Data protection & ODPC

EduPrime is built to help institutions meet their obligations under the Kenya Data Protection Act – ODPC registration, lawful consent, subject-access requests – and to keep confidential records protected by record rules. The same tooling supports GDPR, POPIA and NDPR.

Where to find it — App drawer → ODPC Compliance → Audit Log.
ODPC data-protection workspace
The data-protection workspace centralises registration, consent records and subject-access requests.
Important — EduPrime gives you the controls; it does not make you compliant on its own. You must appoint a Data Protection Officer, register with your regulator, and operate the processes below. Treat this page as a tool guide, not legal advice – verify your obligations with your DPO or counsel.

ODPC registration & records of processing

Under the Kenyan Act, schools and universities are data controllers and most must register with the Office of the Data Protection Commissioner (ODPC). EduPrime helps you maintain the underlying record of processing activities (ROPA):

  • What personal data you hold (student, parent, staff records, biometrics, health, financial).
  • The purpose and lawful basis for each processing activity.
  • Who it is shared with (e.g. exam boards, payment providers).
  • Retention periods and security measures.

Keep your registration certificate number and renewal date in the compliance workspace so it appears on the returns calendar (see Statutory returns & exports).

Where processing relies on consent – photography, marketing, optional services – capture it explicitly. EduPrime stores a consent record per person per purpose, with the date, the channel (form, portal) and the wording the person agreed to. Consent can be withdrawn at any time, and withdrawal is timestamped, so you can prove what was permitted when.

Subject-access requests (SARs)

A data subject – a student, parent or staff member – has the right to a copy of the personal data you hold about them. EduPrime turns this into a controlled workflow:

  1. Log the request, identifying the requester and verifying their identity.
  2. EduPrime gathers the personal data held about that person across modules into a SAR pack.
  3. The DPO reviews the pack, redacting third-party personal data that must not be disclosed.
  4. Release the pack to the requester and record the date – the statutory clock (commonly 30 days) is tracked so you do not breach the deadline.

Confidential records & record rules

The most sensitive data – counselling notes, health records, disciplinary and welfare files, IEPs – is protected by record rules so only authorised roles can see it. A class teacher sees academic data but not counselling notes; the school nurse sees health records but not finance. These rules are enforced at the database layer, not just hidden in the interface, so an export or API call respects them too.

Tip — Review who holds each confidential-data role at the start of every term. People change posts; access should follow the post, not linger with the person who used to hold it. The audit trail (see Retention, consent & audit) shows who has actually opened sensitive records.
Was this page helpful?