In your opinion, should a deceased person be considered a data subject and have their rights to privacy observed?

The Kenya Data Protection Act is defined as “AN ACT of Parliament to give effect to Article 31(c) and (d) of the Constitution; to establish the Office of the Data Protection Commissioner; to make provision for the regulation of the processing of personal data; to provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes”. The Act has had several regulations and guidance notes published to help data controllers and processors with some of its specific aspects.

Among other areas, the question of whether a person retains their right to privacy after death (referred to in this article as posthumous protection) is still not well clarified in the law and could perhaps benefit from a future Guidance Note from the Office of the Data Protection Commissioner.

How does the Data Protection Act address the rights and privacy concerns of deceased individuals?

The Data Protection Act defines a data subject as “an identified or identifiable natural person who is the subject of personal data”. It is therefore assumed that the DPA is designed to protect the rights and privacy of living individuals concerning their personal data. When an individual passes away, the legal landscape becomes nuanced.

The same was observed with the Data Protection and Privacy Act, 2019 of Uganda, which does not explicitly address the data protection rights of deceased individuals.

In contrast…

In Rwanda, the Data Protection and Privacy Law, Law No 058/2021 of 13/10/2021, applies to natural persons, whether alive or deceased.

Recital 27 of the GDPR states as follows: “This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons”. For natural persons, on the other hand, protection begins and is extinguished with legal capacity. Basically, a person obtains this capacity with his birth, and loses it upon his death. Data must therefore be assignable to identified or identifiable living persons to be considered personal according to the GDPR.

Posthumous Protection

This section highlights some areas of discourse pertaining to posthumous protection and some of the resources that guide such undertakings.

  • Executors of a Deceased’s Estate

Upon death, an executor appointed by the testator or their family/trustee interacts with the assets of the deceased, including their personal data, in the process of executing their will (Sections 79-95 of the Succession Act, Kenya). This may include processing of sensitive information such as financial records, medical history, and digital accounts.

The Data Protection Act allows for processing of personal data for certain legitimate purposes. In this case, this includes settling the deceased’s estate and carrying out their final wishes. It is, therefore, the responsibility of the executor to ensure that such information is accorded the necessary protection, and that the deceased’s privacy is respected.

  • The Deceased and their Digital Footprint

This section borrows an example from Facebook’s terms and conditions on Managing a Deceased Person’s Account. “If Facebook is made aware that a person has passed away, it’s our policy to memorialize the account. Memorialized accounts are a place for friends and family to gather and share memories after a person has passed away. Memorializing an account also helps keep it secure by preventing anyone from logging in to it.” The platform also gives guidance to family members that wish to remove a deceased family member’s account. Access to such accounts is controlled and is granted after production of documentation to support that one is an authorized representative or has a court order.

  • Posthumous Protection and Cadaveric Research

The Act does not explicitly define deceased persons as data subjects under the Law, but it provides direction for, and strikes a balance between, privacy and public interest when it comes to using deceased persons’ data in conducting research. Section 30, under subsection (b) (viii), covers processing that is necessary for the purpose of historical, statistical, journalistic, literature and art or scientific research. Organizations that process personal data of deceased persons do so on the basis of public interest.

What Can be Done?

The legal definition of a deceased person’s rights is not clear, which leaves a lot of space for interpretation and moral concerns. In an effort to strike a balance between upholding their rights and serving the public interest, this calls for more precise criteria for posthumous protection.

Some of the controls Research Institutions can implement to ensure privacy and dignity of the deceased in their studies include:

  • Anonymization and de-identification – as much as possible, apply anonymization controls to protect identities of individuals used in their research. This can be achieved through data masking, generalization, perturbation, etc.
  • Informed consent from family members – Where applicable, get informed consent from the person’s family or legal representatives prior to using a deceased person’s data for research. Explain the purpose of the study, the way the data will be used, and any possible repercussions in plain language.
  • Public engagement and education – Interact with the public and inform them of the organization’s guidelines for using deceased people’s data. Encourage communication to allay worries, provide information, and establish a sense of trust in the community.
  • Data access limitation – Strict access controls should be applied where research data is concerned, employing least privilege principles.
  • Secure storage and transmission – Employ secure controls for storage of such data, such as encryption, and use secure communication protocols in the network.
  • Transparency and communication – Be open and honest about the study process, particularly when it comes to using deceased people’s data.
  • Data retention policies – Define and implement the duration for which research data will be stored. These policies should also define secure disposal processes once the purpose for processing has been achieved, as well as secure archival processes.
  • Be mindful of cultural and religious sensitivities surrounding handling of data for deceased persons.

Appendix: Dashboards from Survey on Posthumous Protection

All persons who undertook the survey to understand their position pertaining to the rights of deceased persons believe that the deceased should be considered data subjects in the Privacy Laws of their respective countries and that their rights to privacy should be explicitly defined.


Therefore, while the Data Protection Act (like many other such laws around the world) doesn’t offer specific protections for the deceased, other legal and ethical considerations might still be relevant regarding their data. It’s advisable to consult with a legal professional for specific guidance on handling the data of a deceased individual in the context of the law.

What’s encouraging is that there are ongoing discussions globally around the data rights of deceased individuals, particularly concerning online accounts and social media profiles. As these discussions evolve, future amendments to the DPA might address this topic.

By Mueni Faith – GRC Consultant
Head of Projects
