Transparency in Kenya

“The Ministry of Health publishes daily Covid-19 related aggregate statistics on its website and on various social media platforms. This information includes the reported number of Covid-19 tests conducted each day; the reported number of confirmed Covid-19 positive cases; the reported number of persons who test positive for Covid-19 who are foreigners, males and females, the minimum and maximum age of persons who reportedly tested positive for Covid-19 on that particular day; the number of persons who have reportedly recovered from Covid-19; the number of persons who have died from Covid-19; the number of patients who have been admitted nationally to health facilities; the number of patients who are on home based isolation case; the number of patients on ventilatory support; and the number of patients on supplemental oxygen. The aggregate number of new Covid-19 cases is also reported for each Kenyan County.

In terms of the Ministry of Health’s Guidelines for Submission of Covid-19 Testing Data to the National Data Compilation Centre, testing laboratories are required to submit daily aggregate test results using an online platform operated by the to the National Public Health Laboratories. The Targeted Testing Strategy for Corona Virus Disease 2019 (Covid-19) in Kenya requires that all test results, whether positive or negative, should be reported to the head of the National Public Health Laboratories using the prescribed submission template as per the laboratory testing algorithm. Automated reporting systems must also be used by laboratories when they become available. A technical team then verifies the results, which are then reported by the head of the National Public Health Laboratories to the Director General of Health, who then reports to the Cabinet Secretary of Health. “

“The Kenyan government has stated that it has been tracking mobile phones of people suspected to have Covid-19 as a way of enforcing the prescribed mandatory isolation period. In this regard, Section 52 of the Computer Misuse and Cybercrimes Act 5 of 2018 governs the real-time collection of data by police officers or authorised persons when there are reasonable grounds to believe that such data is required for the purposes of a specific criminal investigation, including a contravention of the Covid-19 related laws. Such persons may compel a service provider, within its existing technical capability, to collect or record through application of technical means traffic data in real time or cooperate and assist a police officer or an authorised person in the collection or recording of traffic data, in real-time, associated with specified communications in its jurisdiction transmitted by means of a computer system.

Under the Data Protection Act 24 of 2019, personal data relating to a person’s health status is also classified as sensitive personal data. Section 46 of the Act provides that such data may only be processed by or under the responsibility of a healthcare provider or by a person subject to the obligations of professional secrecy under any law. The processing of the data must be necessary for reasons of public interest in the area of public health or be carried out by a person who, in the circumstances, owes a legal duty of confidentiality. All personal data may only be collected for explicit, specified and legitimate purposes and must also be processed lawfully, fairly and in a transparent manner in relation to any data subject.

According to the draft guidance note issued by the Office of the Data Protection Commissioner regarding Covid-19, responsible parties must collect personal information of an individual for a specific purpose, which in this context is to detect, contain and prevent the spread of COVID19. Any personal Data that requested must also only be that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is requested. Personal data shall not be kept for longer periods than is necessary to achieve the purpose for which it was collected and processed, and the data must thereafter be destroyed. The person responsible shall ensure that the personal data is de-identifiable. Personal data must be processed securely to retain confidentiality and integrity in consistency, accuracy, and trustworthiness over its entire life cycle. Any person who has access to personal data shall be responsible for its protection and must demonstrate that they have put in place proactive mechanism to appropriately safeguard the personal data.

The Public Health (Prevention, Control and Suppression of COVID-19) Rules, 2020 further oblige every owner, occupier of premises, and head of a household, who suspects that any person who is residing at his or her premises is suffering from COVID-19, to notify a medical officer, public health officer or medical practitioner or take that person to a health facility for treatment. Employers are also required to notify a medical officer, public health officer, a medical practitioner or the nearest administrator of any employee suffering from COVID-19.

Motivated in part by the need to facilitate remote learning and work, the President of Kenya has also approved Google Loon services to enable universal 4G data coverage. The Kenya Civil Aviation Authority has signed an agreement with Google Loon that allows Loon Balloons to fly over Kenyan airspace.

The World Bank, in collaboration with the Kenya National Bureau of Statistics and the University of California Berkeley, is also conducting the Kenya COVID-19 Rapid Response Phone Survey to track the socioeconomic impacts of the COVID-19 pandemic and provide timely data to inform a targeted response.

Kenya has also implemented an online system to authenticate and verify laboratory test certificates for travellers. The system is based on the Africa CDC Trusted Travel platform which was developed by PanaBIOS Consortium and Econet Group as a public-private partnership. Travellers may upload their COVID-19 test results online using the system for verification by port health and travel officials.”

“The draft guidance note issued by the Office of the Data Protection Commissioner provides that, to the extent possible, personal data must be collected directly from individuals subject to their express consent. This consent should be obtained in a prescribed form. In this regard, the Data Protection Act requires that consent to the processing of personal data by a data subject must be an express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action.

Any personal data sharing between parties should also be approved by the Office of the Data Protection Commissioner and has to be guided by a valid agreement presumably with the data subject. The agreement should govern nondisclosure, data confidentiality, data protection (including the data destruction technique to be used), a data protection impact statement based, and a data responsibility matrix. Access to personal data must be limited to those who need the information to conduct treatment, research or other responses to address the crisis (or any other relevant exemption). For the applications requesting access to personal data, the concerned person shall publish policies on what information is being collected and with whom the information may be shared. Data that is collected may not be sold to third parties or transferred out of the country without the data subjects’ consent to the transfer. The transfer of personal data to another country should also only take place where sufficient proof has been given to demonstrate that the safeguards with respect to the security and protection of the personal data are sufficient.”

On 27 March 2020, the Public Procurement Regulatory Authority of Kenya issued a circular to provide guidance regarding the procurement activities related to the preventative measures on the spreading of Covid-19. Under Kenyan procurement law, procuring entitles are required to submit mandatory reports to the Public Procurement Regulatory Authority. Executive order No. 2 of 2018 emphasizes publication of all procurement information including tender notices, contracts awarded, suppliers and their directors. In line with this order, the PPRA Public Procurement Regulatory Authority implemented a platform that would avail all this information in one place and made it possible for Procuring Entities to publish it regularly. The online platform is called The Public Procurement Information Portal. Under Kenyan procurement law, accounting officers must conduct all procurement processes with a view of ensuring realization of value for money and economy, and proper utilisation of public resources.

The Ministry of Health’s Covid-19 related data management policy is published as part of the Targeted Testing Strategy for Corona Virus Disease 2019 (Covid-19) in Kenya.

The draft guidance note issued by the Office of the Data Protection Commissioner requires public entities to channel requests for personal data through the relevant agencies. For example, health data shall be sourced from the Ministry of Health; telecommunications data from the Communications Authority of Kenya, transport data from the National Transport and Safety Authority, among others. A person requesting personal data is expected to enter into a data protection and sharing agreement with the entity or person having control of the personal data.

Various government entities who control closed government datasets do not publish aggregated data.

After an extensive desktop search of online information, no information regarding the software or algorithms used to analyse data by the Kenyan government was found.

There is limited information regarding the data collection methods or processes being used by the Kenyan government to assist with contact tracing.

After an extensive desktop search of online information, no published data sharing agreements or related documents were found.

After an extensive desktop search of online information, no instances of parliamentary, judicial or public scrutiny of intra-governmental data sharing was found.