How your organisation manages its records isn’t just a matter of efficiency — it’s a matter of legal compliance. Since the enactment of the Data Protection Act (DPA), 2019, all entities handling personal data in Kenya are required to uphold strict standards of security, transparency, and accountability.
Whether your records are stored on paper or in the cloud, your document management practices must now align with the law. Here’s what that means — and how you can start.
What Does the Data Protection Act Require?
The DPA, enforced by the Office of the Data Protection Commissioner (ODPC), governs the processing of personal data. This includes how data is collected, stored, accessed, shared, and ultimately destroyed.
Key principles include:
-
Lawful and transparent processing
-
Purpose limitation (data should only be used for specific, legitimate purposes)
-
Data minimisation (only necessary data should be kept)
-
Storage limitation (data should not be retained longer than needed)
-
Security and confidentiality
Importantly, the Act applies not only to digital records but also to physical files — making document management a central compliance issue.
Paper and Digital Records: What the Law Means in Practice
For Paper Records
Physical files often contain sensitive personal data: employee files, payroll records, customer details, and more. Under the DPA:
-
Files must be securely stored, with access limited to authorised personnel.
-
Retention policies must be clear and documented.
-
Disposal must prevent reconstruction of data — shredding or pulping is essential.
For Digital Records
Electronic data must also be securely maintained. This includes:
-
Controlled access with audit trails.
-
Regular backups and secure cloud storage (preferably with local or DPA-compliant hosting).
-
Accurate digitisation processes that preserve data integrity.
A scanned file is still protected by the DPA — meaning even seemingly minor missteps, like unprotected email attachments or unsecured drives, can amount to violations.
Common Gaps in Compliance
Despite good intentions, many businesses still fall short in areas such as:
-
Leaving personal files in unlocked cabinets or unsecured storage rooms.
-
Lacking policies on retention or destruction.
-
Allowing too many people access to sensitive records.
-
Failing to document who accessed what, and when.
Such gaps not only expose organisations to hefty fines, but also increase the risk of data loss, misuse, or reputational harm.
How The Filing Room Helps You Stay Compliant
Our services are built to support DPA compliance:
-
Secure Off-Site Storage: Files are stored in monitored facilities with controlled access, fire protection, and pest control.
-
Digitisation with Traceability: Barcode tracking ensures every file scanned is traceable. Scan-on-Demand and high-volume digitising offer flexibility without sacrificing control.
-
Certified Destruction: Our secure pulping service ensures personal data is permanently destroyed, with destruction certificates for your records.
-
Onsite Consultancy: We help clients assess current risks, build compliant inventories, and implement clear retention schedules.
We work closely with each client to understand their needs, helping you meet legal standards without disrupting operations.
Getting Started
Complying with the DPA doesn’t have to be complex. Start with these steps:
-
Audit your current records — both physical and digital.
-
Classify what contains personal data and who can access it.
-
Review your retention and destruction policies.
-
Partner with a document management provider who understands DPA requirements.
Final Thoughts
Data protection is now part of doing business in Kenya. Proper records management is no longer just an administrative concern — it’s a legal obligation and a strategic advantage.
By adopting secure, transparent, and well-documented practices, your organisation can meet the requirements of the Data Protection Act while building trust with your staff, clients, and partners.
Why wishful thinking isn’t enough