Eldoret Hospital Fined Sh525,000 Over Patient Data Breach

NAIROBI, Kenya — The Office of the Data Protection Commissioner (ODPC) has found St. Luke Orthopaedic & Trauma Hospital in Eldoret liable for unlawfully disclosing a patient’s sensitive medical data, in a ruling that reinforces the strict requirements for handling personal health information under Kenyan law.

Data Commissioner Immaculate Kassait ruled in favour of complainant Merceline Akoth Odeyo, who accused the hospital of mishandling her medical records by issuing her with results belonging to a different patient and sharing her data with a third-party laboratory without proper consent.

The determination, issued on March 16, 2026, stated that the hospital had violated key provisions of the Data Protection Act, 2019, including the principles of transparency, consent, and data security.

Complaint and allegations

Odeyo told the ODPC that during two separate hospital visits, she was issued medical results belonging to another individual who shared a similar first name but had a different surname.

She further alleged that her sensitive health information was shared with an external laboratory without her informed consent, exposing her to a breach of privacy and dignity.

She argued that the incident caused her “severe harm, including loss of privacy and dignity through unauthorized disclosure of intimate health information.”

Hospital’s defence

St. Luke Orthopaedic & Trauma Hospital denied unlawfully disclosing patient data, stating that the complainant had been informed that laboratory tests would be outsourced to a third-party facility.

The hospital said samples were sent to an external lab with only minimal identifying information, and that results were later transmitted back to the hospital.

“The Complainant was informed that the services were outsourced to a third-party laboratory and was asked to collect the test results after 2 weeks,” the hospital said in its response.

It further argued that it relied on legitimate interest under the law, stating that the transfer of samples was necessary for medical service delivery.

The hospital also maintained that “the sample was delivered to the referral laboratory by a laboratory technologist from the hospital” and that patient data was protected through internal safeguards.

However, it admitted that an error occurred during processing, describing it as “an isolated case of human error during data reconciliation.”

ODPC findings

In its ruling, the Data Commissioner found that the hospital failed to prove it obtained valid consent for sharing the complainant’s sensitive medical data.

“The Respondent has failed to discharge this burden,” the ODPC stated, noting that no evidence of informed or written consent was provided.

The regulator further held that the hospital’s reliance on legitimate interest was not applicable under Section 45 of the Data Protection Act for processing sensitive data such as health records.

The ODPC also faulted the hospital for failing to properly inform the patient about the processing and sharing of her data.

“It is evident that the Respondent failed to submit evidence that the Complainant was duly notified as per Section 29 of the Act prior to sharing her sensitive personal data with any third party,” the ruling stated.

On the data mix-up, the Commissioner found that the hospital's systems were inadequate to safeguard the accuracy and integrity of patient records.

“The existence of an administrative error demonstrates a failure to implement adequate technical and organisational measures to secure the Complainant’s personal data,” the determination read.

Violation of data protection law

The ODPC concluded that the hospital had violated several provisions of the Data Protection Act, including unlawful disclosure of sensitive health data, lack of transparency, failure to obtain consent, and weak data security controls.

It ruled:

“The Office finds that the Respondent unlawfully disclosed the Complainant’s sensitive health data to a third party without obtaining her explicit and informed consent.”

“That there is a violation of the principle of transparency under Section 25 of the Act and the Complainant’s right to be informed under Section 29.”

Compensation order

As a result, the Data Commissioner ordered the hospital to compensate the complainant Sh 525,000, citing the nature of the breach and the distress caused.

“Having found that the Respondent has failed to prove that it obtained express consent from the Complainant, the Respondent is hereby directed to compensate the Complainant the amount of Sh 525,000,” the ruling stated.

The ODPC noted that the award took into account “the nature and extent of violation, the nature of personal data as regards unlawful processing of the Complainant’s sensitive personal data and the attendant harm.”

The ruling concluded that both parties retain the right to challenge the decision.

“Parties have the right to appeal this determination to the High Court of Kenya within thirty (30) days,” the Commissioner stated.
