Why a DPIA File Should Be Treated as a Project Start Document for NGOs in Kenya

A small file can prevent a large privacy problem

Many NGO projects begin with a workplan, a donor agreement, a budget and a list of expected beneficiaries. Data protection is often added later, sometimes as a consent sentence on the registration form or as a privacy notice copied from a previous project. That habit appears harmless until the project begins to collect sensitive information. Once photographs, identity numbers, phone contacts, health details, children’s records, biometric data or location information enter the project system, the organisation is no longer dealing with simple administration. It is handling pieces of private life.

A Data Protection Impact Assessment, often called a DPIA, should not be seen as a technical document reserved for large technology companies. For an NGO, it can be a practical project start file. It helps the team decide whether a proposed way of collecting and using data is necessary, fair, proportionate and safe. It also creates a written record showing that the organisation considered beneficiary rights before collecting information, rather than trying to explain itself after a complaint or investigation.

The Kenya High Court decision in Republic v Tools for Humanity Corporation (US) and others; Katiba Institute and others (Ex parte Applicants); Data Privacy and Governance Society of Kenya (Interested Party), Judicial Review Application E119 of 2023 [2025] KEHC 5629 (KLR), decided on 5 May 2025, gives this issue a practical sharpness. The court was concerned with biometric data collection, consent, incentives, registration, the adequacy of a DPIA, cross border transfer and compliance with the Office of the Data Protection Commissioner. The case is not a simple instruction that every NGO activity is unlawful unless it has a DPIA. It may, however, suggest that organisations collecting sensitive or high risk data should be able to show more than good intentions.

The real risk is often hidden in ordinary fieldwork

Data protection problems do not always arise from advanced technology. They can begin with a paper form passed around at a community meeting. They can begin when a volunteer takes pictures of children receiving school materials. They can begin when a health project stores status information on a personal phone, or when a legal aid clinic sends beneficiary lists to a donor without checking whether identifying details are necessary.

The concern is not that staff are careless by nature. Field staff are often working under pressure, with limited time, poor internet and demanding reporting expectations. They may be asked to prove delivery, prevent duplication, verify identity and satisfy donor requirements, all while maintaining trust with communities. In that environment, data can be collected because it is useful, not because it is strictly necessary. A DPIA file gives the team a place to pause before the collection becomes routine.

What the file should ask before data is collected

The first question is purpose. The NGO should write down, in plain language, why each category of data is being collected. A project may need a beneficiary’s name and phone number to coordinate services. It may not need the same person’s national identity document, exact household location, medical history and photograph unless those items serve a defined purpose. Where the purpose is vague, the data request should be reconsidered.

The second question is necessity. It is easy to collect more information because the form has space for it, because a previous project used it or because a donor might later ask for it. A better practice is to ask what would happen if the NGO did not collect that data. If the project would still work, then the organisation should consider whether the information is truly needed. This is especially important for children, survivors of violence, refugees, persons with disabilities and people seeking urgent assistance.

The third question is power. Consent is not always free in a humanitarian, social support or legal aid setting. A person standing in a queue for food assistance may sign a data form without feeling able to refuse. A young person applying for school support may not question a photograph requirement because they fear being left out. The DPIA file should honestly record whether consent is the right basis, whether refusal is possible in practice and whether the beneficiary has been told what withdrawal means.

Digital verification needs particular care

Some NGOs are attracted to biometric verification, facial recognition, digital identity tools or artificial intelligence systems because these tools appear to reduce fraud and improve reporting. They may sometimes have a legitimate role. Even so, they raise harder questions. Biometric information cannot be changed like a password. Facial images, fingerprints and iris scans are closely tied to personal identity. If misused, leaked or transferred without adequate safeguards, the harm may be difficult to reverse.

Before using such tools, the NGO should document why a less intrusive method would not be enough. It should ask whether the technology has been tested in similar communities, whether beneficiaries understand the process, whether the vendor is bound by written instructions, where the data will be stored and whether the data will leave Kenya. A donor’s interest in accuracy is relevant, but it is not the only consideration. The beneficiary’s dignity and privacy also matter.

Partners and donors should not be an afterthought

In many NGO projects, beneficiary data moves beyond the organisation. Donors may ask for verification records. International headquarters may require central reporting. Consultants may analyse datasets. Cloud systems may store forms. Enumerators may collect information on phones. Each of these actors can create risk if the rules are not written down.

The DPIA file should identify who receives or accesses data and on what basis. It should keep copies of data sharing agreements, processor instructions, confidentiality commitments and transfer records where relevant. If data leaves Kenya, the organisation should record why that transfer is necessary and what safeguards apply. This does not mean every routine email becomes a legal crisis. It means the organisation should know where beneficiary information goes and should not discover the answer only after a problem arises.

Retention is part of protection

There is a quiet data protection issue that many organisations overlook. They keep information for too long. A project ends, staff move to new roles, laptops are reassigned, donor folders remain in shared drives and old spreadsheets sit in inboxes. Later, nobody is quite sure why the data still exists or who is responsible for it.

A DPIA file should include a retention decision from the beginning. It should say how long information will be kept, who will approve deletion, what will be anonymised and what must be archived for legal, audit or safeguarding reasons. The organisation should also keep a deletion record. Without that record, a retention policy may become a promise that nobody follows.

Turning the file into a working habit

A useful DPIA file should not be too long or too technical. It should be readable by programme staff as well as compliance staff. It should include a project data map, a consent and information notice, a lawful basis note, a registration check, a DPIA screening form, partner and processor records, cross border transfer notes, an incident contact and a retention record. These documents can sit in one physical and electronic folder, reviewed before fieldwork begins and updated when the project changes.

The most realistic approach is to connect the DPIA file to existing project routines. Before forms are printed, the team checks data minimisation. Before digital tools are purchased, the team completes DPIA screening. Before donor reporting, the team checks whether personal identifiers are really needed. Before project closure, the team confirms deletion or anonymisation. None of this requires drama. It requires a modest discipline.

Final compliance reflection

An NGO’s work may be compassionate, urgent and socially valuable. That does not remove the need for careful data governance. In fact, the more vulnerable the beneficiaries, the stronger the argument for caution. A DPIA file helps an NGO show that privacy was considered at the design stage, not repaired later.

The deeper lesson is quite human. People who rely on NGO services should not have to surrender unnecessary parts of their private lives in order to receive help. A well prepared DPIA file is one way of making that principle practical.

Source note. This article is based on the Kenya High Court decision in Republic v Tools for Humanity Corporation (US) and others; Katiba Institute and others (Ex parte Applicants); Data Privacy and Governance Society of Kenya (Interested Party), Judicial Review Application E119 of 2023 [2025] KEHC 5629 (KLR), the Data Protection Act 2019, the Data Protection General Regulations, and the Data Protection Registration of Data Controllers and Data Processors Regulations. It is for general information and should be adapted to the facts of each NGO project.