cybercrimes Act No. 5 of 2018 | Data Protection Act No. 24 of 2019
Organisation: [Organisation Name] (BRS No: [BRS Number])
Address: [Organisation Address]
Effective Date: [Effective Date]
Next Review Date: [Review Date]
Policy Owner: [Policy Owner]
Data Protection Officer: [DPO Contact]
1. PURPOSE AND LEGAL FRAMEWORK
1.1 This Acceptable Use Policy ("Policy") governs the use of information technology systems, networks, devices, data, and communications platforms owned or operated by [Organisation Name] (the "Organisation").
1.2 This Policy is issued pursuant to the Computer Misuse and Cybercrimes Act No. 5 of 2018, the Data Protection Act No. 24 of 2019 (enforced by the Office of the Data Protection Commissioner (ODPC)), the Employment Act No. 11 of 2007, and the Communications Authority of Kenya Cybersecurity Regulations 2022.
1.3 Compliance with this Policy is a condition of accessing the Organisation's IT systems. Breach of this Policy constitutes misconduct under Section 41 of the Employment Act No. 11 of 2007 and may also constitute a criminal offence under the Computer Misuse and Cybercrimes Act No. 5 of 2018.
2. SCOPE
2.1 This Policy applies to: [Covered Users].
2.2 The following IT systems and assets are covered by this Policy: [Covered Systems].
2.3 Personal device (BYOD) access: [BYOD Policy].
3. PERMITTED USE
3.1 Authorised users may use the Organisation's IT systems for legitimate work purposes, including: communicating with colleagues, clients, and suppliers using approved platforms; accessing approved software tools and data; storing work files on approved cloud or on-premises storage; and attending authorised video conferences and online meetings.
3.2 Personal use: [Personal Use Policy].
3.3 Social media: [Social Media Policy].
4. PROHIBITED USE
4.1 The following activities are strictly prohibited and may constitute offences under the Computer Misuse and Cybercrimes Act No. 5 of 2018:
(a) Unauthorised access to any computer system, server, or data repository — Section 3 of the Computer Misuse and Cybercrimes Act No. 5 of 2018 (penalty: up to KES 5,000,000 or 3 years imprisonment).
(b) Unlawful interception of data transmissions — Section 7 of the Computer Misuse and Cybercrimes Act No. 5 of 2018.
(c) Computer fraud, including creating or using false electronic records to obtain financial advantage — Section 14 of the Computer Misuse and Cybercrimes Act No. 5 of 2018.
(d) Publishing false or misleading information through electronic means — Section 22 of the Computer Misuse and Cybercrimes Act No. 5 of 2018.
(e) Cyber harassment, intimidation, or sending unsolicited communications — Sections 27 and 28 of the Computer Misuse and Cybercrimes Act No. 5 of 2018.
(f) Downloading, installing, or distributing unlicensed or malicious software, including ransomware, spyware, or cryptocurrency mining applications.
(g) Sharing login credentials, passwords, or access tokens with any unauthorised person.
(h) Transferring personal data of clients, employees, or third parties to unauthorised recipients or unapproved systems, in violation of the Data Protection Act No. 24 of 2019.
(i) Accessing, downloading, or distributing illegal content, including content prohibited under the Films and Stage Plays Act Cap. 222 or the Sexual Offences Act No. 3 of 2006.
4.2 Additional prohibited activities specific to this Organisation: [Additional Prohibited Activities].
5. SECURITY OBLIGATIONS
5.1 Password requirements: All system passwords must be a minimum of [Password Min Length] and must be changed [Password Rotation]. Passwords must not be shared, written down in accessible locations, or reused across different systems.
5.2 Screen locking: Workstations and devices must be locked when unattended, using password-protected screen lock.
5.3 Remote access: [Remote Access Requirements].
5.4 Incident reporting: Any suspected security incident, data breach, lost or stolen device, or unusual system activity must be reported to the Data Protection Officer ([DPO Contact]) within [Incident Reporting Deadline] of discovery. The Organisation is required to notify the Office of the Data Protection Commissioner (ODPC) of reportable personal data breaches within 72 hours under Section 43 of the Data Protection Act No. 24 of 2019.
5.5 Software updates: Authorised users must not prevent or delay the installation of approved security updates and patches.
6. MONITORING AND PRIVACY
6.1 [Monitoring Disclosure]
6.2 Monitoring activities will be conducted in accordance with the Data Protection Act No. 24 of 2019 and the ODPC's Guidelines on Processing of Personal Data in Employment Contexts. Employees retain rights as data subjects under Section 26 of the Data Protection Act No. 24 of 2019, including the right to access information about monitoring activities.
7. DATA PROTECTION OBLIGATIONS
7.1 All authorised users must process personal data only in accordance with this Policy, the Organisation's Data Protection Policy, and the Data Protection Act No. 24 of 2019.
7.2 Personal data must be stored only on approved systems and must not be transferred to unauthorised third parties, personal email accounts, or unapproved cloud storage services.
7.3 Any request from a data subject to exercise rights under Sections 26–34 of the Data Protection Act No. 24 of 2019 (access, rectification, erasure, restriction, objection) must be escalated immediately to the Data Protection Officer.
8. CONSEQUENCES OF BREACH
8.1 Breach of this Policy constitutes misconduct under Section 41 of the Employment Act No. 11 of 2007. Disciplinary proceedings will be conducted by [Disciplinary Authority] in accordance with the Organisation's Disciplinary Procedure, including: a written show-cause letter; a disciplinary hearing at which the employee may be represented by a fellow employee or trade union representative; and a written outcome.
8.2 Depending on the severity of the breach, consequences may range from a formal written warning to summary dismissal without notice under Section 44 of the Employment Act No. 11 of 2007.
8.3 Where a breach involves a suspected offence under the Computer Misuse and Cybercrimes Act No. 5 of 2018, the Organisation reserves the right to refer the matter to the Directorate of Criminal Investigations (DCI) for prosecution by the Director of Public Prosecutions (DPP) under Article 157 of the Constitution of Kenya 2010.
8.4 Disputes about enforcement of this Policy that are not resolved internally may be referred to the Employment and Labour Relations Court (ELRC), established under Article 162 of the Constitution of Kenya 2010.
9. ACKNOWLEDGMENT
9.1 By signing below, the authorised user confirms that they have read, understood, and agree to comply with this Acceptable Use Policy in its entirety.
Organisation: [Organisation Name]
Governing Law: The laws of Kenya. Jurisdiction: Courts of Kenya.
Authorised Signatory (Organisation)
________________
Signature
Authorised User (Employee / Contractor)
________________
Signature
Witness
________________
Signature
What Is an Acceptable Use Policy (Kenya)?
An Acceptable Use Policy (Kenya) is a formal organisational document that establishes the rules, permissions, and prohibitions governing how employees, contractors, and authorised users may access and use an organisation's information technology systems, networks, internet connections, email platforms, data repositories, and electronic devices. In Kenya, the primary statute governing cyber conduct and computer misuse is the Computer Misuse and Cybercrimes Act No. 5 of 2018, which criminalises unauthorised access to computer systems, unlawful interception of data, cyber fraud, cybersquatting, and publication of false information through computer systems.
Section 3 of the Computer Misuse and Cybercrimes Act No. 5 of 2018 establishes the offence of unauthorised access to a computer system, carrying a penalty of up to KES 5,000,000 or imprisonment for up to three years or both. Section 4 addresses access with intent to commit a further offence, while Section 5 prohibits unauthorised interference with computer systems. An Acceptable Use Policy sets the boundary between authorised and unauthorised use within an organisation — conduct that falls outside the policy's permitted scope can support both internal disciplinary action under the Employment Act No. 11 of 2007 and criminal prosecution under the Computer Misuse and Cybercrimes Act.
The Data Protection Act No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), imposes statutory duties on data controllers and data processors to implement appropriate technical and organisational measures to protect personal data. Section 41 of the Data Protection Act requires data controllers registered with the ODPC to implement information security policies. An Acceptable Use Policy is one of the key organisational measures that demonstrates compliance with the data protection accountability principle under Section 25 of the Data Protection Act No. 24 of 2019. Failure to implement adequate security policies exposes the organisation to enforcement action by the ODPC, including administrative fines and public reprimands.
The Communications Authority of Kenya (CA), established under the Kenya Information and Communications Act (Cap. 411A), regulates internet service providers and telecommunications networks in Kenya. Organisations that provide internet access to employees are, in effect, secondary access providers and bear responsibility for confirming that access is used lawfully. The CA's Cybersecurity Regulations 2022 require internet service providers and operators of critical information infrastructure to maintain security policies — an Acceptable Use Policy forms part of the broader cybersecurity framework.
Beyond criminal and regulatory exposure, an Acceptable Use Policy serves essential employment law functions in Kenya. Under Section 41 of the Employment Act No. 11 of 2007, an employer must conduct a fair disciplinary process before terminating employment for misconduct. The Employment and Labour Relations Court (ELRC) has held in multiple decisions that an employer cannot rely on IT misuse as grounds for summary dismissal under Section 44 of the Employment Act without evidence that: the employee was aware of the applicable IT conduct standards; the employee was issued with a show-cause letter; and a disciplinary hearing was conducted. An Acceptable Use Policy that has been communicated to the employee and acknowledged in writing provides the foundational evidence for a fair disciplinary process.
For organisations processing sensitive categories of data — health records, financial data, or data relating to children — an Acceptable Use Policy must additionally address obligations under the Children Act No. 29 of 2022 and any sector-specific data handling standards issued by the Central Bank of Kenya (CBK) for financial institutions or the Communications Authority of Kenya (CA) for telecommunications operators. The Kenya National Bureau of Statistics (KNBS) and the Kenya Revenue Authority (KRA) maintain separate data protection standards for organisations that interface with government data systems.
When Do You Need an Acceptable Use Policy (Kenya)?
An Acceptable Use Policy (Kenya) is required whenever an organisation provides employees, contractors, or third parties with access to its IT systems, and several situations make implementation urgent.
An Acceptable Use Policy is required when a company registered with the Business Registration Service (BRS) hires employees who will use company-provided computers, smartphones, email accounts, or internet access. Without a written policy communicated to employees before or at commencement of employment, the organisation has limited recourse if employees misuse IT resources — visiting inappropriate websites, exfiltrating customer data, or using company devices for personal business activities.
An Acceptable Use Policy is needed when an organisation handles personal data of Kenyan residents and is required to register with the Office of the Data Protection Commissioner (ODPC) as a data controller or data processor under Section 19 of the Data Protection Act No. 24 of 2019. The ODPC's enforcement framework includes the power to issue compliance orders, conduct audits, and impose penalties. A documented Acceptable Use Policy is cited in ODPC guidance as a baseline organisational measure that every registered data controller should maintain.
An Acceptable Use Policy is required when an organisation discovers or suspects that an employee has committed a computer-related offence under the Computer Misuse and Cybercrimes Act No. 5 of 2018 — such as accessing customer databases without authorisation or forwarding confidential information to a competitor. The policy establishes the internal conduct standard against which the employee's behaviour is assessed in disciplinary proceedings before the ELRC.
An Acceptable Use Policy is needed when a company operates remote-working arrangements — increasingly common across Nairobi's technology and professional services sector — where employees access corporate systems from personal devices or home networks. The policy addresses bring-your-own-device (BYOD) risks, virtual private network (VPN) requirements, and obligations to report security incidents.
An Acceptable Use Policy is required for schools, universities, hospitals, and government agencies in Kenya that provide internet access to students, patients, or the public, particularly given the CA Cybersecurity Regulations 2022 requirements for operators of public access networks.
Parties in Kenya should prepare an Acceptable Use Policy (Kenya) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Acceptable Use Policy (Kenya)
A thorough Acceptable Use Policy (Kenya) under the Computer Misuse and Cybercrimes Act No. 5 of 2018 must include the following elements to be effective and enforceable.
Scope and Covered Systems: A precise definition of the IT systems, devices, networks, software platforms, cloud services, and data covered by the policy — including company-owned hardware, licensed software, corporate email accounts, cloud storage (such as Google Workspace or Microsoft 365 tenancies), and any third-party systems accessed through single sign-on credentials. The scope section should distinguish between company-owned devices and personal devices used to access company systems (BYOD).
Authorised Use: A clear statement of what employees and authorised users are permitted to do — accessing systems for legitimate work purposes, using approved software tools, sending business-related communications, and storing work files on approved platforms. Limited personal use may be permitted during breaks, subject to the conditions specified in the policy.
Prohibited Conduct: A specific list of prohibited activities referencing offences under the Computer Misuse and Cybercrimes Act No. 5 of 2018: unauthorised access to restricted systems (Section 3); interception of data (Section 7); cyber fraud (Section 14); publication of false information (Section 22); cybersquatting (Section 29); and sending unsolicited communications (Section 28). Additional prohibitions should address: downloading unlicensed software; accessing adult, gambling, or illegal content; mining cryptocurrency on company systems; and sharing login credentials.
Data Protection Obligations: Employee duties under the Data Protection Act No. 24 of 2019 and the ODPC's data subject rights framework — including obligations to handle personal data lawfully, to report data breaches promptly to the organisation's data protection officer, and to store personal data only on approved systems with appropriate access controls.
Email and Communication Standards: Rules governing the use of corporate email — prohibiting phishing, spam distribution, and dissemination of offensive content — and the organisation's right to monitor business communications subject to the Data Protection Act No. 24 of 2019. Reference to the National Cybersecurity Strategy 2022–2027 published by the Ministry of Information, Communications and the Digital Economy.
Security Obligations: Password standards (minimum length, complexity, rotation frequency), screen-locking requirements, mandatory use of VPN on public networks, prohibition on connecting unauthorised USB devices, and obligation to install approved security updates promptly.
Incident Reporting: The employee's duty to report any suspected security incident, data breach, lost device, or unusual system behaviour to the IT department or data protection officer within a specified timeframe — supporting the organisation's obligation under Section 43 of the Data Protection Act No. 24 of 2019 to notify the ODPC of personal data breaches within 72 hours.
Consequences of Breach: A statement that violations of the policy constitute misconduct under the Employment Act No. 11 of 2007, subject to disciplinary action up to and including summary dismissal under Section 44, and that criminal conduct may be referred to the Directorate of Criminal Investigations (DCI) and the DPP for prosecution under the Computer Misuse and Cybercrimes Act No. 5 of 2018.
Acknowledgment and Review: A signed employee acknowledgment section confirming that the employee has read, understood, and agrees to comply with the policy. Forms-legal.com provides this Acceptable Use Policy template as a practical starting document for Kenyan organisations implementing cybersecurity governance frameworks.
The policy should be reviewed annually or whenever the Computer Misuse and Cybercrimes Act No. 5 of 2018 is amended, the Data Protection Act No. 24 of 2019 regulations are updated, or the Communications Authority of Kenya issues new cybersecurity guidance.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Acceptable Use Policy (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/policies/acceptable-use-policy-kenya
"Acceptable Use Policy (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/policies/acceptable-use-policy-kenya.
@misc{formslegal-acceptable-use-policy-kenya,
author = {{Forms Legal}},
title = {Acceptable Use Policy (Kenya)},
year = {2026},
howpublished = {\url{https://forms-legal.com/kenya/business/policies/acceptable-use-policy-kenya}},
note = {Free legal document template}
}
Frequently Asked Questions
No single Kenyan statute mandates an Acceptable Use Policy by that exact name, but several laws create practical and legal requirements that an Acceptable Use Policy satisfies. The Data Protection Act No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), requires data controllers to implement appropriate technical and organisational security measures under Section 41. The ODPC's Data Controllers and Processors Registration Regulations 2021 reference the need for internal policies governing data access and use. The Computer Misuse and Cybercrimes Act No. 5 of 2018 criminalises specific categories of IT misuse — an organisation without a written policy cannot demonstrate to the Employment and Labour Relations Court (ELRC) or to a criminal court that it communicated conduct standards to its employees. The Communications Authority of Kenya's Cybersecurity Regulations 2022 require operators of critical information infrastructure to maintain documented security policies. For all practical purposes, any organisation employing staff who use IT systems in Kenya should have a written Acceptable Use Policy — the absence of one is an organisational governance failure that creates employment law and data protection liability.
Yes, but with significant conditions imposed by Kenyan law. The Data Protection Act No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), requires that any processing of personal data — including monitoring employee communications — must have a lawful basis under Section 30 of the Act. For workplace monitoring, the lawful basis is typically legitimate interest (Section 30(1)(f)) or contractual necessity (Section 30(1)(b)). Critically, employees must be informed of the monitoring in advance — covert surveillance without prior notice is likely to constitute unlawful processing of personal data. The Acceptable Use Policy is the primary mechanism for informing employees that communications on company systems may be monitored for security, compliance, or business continuity purposes. The Computer Misuse and Cybercrimes Act No. 5 of 2018, Section 7, prohibits the unlawful interception of data — but interception conducted in accordance with a properly disclosed Acceptable Use Policy and within the employer's own systems falls within the lawful access exception. The Employment and Labour Relations Court (ELRC) has accepted evidence of email monitoring in dismissal cases where employees were pre-notified through an IT policy.
The Computer Misuse and Cybercrimes Act No. 5 of 2018 is Kenya's principal cybercrime statute. Key offences and penalties include: Section 3 — unauthorised access to a computer system (up to KES 5 million or 3 years imprisonment); Section 4 — access with intent to commit a further offence (up to KES 10 million or 7 years); Section 5 — unauthorised interference with a computer system (up to KES 5 million or 3 years); Section 7 — unlawful interception of data (up to KES 5 million or 3 years); Section 11 — cyber espionage (up to KES 10 million or 10 years); Section 14 — computer fraud (up to KES 10 million or 10 years); Section 16 — identity fraud using electronic means (up to KES 5 million or 3 years); Section 22 — publishing false information (up to KES 5 million or 2 years); Section 27 — cyber harassment (up to KES 20 million or 10 years); Section 29 — cybersquatting (up to KES 200,000 or 2 years). Prosecution is conducted by the Director of Public Prosecutions (DPP) under Article 157 of the Constitution of Kenya 2010. The National Computer and Cybercrimes Coordination Committee (NC4) established under Section 56 of the Act coordinates Kenya's national response to cybercrime. An Acceptable Use Policy that references these specific offences gives employees clear legal notice of the criminal consequences of IT misuse.
Yes, but the employer must follow the procedural fairness requirements of the Employment Act No. 11 of 2007. The Employment and Labour Relations Court (ELRC) applies a two-part test for fair termination: substantive fairness (was there a valid reason for dismissal?) and procedural fairness (was a fair process followed?). To establish substantive fairness for an IT misuse dismissal, the employer must show: the employee breached the Acceptable Use Policy; the breach was a serious form of misconduct; and the Acceptable Use Policy was communicated to the employee before the breach. For procedural fairness, Section 41 of the Employment Act requires: a written show-cause letter setting out the alleged breach; a disciplinary hearing at which the employee can present their case and be represented by a fellow employee or trade union representative; and a written outcome letter. For very serious breaches — such as installing malware, stealing customer data, or committing a Computer Misuse and Cybercrimes Act offence — summary dismissal without notice may be justified under Section 44 of the Employment Act, but procedural fairness remains mandatory. Without a written Acceptable Use Policy acknowledged by the employee, the ELRC is unlikely to uphold summary dismissal for IT conduct issues.
The Acceptable Use Policy is one of the key internal governance instruments through which a Kenyan organisation demonstrates compliance with the Data Protection Act No. 24 of 2019. The Data Protection Act, enforced by the Office of the Data Protection Commissioner (ODPC), requires data controllers and processors to implement technical and organisational security measures appropriate to the risk of processing personal data — this obligation arises under Sections 41 and 42 of the Act and the Data Protection (General) Regulations 2021. An Acceptable Use Policy addresses the organisational dimension by: restricting who may access personal data and under what conditions; prohibiting the transfer of personal data to unauthorised recipients or third-party services; requiring employees to use only approved, secure platforms for storing and transmitting personal data; mandating prompt reporting of data breaches to the organisation's Data Protection Officer (DPO); and establishing that breach of data protection rules constitutes misconduct subject to disciplinary action. The ODPC has the power under Section 56 of the Data Protection Act to issue compliance orders, conduct audits, and, where serious violations are found, to impose administrative penalties. Organisations registered with the ODPC as data controllers should include their Acceptable Use Policy in the documentation provided during ODPC audits as evidence of the accountability principle compliance required by Section 25 of the Act.
Remote working and bring-your-own-device (BYOD) arrangements present specific cybersecurity and data protection risks that an Acceptable Use Policy for Kenyan organisations must address explicitly. For remote working, the policy should require: mandatory use of a Virtual Private Network (VPN) approved by the organisation when accessing corporate systems from outside the office; prohibition on using public Wi-Fi networks without VPN protection; requirement to maintain a physically secure work environment to prevent unauthorised persons from viewing confidential information; and an obligation to lock screens when leaving the workstation. For BYOD, the policy should specify: which personal devices may be used to access corporate systems (smartphones, tablets, laptops); the requirement to install the organisation's approved mobile device management (MDM) software; the organisation's right to remotely wipe company data from a personal device in the event of loss, theft, or employment termination — subject to the employee's own data protection rights under the Data Protection Act No. 24 of 2019; and prohibition on storing personal data of clients or colleagues on personal device storage not controlled by the organisation. The National Cybersecurity Strategy 2022–2027 of Kenya, published by the Ministry of Information, Communications and the Digital Economy, identifies remote access security as a national priority.