Five Beneficiary Data Documents Every NGO Project in Kenya Should Prepare Before Collecting Personal Information

Why this issue now matters

An NGO that collects personal information from beneficiaries should be careful not to treat consent as a small sentence at the bottom of a form. That approach appears simple, and in many field settings it may even feel practical. Still, it is likely to be too thin where the organisation is collecting photographs, identity documents, phone numbers, health information, location details, information about children, disability status, refugee status, family income, biometric identifiers or other sensitive data.

The point is not that NGOs should stop collecting information. Most programmes cannot operate without some form of beneficiary record. A legal aid project may need names, phone numbers and case details. A health support project may need information that is deeply private. A child protection project may need family history and school records. The problem begins when the organisation collects all of this because it is useful for reporting, donor verification or monitoring, but cannot later explain the lawful basis, the necessity of each item, the consent process, the retention period or the safeguards used when data leaves Kenya.

The recent Kenya High Court decision in Republic v Tools for Humanity Corporation (US) and others; Katiba Institute and others (Ex parte Applicants); Data Privacy and Governance Society of Kenya (Interested Party), Judicial Review Application E119 of 2023 [2025] KEHC 5629 (KLR), decided on 5 May 2025, is a reminder that data collection can become a serious rights issue. The court treated the collection of biometric data without adequate safeguards as a matter of real concern. It paid attention to registration, Data Protection Impact Assessment questions, informed consent, incentives, cross-border transfer and compliance with directions from the Office of the Data Protection Commissioner. For NGOs, the lesson is not limited to biometrics. It is broader and more ordinary. Good intentions do not automatically make weak data governance lawful.

Consent is not always as free as it looks

In many NGO settings, the word consent can hide an uncomfortable reality. A beneficiary who needs food support, cash assistance, school fees, shelter, legal aid or medical help may sign almost anything placed before them. That signature may suggest agreement, but it does not always show that the person understood the purpose of processing, the risks of sharing, the right to withdraw or the consequences of refusal. A mother asked to provide her child’s photograph before receiving school materials may not feel she has a meaningful choice, even if the form contains the word voluntary.

This is why a serious NGO should not rely on a short consent line. It should prepare a beneficiary data file before fieldwork begins. The file does not have to be complicated. It should be clear enough for a programme officer, donor, board member, auditor or regulator to understand what data is collected, why it is collected, who sees it, how long it is kept and how the organisation protects it. In practice, that file becomes the organisation’s memory. Staff change, volunteers rotate and project deadlines become stressful. A written file helps prevent privacy from depending on whoever happens to remember the original decision.

The first document should be a real project data map

A data map is not merely an administrative form. It is the starting point for honest reflection on what the project is doing. The organisation should record each category of personal data collected, the person from whom it is obtained, the purpose for collection, the staff or partner who can access it, the storage location and the expected deletion date. This may sound basic, but it often reveals unnecessary collection. For example, a livelihood training project may discover that it has been collecting copies of national identity cards even where a unique beneficiary number would be enough. A community health project may realise that field officers are recording medical details in notebooks that are later photographed and sent through informal messaging groups.

A good data map also helps programme teams see where data moves. It may start with a community mobiliser, pass to a Monitoring and Evaluation officer, enter a donor report, sit on a cloud platform and later be shared with an international headquarters. Each movement raises a different level of risk. The map forces the organisation to stop treating data as paperwork and start treating it as part of beneficiary dignity.

The second document should be a clear consent and information notice

The consent notice should be written in language that beneficiaries can understand. In many projects, this may require translation into Kiswahili or a local language, and it may require field testing before the form is used. A notice that looks legally neat in English may still fail in practice if a community member cannot explain it back in their own words. The notice should identify the NGO, state each purpose of processing, describe the types of information collected, explain who may receive the data and say what happens if the person refuses or later withdraws consent where consent is the basis relied upon.

There is also a need for restraint. Some NGOs use a single consent clause to cover photography, donor reporting, case management, research, social media, biometric verification and future unspecified communication. That may be convenient, but it appears too broad. Consent should be specific enough for a person to understand what they are agreeing to. A beneficiary who agrees to receive legal aid should not be assumed to have agreed to the use of their image in a fundraising campaign.

The third document should explain the lawful basis

Consent is important, but it is not always the right or only lawful basis. An NGO should record the basis for each processing activity and should be especially careful where the service is essential or the beneficiary is vulnerable. It may be reasonable to ask whether consent is genuinely free when refusal could affect access to assistance. In some cases, the organisation may need to rely on another lawful basis, while still giving clear information and protecting the beneficiary’s rights.

This lawful basis note should be short, but it should be thoughtful. It should explain why the data is necessary for the project, why less intrusive data would not be enough and why the organisation believes the chosen basis is appropriate. The note should not be written only for lawyers. It should help programme staff understand the difference between data they need and data they are merely curious to collect.

The fourth document should record registration and DPIA screening

An NGO should keep evidence showing whether it is required to register as a data controller or processor with the Office of the Data Protection Commissioner. If it is registered, the certificate and renewal calendar should be easy to find. If the organisation has concluded that registration is not required for a particular activity, the reasons should still be recorded. Silence can look careless later, even where the original legal position was defensible.

The same applies to Data Protection Impact Assessment screening. A DPIA may be required where processing is likely to be high risk, especially where the project uses biometrics, profiling, artificial intelligence tools, children’s data, health data or large datasets. Before buying a digital verification system, scanning fingerprints or collecting facial images, the NGO should ask whether the tool is necessary, proportionate and safe. A donor preference for stronger verification may be understandable, but it should not replace a careful rights assessment.

The fifth document should cover partners, transfer and deletion

Beneficiary data rarely stays inside one office. Enumerators, consultants, software vendors, cloud providers, international partners and donors may all touch it. The NGO should keep written agreements or instructions showing how these actors will process the data and what safeguards apply. If data leaves Kenya, the organisation should record why the transfer is needed, where the data is going and what protection has been considered.

A retention and deletion record is equally important. Many NGOs are better at collecting data than deleting it. Old beneficiary lists remain on laptops, email inboxes, shared drives and personal phones long after a project closes. That practice may feel harmless, but it increases risk. A well-managed project should decide at the design stage when data will be deleted, anonymised or archived. It should also keep evidence that this was actually done.

A practical closing reflection

The safer approach is to hold a short data risk meeting before the first form is printed or uploaded. Programme staff, Monitoring and Evaluation staff, information technology staff, safeguarding staff and compliance staff should sit together and ask simple questions. Are we collecting more than we need? Can beneficiaries understand the notice? Is refusal possible in reality? Will any data leave Kenya? Are we using digital or biometric tools that need a DPIA? Who will delete the data when the project ends?

These questions may slow the project slightly at the beginning. Even so, they are likely to protect the organisation and, more importantly, the people whose information makes the project possible. A beneficiary data file is not just evidence for regulators. It is a small but meaningful way of recognising that poverty, illness, displacement or vulnerability should not make a person’s private life easier to collect, store and circulate.

Source note. This article is based on the Kenya High Court decision in Republic v Tools for Humanity Corporation (US) and others; Katiba Institute and others (Ex parte Applicants); Data Privacy and Governance Society of Kenya (Interested Party), Judicial Review Application E119 of 2023 [2025] KEHC 5629 (KLR), the Data Protection Act 2019, the Data Protection General Regulations, and the Data Protection Registration of Data Controllers and Data Processors Regulations. It is for general compliance awareness and does not replace legal advice on a particular project.