Govt Orders School To Pay Ksh500,000 To Student
The school breached fundamental provisions of the Data Protection Act 2019 by collecting and using a minor’s data without a valid legal basis
Marvin Chege 
The Office of the Data Protection Commissioner (ODPC) has directed Nova Pioneer School–Athi River to pay Ksh500,000 in compensation after unlawfully handling and sharing a student's personal data without parental consent.
According to the ruling, the school breached fundamental provisions of the Data Protection Act 2019 by collecting and using a minor’s data without a valid legal basis or verified permission from the parent.
The complaint, lodged on October 21, 2024, alleged that the school shared sensitive details — including the child’s name, gender, passport number, date of birth, and nationality — with Bluepath Safaris and the U.S. Embassy, tied to a school-organised trip to the United States (US) for the World Scholars Cup, a debate competition.
Photo of Nova Pioneer Schools. /NOVA PIONEER
Despite the parent opting out and refusing to sign any consent forms, the child’s personal information was still used for visa documentation, alongside data from 15 other students. The parent reported experiencing emotional distress as a result.
Nova Pioneer, however, defended its actions by claiming it shared the students’ data in good faith, as part of its efforts to offer meaningful opportunities for student development.
The school stated that it used a Google Form to collect parental consent and submitted supporting documents such as a service agreement with the tour company, its internal data privacy policy, and student trip guidelines.
However, the ODPC found flaws in the school’s defence. Notably, Nova Pioneer failed to provide any signed consent form from the complainant, only submitting a blank sample. Their records also confirmed that the parent had opted out of the trip entirely.
The Data Commissioner ruled that the school violated Section 25 of the Data Protection Act by failing to process data lawfully, fairly, and transparently. It also breached Section 33(1)(a), which forbids processing a child’s data without verified parental consent.
The decision stressed that the responsibility to prove consent lies with the data controller—in this case, the school—and Nova Pioneer failed to meet that requirement. Additionally, it had no valid legal basis under Section 30(1)(b) to share the minor’s data without consent.
The school’s claim that the child’s data wasn’t shared with the tour company was contradicted by its admission that letters containing students’ personal information were given to parents and submitted to the Embassy.
“Personal data belonging to minors requires special protection due to their vulnerability and should always advance the rights and best interests of the child,” the ruling stated.
Based on the findings, the Data Commissioner granted the complainant Ksh500,000 in compensation. This sum accounts for both monetary and emotional damages caused by the violation of privacy.
The decision was issued in accordance with Section 65 of the Data Protection Act and Regulation 14(3)(e) of the Complaints Handling and Enforcement Regulations.
“The Office hereby orders the Respondent to pay the Complainant Kenya Shillings five hundred thousand (KES. 500,000) as compensation for the unlawful processing of the Minor’s personal data," the ODPC ruled.
Data Commissioner Immaculate Kassait speaking to journalists on April 29, 2024, ahead of the Network of African Data Protection Authorities (NADPA) Annual General Meeting (AGM) and conference. /HANDOUT
