Data Breach Notification (Kenya)

PERSONAL DATA BREACH NOTIFICATION

Data Protection Act No. 24 of 2019 — Section 43(6)

To: Office of the Data Protection Commissioner (ODPC), Nairobi, Kenya

Submitted by: [Controller Name] (BRS No: [Controller BRS Number])

Address: [Controller Address]

Data Protection Officer: [DPO Name]

DPO Contact: [DPO Contact]

Date of Notification: [Notification Date]

1. DETAILS OF THE PERSONAL DATA BREACH

1.1 Date and time of discovery: [Breach Discovery Date].

1.2 Estimated date of occurrence: [Breach Occurrence Date].

1.3 Nature of breach: [Breach Type].

1.4 Description: [Breach Description].

2. PERSONAL DATA AND DATA SUBJECTS AFFECTED

2.1 Categories of personal data compromised: [Data Categories].

2.2 Sensitive personal data involved: [Sensitive Data Involved]. Details: [Sensitive Data Details].

2.3 Categories of data subjects affected: [Data Subject Categories].

2.4 Approximate number of data subjects affected: [Number of Data Subjects].

3. LIKELY CONSEQUENCES AND RESPONSE MEASURES

3.1 Likely consequences of the breach for affected data subjects: [Likely Consequences].

3.2 Measures taken or proposed to address the breach: [Containment Measures].

3.3 Direct notification to affected data subjects: [Data Subject Notification]. Where the breach poses a high risk to data subjects' rights and freedoms, [Controller Name] will notify affected individuals without undue delay in accordance with Section 43(7) of the Data Protection Act No. 24 of 2019.

3.4 Other authorities notified: [Parallel Notifications].

4. DECLARATION

[Controller Name] confirms that the information contained in this notification is accurate and complete to the best of its knowledge as at [Notification Date], and that it will provide supplementary information to the Office of the Data Protection Commissioner (ODPC) without undue delay as further details become available.

This notification is submitted pursuant to Section 43(6) of the Data Protection Act No. 24 of 2019 within 72 hours of [Controller Name] becoming aware of the personal data breach described above.

Data Protection Officer

________________

Signature

Authorised Signatory (Controller)

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Data Breach Notification (Kenya)?

A Data Breach Notification in Kenya is the formal notice a data controller submits to the Office of the Data Protection Commissioner (ODPC) when personal data has been compromised. It records the circumstances of the breach and sets out the obligations the breach places on the controller, its processors and the other parties involved.

The Office of the Data Protection Commissioner (ODPC), established under Section 5 of the Data Protection Act No. 24 of 2019, operates the formal breach notification portal through which Kenyan data controllers and processors submit their notifications. The ODPC was fully operational by 2022 and has published breach notification guidance aligned with Section 43 of the Act and the Data Protection (General) Regulations 2021 (Legal Notice No. 46 of 2021). Processors who discover a breach affecting data they process on behalf of a controller must notify that controller without undue delay, enabling the controller to meet its own 72-hour obligation to the ODPC.

The Computer Misuse and Cybercrimes Act No. 5 of 2018 intersects with breach notification obligations where the breach was caused by a criminal cyberattack — such as ransomware, phishing under Section 28 of the Act, or unauthorised access under Section 3. In such cases, the controller must simultaneously notify the Directorate of Criminal Investigations (DCI) Cybercrime Unit and the National Computer and Cybercrimes Coordination Committee (NC4) established under Section 53 of the Computer Misuse and Cybercrimes Act, in addition to the ODPC notification.

A Kenya Data Breach Notification Template is distinct from a Cybersecurity Policy — which is a proactive governance document defining preventive controls — and from a Data Processing Agreement — which allocates responsibility for breach notification between a controller and its processors before any breach occurs. All three documents are components of a complete data protection compliance framework under the Data Protection Act No. 24 of 2019. The notification template activates the reactive phase of the framework when a breach has occurred despite the preventive controls.

Kenyan courts have not yet produced extensive case law specifically on the Data Protection Act No. 24 of 2019 breach notification obligation, but the High Court of Kenya (Constitutional and Human Rights Division) has jurisdiction over constitutional privacy claims under Article 31 of the Constitution of Kenya 2010, and ODPC enforcement decisions are subject to judicial review before the High Court. Data subjects who suffer material or non-material harm from a breach may pursue compensation from the controller before the ODPC under Section 56 of the Data Protection Act or before the courts. Financial institutions additionally face parallel reporting obligations to the Central Bank of Kenya (CBK) under the Banking Act (Cap. 488) and CBK Prudential Guidelines following cybersecurity incidents affecting customer data.

When Do You Need a Data Breach Notification (Kenya)?

A Kenya Data Breach Notification must be submitted whenever a personal data breach occurs, and Section 43(6) of the Data Protection Act No. 24 of 2019 requires notification to the ODPC within 72 hours of the controller becoming aware of the breach — without unnecessary delay.

A Data Breach Notification is required when a cyberattack — ransomware, hacking, or phishing under Section 28 of the Computer Misuse and Cybercrimes Act No. 5 of 2018 — results in unauthorised access to or exfiltration of personal data held by the organisation. Both the scale of the breach and the sensitivity of the data affected determine whether notification to data subjects is also required, but ODPC notification is mandatory regardless of scale where personal data has been compromised.

A Data Breach Notification is needed when an employee accidentally sends an email containing personal data — customer records, employee NIC numbers, KRA PINs, or health information — to the wrong recipient. Even accidental disclosures constitute personal data breaches under the Data Protection Act No. 24 of 2019, and the notification obligation applies equally to human-error breaches as to deliberate attacks.

A Data Breach Notification is required when a data processor — cloud hosting provider, payroll bureau, or IT services company — suffers a security incident that compromises personal data it processes on behalf of the controller. Under Section 43(5) of the Data Protection Act No. 24 of 2019, the processor must notify the controller without undue delay, and the controller then has the 72-hour window to notify the ODPC.

A Data Breach Notification is needed when physical documents containing personal data — patient records, employee files, or customer contracts — are lost, stolen, or improperly disposed of. Physical breaches carry the same notification obligations as digital breaches under the Data Protection Act No. 24 of 2019.

A Data Breach Notification is required when a system misconfiguration — for example, a cloud storage bucket inadvertently made publicly accessible — exposes personal data, even if there is no evidence that the data has been accessed by an unauthorised party. The breach is the unauthorised availability of the data, not the confirmed access to it.

A Data Breach Notification is needed when a financial institution regulated by the Central Bank of Kenya (CBK) suffers a breach affecting customer account data, transaction records, or KYC information. The CBK Guidance on Cybersecurity for Payment Service Providers (2021) requires simultaneous notification to the CBK alongside the mandatory ODPC notification under the Data Protection Act No. 24 of 2019.

What to Include in Your Data Breach Notification (Kenya)

A Kenya Data Breach Notification submitted to the Office of the Data Protection Commissioner (ODPC) under Section 43 of the Data Protection Act No. 24 of 2019 must contain the following prescribed elements to satisfy the regulatory requirement and support the ODPC's investigation.

Controller Identity and Contact Details: Full legal name, BRS registration number, KRA PIN, registered address, ODPC registration number, and contact details of the designated Data Protection Officer (DPO) appointed under Section 24 of the Data Protection Act No. 24 of 2019. Where the breach was discovered by a processor acting on the controller's behalf, the processor's details must also be included.

Nature of the Breach: A factual description of the type of breach — whether it involved unauthorised access, accidental disclosure, loss, destruction, or alteration of personal data — and the circumstances in which it occurred. For breaches caused by cyberattacks under the Computer Misuse and Cybercrimes Act No. 5 of 2018, the type of attack (ransomware, phishing, unauthorised access) should be identified.

Categories and Volume of Personal Data Affected: The categories of personal data involved — for example, names, National Identity Card (NIC) numbers, KRA PINs, health records, financial data, biometric data — and the approximate number of personal data records compromised. Sensitive personal data categories under Section 2 of the Data Protection Act No. 24 of 2019 must be specifically identified, as they trigger enhanced notification obligations.

Categories and Approximate Number of Data Subjects Affected: The categories of data subjects whose data was compromised — customers, employees, patients, students — and the estimated number of affected individuals. Where data subjects are located outside Kenya, the ODPC notification should identify the countries concerned and the applicable cross-border transfer provisions under Section 49 of the Data Protection Act.

Likely Consequences of the Breach: An assessment of the likely impact on affected data subjects — including risks of identity theft, financial fraud, discrimination, physical harm, or reputational damage. The severity of the consequences determines whether notification directly to data subjects is also required under Section 43(7) of the Data Protection Act No. 24 of 2019.

Measures Taken or Proposed: A description of the technical and organisational measures taken or proposed to contain the breach, recover compromised data where possible, and prevent recurrence. This should reference the Cybersecurity Policy and incident response procedures in place. The ODPC's investigation will assess whether the response was adequate and proportionate.

Notification to Data Subjects: Where the breach is likely to result in high risk to the rights and freedoms of data subjects, the controller must also notify affected individuals directly without undue delay. The notification to data subjects must be in plain language and include the name and contact details of the DPO, a description of the breach, the likely consequences, and the measures taken. The forms-legal.com Data Breach Notification template includes a separate data subject notification letter aligned with the ODPC's requirements.

Timeline of Discovery and Response: A chronological record of when the breach occurred (if known), when it was first detected, when senior management and the DPO were informed, and when the ODPC notification was submitted. This timeline demonstrates compliance with the 72-hour notification window under Section 43(6) of the Data Protection Act No. 24 of 2019 and is the first item the ODPC examines when assessing whether enforcement action is warranted.

Parallel Notifications: Where the breach involves a criminal cyberattack, confirmation that the Directorate of Criminal Investigations (DCI) Cybercrime Unit and the National Computer and Cybercrimes Coordination Committee (NC4) have been notified. For financial institutions, confirmation of simultaneous notification to the Central Bank of Kenya (CBK) or other sectoral regulators as required by applicable Prudential Guidelines.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Breach Notification (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/policies/data-breach-notification-kenya

MLA

"Data Breach Notification (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/policies/data-breach-notification-kenya.

BibTeX
@misc{formslegal-data-breach-notification-kenya,
  author       = {{Forms Legal}},
  title        = {Data Breach Notification (Kenya)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/kenya/business/policies/data-breach-notification-kenya}},
  note         = {Free legal document template}
}

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.