Introduction

The Data Protection Act of 2019 in Kenya, together with its attendant regulations, lays out a legal framework and guidelines for data controllers and processors on handling personal data in an ethical and responsible manner. One crucial aspect of this legislation is the duty imposed on data controllers and processors when handling minors’ personal data. This article explores the importance of obtaining consent from parents and guardians when handling minors’ personal data and provides a commentary on the recently published Guidance Notes for the Education Sector, with a view to highlighting the necessity of compliance so far as minors’ data is concerned.


Vide a press release on 26th September 2023, the Office of the Data Protection Commissioner issued three (3) penalty notices totalling Kes. 9,375,000 to three data controllers, citing breach of data protection laws. One of those affected is Roma School, an educational institution based in Uthiru. The school was fined Kes. 4,550,000 for posting minors’ pictures without parental consent. The fine goes into history as the first and the highest penalty imposed on an educational facility.

The story of Roma School serves as a cautionary tale, emphasizing the duty of data controllers and processors, especially schools and educational facilities, to obtain proper consent from parents and guardians when handling minors’ personal data. 

It is not unusual for educational institutions to collect and use minors’ data extensively, including admission and enrollment data, academic performance, health information, disciplinary records, promotional materials, newsletters, and social media posts, while remaining oblivious of their data protection obligations.

The data protection regime in Kenya accords special recognition to minors in the context of data privacy. This is because minors are less likely to comprehend privacy policies. They are also more likely to fall prey to data exploitation, unauthorized access, disclosure or loss, cyber-attacks and other security threats.

Key Takeaways from the Guidance Notes for the Education Sector

  • Parental Consent – A minor’s rights can be exercised by a person with parental authority or a guardian. This places the responsibility on data controllers and processors to obtain consent from the legal guardians.
  • Verify the Parental Consent – To make sure parental consent is genuine, it is essential to check that it comes from the actual parent or guardian. This can be done with a signed form, by production and verification of a National ID, or by using electronic signatures. It is required to confirm that the person giving consent is really the child’s parent or guardian, not someone pretending to be them.
  • Verify the Age of the Child – Checking a child’s age is crucial for safeguarding their online privacy. It prevents them from accessing content or services that might harm them. Ways to verify age include entering birthdates, using ID, or using third-party checks.
  • Control Access of the Child – Controls involve things like putting time restrictions on screens, keeping an eye on online behavior, and stopping access to unsuitable content. Examples include device parental controls, social media content filters, and controls in educational technology apps.
  • Publication of Exam Results – Exam results are private, and revealing them without permission can cause embarrassment or stigma for the child. It is important to keep this information confidential and share it only with authorized people. Schools need to get permission from parents before sharing any details about a student.
  • Photography – Sharing children’s photos in education is a big privacy issue. A child’s photo is their personal data, and using or sharing it without permission violates their privacy rights. It is required to get consent from parents before putting up or spreading any child’s photos, especially in public places.
  • Third Party Use – When educational institutions work with vendors or service providers to handle data, they remain responsible as data controllers. Controllers must demonstrate due diligence to establish the vendor’s or service provider’s ability to protect personal data.
  • Mandatory Registration – Educational institutions are subject to mandatory registration regardless of their size and/or their annual turnover or revenue.


The penalty imposed on Roma School highlights the critical importance of obtaining explicit and informed consent from parents or guardians when handling minors’ personal data. Moving forward, it is imperative that schools prioritize compliance with data protection regulations when dealing with minors’ data. 

This article is provided free of charge for information purposes only; it does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set out in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact the Commercial Department at


About the author


Virginiah is a promising transactional advocate specializing in Real Estate and Securitization, Banking and Finance.
