Why school managers should be extremely careful with children's data

In an age defined by digital footprints and instant sharing, schools have emerged as both centres of learning and nodes in a vast web of data collection and dissemination. Yet, even as they champion technological integration, many schools in Kenya remain oblivious—or willfully ignorant—of the law when it comes to the data privacy of their most vulnerable stakeholders: Children.

The Office of the Data Protection Commissioner (ODPC) has made its stance unmistakably clear. In recent years, it fined a prominent school, Roma School in Nairobi, for the unauthorised publication of minors’ photographs on digital platforms, setting a stern precedent for others who might tread the same reckless path.

The landmark fine of Sh4.5 million was not merely a bureaucratic gesture, it was a resounding message: The days of casual violations of children’s privacy are over.

The Constitution, under Article 31, enshrines the right to privacy, a right not suspended at the school gate. Children, though young and dependent, are rights-holders under the law, and schools are duty-bearers.

The Data Protection Act, enacted in 2019, builds upon this constitutional safeguard with meticulous precision. It defines personal data expansively to include images and biometric identifiers and places stringent requirements on entities processing such data and schools are not excluded.

The law demands explicit, informed consent for the processing of minors’ personal data. This is not an optional bureaucratic nicety. It is a non-negotiable legal prerequisite. Schools must develop and implement comprehensive data protection policies.

These must include detailed, written consent forms for parents or legal guardians before any data—especially photographs or videos of minors—is captured, stored, or published online. Without such consent, any use of a child’s image on websites, in newsletters, or on social media is a direct violation of the Data Protection Act.

The ODPC’s decision to impose fines against schools that posted pupils’ photographs without consent is a clear demonstration of the enforcement mechanisms now fully operational. It should send a chill down the spines of school administrators.

Head teachers and board members who treat children’s data as administrative fodder or public relations material will soon find themselves on the wrong end of the law. The era of impunity is gone and even private schools are not exempted.

To understand the gravity of this mandate, one must consider the risk to the child. Posting a child’s photograph online is not merely an innocent act of celebration of success on those websites for schools. It exposes the child to the possibility of digital abuse, cyberbullying, exploitation by predators, and long-term digital profiling.

The internet forgets nothing. A photograph taken at age six, when published online without proper safeguards, may float across cyberspace for decades—used, misused, and reproduced without control. By failing to take consent seriously, schools not only violate the law—they endanger the very children they purport to protect and educate.

There is also the matter of justice and respect. A school that ignores a parent’s right to consent insults the principle of parental authority. It undermines the parent-child relationship and tramples upon family autonomy. If schools wish to foster trust, they must first demonstrate respect, not just for the child, but for the legal frameworks that protect that child’s identity, dignity, and future.

The ODPC has made its expectations plain. Schools must conduct Data Protection Impact Assessments where the processing of minors’ data is involved. They must designate data protection officers, train staff in data ethics, and embed accountability in every layer of school governance. Let this be a warning to all educational institutions in Kenya: The Constitution is not a suggestion. The Data Protection Act is not symbolic. They are enforceable instruments.

The ODPC will not hesitate to penalise institutions that flout these obligations. Schools must cleanse themselves of laxity. They must adopt clear, transparent, and lawful policies on the use of minors’ data. They must create consent forms that explain, in no uncertain terms, the purpose, scope, and duration of data usage. They must allow parents to say “no,” and they must respect it.