When schools become data centres: Why data protection compliance can no longer be ignored

Nick Odundo examines the growing role of schools as data centres, highlighting the urgent need for data protection compliance to safeguard student information.

There is a quiet shift happening inside schools that many have not fully confronted. It is not about new classrooms or revised timetables. It is about data. Every admission form filled, every exam result recorded, every photo taken during a school event, and every message sent through a school system is now part of a digital footprint that defines the modern institution.

Schools are no longer only places of learning. They are becoming data centres, and with that shift comes a responsibility that is no longer optional.

In Kenya, this responsibility is clearly defined under the Kenya Data Protection Act (DPA) 2019, enforced by the Office of the Data Protection Commissioner. The law is not theoretical. It is practical, strict, and enforceable. It requires that any institution handling personal data must do so lawfully, transparently, and with full accountability. For schools, this means every piece of student or parent information is protected by law from the moment it is collected to the moment it is stored, shared, or deleted. Yet, in many institutions, data still moves too freely.

A teacher shares results in a messaging group for convenience. A school uploads student photos to social media for visibility. An administrator stores records on an unsecured device for ease of access. These actions may seem harmless in the moment, but in the language of data protection, they carry serious consequences.

Because data, once exposed, cannot be contained. Across Kenya and beyond, incidents of data mishandling in education are becoming more visible. A school publishes learner images without parental consent. Another circulates academic results through informal channels. In some cases, entire student databases are compromised due to weak system security or poor access control.

What begins as routine communication can quickly escalate into a compliance issue. And under the law, the consequences are not light. Schools found in violation of data protection principles may face penalties of up to KSh 5 million or 1 percent of annual turnover, alongside enforcement orders that can disrupt operations and damage institutional credibility. But even beyond fines, the deeper impact is reputational.

In education, trust is the real currency. Once parents begin to question how their children’s data is handled, that trust becomes fragile. At the centre of this challenge is something often underestimated: consent. Consent is not a form filed away in an admission folder. It is not a checkbox signed once and forgotten. It is an ongoing agreement between the school and the parent. It is understanding, communication, and choice.

Many schools still treat consent as a formality. But the law requires something deeper. Parents must know what data is being collected, why it is being collected, how it will be used, and who will have access to it. They must also have control over how their child’s image or information appears in public or digital spaces. This is where compliance begins to take shape—not on paper, but in practice.

The rise of digital learning has made this responsibility even more critical. Schools now depend on online platforms for teaching, communication, and administration. Cloud systems store academic records. Mobile apps track attendance and performance. Third-party platforms manage learning content. Each system introduces efficiency but also introduces risk.

Before adopting any digital tool, schools must ask essential questions: Where is the data stored? Who controls access? How secure is the system? Does the provider comply with Kenyan data protection law and international standards? Global guidance on child data protection reinforces this need for caution, especially where minors are involved in digital ecosystems.

Without these safeguards, innovation becomes exposure. Yet compliance is not only a technical requirement. It is a cultural shift. It is seen in how teachers handle records. It is reflected in how administrators share information. It is demonstrated in how leadership prioritises privacy in decision-making. A compliant school is not one that only has policies. It is one that practices them daily. It is a school where a staff member pauses before sharing data, where systems are configured with access control in mind, where parents are informed and not assumed, and where transparency replaces convenience.

The reality is simple but powerful. Every school is now a data custodian. Every learner is a data subject. Every system is a responsibility. And in this digital reality, mistakes are no longer private. They are visible. They are documented. They are traceable.

But more importantly, they are preventable. The future of education is already digital, but it must also be secure. Schools that embrace compliance will not only protect themselves from penalties; they will protect the trust that defines their relationship with parents and learners. Because in the end, education is not only about knowledge transfer. It is about trust, and data protection is how that trust is preserved in a digital world.

By Nick Odundo

Sir Nick Odundo is an ICT Specialist and Education Technology Integration Advocate focused on helping schools build secure, compliant, and future-ready digital ecosystems.
