The Kenya Medical Practitioners and Dentists Council (KMPDC) announced the directive on Tuesday, requiring all health facilities—both new and existing—to meet the certification requirements.
The measure aims to bolster confidentiality, regulate data handling, and reduce the risk of breaches involving sensitive patient information.
According to the KMPDC, newly registered hospitals will need the certificate from the Office of the Data Protection Commissioner at the time of registration.
Existing hospitals have been given a grace period of three months, with a compliance deadline of March 31, 2025.
“This prerequisite highlights the grave importance of ensuring patient privacy, which is a core component of medical ethics,” said David Kariuki, KMPDC’s Chief Executive Officer. “By ensuring responsible and lawful handling of personal data, health institutions not only meet regulatory standards but also strengthen patient trust and enhance safety.”
The Data Protection Act, 2019 regulates the processing of personal data to ensure privacy, setting clear guidelines for organizations handling sensitive information.
Healthcare, as a data-heavy sector, has been under growing scrutiny regarding privacy concerns.
The KMPDC, which regulates medical, dental, and oral health practices, emphasized that the move aligns with its broader mission to uphold medical ethics and protect patients.
For hospitals and health facilities, the new certification is not merely procedural but a legal obligation aimed at preventing misuse of patient data, mitigating data breaches, and building trust in Kenya’s healthcare systems.
The Council assured health stakeholders that efforts are underway to ensure a smooth transition.
Facilities yet to comply are urged to begin preparations well ahead of the deadline to avoid penalties.
Kenya’s healthcare sector has witnessed increasing digital adoption, from electronic medical records to telehealth services, amplifying the need for robust data protection measures.