By

Njoki Kimemia

Legal and Data Protection Associate

South End Tech Limited

DATE:  May 31, 2023

The Kenya Data Protection Act of 2019 and its subsidiary legislations apply to research. For example, Section 55 of the Act allows the data controller or processor the right to collect, use and process data in a permitted health situation so long as the collection of health information to provide a health service; (b) the collection, use, or disclosure of health data is for health research and related purposes. However, neither rights nor general principles of research ethics can simply be ignored and this generates exemptions to some rights in a research context. So what do researchers need to know?

1. Informed Consent: Researchers must obtain informed consent from participants before collecting and processing their personal data. Participants should be provided with clear and understandable information about the purpose of the research, how their data will be used, potential risks, and their rights regarding data protection. Consent should be voluntary, and individuals should have the option to withdraw their consent at any time.” (section 4(1)
2. Data Minimization: Researchers should practice data minimization by collecting and processing only the necessary personal data required for research purposes. Unnecessary or excessive data should not be collected, and steps should be taken to de-identify or anonymize data whenever possible to protect individuals’ privacy.
3. Data Security: Researchers have a responsibility to implement appropriate security measures to protect the personal data they collect. This includes ensuring secure storage, access controls, and encryption of sensitive data. Adequate safeguards should be in place to prevent unauthorized access, data breaches, or accidental disclosure.

• Confidentiality and Anonymity: Researchers should maintain confidentiality and protect the anonymity of participants whenever possible. Personal data should be stored and analyzed in a way that prevents the identification of individuals unless explicitly consented to or required by law.
• Purpose Limitation: Researchers should ensure that the personal data collected is used solely for the stated research purposes. Data should not be used for unrelated activities or shared with third parties without appropriate consent or legal justification.
• Data Retention and Disposal: Researchers should establish clear policies for data retention and disposal. Personal data should be retained only for as long as necessary to fulfill the research objectives and comply with legal requirements. Once the data is no longer needed, it should be securely deleted or anonymized.
• Research Ethics Review: Depending on the nature and scope of the research, ethical review boards or committees may need to assess and approve research proposals involving personal data. These review processes ensure that research is conducted ethically and in compliance with relevant regulations and guidelines.
• Transparency and Reporting: Researchers should be transparent about their research methods, data collection, and data handling practices. Findings should be reported accurately, and any limitations or potential biases should be disclosed.
• Compliance with Data Protection Laws: Researchers must comply with applicable data protection laws and regulations in Kenya, such as the Data Protection Act, 2019. Familiarity with legal requirements and incorporating them into research protocols is essential.
• Researcher Accountability: Researchers are accountable for the ethical conduct of their research. They should adhere to professional standards and guidelines, seek necessary approvals, and maintain appropriate records and documentation.

Adhering to research ethics in data protection promotes the responsible and ethical use of personal data in research activities in Kenya