The Office of the Data Protection Commissioner: 100 days later

  • 26 Feb 2021
  • 3 Mins Read
  • 〜 by Francis Monyango

The Office of the Data Protection Commissioner (ODPC) on Wednesday commemorated 100 days since the swearing-in of the first Data Commissioner and the establishment of the Office. On this day, the ODPC launched their Official Logo and Website, the Draft Guidance note of Data Protection Impact Assessment, the Draft Guidance Note on Consent, the Draft Manual on Complaints Management and their Service Charter.

Speaking at the event, PS Esther Koimett said that the Ministry of ICT is committed to ensuring the success of ODPC and, to that end, it has put together a multi-agency Committee to guide in setting up of this Office that is unlike any other established in Kenya to date.

The ODPC Official Logo


ODPC’s vision is to enhance public trust and be an effective personal data protection regulator while its mission is to safeguard data protection rights through provision of oversight, public awareness and promotion of self-regulation.

ODPC’s Core Values are:

  1. To uphold Values of Public Service as set out in Article 10, and in Chapter Six of our Constitution;
  2. To act lawfully consistent with our Constitution, and within duties and responsibilities set out in the Data Protection Act 2019;
  3. Be consultative in style, transparent and responsive to all stakeholders;
  4. To observe the highest standards of impartiality, integrity and objectivity in leading data processing business while maintaining its independence at all times;
  5. To cause to have in place effective systems of internal controls for effective economical and proper performance of the functions of the Office.

Draft Guidance note of Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible. A DPIA may not eliminate such risks altogether but should help to identify and manage them.There is often more than one way of designing a project.

Odpc has developed Guidelines to assist data controllers and data processers understand their obligations under the Act and appreciate the need to undertake a Data Protection Impact Assessment. Further, the guidelines aim to assist data controllers and data processors understand the risks of any processing activities undertaken and know when a Data Protection Impact Assessment is to be carried out and submitted to the Office pursuant to the provisions of the Act.

Draft Guidance Note on Consent

Consent is an essential element of Data Protection legislation and principles. The ODPC has developed guidelines to assist data controllers and data processors understand their duties under the Act and understand and appreciate their obligations as relates to obtaining consent.

Draft Manual on Complaints Management

The ODPC is mandated by law to receive and investigate any complaints by any person on infringements of the rights under the Act. Investigations are supposed to be concluded within 90 days. In light of this, they also published a Manual on Complaints Management.

The aim of the complaints handling manual is three fold:

  1. Provide a step-by-step simplified guide to promote efficiency and effectiveness in complaint’s management at the Office
  2. Provide clarity to improve management of complaints received at all levels commencing at point of lodging complaint, to preliminary enquiries level and transmission to further investigations, to resolving complaints.
  3. Offer fair and better quality coordinated services in managing complaints at Office.

Citizen Service Delivery Charter.

Like most government institutions in Kenya, the ODPC has a Service Delivery Charter. The purpose of the Charter is to:

  1. Enhance the ODPC’s customers’ awareness of the service they provide
  2. Inform their customers the standards of services they should expect from the office
  3. Outline Customer’s rights and responsibilities
  4. Explain rights and responsibilities as service providers
  5. Describe how our customers can lodge complaints and make suggestions about our service delivery.

Shortly after the launch, some privacy advocates called out the ODPC for requiring provision of personally identifiable information when filing a complaint on the website in the absence of a privacy policy.  We look forward to seeing the Privacy policy of the ODPC.