Social Media Policy (Kenya)
SOCIAL MEDIA POLICY
[Organisation Name] [Organisation Address] BRS No.: [BRS Number] Effective Date: [Effective Date] Next Review Date: [Review Date] Policy Owner: [HR Contact Name] | [HR Contact Email] Approved by: [Approved By] Date of Approval: [Approval Date]
1. Purpose and Legal Framework
[Organisation Name] (the "Organisation") recognises that social media is an integral part of modern communication. This Social Media Policy sets out the rules and standards governing the use of social media by all employees, directors, contractors, interns, and agents (collectively "Personnel") in connection with their association with the Organisation. This Policy is adopted in compliance with: - Computer Misuse and Cybercrimes Act No. 5 of 2018 (CMCA) - Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021 - Employment Act No. 11 of 2007 - National Cohesion and Integration Act No. 12 of 2008 - Defamation Act Cap. 36 - Kenya Information and Communications Act Cap. 411A Violations of this Policy may constitute misconduct or gross misconduct under Section 44 of the Employment Act No. 11 of 2007 and may result in criminal liability under the CMCA.
2. Scope
This Policy applies to: - All Personnel of [Organisation Name], whether permanent, temporary, or contracted - All social media platforms including Facebook, X (Twitter), Instagram, LinkedIn, TikTok, YouTube, WhatsApp, Telegram, and all other current and emerging platforms - All devices — Organisation-provided and personal devices — where use relates to the Organisation, its clients, competitors, or Personnel - Applies outside working hours: [Covers Outside Hours] - Applies to personal devices used for work (BYOD): [Covers Personal Devices]
3. Personal Social Media Use
Personal social media use on Organisation devices during working hours: [Personal Use Policy] Personnel who choose to discuss work-related matters on personal social media accounts must: (a) Make clear that views expressed are personal and do not represent the Organisation. (b) Not disclose confidential information, client data, or internal business matters. (c) Comply with all prohibitions in Section 5 of this Policy at all times.
4. Official Organisation Social Media Accounts
Organisation operates official social media accounts: [Official Accounts Exist] Authorised to post on official accounts: [Authorised Posters] Content approval process: [Content Approval Process] All account credentials must be held in the Organisation's password management system. Access to official accounts must be revoked immediately upon Personnel departure. Unauthorised posting on official accounts constitutes gross misconduct.
5. Prohibited Conduct
The following conduct is prohibited and may result in disciplinary action up to and including summary dismissal: 5.1 CONFIDENTIALITY BREACHES - Disclosing confidential business information, trade secrets, pricing, client data, or internal strategies on any social media platform. Breach may also constitute an offence under Section 16 of the Computer Misuse and Cybercrimes Act No. 5 of 2018. 5.2 FALSE OR MISLEADING INFORMATION - Publishing false or misleading information about the Organisation, its products, services, or personnel. Such conduct is an offence under Section 22 of the CMCA, punishable by a fine up to KES 5,000,000 or imprisonment for up to two years. 5.3 HARASSMENT AND CYBERSTALKING - Using social media to harass, intimidate, threaten, or cyberstalk any colleague, client, competitor, or third party. These constitute offences under Sections 23 and 24 of the CMCA. 5.4 HATE SPEECH - Posting content that constitutes ethnic, racial, or religious hate speech contrary to Section 13 of the National Cohesion and Integration Act No. 12 of 2008. 5.5 DATA PROTECTION VIOLATIONS - Sharing photographs, names, or personal data of colleagues, clients, or other individuals without consent, in breach of the Data Protection Act No. 24 of 2019, s.47. 5.6 OBSCENE MATERIAL - Publishing or sharing obscene, pornographic, or indecent material, contrary to Section 27 of the CMCA. 5.7 DEFAMATION - Making false statements of fact that are defamatory of any person or organisation, contrary to the Defamation Act Cap. 36. 5.8 UNAUTHORISED ACCOUNT ACCESS - Accessing the Organisation's social media accounts without authorisation, or disclosing account passwords or access codes contrary to Section 33 of the CMCA. Additional Organisation-specific prohibitions: [Additional Prohibitions] Grace period for self-reporting accidental disclosures: [Disclosure Grace Period] hours from discovery.
6. Disciplinary Consequences
Violations of this Policy will be dealt with in accordance with the Organisation's disciplinary procedure and Section 41 of the Employment Act No. 11 of 2007 (right to fair hearing before sanction). Minor breach (first offence): [Minor Breach Sanction] Gross misconduct breach: [Gross Misconduct Sanction] Factors considered in determining the appropriate sanction include: the severity of the violation, the extent of actual or potential harm, whether the Personnel member self-reported, the Personnel member's disciplinary record, and whether criminal liability arises under the Computer Misuse and Cybercrimes Act No. 5 of 2018.
7. Reporting Obligations
7.1 Internal Reporting: Personnel who become aware of a suspected Policy violation must report it promptly to [HR Contact Name] at [HR Contact Email]. 7.2 Cybercrime Reporting: Where conduct may constitute a criminal offence under the Computer Misuse and Cybercrimes Act No. 5 of 2018, the Organisation may report the matter to the National Computer and Cybercrimes Coordination Committee (NC4) or the Directorate of Criminal Investigations (DCI). 7.3 Data Breach Notification: Where a social media incident involves a personal data breach, the Organisation must notify the Office of the Data Protection Commissioner (ODPC) within 72 hours under Regulation 12 of the Data Protection (General) Regulations 2021 and must notify affected data subjects without undue delay.
8. Personnel Acknowledgement
I acknowledge that I have read, understood, and agree to comply with the [Organisation Name] Social Media Policy. Full Name: _______________________ Job Title: _______________________ Signature: _______________________ Date: _______________________
Approving Officer
________________
Signature
HR Manager / Policy Owner
________________
Signature
What Is a Social Media Policy (Kenya)?
A Social Media Policy in Kenya records the organisation's binding rules on the matter it addresses.
A Kenya Social Media Policy derives its legal foundation from several overlapping statutes. The Computer Misuse and Cybercrimes Act No. 5 of 2018 (CMCA) is the primary cybercrime statute in Kenya, administered by the National Computer and Cybercrimes Coordination Committee (NC4) under the Ministry of Information, Communications and the Digital Economy. The CMCA criminalises a range of online conduct relevant to social media use: Section 22 prohibits the publication of false information likely to cause public alarm or damage to reputation; Section 23 prohibits cyber harassment; Section 24 prohibits cyberstalking; Section 27 prohibits the publication of obscene material; and Section 33 prohibits the disclosure of passwords and access codes. An employee who violates these provisions while acting in connection with their employment may expose both themselves and the employer to criminal liability.
The Data Protection Act No. 24 of 2019 (DPA), administered by the Office of the Data Protection Commissioner (ODPC), governs the processing of personal data. Social media activity that involves sharing photographs, names, or other identifying information about colleagues, clients, or third parties constitutes processing of personal data under Section 2 of the DPA. An employee who posts such information without authorisation may breach the employer's obligations as a data controller under Section 25 of the DPA, and the employer may be liable to regulatory action by the ODPC.
The Employment Act No. 11 of 2007 governs the employment relationship in Kenya and underpins the disciplinary framework within which a Social Media Policy operates. Section 44 of the Employment Act lists gross misconduct, which includes wilful disobedience of a lawful and reasonable order given by the employer — such as an instruction not to disclose confidential business information on social media. Section 41 requires that before any disciplinary action is taken, the employee must be informed of the alleged misconduct and given a fair hearing.
The Defamation Act Cap. 36 and the common law of defamation as applied in Kenya through the courts govern false statements of fact that injure a person's or organisation's reputation. A social media post by an employee that makes false and defamatory statements about a competitor, supplier, client, or colleague may give rise to a defamation claim against both the employee and the employer under the principle of vicarious liability where the post was made in the course of employment.
The National Cohesion and Integration Act No. 12 of 2008 administered by the National Cohesion and Integration Commission (NCIC) prohibits hate speech and incitement to discrimination on social media platforms. Section 13 of the Act makes it an offence to use threatening, abusive, or insulting language that is likely to stir up ethnic hatred. Employees who post such content on personal social media accounts face prosecution under the NCIC Act, and the employer must have a policy making clear that such conduct is contrary to company values and will result in disciplinary action up to and including summary dismissal.
Kenya's Social Media Policy landscape is also shaped by the Kenya Information and Communications Act Cap. 411A, administered by the Communications Authority of Kenya (CA), which regulates electronic communications including content transmitted over online platforms. The CA has issued the Kenya Information and Communications (Consumer Protection) Regulations 2010 and the proposed Online Content Regulations that impose content moderation obligations on platform operators and, indirectly, on employers who operate branded social media accounts.
When Do You Need a Social Media Policy (Kenya)?
A Social Media Policy in Kenya is needed by every organisation that employs staff or engages contractors who use social media — which in practice means every business operating in the Kenyan market today. The ubiquity of smartphone use and mobile internet access in Kenya, with over 65% internet penetration and over 11 million active social media users according to the Communications Authority of Kenya's sector statistics, means that the risks of unregulated employee social media use are substantial.
A Social Media Policy is needed when a business wants to protect its confidential information and trade secrets. Employees routinely share information about clients, pricing, internal processes, and business strategies on personal social media accounts, sometimes without appreciating that such sharing constitutes a breach of their contractual duty of confidentiality. A clear policy, signed by the employee, establishes the legal basis for disciplinary action under Section 44 of the Employment Act No. 11 of 2007 and for a civil injunction to prevent further disclosure under the Law of Contract Act Cap. 23.
A Social Media Policy is required when a business operates branded social media accounts managed by employees. Without a policy, the business has no clear rules on who is authorised to post, what content is permissible, how complaints are handled, and what happens to account credentials when an employee leaves. Access disputes over company social media accounts have been litigated before the Employment and Labour Relations Court as intellectual property and employment claims.
A Social Media Policy is needed when an employer wants to manage reputational risk. A single employee post criticising a client, disclosing internal financial difficulties, or making offensive statements can go viral and cause lasting damage to the employer's brand. The policy sets out consequences for reputational harm and makes clear that the employer does not endorse the employee's personal social media views.
A Social Media Policy is required as part of compliance with the Data Protection Act No. 24 of 2019. Where employees process personal data of customers, patients, students, or other data subjects as part of their work, the policy must include specific rules on social media conduct that could involve such data — for example, prohibiting the photographing of patients in a hospital setting or the sharing of client names in a professional services context.
A Social Media Policy is needed by public benefit organisations (PBOs) registered under the Public Benefit Organisations Act No. 18 of 2013, government contractors, and regulated entities such as banks supervised by the Central Bank of Kenya and insurance companies supervised by the Insurance Regulatory Authority (IRA), all of which face enhanced regulatory scrutiny of their communications including social media output.
What to Include in Your Social Media Policy (Kenya)
A Kenya Social Media Policy under the Computer Misuse and Cybercrimes Act No. 5 of 2018 and the Data Protection Act No. 24 of 2019 must contain the following elements to be legally effective and practically enforceable.
Scope and Application: A clear statement that the policy applies to all employees, directors, contractors, interns, and agents of the organisation — on all devices (personal and employer-provided) — where social media use relates to the organisation, its clients, competitors, or colleagues, or where the employee identifies themselves as being associated with the organisation. The policy must also state that it applies outside working hours when the conduct has a sufficient connection to the employment relationship.
Permitted and Prohibited Conduct: An explicit list of prohibited activities, including: disclosing confidential business information, trade secrets, or client data without authorisation (breach of Section 44 of the Employment Act and potential criminal liability under Section 16 of the Computer Misuse and Cybercrimes Act No. 5 of 2018); posting false or misleading information about the organisation, its products, or competitors (Section 22, CMCA); engaging in harassment or cyberstalking of colleagues or clients (Sections 23 and 24, CMCA); posting content that constitutes ethnic or religious hate speech contrary to the National Cohesion and Integration Act No. 12 of 2008; sharing photographs or personal data of colleagues, clients, or third parties without their consent (Data Protection Act No. 24 of 2019, s.47); and accessing the organisation's social media accounts without authorisation.
Personal Social Media Use: A statement on whether personal social media use is permitted during working hours and on work devices, and any restrictions that apply — for example, a prohibition on accessing personal social media accounts on corporate network connections during business hours.
Official Social Media Accounts: The procedure for creating, managing, and posting on official organisational accounts, including who is authorised to post on behalf of the organisation, the approval process for content, and the brand guidelines that apply. Account credentials must be managed through a password management policy, and access must be revoked immediately upon an employee's departure under the organisation's offboarding procedure.
Data Protection Compliance: Rules on handling personal data encountered on social media in accordance with the Data Protection Act No. 24 of 2019 and the Data Protection (General) Regulations 2021 published by the Office of the Data Protection Commissioner (ODPC). Employees must not share, download, or repurpose personal data of clients, colleagues, or other individuals encountered through social media without a lawful basis under Section 30 of the DPA.
Disciplinary Consequences: A clear statement that violations of the policy constitute misconduct or gross misconduct under Section 44 of the Employment Act No. 11 of 2007, with a range of sanctions from a formal written warning to summary dismissal depending on the severity of the breach. All disciplinary proceedings must comply with the fair hearing requirement of Section 41 of the Employment Act.
Reporting Obligations: A procedure for employees to report suspected policy violations, cybercrime incidents, or data breaches — including reporting to the National Computer and Cybercrimes Coordination Committee (NC4) as required under Section 36 of the Computer Misuse and Cybercrimes Act No. 5 of 2018, and to the Office of the Data Protection Commissioner (ODPC) within 72 hours of a personal data breach under Regulation 12 of the Data Protection (General) Regulations 2021.
Policy Review: A statement that the policy will be reviewed at least annually and updated to reflect changes in the law, social media platforms, and organisational needs. The forms-legal.com Kenya Social Media Policy template covers all mandatory elements required under the Computer Misuse and Cybercrimes Act No. 5 of 2018, the Data Protection Act No. 24 of 2019, and the Employment Act No. 11 of 2007.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Social Media Policy (Kenya) (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/policies/social-media-policy-kenya
"Social Media Policy (Kenya) (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/policies/social-media-policy-kenya.
@misc{formslegal-social-media-policy-kenya,
author = {{Forms Legal}},
title = {Social Media Policy (Kenya) (Kenya)},
year = {2026},
howpublished = {\url{https://forms-legal.com/kenya/business/policies/social-media-policy-kenya}},
note = {Free legal document template}
}Also available for these jurisdictions:
Frequently Asked Questions
Yes, a Kenya employer can discipline an employee for personal social media posts where the post has a sufficient connection to the employment relationship and causes harm to the employer's legitimate business interests. The Employment Act No. 11 of 2007 does not limit the employer's disciplinary authority to conduct at the workplace — Section 44 lists wilful disobedience of lawful orders and gross misconduct as grounds for summary dismissal without notice, and a clear Social Media Policy constitutes a lawful and reasonable order that employees are bound to obey as a term of their employment. The Employment and Labour Relations Court has upheld dismissals of Kenyan employees for social media posts that disclosed confidential information, made defamatory statements about clients, or brought the employer's reputation into disrepute — provided the employer followed the fair hearing procedure under Section 41 of the Employment Act before imposing the disciplinary sanction. An employer who proceeds to dismiss without a fair hearing risks a finding of unfair termination and a compensation order of up to twelve months' gross pay under Section 49 of the Employment Act, even if the misconduct itself was genuine.
The Computer Misuse and Cybercrimes Act No. 5 of 2018 (CMCA) creates several criminal offences directly relevant to social media conduct in Kenya. Section 22 makes it an offence to publish false information with the intent to deceive or to cause panic, chaos, or damage to reputation — punishable by a fine not exceeding KES 5,000,000 or imprisonment for up to two years, or both. Section 23 criminalises cyber harassment — using social media to convey threatening or intimidating messages — with a fine up to KES 20,000,000 or imprisonment up to ten years. Section 24 criminalises cyberstalking, including persistent unwanted contact via social media. Section 27 prohibits publishing obscene material online. Section 27A (added by amendment) addresses non-consensual sharing of intimate images (revenge porn) — a significant workplace concern. Section 33 prohibits disclosure of passwords and access credentials. Separately, the National Cohesion and Integration Act No. 12 of 2008 criminalises hate speech under Section 13, and the Defamation Act Cap. 36 provides civil remedies for defamatory social media posts. Employees prosecuted under the CMCA may also face dismissal under the employer's Social Media Policy and the Employment Act No. 11 of 2007.
Yes. The Data Protection Act No. 24 of 2019 (DPA) applies whenever a person processes personal data — and social media activity that involves sharing names, photographs, contact details, or other identifying information about individuals constitutes processing of personal data under Section 2 of the DPA. An employee who posts photographs of colleagues, shares client names, or reveals details of another person's health, finances, or private life on social media without consent is processing sensitive personal data without a lawful basis under Section 30 of the DPA, exposing both themselves and the employer (as data controller) to regulatory action by the Office of the Data Protection Commissioner (ODPC). The Data Protection (General) Regulations 2021 require data controllers to implement appropriate organisational measures to prevent unauthorised processing — and a written Social Media Policy communicated to all employees is a core component of those organisational measures. Failure to maintain such a policy may constitute a breach of the DPA's accountability principle under Section 25(2)(h) and may be cited by the ODPC in a regulatory investigation.
Monitoring of employee social media accounts in Kenya is permissible within limits set by the Data Protection Act No. 24 of 2019, the Kenya Constitution 2010, and the Employment Act No. 11 of 2007. Article 31 of the Constitution of Kenya 2010 protects the right to privacy, including the right not to have the privacy of communications infringed. An employer who secretly monitors a public-facing personal social media account may rely on the fact that the information is publicly visible, but covert monitoring of private messages, direct messages, or password-protected accounts without consent would likely breach the DPA's data processing principles under Section 25 and the constitutional right to privacy. A transparent Social Media Policy that informs employees that organisational devices and network connections are subject to monitoring, and that public social media posts relating to the organisation may be reviewed, provides the notice necessary to reduce privacy claims. The policy must be communicated clearly before monitoring begins — surprise monitoring is particularly vulnerable to challenge before the Employment and Labour Relations Court as a breach of the duty of trust and confidence implied into every employment contract under Kenyan common law.
When a Kenya employer discovers a Social Media Policy violation, the response must follow the disciplinary procedure mandated by Section 41 of the Employment Act No. 11 of 2007 to avoid an unfair termination finding. The employer should first preserve evidence — screenshot the offending post with a timestamp and URL before it is deleted. The employer should then assess the severity of the violation: a first minor breach (e.g. Posting mild criticism of the company) may warrant a written warning, while gross misconduct (e.g. Disclosing client data, posting criminally offensive content) may justify summary dismissal. Before any sanction is imposed, the employer must notify the employee in writing of the specific allegation, give the employee reasonable time to prepare a response, and conduct a fair hearing at which the employee may present their case. Where the violation also constitutes a criminal offence under the Computer Misuse and Cybercrimes Act No. 5 of 2018 — for example, publication of false information under Section 22 — the employer should consider whether to report the matter to the National Computer and Cybercrimes Coordination Committee (NC4) or the Directorate of Criminal Investigations (DCI). Where personal data has been breached, the employer must notify the Office of the Data Protection Commissioner (ODPC) within 72 hours under the Data Protection (General) Regulations 2021.
Yes. A Kenya Social Media Policy should explicitly address WhatsApp, Telegram, Signal, and other instant messaging applications because they are among the most widely used communication tools in Kenyan workplaces and carry the same legal risks as publicly visible social media platforms. WhatsApp groups — including staff groups, client groups, and industry groups — are a primary channel through which confidential business information is inadvertently or deliberately shared in Kenya. The Computer Misuse and Cybercrimes Act No. 5 of 2018 applies equally to messages sent via WhatsApp as to posts on Facebook or X: Section 22 (false information), Section 23 (cyber harassment), and Section 33 (unauthorised disclosure of access codes) are all capable of being committed via messaging apps. The Data Protection Act No. 24 of 2019 applies to personal data shared through messaging apps, including photographs, voice notes, and documents containing client information. The policy should address: the use of official WhatsApp Business accounts, the prohibition on adding clients or colleagues to personal groups without consent, the requirement to promptly report any accidental disclosure of confidential information received via messaging apps, and the prohibition on forwarding internal documents via personal messaging apps on personal devices without encryption or authorisation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Cybersecurity Policy (Kenya)
A Kenya Cybersecurity Policy setting out an organisation's rules for protecting information systems, networks, and data, compliant with the Computer Misuse and Cybercrimes Act No. 5 of 2018 and the Data Protection Act No. 24 of 2019.
Employee Handbook (Kenya)
A Kenya Employee Handbook setting out workplace policies, conduct standards, and statutory entitlements under the Employment Act No. 11 of 2007, OSHA No. 15 of 2007, and the Data Protection Act No. 24 of 2019.