Job Category: Programmes
Job Type: Part Time
Job Location: Nairobi


The Open Institute’s Data Governance programme aims to guide the operationalization of Kenya’s Data Protection Act, 2019, and ensure that Kenyans benefit from the advantages of technology without compromising their fundamental rights. The Data Protection Act 2019 (DPA 2019) has defined data protection and has several provisions that govern its use, and this Act provided for the creation of an Office charged primarily with dealing with issues of data protection. In 2020, Kenya’s first Data Protection Commissioner was appointed, and our project sought to create awareness about the Office of the Data Protection Commissioner and the provisions in the Act that are relevant to citizens at large. Section 5 of the DPA 2019 establishes the Office of the Data Protection Commissioner as a State Office with the overall function of overseeing implementation and responsibility for the enforcement of the Act. 

Data privacy and protection in Africa is still developing across the continent and in its evolution it is important that the aspect of gender is incorporated into the legal and policy frameworks. Gender is a social and cultural construct of what it means to identify as a man, woman, or non-binary person.

While Kenya has a data protection law in place, it does not highlight how gendered data will be collected, processed, handled, used and protected. It is therefore important for gender to be highlighted in the conversation on data protection in Kenya as a sensitive or special category. Not recognizing gender in data protection leaves room for potential unlawful or arbitrary discrimination based on gender. Further, there is a need for more research on how data protection and information rights affect children. There is also a need for more research on how data protection and information rights affect vulnerable and marginalized groups such as youth, persons with disabilities (PWDs), the lesbian, gay, bisexual, transgender, queer, intersex, asexual community (LGBTQIA+) and the elderly community. As is the case for gendered data, the DPA does not address how the rights of vulnerable and marginalised groups will be treated. Yet these groups fall victim to people and technology that exploit them. It is important for the DPA to ensure their rights are protected and their informed consent is guaranteed.

Unlike PWDs and elderly people, the LGBTQIA+ community is invisible because their data is not collected by the national statistical units (aside from the intersex community, who were counted for the very first time in the 2019 census). LGBTQIA+ issues are a sensitive topic in the country due to the stigmatisation the community faces and the laws at hand. Therefore, it is important to develop data protection safeguards that ensure the data shared by these communities does not put them at risk of being illegally monitored by state or non-state actors, jailed or persecuted, or of physical harm or death.

Further, in a study conducted by the Open Institute on Subnational Data Practices in Kenya, we were able to conduct an examination of good data protection practices in Kenya – through the lens of both Access to Information and Data Protection. Sampling was conducted in 5 counties, namely: Makueni, Taita Taveta, Kilifi, Vihiga and Bomet. The study made a number of recommendations, key among them being:

  1. Developing and adopting clear and comprehensive access to information and data protection policies and legislations: County governments should establish policy, legislative and institutional frameworks to facilitate effective and timely access to information and data protection in all their administrative and service provision processes. They should also develop and resource all institutional and administrative frameworks up to sub-ward levels and ensure that they proactively disclose information within the confines of the Access to Information 2016.
  2. Building the capacity of counties to undertake Data Protection Impact Assessment (DPIA): Undertaking a timely and comprehensive DPIA is one way in which County Governments can readily demonstrate to the oversight mechanism (Office of the Data Protection Commissioner) that they comply with the Data Protection Act, 2019. 
  3. Strengthening civil society organisations’ information rights and data governance programmes: Civil Society Organisations (CSOs) play a critical role in ensuring citizen-agency, and county governments should take advantage of the social capital, skills and knowledge in CSOs to establish the mechanisms for interaction and co-learning to ensure better data governance practices that ensure data justice to all.

In line with these recommendations, we seek to engage the services of a consultant(s) to undertake the scope of work mentioned below in order to strengthen Data Protection at the subnational level – as well as with non-state actors (Civil Society and Private Sector Actors). 

Key Deliverables

The consultant will complete and undertake the following scope of work:

  1. Developing and adopting clear and comprehensive access to information and data protection frameworks, policies and(or) legislations: The consultant will provide guidance on the best approach from a policy perspective on data protection for 8 counties (Samburu, Makueni, Nairobi, Mandera, West Pokot, Nandi, Nakuru and Turkana) as follows:
    1. Developing a model policy/framework for operationalization of the DPA and Developed guidelines
    2. Advice on the most appropriate practice for each county – whether it be a guideline, policy or other legal framework to actualize operationalization of the DPA.
  2. Building the capacity of counties to undertake Data Protection Impact Assessment (DPIA): In each of the 8 counties (Samburu, Makueni, Nairobi, Mandera, West Pokot, Nandi, Nakuru and Turkana), assist in this activity by:
    1. Development of a broad-based curriculum targeting county officials on data protection and data privacy.
    2. Developing templates through which counties can undertake a timely and comprehensive DPIA in compliance with the DPA and other ODPC requirements.
    3. Build capacity of these counties to undertake the DPIAs in compliance with the DPA.
    4. A first DPIA for at least 2 participating counties.
  3. Strengthening information rights and data governance programmes for non-state actors: To achieve this, the consultant will engage with OI and at least 5 of its partners and other stakeholders in order to achieve the following:
    1. Develop templates through which certain private sector actors and Civil Society Organizations can understand and undertake at least one (1) DPIA in compliance with the ODPC. Some of these include the SDG Kenya Forum and/or its members; some professional bodies such as Institute of Certified Public Accountants of Kenya (ICPAK), Kenya Medical Practitioners and Dentists Union (KMPDU), Kenya Private Sector Alliance (KEPSA).
    2. Build capacity among some of the aforementioned organizations to enable them to undertake DPIAs.
    3. A first DPIA for at least 2 participating organizations (preferably a private sector and civil society organization).
  4. Provide a report on lessons learnt and good practices, specifically in line with implementation of the DPIAs as undertaken within the scope of this ToR.

Main tasks:

The consultant shall be required to:

  1. Participate in an inception meeting and prepare an inception report detailing general understanding of the assignment and the detailed workplan.
  2. Deliver:
    1. A draft/model policy/guideline/framework for county governments to operationalize the DPA at the subnational level.
    2. A curriculum on data protection and data privacy targeting county officials.
    3. The DPIA templates and requisite training programme to the aforementioned target groups – in support of operationalization of the DPA 2019.
    4. A first DPIA for at least 4 initial participating organizations. 
  3. Develop and submit a final report with lessons learnt and good practices on undertaking a DPIA (both public and private sector actors).

Time Frame

The assignment should be completed within 3.5 – 4 months in accordance with the research and work plan for this project.

Required Qualifications


  1. Bachelor’s degree in law, human rights or any other relevant social science
  2. Demonstrated knowledge of international and regional human rights legal frameworks and data privacy rights.  
  3. A good understanding of the County Government Act 2012, Public Finance Management Act 2012, public participation processes in Kenya as well as the key devolved functions for county governments.
  4. Demonstrated knowledge of national legal and policy framework on data privacy rights – and/including undertaking assessments, evaluations and reviews. 
  5. Demonstrated experience with delivery of capacity building programmes. 
  6. Ability to research and write good reports.


  • Experience of working with county governments and professional bodies.

Application Process


Interested applicants are requested to submit an expression of interest that includes:

  1. A technical narrative (not more than 5 pages) highlighting their understanding of the TORs and accomplishment of the task, proof of previous experience and capacity to undertake task (human, time) as well as proposed process (methodology, plan and administration arrangements)
  2. Cost proposal, indicating expected remuneration per day and total costs.
  3. CVs of the consultant(s) and the cover letter (where applicable).

Send all the required documents in PDF to 

Applications must be received by 31st January 2023 midnight (EAT). Due to a high number of applications expected, only shortlisted candidates will be contacted.

Open Institute does not charge a fee at any stage of the recruitment process (application, interview meeting, processing, or training). Open Institute is an equal opportunity employer and does not discriminate on the basis of gender, religion or ethnicity.
