Related documents
- Is amended by 24th Annual Supplement

LAWS OF KENYA
DATA PROTECTION ACT
THE DATA PROTECTION (CIVIL REGISTRATION) REGULATIONS
LEGAL NOTICE 196 OF 2020
- Commenced on 16 October 2020
- [Revised by 24th Annual Supplement (Legal Notice 221 of 2023) on 31 December 2022]
Part I – PRELIMINARY
1. Citation.
These Regulations may be cited as the Data Protection (Civil Registration) Regulations.
2. Interpretation.
In these Regulations, unless the context otherwise requires—
"Act" means the Data Protection Act (Cap. 411C);
"authorized officer" means an officer of the civil registration entity who is expressly permitted by the civil registration entity to access the civil registration entity’s database and database system;
"child" has the meaning assigned to it under the Children Act (Cap. 141);
"civil registration" means the continuous, permanent, compulsory and universal recording of the occurrence and characteristics of vital events to the population including registration of births, adoption, marriage and death as provided under the existing laws;
"civil registration entity" means a public agency responsible for administering laws under regulation 3, and includes—
3. Scope of the Regulations.
These Regulations shall apply to a civil registration entity involved in the processing of personal data relating to—
Part II – DATA PROTECTION PRINCIPLES
4. Lawful processing of personal data.
The processing of personal data is lawful, if undertaken pursuant to the Act and in accordance to the provisions of the following laws—
5. Privacy in processing personal data.
A civil registration entity shall take all practical measures to ensure—
6. Consent.
7. Manner of giving consent.
8. Collection of personal data.
9. Limitation in processing of personal data.
Part III – RIGHTS OF A DATA SUBJECT
10. Access to personal data.
11. Rectification of personal data.
12. Objection to processing of personal data.
A data subject who objects to the processing of personal data pursuant to section 26(c) of the Act, shall apply to the civil registration entity in Form 1 set out in the First Schedule.
13. Data portability request.
A civil registration entity shall, upon request in writing by the data subject, provide the data subject with their personal data in a structured, commonly used and machine readable format within thirty days from the date of receipt of the request and upon payment of the required fees.
14. Exercise of data subject rights by others.
15. Processing of Personal data relating to a child.
Part IV – OBLIGATION OF THE CIVIL REGISTRATION ENTITY
16. Duty to notify.
17. Retention of personal data.
18. Notification of breach of personal data.
19. Data protection impact assessment.
20. Responsibilities of Data Protection Officer.
21. Sharing of personal information with public agencies.
22. Automated individual decision making.
23. Internal complaints handling procedure.
Part V – SECURITY SAFEGUARDS
24. Data protection by design or default.
25. Security safeguards of personal data.
A civil registration entity shall put in place security safeguards to ensure that personal data held by them is accessed by authorized persons which include—
26. Database security.
A civil registration entity shall implement restriction of unauthorized access, configuration to prevent distributed denial of service attack or user overload and continuous database backup to enhance database security.
27. Monitoring by the Data Commissioner.
The Data Commissioner may on a periodic basis conduct monitoring and evaluation of security safeguards employed by a civil registration entity.
28. Data security procedure.
29. Database systems and a risk assessment.
30. Physical protection and secure surroundings.
31. Data security in manpower management.
32. Access permission management.
33. Monitoring and documenting access.
34. Documentation of security incidents.
35. Network security.
36. Periodical audits.
37. Data backup and restoration.
38. Transfer of personal data outside Kenya.
Part VII – GENERAL PROVISIONS
39. Reports to the Data Commissioner.
A civil registration entity shall, on annual basis, submit a compliance report to the Data Commissioner.
40. Outsourcing.