When an organisation appoints a Data Protection Officer (DPO) in Kenya, one of the first questions that tends to arise is whether that officer is bound by the same kind of confidentiality obligations that apply to lawyers. The answer is yes, but with an important distinction. While lawyers enjoy a special form of protection known as legal professional privilege, the duties of a Data Protection Officer are based on statutory and contractual obligations rather than evidentiary shields.
The Kenyan Data Protection Act (KDPA) does not spell out the confidentiality of the DPO’s role in the same way as the European Union’s General Data Protection Regulation (GDPR), which expressly requires DPOs to keep matters secret in the course of their duties. Article 38(5) of the GDPR states that ‘the data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law’.
Confidentiality is firmly embedded in the Kenyan framework. Section 25 of KDPA requires data controllers and processors to safeguard the confidentiality of personal data and places the DPO at the centre of ensuring compliance. In effect, the role naturally carries with it a duty of discretion, reinforced by the fact that most organisations explicitly include confidentiality clauses in a DPO’s contract or appointment letter.
However, a DPO's duty of confidentiality does not equate to lawyer–client privilege. Lawyers are regulated by the Advocates Act, and their professional secrecy is absolute except in rare circumstances such as the prevention of a crime or fraud. This means that what a client tells a lawyer is generally protected from disclosure in court or before regulators. A DPO does not enjoy that same protection. If the Office of the Data Protection Commissioner (ODPC) or a court demands access to a compliance report, a Data Protection Impact Assessment, or an internal breach investigation, the DPO is obliged to provide it. Their confidentiality is therefore a professional duty rather than a shield against disclosure.
Despite this important difference, the practical scope of the DPO’s confidentiality obligation is wide-ranging. In the course of their work, DPOs handle sensitive information on a daily basis. They receive and process complaints and access requests from data subjects, often involving highly private details. They conduct audits and impact assessments that expose weaknesses in an organisation’s compliance framework. They manage communications with regulators that could affect the organisation’s reputation and liability. They also act as a trusted point of contact for staff members who may wish to blow the whistle on poor data practices. In all these cases, discretion is not optional. It is the foundation of the DPO’s role.
The risks of breaching confidentiality are significant. The ODPC has the power under the KDPA to issue fines and enforcement notices. Individuals whose personal data is mishandled can pursue civil claims for compensation. Breaches of confidentiality may also amount to employment or contractual misconduct, potentially leading to dismissal or damages. Perhaps most importantly, any failure to keep matters confidential undermines the trust that is essential to the DPO’s credibility within an organisation and in the eyes of the public.
For these reasons, it is crucial for Kenyan organisations to strengthen the confidentiality framework surrounding their DPOs. This can be achieved through clear contractual clauses in appointment letters, through well-drafted internal policies on the handling of sensitive information, and through regular training that keeps DPOs and their support teams alert to their obligations. Organisations should also ensure that the DPO has sufficient independence by reporting directly to senior management or the board, which helps protect against conflicts of interest and undue pressure to disclose information improperly.
Ultimately, while Data Protection Officers in Kenya do not enjoy the same kind of legal privilege as lawyers, they are nonetheless bound by confidentiality obligations that are no less serious. Their role demands integrity and discretion in handling sensitive data, internal reports, and regulatory interactions. Trust in the DPO is essential for compliance, accountability, and the protection of personal data. In today’s digital economy, where data is both an asset and a risk, confidentiality is not just a legal requirement; it is a cornerstone of public confidence.