Of Children, Data Privacy and Safety

Published On - February 20, 2026

EA Blog, Cybersecurity, Education

Working as a communications consultant in the edtech space means that my daily work is underpinned by data; images of children coding in community libraries, videos of read-aloud sessions, email addresses of parents, feedback forms from teachers, attendance sheets, and testimonials.

Before the training I attended, I understood data as something functional, necessary for reporting, storytelling, evaluation, and visibility, but during the two-day data protection training hosted by Amnesty International Kenya in collaboration with Watoto Watch Network on 11th–12th February, I gained a new perspective as a data handler. 

We explored what data truly means: information collected for a specific purpose or output. We learnt the terminology that frames responsibility:

  • Data subject – the individual whose data is being collected.
  • Data processor – the person or organisation processing the data.
  • Data controller – the person or organisation that determines why and how data is processed.

In my work, a child attending a robotics programme is a data subject, and so is a parent signing a consent form or a teacher filling in an evaluation form. In many cases, I or the organisation I represent become both data processor and data controller.

Laws that back up data handling and processing

Kenya’s data protection framework is anchored in the Constitution and legislation. Article 31 of the Constitution of Kenya guarantees the right to privacy. The Data Protection Act operationalises this right, outlining how personal data should be collected, processed, stored, and shared. The Children’s Act further protects the dignity and privacy of children.

Oversight lies with the Office of the Data Protection Commissioner (ODPC). Organisations and CSOs are required to register, with an initial registration fee (currently KES 4,000) and renewal every two years (KES 2,000). There are exemptions for organisations earning less than KES 5 million annually and employing fewer than 10 staff,  but importantly, the exemption applies only if both conditions are met. If just one threshold is exceeded, registration becomes mandatory.

Upon failure to comply, the ODPC may issue:

  • Enforcement notices (requiring compliance),
  • Penalty notices of upto 5M Ksh.
  • Administrative fines of upto 5M Ksh. 
credits @Amnesty International Kenya

Consent 

One of the things that stood out during the training was consent. What is consent?
It is a freely given, specific, informed and unambiguous indication that a data subject agrees to the processing of their data.

In this regard, consent must be:

  • Voluntary – not coerced.
  • Informed – the data subject must know how the data will be used.
  • Specific – tied to a clear purpose.
  • Withdrawable – it can be revoked at any time.

For children under 18, consent must come from a parent or legal guardian.

This matters in communications work. Picture this: I visit a community library for a robotics programme. Children are proudly presenting their projects. I take photos and videos. Later, I post them on social media to celebrate the programme’s impact. Without consent, this sharing becomes unlawful.

If I use images collected for this programme to market another children’s programme without prior disclosure, I violate purpose limitation principles. Similarly, if I collect emails for attendance tracking and later use them for promotional campaigns without informing the data subjects, I step outside the lawful basis of processing.

This challenged me. In communications, reuse of stories and visuals is common. It therefore becomes an obligation for communications and marketing departments to always ensure clear disclosure of how data may be used. 

Anonymisation and Pseudonymisation: Protecting Identity

In much of my work, I collect images, audio recordings, and video footage. The training deepened my understanding of how to handle this responsibly.

If consent has not been obtained, anonymisation becomes necessary. This may mean:

  • Taking photos from the side or back
  • Avoiding identifiable features
  • Blurring faces
  • Removing names and specific identifiers.

Where identifiable data has been lawfully collected with consent, pseudonymisation becomes important for record-keeping after a project ends. Here, data is stored in a way that replaces identifying details with codes or restricted identifiers, accessible only to authorised individuals.

For example, if an image was identified as Sharon Kekesa Grade 10 Mikili Primary School, it should be changed to SK G10 MP. 

credits @Amnesty International Kenya

Data Retention: How Long Is Too Long?

Another critical question we explored: How long should you keep the data you collect?

The principle of storage limitation requires that data be kept only for as long as necessary for the purpose for which it was collected. Once that purpose is fulfilled, the data should be securely deleted or pseudonymized.

My Take-Away

What I carried home from those two days was not fear of fines or lawsuits, but a clearer understanding of my responsibility.

Children’s images are not marketing assets. Parents’ and teachers’ emails are not mailing list opportunities. Testimonials are not just content; they are fragments of people’s identities entrusted to us.

A clear understanding of Article 31 of the Constitution, alongside the Data Protection Act and the Children’s Act, empowers us to handle data with integrity and accountability. These legal frameworks are safeguards designed to protect personal information and preserve the dignity and privacy of every individual.

Written by Faith Wanja