Protecting sensitive personal health data: An examination of Kenya’s Digital Health Bill

  • 4 Sep 2023
  • by Kennedy Osore

In Kenya, the Digital Health Bill for 2023 has emerged as a crucial stride in safeguarding sensitive personal information and ensuring the responsible handling of health data. Yet, just like with any set of rules, it’s vital to carefully examine its contents in relation to best practices. We examine the privacy, security, and confidentiality aspects outlined in the Bill, drawing comparisons to regulations in other nations. By doing so, we aim to shed light on potential gaps and challenges and suggest ways to enhance the proposed legislation.

Data security and privacy have become paramount in the digital age, especially in the healthcare sector where sensitive personal health information is at stake. The Digital Health Bill outlines measures to ensure the confidentiality, privacy, and security of sensitive personal data within the healthcare system. While this is commendable, it is important to benchmark these provisions against global standards to ensure they effectively mitigate risks.

Comparative Analysis

Several countries have implemented similar legislation to protect sensitive health data. Let’s examine a few examples and the challenges they’ve faced, shedding light on areas where Kenya’s regulatory regime could be enhanced.

  • European Union (EU) General Data Protection Regulation (GDPR)

The GDPR establishes extensive rules for safeguarding personal data, encompassing health-related information as well. While implementing the GDPR, a notable hurdle emerged in achieving uniform compliance across EU member states. In Kenya, there already exists a Data Protection Act and corresponding regulations. Learning from the EU’s strategy of aligning data protection laws, Kenya can seek to ensure consistency and reduce ambiguity among stakeholders.

  • United States Health Insurance Portability and Accountability Act (HIPAA)

HIPAA enforces the safeguarding and privacy of health data. However, a challenge experienced under HIPAA is the ever-evolving landscape of technology and associated risks, demanding an ongoing enhancement of security measures. Kenya’s Digital Health Bill should exhibit a forward-looking approach, capable of embracing technological progress and addressing emerging threats.

  • India’s Personal Data Protection Law

India’s legislation aims to establish a comprehensive framework for data protection. A challenge here lies in balancing data utilisation for research and public health purposes while safeguarding individual rights. Kenya should strive for a nuanced approach that promotes data utilisation for public benefits while ensuring individual privacy.

Gaps in the Digital Health Bill

While Kenya’s proposed legislation addresses critical aspects of data security and privacy, there are potential gaps that need attention.

  • Data Breach Notification

The Bill does not establish a precise mandate for promptly notifying the appropriate authorities and the affected individuals of data breaches. There is also ambiguity as to whether breaches should be reported to the Data Protection Commissioner or to the Cabinet Secretary, who holds custodianship of health data under the Bill. In contrast, the Data Protection Act requires notifying both the Data Commissioner and the affected data subjects. Introducing a provision that enforces prompt notification of data breaches would contribute to transparency and enable individuals to take appropriate measures.

  • International Data Transfers

As the healthcare sector increasingly operates on a global scale, the Bill should include provisions on international data transfers. Defining safeguards for cross-border data flows and adhering to international standards can prevent data compromise.

  • Data Retention Period

While the Bill specifies a minimum retention period for data, it is crucial to define clear guidelines for the disposal of data after the retention period. Ambiguity in this area could lead to inadvertent data retention and potential privacy breaches. It is expected that these guidelines will be introduced through regulations.

  • Consent Mechanisms

The Bill emphasises informed consent, but it could benefit from specifying standardised formats for obtaining and recording consent. Clear consent mechanisms can enhance clarity and minimise misunderstandings between data subjects and data controllers.

  • Technological Security Measures

While the Bill touches on security measures, it could provide more comprehensive guidance on implementing modern technological safeguards, such as encryption, intrusion detection, and regular security audits.

Conclusion

The provision in the Digital Health Bill 2023 geared towards ensuring security, privacy, and disclosure of health data is a significant stride towards safeguarding sensitive personal data. However, to create a robust regulatory framework that aligns with best practices, it is essential to address potential gaps and challenges. By learning from the experiences of other countries, Kenya can refine its legislation to better protect individual rights, facilitate data-driven research, and foster public trust in the healthcare system. As technology evolves and data privacy concerns intensify, crafting forward-looking legislation is paramount to ensuring the responsible and secure management of health data in the digital age.