In 2024, Kenya took another major step in tightening its data governance framework with the introduction of the Computer Misuse and Cybercrimes (Amendment) Act. The new law expands how data security, access, and accountability are defined — and the implications reach far beyond IT departments.

For any organisation that stores, processes, or handles information — whether in digital or paper form — compliance now means more than simply preventing hacks. It’s about proving that every piece of information under your care is protected, traceable, and responsibly managed.

At The Filing Room, we view this as part of a broader shift: cybersecurity is no longer just a technical issue, but a records management one.

Understanding the 2024 Cybercrime Amendment Act

The 2024 amendments strengthen Kenya’s existing Computer Misuse and Cybercrimes Act, 2018 to reflect the evolving digital environment.

Key updates include:

  • Expanded definitions of “access” and “data” — The Act now covers both physical and digital information systems, making organisations accountable for how they store and protect all forms of data.

  • Tougher penalties — Businesses and individuals face heavier fines and criminal liability for breaches involving unauthorised access, data tampering, or identity misuse.

  • Audit trails and accountability — Entities must now demonstrate who accessed data, when, and for what purpose.

  • Critical Information Infrastructure (CII) — Sectors such as banking, law, insurance, and NGOs handling sensitive client or financial records may fall under CII, requiring enhanced controls and documentation.

Although this legislation focuses primarily on digital environments, its principles apply equally to any form of stored information. A misplaced file in an unsecured office can carry the same reputational and legal risk as a leaked database.

(Sources: Kenya Law, CIPIT – Strathmore University, Oraro & Co Advocates)

What this means for document storage

1. Digital Records
Organisations must secure their servers, databases, and cloud archives with restricted access and reliable backup systems. The law now expects businesses to maintain full logs of document retrieval, sharing, and modification.
Failure to demonstrate these controls can expose an organisation to both financial penalties and criminal liability.

2. Physical Records
While the law’s language is digital-first, physical documents often contain equally sensitive information: client records, payroll files, legal contracts, and identification data.
These must be stored in controlled environments, with clear documentation of access and retrieval. Losing or mishandling a paper record that contains personal data can amount to a data breach under both the Data Protection Act (2019) and the Cybercrimes Act (2024).

How The Filing Room helps you stay compliant

With over 25 years of experience serving Kenya’s financial institutions, law firms, NGOs, and corporates, The Filing Room provides integrated records management solutions that meet modern data protection and cyber compliance requirements.

Secure Off-Site Storage
Facilities equipped with CCTV, fire and flood protection, pest control, and restricted access ensure that physical records remain safe, traceable, and fully auditable.

Digitisation and Indexing
Each file is barcoded, scanned, and catalogued for precise traceability. Digital archives allow for instant retrieval while maintaining a complete access history.

Chain of Custody Documentation
Every file movement is logged from pickup to retrieval, creating a verified record trail to demonstrate compliance during audits or investigations.

Certified Destruction
Expired or obsolete files are securely destroyed through an audited pulping process, ensuring that no sensitive information can be reconstructed.

Records Consultancy
Our team helps organisations develop retention schedules, access policies, and security frameworks that align with Kenya’s evolving regulatory landscape — including DPA and the 2024 Cybercrime Amendment Act.

Practical steps businesses should take now

  1. Audit your current records systems — Identify where information lives (both physically and digitally) and assess who has access.

  2. Strengthen access controls — Restrict and document file access to authorised personnel only.

  3. Digitise critical records — Secure digital archives reduce physical handling and enable complete audit trails.

  4. Update your retention and destruction policies — Align with both DPA and Cybercrime Act requirements.

  5. Train your staff — Awareness is the first line of defence against internal breaches or misuse.

Final thoughts

The Computer Misuse and Cybercrimes (Amendment) Act, 2024 signals a new era of responsibility for Kenyan organisations. Protecting data now extends beyond IT infrastructure to every layer of record management.

Whether your archives are physical, digital, or hybrid, the same principle applies: information must be secured, traceable, and responsibly managed.

The Filing Room provides the systems, facilities, and expertise to help your organisation meet these standards — ensuring your records are not only compliant but defensible.

📧 info@filingroomkenya.com
📞 +254 20 2663263
🌐 filingroomkenya.com