Sifuna Emphasises Privacy in Health Matters

Nairobi Senator Edwin Sifuna, the Orange Democratic Movement (ODM) Party's Secretary General, on Tuesday, October 7, 2025, urged Kenyans to exercise courtesy and restraint when discussing individuals' personal health matters. Speaking outside Parliament Buildings in Nairobi, Sifuna underscored the importance of respecting privacy in health, a principle he reiterated multiple times during his address.

This statement comes amidst ongoing public discussions and political developments in Kenya, where health-related information can often become a subject of widespread debate. Sifuna's remarks highlight a growing need for adherence to established legal frameworks governing data protection and individual rights within the country.

Legal Framework for Health Data Protection in Kenya

Kenya's legal landscape provides robust protections for health privacy. The Constitution of Kenya, 2010, in Article 31, guarantees every person the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.

Further solidifying this right is the Data Protection Act, 2019, which serves as the primary legislation for safeguarding personal data in Kenya. This Act classifies health data as 'sensitive personal data,' mandating additional safeguards for its protection. It outlines key principles for processing personal data, including lawfulness, fairness, transparency, accuracy, data minimisation, purpose limitation, storage limitation, security, and accountability.

Complementing these laws is the Health Act of 2017, which specifically governs patient privacy in Kenya and requires healthcare providers to establish robust systems for secure health information management. More recently, the Digital Health Act, enacted in October 2023, further enhances privacy, confidentiality, and security of health data in the context of digital health services, electronic health records, and telemedicine.

Compliance and Enforcement

The Office of the Data Protection Commissioner (ODPC) is responsible for enforcing compliance with the Data Protection Act. Healthcare providers are required to obtain a Certificate of Data Handler and/or Processor from the ODPC. This certification ensures the adoption of robust data management practices, safeguarding sensitive patient information. The Kenya Medical Practitioners and Dentists Council (KMPDC) has also issued a directive, effective January 1, 2025, requiring all new health facility registrations to include this certification, with existing facilities mandated to comply by March 31, 2025.

Patient consent is generally required before disclosing health information to third parties, except in specific legally permitted circumstances, such as court orders. Healthcare facilities must implement strong security protocols, including encryption and access controls, to protect patient data from unauthorised access or breaches.

Stakeholder Perspectives and Implications

Sifuna's call for respect of health privacy aligns with the broader legal and ethical expectations for handling sensitive personal information. Analysts suggest that such pronouncements could influence public discourse and policy implementation, particularly concerning the Social Health Authority (SHA) and its operations. There have been recent concerns regarding alleged misappropriation of funds within the SHA, leading to calls for accountability from various political figures, including Senator Sifuna himself.

The emphasis on privacy is crucial for maintaining trust between patients and healthcare providers, encouraging open communication essential for quality care. Without strong privacy safeguards, patients may hesitate to seek necessary treatment, potentially affecting their health outcomes.

Evidence/Data Box

• Data Protection Act, 2019: Enacted on November 25, 2019, it is Kenya's primary data protection law, enforcing Article 31 of the Constitution.
• Digital Health Act, 2023: Enacted in October 2023, it promotes safe and effective use of technology in healthcare and enhances privacy of health data.
• KMPDC Directive: Effective January 1, 2025, requiring new health facilities to have a Data Handler/Processor Certificate; existing facilities must comply by March 31, 2025.
• Fraudulent Claims: The Association of Kenya Insurers (AKI) estimates that 30% of medical payouts are linked to fraudulent claims.

Unanswered Questions and Next Steps

While the legal framework is clear, the practical implementation and public adherence to health privacy principles remain an ongoing challenge. The extent to which Sifuna's statement will shift public behaviour and media reporting on individual health matters is yet to be seen. Further clarity on the specific mechanisms for reporting and addressing privacy breaches, particularly in the context of public figures, could be beneficial.

What to Watch

Observers will be watching for any policy adjustments or public awareness campaigns that may follow Sifuna's statement. The ongoing efforts by the ODPC and KMPDC to ensure compliance with data protection regulations within the healthcare sector will also be a key area of focus. Additionally, the political discourse surrounding the Social Health Authority and its financial integrity is likely to continue, with potential implications for how health information is managed and discussed publicly.