
Kenya-US Health Data Sharing: A $1.6 Billion Deal and What It Means for Your Medical Privacy

Understanding What Was Actually Signed

On December 4, 2025, Kenya signed two interconnected agreements with the United States that will fundamentally impact how your health information is managed and shared for the next seven years. The first is a sweeping Cooperation Framework committing $1.6 billion in U.S. funding (with Kenya contributing an additional escalating amount reaching 50 billion shillings by 2030) to transform Kenya's health system. The second is a Data Sharing Agreement that authorizes Kenya to provide health data to the U.S. Government to support this massive health transformation.


Together, these agreements represent one of the most ambitious health sector partnerships in Kenya's history. They also represent one of the most significant commitments of Kenyan health data to a foreign government ever undertaken. Yet most Kenyans learned about these agreements only after they were signed, with no public consultation and minimal details about what data will be shared, how individual privacy will be protected, or what role Kenya's data protection and digital health regulators played in approving this arrangement.


What the Cooperation Framework Actually Does

The Cooperation Framework is a comprehensive five-year plan covering seven major areas with combined funding exceeding $2 billion:

  1. Surveillance & Outbreak Response ($22.5 million) - Building Kenya's capacity to detect infectious disease outbreaks within seven days and respond within seven days, including funding for field epidemiologists, training 250+ staff annually, and establishing 10 regional Emergency Operations Centers.
  2. Laboratory Systems ($79 million) - Creating a tiered laboratory network spanning 12 national labs, 35 regional labs, and 4,542 county labs, initially funded by the U.S. but transitioning to full Kenyan funding by 2030.
  3. Commodities ($366 million) - Procuring HIV treatments, tuberculosis drugs, malaria interventions, and maternal/child health commodities, with initial 100% U.S. funding transitioning to 100% Kenyan procurement by 2031.
  4. Healthcare Workers ($152 million) - Funding 28,668 healthcare workers initially, transitioning these positions to Kenya's government payroll by 2028.
  5. Data Systems ($175 million) - Building comprehensive digital health infrastructure including hospital management systems, national logistics platforms, public health intelligence systems, disease outbreak modules, laboratory information systems, and a national health cloud.
  6. Strategic Interventions ($747 million) - Programs targeting HIV treatment scale-up, laboratory strengthening, outbreak detection, health workforce development, supply chain modernization, and digital health transformation.

The Framework establishes a Joint Health Framework Steering Committee to oversee implementation and explicitly ties continued U.S. funding to Kenya meeting co-investment benchmarks and performance metrics.


What Data Actually Gets Shared

Section 2.5.8.20 of the Cooperation Framework explicitly states that the U.S. and Kenya will "negotiate a data sharing agreement in line with Paragraph 15 on 'Separate Agreements' for the purpose of implementation of this Framework." The Data Sharing Agreement signed the same day fulfills this commitment.

Based on both documents, the "Covered Data Systems" that will share data include:

  • Surveillance and Outbreak Data - Real-time infectious disease information from the National Public Health Intelligence Information System (NPHIIS), All Disease Outbreak Module (ADAM), Emergency Operations Centers, and the "7-1-7" metric system (detect within 7 days, notify within 1 day, respond within 7 days).
  • Clinical Care Data - Patient information from TaifaCare Hospital Management Information System (HMIS) being deployed to 8,000 health facilities, including laboratory results, pharmacy records, blood transfusion data, and comprehensive clinical information. The Framework requires 50% of clinical encounters loaded in Electronic Health Records within one year and 90% within two years.
  • Laboratory Data - Results from the tiered laboratory network including HIV viral load testing, tuberculosis diagnosis, malaria testing, and biosafety monitoring across thousands of laboratories.
  • Supply Chain Data - Commodity tracking through the National Logistics Management Information System (NLMIS), including real-time inventory levels, distribution data, and consumption patterns for HIV drugs, TB medications, and other health commodities.
  • Performance Metrics - Detailed outcome indicators covering HIV status awareness, antiretroviral treatment coverage, TB notification rates, malaria deaths, vaccination rates, maternal mortality, neonatal mortality, and antenatal care attendance.
  • Financial Data - Co-investment audits tracking Kenya's domestic health expenditure increases against committed benchmarks.

The "To the Maximum Extent Practical" Problem

Article 2(a) of the Data Sharing Agreement contains language that should concern every Kenyan: "To the maximum extent practical, Kenya shall not provide individual level data or personally identifiable information (PII) to the U.S. Government."


This is not an absolute prohibition. "To the maximum extent practical" means that when Kenya or the U.S. determines that sharing individual-level data is "practical" for implementing the Cooperation Framework, they can do so. There are no defined criteria for what makes individual data sharing "practical," no requirement for independent review, and no mechanism for individuals to object.


With TaifaCare HMIS being deployed to 8,000 facilities and the Framework requiring 50-90% of clinical encounters captured electronically, we are potentially talking about millions of individual patient records. Electronic health records typically contain names, identification numbers, addresses, phone numbers, HIV status, tuberculosis diagnosis, pregnancy status, medication regimens, laboratory results, and comprehensive medical histories.


Consider this scenario: An outbreak of a novel pathogen is detected. Under the Framework's 7-1-7 metric, Kenya must notify the U.S. within one day. To effectively respond, epidemiologists might need to trace contacts, analyze demographic patterns, and understand underlying health conditions. Suddenly, sharing individual-level data on everyone tested, their addresses, their HIV status, and their mobile numbers becomes "practical" for outbreak response. Nothing in the agreement prevents this.


What Kenya's Data Protection Act Requires

Kenya's Data Protection Act 2019 establishes fundamental requirements that this arrangement appears to bypass:

  • Lawful Basis for Processing (DPA Section 30) - For health data - classified as "sensitive personal data" - Section 30 generally requires explicit consent or another specified lawful basis such as public health protection under strict conditions. The Data Sharing Agreement does not specify what lawful basis justifies this processing or whether patients will be asked to consent.
  • Purpose Limitation and Transparency (DPA Section 25) - The DPA requires that data be collected for "explicit, specified, and legitimate purposes" and that data subjects be informed. The agreement authorizes use for purposes "consistent with metrics or activities referenced in Paragraphs 1, 2, 4 and 5 of the Cooperation Framework" - requiring Kenyans to read a separate 37-page document to understand what's authorized. Ordinary Kenyans visiting clinics have no idea their health information may be shared with a foreign government.
  • Data Minimization (DPA Section 25) - Only data that is "adequate, relevant, and limited to what is necessary" should be processed. The "maximum extent practical" language inverts this principle, starting from "aggregate data unless individual data is practical" rather than "no individual data unless absolutely necessary."
  • Transborder Data Flows (DPA Section 48) - This is perhaps the most critical issue. Section 48(1) prohibits transferring personal data outside Kenya unless the destination country "ensures an adequate level of protection for the rights and freedoms of data subjects." Section 48(2) provides exceptions only if "appropriate safeguards" exist and "enforceable data subject rights and effective legal remedies" are available. The High Court of Kenya in Federation of Kenya Employers vs. Cabinet Secretary, Ministry of Foreign Affairs and International Relations & 4 others; Law Society of Kenya (Interested Party) - Petition E085 of 2023 [2023] KEELRC 3067 (KLR) provided clarity on Section 48 of the Data Protection Act 2019, making it unequivocally clear that obtaining prior approval from the Data Commissioner is mandatory when transferring sensitive personal data outside Kenya, regardless of whether the data subjects have provided consent or whether any complaints have been raised. Our analysis of this case is titled "Key Takeaways from Kenya’s Precedent-Setting Ruling on Cross-Border Data Transfers."

Has the Office of the Data Protection Commissioner issued an adequacy determination for the United States? No such determination appears in public records. Has the ODPC approved "appropriate safeguards"? The agreement does not mention ODPC involvement. Do Kenyans have "enforceable rights and effective legal remedies" if the U.S. Government misuses their health data? The agreement states disputes will be resolved "through diplomatic channels," explicitly avoiding courts.

  • Data Subject Rights (DPA Sections 38-43) - Kenyans have rights to access their data, correct inaccuracies, and object to processing. How does a Kenyan exercise these rights once their health data is in U.S. Government systems? The agreement is completely silent on this mechanism.

What Kenya's Digital Health Act Requires

Beyond the Data Protection Act, Kenya's Digital Health Act 2023 establishes specific requirements for health information that this arrangement also appears to bypass. The Act created the Digital Health Agency (DHA) as Kenya's specialized regulatory authority for digital health - yet the DHA is conspicuously absent from both agreements.

  • Health Information Belongs to the Patient (Section 8) - The Digital Health Act establishes that health information is owned by the patient, not the government or health facilities. Any sharing of that information should respect patient ownership rights.
  • Informed Consent Requirements (Section 19) - The Act generally requires informed consent before health information can be shared, particularly for secondary uses beyond direct treatment. Nothing in the Data Sharing Agreement indicates how consent will be obtained from patients whose data enters "Covered Data Systems."
  • Licensing of Health Information Systems (Section 24) - The Digital Health Act requires that health information systems be licensed by the DHA. The systems mentioned in the Cooperation Framework - TaifaCare HMIS, NLMIS, NPHIIS, ADAM, eCHIS, LIMS - all fall under this licensing requirement. Has the DHA licensed these systems? Under what conditions? Do the licensing conditions address international data sharing?
  • Standards for Health Information Systems (Section 25) - The DHA is mandated to develop and enforce standards for data quality, interoperability, security, privacy, and data exchange protocols. Before the U.S. invests $175 million in Kenya's digital health infrastructure, the DHA should establish the standards these systems must meet, particularly regarding data security and privacy when data will be shared internationally.
  • Health Information Exchange Governance (Section 28) - The Act gives the DHA authority over health information exchanges - mechanisms for sharing health data between systems. The data sharing arrangement between Kenya and the U.S. is essentially an international health information exchange. The DHA should be authorizing this exchange, setting its conditions, and ensuring it complies with Kenya's digital health standards.
  • Data Localization and Cross-Border Processing (Section 29) - The Act addresses where health data must be stored and under what conditions it can be processed outside Kenya. If Kenyan health data will be transferred to U.S. systems, Section 29's requirements on cross-border data processing should apply, with DHA approval required.
  • Public Participation (Section 6) - The Digital Health Act requires the DHA to "facilitate public participation in the performance of its functions." A data sharing arrangement affecting potentially millions of patients clearly warrants public consultation, which never occurred.



Where Are Kenya's Data Protection Regulators?

The conspicuous absence of both the Office of the Data Protection Commissioner and the Digital Health Agency from key areas of these agreements represents a serious governance failure.


The Missing ODPC Authorization

The ODPC is Kenya's independent authority responsible for enforcing the Data Protection Act. Under Section 24 of the DPA, the ODPC has powers to authorize transborder data transfers when satisfied that adequate safeguards exist.

What the ODPC Should Have Done: Before this agreement was signed, the ODPC should have:

  • Conducted a Transfer Impact Assessment evaluating whether the U.S. provides adequate data protection for health information
  • Required Standard Contractual Clauses imposing data protection obligations on the U.S. Government
  • Mandated a Privacy Impact Assessment identifying risks and mitigation measures
  • Established procedures for how Kenyans can exercise their data protection rights
  • Required public transparency about what systems and data will be shared
  • Secured audit rights independent of diplomatic channels

Critical Question: Was the ODPC consulted before this agreement was signed? Neither document indicates ODPC involvement. If the agreement was concluded without ODPC authorization under Section 48, it may violate the Data Protection Act.


The Missing DHA Oversight

The Digital Health Agency should be at the center of this entire arrangement. Health information systems, health data sharing, digital health infrastructure - these are precisely what the agency was created to regulate under the Digital Health Act 2023.

What the DHA Should Have Done: Before Kenya committed to sharing health data through digital systems, the DHA should have:

  • Conducted a technical review of what systems will be included and what data flows are proposed
  • Licensed each system with specific privacy-protective conditions
  • Set technical standards for secure international data exchange
  • Required privacy-by-design features in all systems built with Framework funding
  • Assessed whether the data sharing is necessary for legitimate health purposes
  • Established mechanisms for patient notification and consent
  • Conducted joint review with the ODPC since their mandates overlap

The Ideal Model: For international health data sharing, both agencies should work together:

  • DHA provides technical assessment: Are the systems sound? Is the sharing necessary for legitimate health purposes? What technical safeguards are needed?
  • ODPC provides data protection assessment: Does this comply with the Data Protection Act? Does the recipient country provide adequate protection? Are data subject rights enforceable?
  • Joint approval required: Both DHA and ODPC must sign off before individual-level health data can be shared internationally

The fact that neither agency is explicitly involved suggests either they weren't consulted (a governance failure), or they raised concerns that were overruled (undermining regulatory independence), or the DHA lacks the capacity to exercise its mandate (meaning Kenya committed to massive digital health transformation before its regulator was ready).


The Audit Provisions: Data About Data

Paragraph 5 of the Cooperation Framework contains extensive audit provisions effectively requiring Kenya to provide the U.S. Government with comprehensive information:

  • Process Metrics Audit - Kenya must provide information needed "to audit the process metrics... in up to five percent (5%) of randomly selected and/or specific health facilities, clinics, labs, or programs." This authorizes U.S. auditors to examine patient records, laboratory results, and clinical processes.
  • Supply Chain Audit - Kenya must provide information "to audit supply chain leakage" of U.S.-funded commodities, requiring comprehensive supply chain data from procurement through final dispensing to patients.
  • Co-Investment Audit - To verify Kenya is meeting commitments to increase domestic health expenditures, Kenya must provide "any information needed to audit any accounts from which or to which co-investment funding is being made" - essentially financial surveillance of Kenya's health budget.
  • Regulatory Compliance Audit - Most concerning, Kenya must provide information "to monitor compliance with applicable law and legal requirements of Kenya, including to confirm no U.S. Government funding is being used for the performance of abortion as a method of family planning." This requires Kenya to open its health programs to U.S. monitoring of compliance with American abortion restrictions - a breathtaking assertion of extraterritorial authority.

Critically, Section 5.7 states that information shared for audit purposes "is expected to be subject to existing laws and regulations of Kenya and concurrence of the Office of Data Protection Commissioner." "Expected to be" is not the same as "shall be" - this is aspirational language, not a binding requirement, suggesting ODPC involvement was anticipated but not actually secured.

The Massive Scale and Real Benefits

To understand what's at stake, consider the scope:

  • Financial: Over $2 billion combined (U.S. and Kenya) over five years
  • Infrastructure: TaifaCare HMIS in 8,000 facilities, comprehensive laboratory networks, national health cloud, multiple integrated digital systems
  • Human Resources: 28,668 U.S.-funded healthcare workers initially, thousands more through strategic interventions
  • Data Systems: Hospital management, logistics tracking, public health intelligence, disease surveillance, laboratory information, and more - all potentially sharing data with the U.S. Government

The benefits are real:

  • Improved Disease Surveillance: The 7-1-7 metric represents a significant upgrade to Kenya's infectious disease monitoring. Early detection saves lives.
  • Strengthened Laboratory Capacity: Moving from external lab dependence to a robust tiered laboratory network enhances Kenya's diagnostic independence.
  • Digital Health Infrastructure: If implemented well, the $175 million investment could dramatically improve health service delivery, reduce stockouts, and enable data-driven decision-making.
  • Universal Health Coverage Progress: The Framework explicitly supports Kenya's UHC goals with digital transformation as a key enabler.
  • Transition to Sustainability: Unlike many donor arrangements creating permanent dependency, this Framework has explicit transition timelines for Kenya to take over funding by 2028-2031.

The Serious Concerns That Cannot Be Ignored

However, several aspects raise fundamental concerns:

  1. Vague Data Sharing Purposes - The agreement authorizes sharing for purposes "consistent with metrics or activities referenced in Paragraphs 1, 2, 4 and 5" - extraordinarily broad language covering essentially the entire health sector. What specific analyses will be conducted? Will U.S. researchers publish papers using Kenyan patient data? Will data inform U.S. foreign policy decisions? The agreement doesn't say.
  2. No Individual Notice or Consent - Nothing indicates that Kenyans will be informed when seeking health services that their data may be shared with the U.S. Government, much less asked to consent. This violates the spirit of the Digital Health Act's Section 19 on informed consent.
  3. Seven-Year Lock-In Without Review - The Data Sharing Agreement lasts seven years with amendments only by "mutual written consent." If Kenya becomes uncomfortable with how data is being used, it must negotiate with the U.S. - a negotiation the less powerful party rarely wins.
  4. Weak Breach Notification - Article 3(b) requires notification of "unauthorized access" but says nothing about authorized uses that exceed agreed purposes, who investigates violations, what penalties apply, or how affected Kenyans are notified.
  5. No Court Accountability - Disputes will be resolved "through diplomatic channels" rather than courts, removing legal accountability and tilting the field toward the more powerful party.
  6. Questionable U.S. Data Protection Standards - The United States lacks comprehensive federal data protection law equivalent to Kenya's DPA. U.S. surveillance laws authorize broad intelligence collection, including on foreign nationals. The Data Sharing Agreement contains no provisions prohibiting intelligence agency access to Kenyan health data.
  7. Performance Incentives Creating Pressure - Section 6.2 establishes "Performance Incentives" - if Kenya achieves certain metrics, it becomes eligible for additional funding. This creates pressure to optimize for measured indicators, potentially at the expense of unmeasured but equally important care, and to share data that enables metric verification.
  8. Transition Risks - The Framework assumes Kenya can absorb $94 million in annual commodity costs, 13,293 healthcare workers' salaries, and ongoing digital system maintenance by 2028-2031. If Kenya cannot meet these commitments, programs may collapse when U.S. funding ends.
  9. Extraterritorial Abortion Monitoring - Section 5.5's requirement that Kenya prove compliance with U.S. abortion restrictions represents supervision, not partnership, establishing the U.S. as overseer of Kenya's reproductive health programs.

What Should Happen Now

Given these concerns, urgent steps are needed:

From the Office of the Data Protection Commissioner:

  1. Immediate Assessment: The ODPC must immediately assess whether this data sharing arrangement complies with Section 48 of the Data Protection Act. If not consulted before signing, the Commissioner should publicly state this and assert the office's authority.
  2. Demand Impact Assessment: Require Kenya to conduct and publish a comprehensive data protection impact assessment covering what specific data will be shared, which systems will be included, privacy risks, and mitigation measures.
  3. Adequacy Determination or Safeguards: Either formally determine that the U.S. provides adequate data protection (unlikely), or require specific contractual safeguards including strict purpose limitations, deletion timelines, prohibition on intelligence sharing, enforceable patient rights mechanisms, and penalties for misuse.
  4. Establish Complaints Mechanism: Create a clear process for Kenyans to complain if their health data has been improperly shared, with the ODPC empowered to investigate and order remedies.
  5. Demand Audit Rights: Secure the right to audit, independently of diplomatic processes, how the U.S. Government handles Kenyan data.
  6. Consider Suspension Order: If adequate safeguards cannot be verified, the ODPC should exercise its power under Section 24(d) to order suspension of data transfer until compliance is achieved.

From the Digital Health Agency:

  1. Assert Regulatory Authority: Issue a public statement clarifying whether the DHA was consulted before these agreements were signed. If not, assert that the DHA has regulatory authority over health information systems and data sharing arrangements.
  2. Conduct Compliance Review: Assess whether the data sharing arrangement complies with the Digital Health Act's provisions on health information protection, informed consent, and international data transfers. Publish findings publicly.
  3. Participate in Defining "Covered Data Systems": Article 2 says Kenya and the U.S. "shall jointly develop a named list of the Covered Data Systems." The DHA should participate in this definition, insist that only licensed systems can be included, require privacy impact assessments for each system, and publish the list once developed.
  4. License Systems with Privacy Conditions: As the Framework's systems are deployed, license each with clear conditions:
     • TaifaCare HMIS: Patient notification at point of care, technical controls preventing unauthorized data export, requirement for aggregate data unless specific justification exists
     • NLMIS: Ensure patient-identifiable information doesn't leak through supply chain data
     • NPHIIS: Strict controls ensuring surveillance data is anonymized before international sharing
     • Laboratory Systems: Link lab results to patients through pseudonyms, not directly identifiable information
  5. Establish Data Governance Framework: Develop comprehensive regulations for the "national health cloud" and data warehouses, specifying who has access to what data, what approvals are needed for data extracts, how data is anonymized for research, and what audit processes prevent misuse.
  6. Monitor Implementation: Participate in the Joint Health Framework Steering Committee, demand regular reports on data sharing, conduct independent technical audits, and review any expansion of "Covered Data Systems."
  7. Coordinate with ODPC: Formalize joint oversight arrangements ensuring both agencies work together on international health data transfers - DHA providing technical assessment, ODPC providing data protection assessment, both required to approve before individual-level data flows internationally.
  8. Build Kenyan Capacity: Use this investment to develop Kenya's own technical capacity - insist that Kenyan staff are trained on all systems, ensure source code and documentation are available to Kenya, build Kenya's capability to independently maintain and expand these systems.
  9. Implement Patient Rights Mechanisms: Create practical ways for Kenyans to:
     • See what health information exists about them in digital systems
     • Know if their data has been shared with the U.S. Government
     • Correct inaccurate health information
     • Object to international data sharing where legally permissible
     • Manage consent for secondary uses like research or international sharing

From the Ministry of Health:

  1. Full Transparency: Publish the complete list of "Covered Data Systems" once developed. For each system, specify what data elements it contains, whether it includes personally identifiable information, what will be shared (aggregate vs. individual), how often, and what security measures protect it.
  2. Patient Notice: Implement clear notices at health facilities informing patients that data from certain systems may be shared with the U.S. Government for public health purposes.
  3. Privacy by Design: As systems are built, incorporate privacy-protective features - pseudonymization, differential privacy techniques, access controls, audit logs tracking every access to personal data.
  4. Annual Transparency Reports: Publish annual reports detailing what data was shared, for what purposes, what results were achieved, any breaches, and how many Kenyans' data was involved.
  5. Amendment Request: Work with the U.S. to amend Article 2(a), changing "to the maximum extent practical" to "shall not provide individual level data except" with clearly defined, narrow circumstances requiring both DHA and ODPC approval.

From Parliament:

  1. Legislative Clarification: Consider amendments to the Data Protection Act or Digital Health Act establishing clearer rules for government-to-government health data sharing, ensuring such arrangements cannot bypass normal regulatory requirements.
  2. Budget Scrutiny: Examine whether Kenya can meet co-investment commitments of 10-50 billion KES over four years without compromising other essential services.
  3. Treaty Approval Review: Determine whether these agreements should have been submitted to Parliament for approval under Article 2(6) of the Constitution.
  4. Oversight Hearings: The Health Committee and ICT Committee should immediately hold public hearings questioning:
     • Cabinet Secretary for Health on why the public wasn't consulted
     • Data Protection Commissioner on whether Section 48 approval was granted
     • Digital Health Agency on whether systems were licensed and standards set
     • Attorney General on legal compliance

From Civil Society:

  1. Public Education: Educate Kenyans about these agreements and their implications for medical privacy.
  2. Legal Challenge: If regulators don't act, consider constitutional petition under Article 22 arguing that data sharing without informed consent violates privacy rights under Article 31, particularly when combined with the right to health under Article 43.
  3. Monitor Implementation: Independently track performance metrics, co-investment transparency, and whether promised benefits materialize.

Questions Every Kenyan Should Be Asking

  1. Which health information systems are "Covered Data Systems"? Until specified, you don't know if data from your HIV test, TB screening, or child's vaccination is being shared.
  2. Will I be notified and can I opt out? If I object to sharing my data with the U.S. Government, can I still access health services?
  3. Was the Data Protection Commissioner consulted? If not, why not? If yes, what safeguards were required?
  4. Was the Digital Health Agency consulted? Did the DHA license these systems? Under what privacy-protective conditions?
  5. What specific purposes will my data serve? Beyond vague references to "surveillance" and "strategic interventions," what exactly will be done with data from Kenyan patients?
  6. How is the data secured? What standards apply in U.S. systems? Who has access? How long is it retained? Can it be shared with U.S. intelligence agencies?
  7. If my data is misused, what recourse do I have? Can I sue? Or am I dependent on diplomatic negotiations?
  8. Can Kenya meet the financial commitments? Where will 10-50 billion KES come from? What gets cut? Do taxes increase?
  9. What happens to U.S.-funded workers in 2028 and patients on U.S.-funded treatment in 2031? If Kenya cannot absorb these costs, what happens?
  10. Why weren't Parliament and the public consulted? This affects millions of Kenyans' health data. Why was there no public participation as required by the Digital Health Act Section 6?

The Fundamental Question: Accountability or Trust?

At its core, this arrangement raises a question: Do you trust that the U.S. Government will use Kenyan health data only for stated purposes? Do you trust that "diplomatic channels" will provide adequate accountability if data is misused? Do you trust that Kenya's negotiators prioritized your privacy?

Trust is important, but in data governance, trust is insufficient. Robust legal protections, transparent processes, independent regulatory oversight, and enforceable rights are what safeguard privacy. Those elements are largely missing here.

The power imbalance is undeniable. The U.S. is providing $1.6 billion. Kenya needs that funding. When one party controls the resources and the other needs them, negotiations are rarely between equals.

But this is precisely why strong legal frameworks exist - the Data Protection Act to protect personal data, the Digital Health Act to regulate health information systems. The independence of the ODPC and DHA is supposed to guarantee that data protection principles aren't sacrificed for economic expedience.

Can This Be Fixed?

These agreements are signed. That's done. But they can be implemented in ways that balance legitimate public health goals with robust privacy protection and Kenyan sovereignty.

The answer is yes - but only with accountability.


The ODPC and DHA must assert their authority. Parliament must exercise oversight. Civil society must maintain scrutiny. And the Ministry of Health must prioritize transparency over secrecy. The data systems in Section 2.5 are being built now. This is the moment to ensure they're built with privacy protections embedded from the start - encryption, access controls, anonymization, purpose limitations. These aren't obstacles to public health; they're essential safeguards enabling ethical public health programs.


The "Covered Data Systems" list hasn't been finalized. This is the moment to insist that only truly necessary systems are included, that individual-level data sharing is the rare exception rather than the default, and that every data flow undergoes privacy impact assessment. But this requires Kenyans to demand accountability. If we accept these agreements without question, if we don't insist on transparency and oversight, we'll get a health system that serves foreign policy goals more than patient welfare.


Your health data tells intimate stories about your life - your HIV status, TB diagnosis, pregnancy, miscarriage, your child's vaccinations, your chronic conditions. These are not just data points; they are profoundly personal facts that deserve protection.


The Kenya-US Cooperation Framework represents massive investment in Kenya's health system. That investment can build digital infrastructure that respects privacy, improves care, and strengthens Kenya's health security. But it can also become a mechanism for extracting Kenyan health data with inadequate safeguards. Which outcome we get depends on whether Kenyans demand accountability now, while these systems are being built, while the Digital Health Agency can still set licensing conditions, while the ODPC can still require safeguards, while there's still time to get it right.


The Data Protection Act and Digital Health Act gave you rights. The ODPC and DHA exist to protect those rights. Parliament has oversight responsibilities. The Constitution guarantees privacy. Now is the time to insist that these are not just words on paper, but protections that actually function when your health data is at stake.

---


The materials on this website are intended to provide a general summary of the law and do not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact or situation.