The Kenya Medical Practitioners and Dentists Council (KMPDC) has announced that all new health facilities will be required to possess a valid Certificate of Data Handler/Processor from the Office of the Data Protection Commissioner (ODPC) starting January 1, 2025.
In a public notice issued on Tuesday, December 17, KMPDC also directed that existing health facilities must obtain the certification by March 31, 2025.
The council explained that the directive aligns with the Data Protection Act, 2019, which regulates the processing of personal data to safeguard individuals’ privacy and mitigate risks associated with data misuse.
“KMPDC wishes to inform all health institutions of a new compliance requirement under the Data Protection Act, 2019. The Act, implemented through the Office of the Data Protection Commissioner (ODPC), mandates the regulation of personal data processing to protect individuals’ privacy and mitigate the risk of data misuse,” the notice stated.
Compliance Deadlines
- New Health Facilities: Must present a valid Certificate of Data Handler/Processor during registration starting January 1, 2025.
- Existing Health Facilities: Required to secure the certification by March 31, 2025.
KMPDC emphasized that the new requirement underscores the critical importance of protecting patient privacy, which is central to ethical medical practice.
“This requirement highlights the critical importance of safeguarding patient privacy, a fundamental aspect of ethical medical practice. By ensuring the responsible and lawful handling of personal data, health institutions not only comply with regulatory standards but also strengthen patient trust and enhance safety,” the council stated.
The council reiterated its commitment to maintaining the highest standards of professionalism, accountability, and respect for individual rights in the healthcare sector.
The directive reinforces the government’s commitment to ensuring that health institutions operate responsibly while fostering patient confidence through enhanced data protection measures.
In the new health scheme Taifa Care, the government, through a proposed Digital Health Information Management Regulations 2024, has integrated patient data across all counties and national hospitals.
In the regulations, all health facilities accredited by SHA will be required to store all patient data collected in the course of diagnosis and any other follow-up check in a National Health Data Bank.
Central to the new framework is the Enterprise Service Bus (ESB). However, there will be two data banks, the National Health Data Bank and the County Health Data Banks.
In the regulations, all health facilities accredited by SHA will be required to store all patient data collected in the course of diagnosis and any other follow-up check in a National Health Data Bank.
Thus, the directive from KMPDC is to align hospitals with other regulations and allow them to hold the data. “This requirement underscores the critical importance of safeguarding patient privacy, a fundamental aspect of ethical medical practice,” stated Kariuki in the notice.
According to the ODPC, there are three categories of registration fees, determined by annual turnover and number of employees. The micro and small entities pay a registration fee of Ksh 4,000, medium entities pay Ksh16,000, and large entities will fork out Ksh40,000.
However, entities with an annual turnover below Ksh5 million or fewer than 10 employees may be exempt from registration.
The application process for a Certificate of Registration takes 14 days. The certificate is valid for 24 months and is renewable.
