The Pharmaceutical Society of Kenya (PSK) has formally condemned the unauthorized recording of former Deputy President Rigathi Gachagua at a pharmacy, an incident that legal experts say triggers several high-stakes violations of the Data Protection Act (DPA), 2019.
The viral footage, showing the leader of the Democracy for Citizens Party (DCP) purchasing and consuming medication, has moved beyond a professional ethics concern into a major test for Kenya’s data privacy enforcement.
1. Processing of “Sensitive Personal Data”
Under Section 2 of the Data Protection Act, “health status” is explicitly classified as Sensitive Personal Data. The law mandates a higher standard of care for this information compared to regular personal data.
The Violation: Recording a patient’s interaction in a pharmacy essentially captures their health status and treatment path. Under Section 44 of the Act, processing such sensitive data without the data subject’s (Mr. Gachagua’s) prior and explicit consent is a direct breach.
2. Duty of professional secrecy
The Act provides a specific shield for healthcare environments. Section 45 stipulates that personal data relating to health may only be processed by or under the responsibility of a healthcare professional who is subject to the obligation of professional secrecy.
The Implication: If the recording was facilitated or allowed by pharmacy staff, they have violated the statutory duty of confidentiality outlined in the Act, which works in tandem with the pharmacist’s professional oath.
3. Failure of Data Protection principles
Legal analysts point to the breach of several core principles under Section 25 of the Act:
- Integrity and Confidentiality: The pharmacy, as a “Data Controller,” failed to ensure the security of the data subject’s information by allowing a recording to take place and leak.
- Purpose Limitation: Information shared in a pharmacy is intended solely for medical treatment, not for public broadcast or social media consumption.
Potential penalties and consequences
The Office of the Data Protection Commissioner (ODPC) has the power to issue significant “Penalty Notices” for such breaches.
| Entity Affected | Potential Statutory Penalty |
| Pharmacy Outlet | An administrative fine of up to KSh 5 million or 1% of the annual turnover, whichever is lower. |
| Individual Filmer | Possible criminal liability, including fines or imprisonment for the unauthorized disclosure of sensitive data. |
| Healthcare Professional | Deregistration by the Pharmacy and Poisons Board (PPB) and disciplinary action for professional misconduct. |
PSK President Dr. Wairimu Mbogo confirmed that the society is working to identify the outlet and the professionals involved. “This incident underscores the critical importance of ensuring that pharmacy outlets operate under the supervision of qualified professionals who understand and uphold the law,” she stated.
The ODPC is expected to review the matter to determine if a formal investigation into the pharmacy’s data handling practices is warranted.