For any current or former student, access to complete, accurate, and readily available personal records, be they academic transcripts, degree certificates, or financial clearance letters, is non-negotiable. These documents are the key that unlocks employment, international travel, and career progression. When a learning institution (or a third party like a loan board or payment service) fails to accurately process or timely provide these records, the consequences, from delayed job offers to disrupted postgraduate applications, are immediate and severe.
Under the Data Protection Act, 2019 (the Act), all institutional records containing personally identifiable information constitute personal data. This framework assigns students powerful rights as Data Subjects and mandates rigorous, verifiable duties upon institutions acting as Data Controllers.
This article serves as a crucial guide, detailing the specific rights students must exercise to regain control over their records, and outlining the essential compliance frameworks and timelines institutions are legally required to uphold.
Part I: The Student’s Legal Toolkit - Ensuring Availability and Correctness
When academic or clearance records are inaccurate, unavailable, or difficult to access, students are empowered to demand remedial action by citing fundamental data subject rights. The key focus areas are access, correctness, and timely provision.
1. The Right to Access and Timely Provision
The most immediate right a student has is the Right to Access their personal data in the custody of the data controller or data processor. This is the mechanism for retrieving transcripts, enrollment records, or clearance histories.
The Seven-Day Rule - Data Controllers have a clear statutory timeline for fulfilling access requests. Pursuant to Regulation 9(3)(a) of the Data Protection (General) Regulations, 2021, a data controller or processor has an obligation to provide access to personal data within seven days from the date of the request.
In Jeremy Obano vs. Kenya Airways PLC, the Complainant requested access to a telephone call recording that contained his personal data. The Respondent had the obligation to provide this access within seven days but failed to honour the request. The ODPC noted that the Complainant's request for access to his personal data had never been honoured by the Respondent. This confirms that the seven-day period is a mandatory compliance timeline, and failure to meet it constitutes an infringement.
Action Point for Students: When formally requesting a record (e.g., a transcript or a copy of your application file), cite your Right to Access (Section 26(b)) and clearly state the expectation for provision within seven days (Regulation 9(4)).
2. The Right to Accuracy and Correction
A record is "missing" if its content is misleading, outdated, or fundamentally incorrect, thereby preventing its effective use (e.g., a clearance certificate that shows a default). The Act mandates that personal data must be kept accurate and up to date.
- Right to Correction: The data subject has the right to correction of false or misleading data.
- Right to Deletion: The data subject has the right to deletion of false or misleading data about them.
In Koros Kiprotich vs. Higher Education Loans Board (HELB), the Complainant alleged that despite having cleared all his HELB arrears, his status at the HELB portal still displayed a "default history". The ODPC found that HELB failed to update the Complainant's status and ensure the data was kept up to date and accurate at all material times. This lapse violated the Complainant's right to correction and rectification of personal data. Similarly, in Dr. Bernard Shiaunda vs. NCBA Bank Kenya PLC, the Complainant alleged the bank sent false and misleading information about his bank balances, highlighting the legal risk when data controllers fail to effect necessary changes in records.
Action Point for Students: If an adverse record (such as an incorrect email or a misleading account balance) is identified, demand rectification without undue delay.
3. Addressing Record Loss and Unauthorized Use
Institutions have an obligation to safeguard data, and if a record is used outside its original, legitimate purpose, it becomes an unlawful disclosure or a breach.
Unauthorized Processing (Third Parties) - Educational records are often shared for specific administrative purposes (e.g., admissions, loan processing). If data is collected indirectly (e.g., contact data provided by a third party), the Data Controller must demonstrate the lawful basis for indirect collection. In the financial sphere, cases involving loan apps, such as Daniel Ndambuki vs. Aventus Technology Ltd and Peter Khaemba vs. Aventus Technology Ltd, show that contacts listed as referees or guarantors who were not informed or did not consent had their data unlawfully processed. This applies equally if an institution receives a student’s data from a source like a placement agency (e.g., KUCCPS) without providing notification under Section 29.
Retention Failure and Loss of Data Integrity - When an organization fails to delete data when no longer authorized or needed, it risks future breaches. The case of James Kabiru vs. Safaricom PLC illustrates catastrophic loss of data integrity over time: despite the Complainant exercising his right to deletion upon resignation in 2018, his personal mobile number remained linked to Mt. Kenya University's paybill service for transaction reversals for years. This highlights a failure to erase or destroy without undue delay personal data that the Data Controller is no longer authorized to retain.
The case of Hilda Musimbi Anyama vs. Friends School Keveye Girls High School is a potent example of record loss due to poor handling. The school recorded a video of a minor serving punishment for the stated purpose of collecting real-time evidence to store for future reference. However, the video was subsequently disclosed, leading to widespread exposure of the minor's identity. The failure to ensure the use and disclosure of the minor’s personal data adhered to the original purpose was found to be a violation of the obligations under the Act.
Part II: Institutional Compliance - Frameworks, Tools, and Timelines
Institutions are held accountable not just for the result of data breaches, but for the lack of policies, tools, and technical safeguards that prevent them. To meet the robust expectations of availability, accuracy, and security, Data Controllers must invest in specialized frameworks and strictly adhere to statutory response deadlines.
1. Mandatory Frameworks and Policy Investment
Institutions handling student and employee records must put in place comprehensive legal and institutional mechanisms to protect personal data. These frameworks demonstrate accountability and governance, which are critical mitigation factors.

Section 41(1) of the Act mandates that every data controller or processor implement appropriate technical and organizational measures to implement data protection principles in an effective manner.
- Accuracy/Integrity Tools - Institutions must invest in systems that prevent data errors, particularly when data is moved or synchronized across different platforms. The Respondent (NCBA Bank) in the Dr. Bernard Shiaunda case addressed the issue by engaging the system vendor to fix the sync update between its internal systems (NQEST and T24) so that the system picks only the primary contact, preventing a recurrence. This demonstrates the need for investment in data integration integrity tools.
- Secure Storage and Destruction - Data storage systems must ensure records are secured against unauthorized access, loss, alteration, or destruction. For sensitive data, such as a minor's video record, security measures must be implemented to prevent unauthorized use, access, or disclosure.
- Accountability in Third-Party Processing - Since institutions often use third-party processors (e.g., banks for payment platforms or CRBs for financial clearance), they must establish formal Data Processing Agreements. In the James Kabiru case, the issue arose because Safaricom was not notified by the Interested Party (Mt. Kenya University) of the change in employment status, leading to the data remaining active. Robust communication and system updates between controllers and processors are essential to avoid such records falling through the cracks.
3. Strict Statutory Timelines for Compliance
Data Controllers must adhere to swift, mandatory timelines both in handling data requests and during regulatory investigations.

The principle is clear: if an institution fails to take every reasonable step to ensure that any inaccurate personal data is erased or rectified without delay, it is liable.
When a record is vital for a student's future, timely provision and verifiable accuracy are not optional administrative tasks, but core legal duties.
The complexity of institutional data handling, whether managing academic transcripts or ensuring loan clearance is updated, requires operational excellence that matches the regulatory expectations. For students, understanding these obligations is the fastest way to assert control and ensure their records accurately reflect their achievements and standing.
When an institution’s system fails to update or share the correct data, it is a sign that the technical and organizational safeguards are insufficient, forcing the regulator to step in to enforce the fundamental rights of accuracy and access.
The materials on this website are intended to provide a general summary of the law and do not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact or situation.