Trust Center

Health Data & Confidentiality Policy

Last Updated: 1 July 2026

1. Purpose and Scope

1.1 Purpose

Crucibel Technology Ltd. ("Crucibel") is a Kenyan technology company registered under the Laws of Kenya. Crucibel develops and operates NOVA, a cloud-based Health Information Exchange (HIE) and Health Management Information System (HMIS) delivered as a Software-as-a-Service (SaaS) platform to healthcare organizations in Kenya.

This Health Data & Confidentiality Policy ("Policy") establishes Crucibel's binding commitments and operational standards for the collection, storage, processing, sharing, protection, and disposal of health data processed through the NOVA platform. It reflects the primacy of patient dignity, autonomy, and privacy as foundational values of Kenya's healthcare system and digital health ecosystem.

This Policy is designed to ensure that every person whose health information is processed through NOVA can trust that their data will be treated with the highest standards of confidentiality, integrity, and respect - consistent with Kenyan law and the ethical obligations of healthcare.

1.2 Scope

This Policy applies to:

  • Crucibel employees, contractors, directors, and agents who access health data in the course of their duties
  • All client organizations (hospitals, clinics, laboratories, pharmacies, community health programs, government health agencies, NGOs) that access or use the NOVA platform under a valid Service Agreement
  • Sub-processors and third-party suppliers engaged by Crucibel who process health data on Crucibel's behalf
  • All health data processed through NOVA, whether in electronic or derived form, relating to individuals receiving healthcare services in Kenya

Territorial Application

This Policy applies to all processing activities conducted by Crucibel and NOVA within the territory of Kenya. All processing is subject to Kenyan law, including the Kenya Data Protection Act 2019, and to the regulatory oversight of the Office of the Data Protection Commissioner (ODPC) and the Kenya Health sector regulatory authorities.

1.3 What This Policy Does Not Cover

  • Personal data of Crucibel employees processed for employment purposes (governed by Crucibel's HR Data Privacy Policy)
  • Non-health personal data collected by Crucibel for commercial purposes (governed by Crucibel's general Privacy Policy)
  • Health data processed in jurisdictions outside Kenya - NOVA is currently a Kenya-only platform

2. Definitions

In this Policy, unless the context otherwise requires:

TermDefinition
Health DataAny personal data relating to the physical or mental health of an individual, including data revealing information about their health status, diagnoses, treatment, prescriptions, laboratory results, reproductive health, disability, or any other clinical information, as defined under Section 2 of the Kenya Data Protection Act 2019.
NOVA PlatformThe cloud-hosted Health Information Exchange and Health Management Information System operated by Crucibel as a SaaS product.
Data Subject / PatientThe identified or identifiable individual to whom health data relates. In the context of NOVA, this is primarily a patient receiving healthcare services in Kenya.
Data ControllerA person or entity that determines the purposes and means of processing personal data. Client healthcare organizations using NOVA are data controllers in respect of their patients' health data.
Data ProcessorCrucibel, which processes health data on behalf of data controllers pursuant to a Data Processing Agreement.
ConfidentialityThe obligation to ensure that health data is accessible only to those who are authorized to access it and is not disclosed to unauthorized persons.
KDPAKenya Data Protection Act, No. 24 of 2019, and any subsidiary legislation, regulations, or guidelines issued thereunder.
ODPCOffice of the Data Protection Commissioner, the independent statutory authority responsible for overseeing data protection in Kenya.
Sensitive Personal DataUnder the KDPA, categories of personal data requiring heightened protection, including data concerning health or medical history, genetic data, biometric data, and data relating to HIV/AIDS status.
Personal Data BreachA breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, health data transmitted, stored or otherwise processed on NOVA.
PseudonymizationProcessing of health data in a manner such that the data can no longer be attributed to a specific individual without the use of additional information that is held separately and securely.
Sub-processorA third party engaged by Crucibel to process health data on its behalf, including cloud infrastructure providers, security service providers, and integration partners.

3. Legal and Regulatory Framework

This Policy is grounded in and must be read together with the following Kenyan laws, regulations, and standards:

Legal InstrumentKey Relevance to NOVA and this Policy
Kenya Data Protection Act 2019 (No. 24 of 2019)Primary data protection legislation. Governs all processing of personal data (including health data) in Kenya. Establishes rights of data subjects, obligations of controllers and processors, and enforcement powers of the ODPC. Requires registration of data controllers and processors to process sensitive personal data.
Data Protection (General) Regulations 2021Subsidiary legislation under the KDPA prescribing requirements for lawful processing, data subject rights procedures, data protection impact assessments, and registration with the ODPC.
Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021Requires Crucibel to register as a data processor with the ODPC given the nature and scale of health data processing on NOVA.
Health Act 2017 (No. 21 of 2017)Establishes the right to health and patient confidentiality obligations for healthcare providers. Part VI governs health information management, including electronic health records, and authorizes the Kenya Health Information System (KHIS).
HIV and AIDS Prevention and Control Act 2006 (No. 14 of 2006)Establishes strict confidentiality protections for HIV-related data. Section 23 prohibits unauthorized disclosure of HIV test results. NOVA processes HIV data only with explicit legal authority and enhanced access controls.
Mental Health Act 2022 (No. 9 of 2022)Governs protection of the rights of persons with mental disorders. Contains confidentiality requirements for mental health records. Relevant to NOVA's mental health module.
Children Act 2022 (No. 29 of 2022)Governs the protection of children's rights. Requires parental or guardian consent for processing children's health data and mandates the best interests of the child as primary consideration.
Pharmacy and Poisons Act (Cap. 244)Governs medication dispensing records, prescription data confidentiality, and pharmacy information management relevant to NOVA's pharmacy module.
Computer Misuse and Cybercrimes Act 2018 (No. 5 of 2018)Criminalizes unauthorized access to computer systems. Directly applicable to unauthorized access to NOVA and patient health records.
Kenya National eHealth Policy 2016–2030National policy framework for health information systems including interoperability, data governance, and digital health standards in Kenya.

4. Data Protection Principles

All health data processed through NOVA shall be processed in accordance with the following principles, which reflect both the KDPA and Crucibel's ethical commitments as a Kenyan digital health company:

PrincipleWhat It MeansHow NOVA Implements It
Lawfulness, Fairness & TransparencyHealth data is processed only where there is a valid legal basis; patients are informed about how their data is used.Privacy notices displayed at point of care; legal bases documented; client DPAs specify lawful processing only.
Purpose LimitationHealth data collected for a specific purpose is not used for a different, incompatible purpose without consent.Technical data separation between clinical care and analytics; consent management module controls secondary use; data use agreements for research.
Data MinimizationOnly data that is adequate, relevant, and limited to what is necessary for the purpose is collected.NOVA modules collect only clinically necessary fields; configurable data collection forms; API scoping prevents over-collection.
AccuracyHealth data is kept accurate, complete, and up to date; inaccuracies are corrected without delay.Clinical record update workflows; patient flagging mechanism; data quality monitoring and reporting.
Storage LimitationHealth data is not kept in identifiable form for longer than necessary for its purpose.Automated retention and archival policies; anonymization schedules; retention register maintained per data type.
Integrity & Confidentiality (Security)Health data is protected against unauthorized access, accidental loss, destruction, or damage.AES-256 encryption at rest; TLS 1.3 in transit; MFA; RBAC; SIEM monitoring; annual penetration testing.
AccountabilityCrucibel is responsible for, and able to demonstrate compliance with all data protection principles.Appointed DPO; Records of Processing Activities (ROPA); DPIA program; annual compliance reviews; ODPC registration.

5. Patient Rights

Every individual whose health data is processed through NOVA has the following rights under the Kenya Data Protection Act 2019. Crucibel and its client data controllers are jointly committed to upholding these rights.

5.1 Right to Be Informed

Patients have the right to be informed, in plain language and in a language they understand about:

  • Who is collecting their health data and for what purposes
  • The legal basis for processing their health data
  • How long their data will be retained
  • With whom their data may be shared
  • Their rights under the KDPA and how to exercise them

Crucibel provides standard-form privacy notices and patient information templates to all NOVA client organizations, translated into English and Kiswahili. Client healthcare organizations are responsible for ensuring these notices are communicated to patients at the point of registration.

5.2 Right of Access

Patients have the right to obtain confirmation of whether their health data is being processed and to receive a copy of their health data. Requests must be:

  • Submitted to the relevant client healthcare organization (data controller), which is responsible for responding
  • Responded to within 21 days of receipt of a valid request
  • Provided free of charge for the first request; a reasonable administrative fee may be charged for subsequent requests within 12 months

NOVA provides a patient-facing portal through which, where enabled by the client organization, patients may directly access their health records.

5.3 Right to Rectification

Patients have the right to have inaccurate or incomplete health data corrected. Where a patient identifies an error in their health record, they should:

  • Notify their healthcare provider (the data controller)
  • The healthcare provider will review the request and, where the inaccuracy is confirmed, correct the record in NOVA
  • Where a clinical note is disputed rather than factually incorrect, the patient's objection may be appended to the record

Note on Medical Records Integrity

Clinical health records are medico-legal documents. NOVA maintains version-controlled audit trails of all record modifications. Deletions of clinical entries are not permitted; corrections are recorded as amendments with the original entry preserved in the audit log.

5.4 Right to Erasure

The right to erasure ("right to be forgotten") is subject to significant limitations in the health data context under Kenyan law:

  • Patient health records must be retained for the periods specified in Section 9 of this Policy to comply with the Health Act 2017 and medico-legal requirements
  • Where erasure is legally permissible (e.g., data processed on the basis of consent for a secondary purpose), Crucibel and the client organization will delete or anonymize the data within 30 days
  • Erasure requests that cannot be fulfilled due to legal obligations will be explained in writing to the patient within 21 days

5.5 Right to Data Portability

Patients have the right to receive their health data in a structured, commonly used, machine-readable format and to transmit that data to another healthcare provider. NOVA supports this right through:

  • HL7 FHIR-compliant patient health record export
  • Patient Summary documents downloadable via the patient portal
  • Secure electronic transfer to authorized receiving healthcare providers

5.6 Right to Object

Patients have the right to object to processing of their health data for purposes other than direct clinical care, including:

  • Medical research (even where ethical approval has been obtained - patient objection is valid)
  • Health analytics and performance benchmarking beyond direct care purposes
  • Teaching and training uses of their records

Objections must be directed to the relevant client healthcare organization. Crucibel will implement technical restrictions on data processing upon instruction from the data controller.

5.7 Rights of Vulnerable Patients

5.7.1 Children

The health data of children (persons under 18 years of age) shall only be collected and processed with the consent of a parent, legal guardian, or person with parental responsibility, except where:

  • Processing is necessary to protect the vital interests of the child
  • A court order or other legal authority overrides parental consent
  • The child is of sufficient age and maturity to consent on their own behalf for specific health services (as determined by applicable clinical guidelines and the Children Act 2022)

5.7.2 Persons with Mental Health Conditions

The health data of persons with mental health conditions shall be processed with sensitivity and in accordance with the Mental Health Act 2022. Where a patient lacks capacity to consent, a legally recognized substitute decision-maker shall provide consent. Treatment without consent in emergencies shall be documented and subject to clinical review.

5.7.3 Persons Living with HIV

NOVA applies the highest level of access restriction to HIV-related data in compliance with the HIV and AIDS Prevention and Control Act 2006. HIV status information may only be accessed by:

  • The treating clinician directly involved in the patient's HIV care
  • The patient themselves
  • Persons with the patient's explicit written consent
  • Public health authorities as required by mandatory reporting law (in anonymized/aggregate form only)

6. Lawful Bases for Processing Health Data

Processing of health data on NOVA is only permitted where there is a valid lawful basis under the Kenya Data Protection Act 2019. The following table sets out the lawful bases applied to each category of processing activity on NOVA:

Processing ActivityLawful Basis (KDPA)Notes
Direct patient clinical care and treatmentHealthcare provision (S.30(c))Primary basis for all clinical data processing; no additional consent required for care delivery
Patient identity matching and MPI managementHealthcare provision (S.30(c))Necessary to prevent patient misidentification errors and ensure continuity of care
Laboratory results exchange between providersHealthcare provision (S.30(c))Results shared only with treating clinicians and authorized care team members
Immunization program tracking (national)Public health / vital interests (S.30(b), (d))National immunization program; consistent with Kenya Expanded Program on Immunization (KEPI)
Notifiable disease reporting to public health authoritiesLegal obligation (S.30(f))Mandatory notification under Health Act 2017 and Infectious Diseases (Notification) regulations
HIV/AIDS case-based surveillanceLegal obligation; public health (S.30(d), (f))Strictly limited to anonymized/pseudonymized data; governed by HIV & AIDS Prevention and Control Act 2006
Health facility performance analyticsLegitimate interests (S.30(e))Aggregate, non-identifiable data only; does not identify individual patients
Medical and public health researchExplicit consent; public interest (S.30(a), (d))Requires: patient consent OR NACOSTI ethical approval + data use agreement; pseudonymized data preferred
Training and education using case dataExplicit consent (S.30(a))Individual patient consent required; anonymized wherever possible
Platform security and audit loggingLegal obligation; legitimate interests (S.30(e), (f))Audit logs are mandatory under KDPA accountability requirements; security monitoring is a legitimate interest

7. Confidentiality Obligations

7.1 Crucibel Staff and Contractors

All Crucibel employees, contractors, and agents who have access to health data in the course of their work are bound by the following confidentiality obligations:

  • Duty of Confidentiality: Every person with access to health data processed through NOVA carries a duty of confidentiality as a condition of their engagement with Crucibel. This duty arises from employment and contractor agreements, this Policy, and the laws of Kenya.
  • Confidentiality Agreements: All Crucibel staff and contractors must sign a Confidentiality and Data Protection Agreement before being granted access to health data. This obligation survives termination of employment or engagement.
  • Need-to-Know Principle: Access to health data is granted only to the extent necessary for the individual's specific role and responsibilities. No person shall access health data out of curiosity, personal interest, or for any purpose unrelated to their authorized duties.
  • Prohibition on Unauthorized Disclosure: No Crucibel employee or contractor shall disclose, share, copy, or transmit health data to any person or entity not authorized to receive it, whether inside or outside Crucibel.
  • Prohibition on Personal Device Storage: Health data shall not be downloaded to, stored on, or processed using personal devices (personal laptops, smartphones, USB drives) unless expressly authorized and secured in accordance with Crucibel's Mobile Device Policy.
  • Reporting of Suspected Breaches: Any employee or contractor who suspects or becomes aware of a breach of confidentiality or a personal data incident must report it immediately to the Data Protection Officer at dpo@crucibel.org or the designated incident hotline.

7.2 Client Healthcare Organizations

Client organizations accessing NOVA are bound by the following confidentiality standards as conditions of their Data Processing Agreement (DPA) with Crucibel:

  • Appoint at least one designated System Administrator responsible for user access management and ensuring staff compliance with this Policy
  • Ensure all clinical and administrative staff accessing NOVA have completed data protection and health data confidentiality training before being granted system access
  • Implement a formal access management process, including onboarding, role assignment, periodic access review, and prompt offboarding of departing staff
  • Report any suspected personal data breach or unauthorized access to Crucibel within 24 hours of discovery, in accordance with the Data Processing Agreement
  • Not share NOVA login credentials between users; each user must have an individual account
  • Not use NOVA to process health data for purposes beyond those specified in the Data Processing Agreement without written amendment

7.3 Permitted Disclosures

Health data may be disclosed without the patient's explicit consent only in the following circumstances permitted under Kenyan law:

CircumstanceConditions and LimitationsLegal Authority
Emergency medical treatmentDisclosure limited to what is necessary for the immediate treatment of the patient; documented in patient recordS.30(b) KDPA; Health Act 2017
Notifiable disease reportingReporting to Ministry of Health and county health authorities only; prescribed forms; patient-identifiable data only where legally requiredHealth Act 2017 S.76; Public Health Act Cap. 242
Court order or legal processValid court order from a Kenyan court required; disclosure limited to what the order specifies; Crucibel/client to seek legal advice before disclosingCourt order; Evidence Act
Child protection concernsDisclosure to authorized child protection authority where there is reasonable belief of abuse, neglect, or risk to the child's life; minimum necessary informationChildren Act 2022 S.9; Children Act duty to report
Serious public health threatDeclaration of public health emergency; disclosure to Cabinet Secretary for Health or CDSC only; proportionate to the threatPublic Health Act; Health Act 2017
Death - medico-legal purposesDisclosure to coroner or police only where required for inquest or criminal investigation; minimum necessaryBirths and Deaths Registration Act; Coroners Act

7.4 Prohibited Disclosures

The following disclosures are strictly prohibited under this Policy and Kenyan law:

  • Disclosure of HIV test results or HIV status to any employer, insurance company, school, or other third party without the patient's explicit written consent (HIV & AIDS Prevention and Control Act 2006, Section 23)
  • Disclosure of mental health records to any person not directly involved in the patient's care without patient consent (Mental Health Act 2022)
  • Disclosure of health data to media organizations, social media platforms, or any public forum
  • Sharing of health data for commercial purposes such as targeted advertising, insurance risk scoring, or employment screening
  • Disclosure to any foreign government, foreign law enforcement authority, or international organization without legal authority under Kenyan law
  • Any disclosure that would enable the re-identification of a patient whose data has been de-identified

8. Access Control and Information Security

8.1 Access Control Framework

NOVA implements a layered access control framework designed to ensure that health data is accessible only to authorized personnel with a legitimate clinical or administrative need:

Control LayerDescription
Multi-Factor Authentication (MFA)Mandatory for all NOVA users. MFA is enforced at login using a combination of password and a time-based one-time password (TOTP) or SMS OTP. MFA cannot be disabled by client administrators.
Role-Based Access Control (RBAC)Each user is assigned a role (e.g., Clinical Officer, Nurse, Lab Technician, Pharmacist, Facility Administrator, Public Health Officer). Roles define the data elements and functions accessible to each user. Roles are configured by the client System Administrator.
Field-Level Access ControlsUltra-sensitive data fields (HIV status, mental health diagnoses, reproductive health data, genetic data) are subject to additional access restrictions. Only users with explicitly assigned permissions can view these fields.
Break-Glass Emergency AccessA controlled override mechanism permits access to patient records in genuine clinical emergencies where normal authorization cannot be obtained. All break-glass access is logged, generates an immediate alert to the System Administrator, and is reviewed within 24 hours.
Session ManagementSessions automatically time out after 15 minutes of inactivity. Concurrent sessions from different devices are restricted and flagged for review.
Audit LoggingEvery access to, and modification of, patient health data is logged with timestamp, user identity, data accessed or modified, and action taken. Audit logs are immutable (cannot be deleted or modified) and retained for 7 years.

8.2 Technical Security Standards

The following minimum technical security standards apply to all health data processed through NOVA:

  • Encryption at Rest: All health data stored in NOVA databases and backup systems is encrypted using AES-256 encryption
  • Encryption in Transit: All data transmitted between clients and the NOVA platform uses TLS 1.3 or higher; unencrypted connections are rejected
  • Vulnerability Management: Automated vulnerability scanning conducted weekly; critical vulnerabilities patched within 72 hours; high vulnerabilities patched within 14 days
  • Penetration Testing: Annual third-party penetration testing of the NOVA platform and infrastructure by a certified ethical hacking firm
  • Cloud Infrastructure: NOVA is hosted on ISO 27001-certified cloud infrastructure within data centers located in Kenya or, where Kenyan facilities are unavailable, subject to Transfer Impact Assessment
  • Backup and Recovery: Automated daily backups; tested restoration procedures; Recovery Time Objective (RTO) of 4 hours for critical services
  • Secure Development: NOVA software development follows a Secure Software Development Lifecycle (SSDLC); security code reviews are mandatory for all changes affecting health data processing

9. Data Retention and Disposal

9.1 Retention Schedule

Health data processed through NOVA shall be retained for the following minimum periods, consistent with the Health Act 2017, the Medical Records Management Guidelines (Ministry of Health Kenya), and the KDPA:

Data CategoryRetention PeriodAuthority / Basis
Adult patient health records (general)Minimum 10 years from date of last clinical encounterMOH Medical Records Management Guidelines; medico-legal requirements
Children's health records (under 18)Until 25th birthday of the patient (i.e., 10 years from age 15, or until age 25, whichever is longer)Children Act 2022; MOH Guidelines - accounts for delayed litigation by adults regarding childhood care
Maternity and obstetric records25 years from date of last entryMOH guidelines; potential litigation related to birth injuries in later life
Mental health records20 years from date of last clinical encounterMental Health Act 2022; long-term nature of mental health conditions
HIV/ART treatment recordsLifetime of patient; minimum 20 yearsHIV & AIDS Prevention and Control Act 2006; National AIDS & STI Control Program (NASCOP) guidelines
Immunization recordsLifetime of individualKenya Expanded Program on Immunization; lifelong health relevance
Laboratory results10 years from date of resultConsistent with parent health record retention
Prescription / dispensing records10 years from date of dispensingPharmacy and Poisons Act (Cap. 244)
Audit and access logs7 yearsKDPA accountability requirements; limitation periods under Kenyan law
Aggregate public health / analytics data10 years (anonymized / aggregate)Public health policy and trend analysis; no individual rights affected (anonymized)

9.2 Disposal of Health Data

Upon expiry of the applicable retention period, health data shall be disposed of securely and permanently:

  • Electronic health data shall be deleted using cryptographic erasure (overwriting encryption keys) or secure data deletion meeting NIST 800-88 standards
  • Physical media containing health data shall be destroyed using certified destruction services with a certificate of destruction provided to Crucibel
  • Disposal activities shall be recorded in Crucibel's data disposal register
  • Client data controllers shall be notified of scheduled data disposal 60 days in advance
  • Where a client requires extended retention beyond the scheduled disposal date for legitimate clinical, legal, or public health reasons, a written extension request must be submitted to the Crucibel DPO

10. Personal Data Breach Management

A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, health data processed through NOVA. Crucibel maintains a formal breach management procedure aligned with the Kenya Data Protection Act 2019.

10.1 Breach Notification Obligations

Notification ToTimeframeContent Required
Crucibel Data Protection OfficerImmediately / within 1 hour of discoveryNature of incident, systems affected, preliminary assessment of scope, immediate actions taken
Client Data ControllerWithin 24 hours of Crucibel becoming awareFull breach notification per Data Processing Agreement; nature of breach, data affected, likely consequences, measures taken
Office of the Data Protection Commissioner (ODPC)Within 72 hours of becoming aware (KDPA S.43)Nature of breach, categories and number of data subjects affected, likely consequences, remediation measures. Joint notification with the data controller where appropriate.
Affected Data Subjects (Patients)Without undue delay where the breach is likely to result in high risk to rights and freedomsClear description of breach; nature of data compromised; likely consequences; steps taken; contact details for further information

10.2 Breach Response Procedure

  • Contain: Isolate affected systems; revoke compromised access credentials; engage incident response team within 1 hour
  • Assess: Determine scope, nature of data affected, number of data subjects, likely consequences, whether breach was malicious or accidental
  • Notify: Notify DPO, client controller, ODPC, and affected patients as per the schedule above
  • Investigate: Conduct root cause analysis; document timeline of events; preserve forensic evidence
  • Remediate: Implement technical and organizational measures to prevent recurrence; apply patches or configuration changes as needed
  • Review: Post-incident review within 30 days; update policies, procedures, and training as required; close breach record in the incident register

11. Special Categories of Health Data

Certain categories of health data carry heightened risks of harm if disclosed and are subject to enhanced protections under this Policy and Kenyan law.

11.1 HIV/AIDS Data

Legal Basis: HIV and AIDS Prevention and Control Act 2006 (No. 14 of 2006)

Section 23 prohibits the disclosure of HIV test results of a person without their written consent, except in limited circumstances defined by law. Violation is a criminal offence.

  • HIV status and ART records are stored in a restricted-access module within NOVA, separated from general clinical records
  • Access to HIV data requires a specific "HIV Care" role assigned by the client System Administrator - this role is not part of the default clinician access set
  • HIV data is never included in general patient summary exports or analytics reports in identifiable form
  • Mandatory reporting to NASCOP is conducted using anonymized, aggregate data only, consistent with NASCOP reporting guidelines
  • Any request for disclosure of a patient's HIV status - including from law enforcement - must be referred to the client's legal counsel before any disclosure is made

11.2 Mental Health Data

  • Mental health diagnoses, psychiatric treatment records, and psychotherapy notes are subject to enhanced access restrictions within NOVA
  • Access restricted to members of the patient's mental health care team; general clinical staff do not have default access to mental health records
  • Mental health records cannot be shared with employers, schools, insurance companies, or family members without explicit patient consent and documentation
  • Processing of mental health data of involuntarily admitted patients requires additional clinical governance oversight at the client facility

11.3 Reproductive and Maternal Health Data

  • Reproductive health data, including contraception, abortion-related care, fertility treatment, and pregnancy records, is treated as highly sensitive
  • Access is restricted to the patient's direct care team
  • NOVA does not permit export or disclosure of reproductive health data for insurance, employment, or social service assessment purposes

11.4 Children's Health Data

  • All data relating to patients aged under 18 years is classified as sensitive
  • Parental/guardian consent is required for non-emergency processing; a documented consent trail is maintained in NOVA
  • Children who are Gillick competent (i.e., sufficiently mature to consent independently for specific health services) may have their confidentiality preserved from parents for those specific services, consistent with Kenyan clinical guidance
  • Child health data is never used for commercial profiling, marketing, or research without full ethical approval and guardian consent

11.5 Genetic and Biometric Data

  • Genetic test results and biometric identifiers (where used for patient matching) are stored with field-level encryption and accessible only to authorized clinical staff
  • Genetic data shall not be shared with insurers, employers, or any third party for predictive risk assessment purposes
  • Biometric data used solely for patient identity verification shall be stored as irreversible hashes and not as raw biometric templates

12. Data Sharing, Interoperability and Third Parties

12.1 Sharing Between Healthcare Providers

NOVA is designed to enable the secure, authorized sharing of health data between healthcare providers to support continuity of care. Such sharing shall:

  • Be limited to the minimum data necessary for the receiving provider's clinical purpose
  • Occur only between healthcare organizations that are authorized NOVA clients with valid Data Processing Agreements
  • Maintain a complete audit trail of all shared data transactions
  • Respect any patient restrictions on sharing (e.g., where a patient has opted out of certain data sharing)

12.2 Integration with National Health Systems

NOVA integrates with key national health information systems in Kenya, including:

  • Kenya Health Information System (KHIS) / DHIS2: Aggregate, non-identifiable health statistics for national reporting
  • National AIDS & STI Control Program (NASCOP): Anonymized HIV program data
  • Kenya Immunization Management Information System (KEIMIS): Immunization records consistent with KEPI
  • National Hospital Insurance Fund (NHIF) / SHA: Claims data where applicable and legally authorized

All integrations with national systems are governed by data sharing agreements with the relevant Ministry of Health agencies and are restricted to the data elements and formats prescribed by those agreements.

12.3 Sub-Processors

Crucibel engages the following categories of sub-processors to support the delivery of NOVA:

  • Cloud infrastructure and hosting providers
  • Cybersecurity and SIEM service providers
  • Communication service providers (SMS/email for patient notifications)
  • Software development and technical support partners

All sub-processors are bound by Data Processing Agreements that impose data protection obligations at least equivalent to those in this Policy. Crucibel maintains a current Sub-Processor Register available to clients upon request. Clients will be notified at least 30 days before any new sub-processor is engaged.

12.4 Research Access

Health data processed through NOVA may be made available for approved public health or medical research subject to the following conditions:

  • Research protocol approved by a recognized Kenyan Research Ethics Committee (NACOSTI-accredited)
  • Signed Data Use Agreement between the research institution and Crucibel/client data controller
  • Data provided in pseudonymized or anonymized form wherever possible
  • Individual patient consent obtained where identifiable data is required
  • Research results may not identify individual patients
  • Data destroyed upon completion of the research project unless ongoing retention is justified and consented

13. Governance and Accountability

13.1 Data Protection Officer

Crucibel has appointed a Data Protection Officer (DPO) who is registered with the Office of the Data Protection Commissioner as required under the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021. The DPO is responsible for:

  • Monitoring Crucibel's compliance with the KDPA and this Policy
  • Advising on Data Protection Impact Assessments
  • Acting as point of contact with the ODPC
  • Receiving and managing data subject rights requests and complaints
  • Overseeing staff data protection training

The DPO can be contacted at: dpo@Crucibel.org

13.2 Roles and Responsibilities

RoleData Protection Responsibilities
Board of DirectorsUltimate accountability for data protection compliance; approve this Policy; ensure adequate resources for DPO function
Chief Executive OfficerExecutive accountability; ensure data protection is embedded in corporate strategy; approve major data processing decisions
Data Protection OfficerDay-to-day compliance monitoring; policy development and maintenance; staff training; ODPC liaison; DPIA oversight; breach management
Chief Technology OfficerTechnical security of NOVA platform; Privacy by Design in product development; vulnerability management; incident response
Engineering TeamImplement Privacy by Design; conduct security code reviews; apply data minimization in feature development; report security issues to DPO and CTO
Client Success / Implementation TeamEnsure clients understand their data protection obligations; deliver client data protection training; manage DPA execution
Client System AdministratorsManage user access and roles at facility level; ensure staff training compliance; report breaches to Crucibel within 24 hours; conduct periodic access reviews

13.3 Training Requirements

The following training requirements apply:

  • All Crucibel staff: Mandatory annual data protection and health data confidentiality training; completion recorded and verified
  • Crucibel developers: Additional secure coding and privacy engineering training annually
  • Client healthcare staff: Mandatory NOVA user training including data protection module before first access; annual refresher
  • New joiners (Crucibel and clients): Training completed and assessed before any health data access is granted

13.4 Records of Processing Activities (ROPA)

Crucibel maintains a Register of Processing Activities (ROPA) as required under the KDPA and Data Protection (General) Regulations 2021. The ROPA records all health data processing activities conducted through NOVA, including processing purposes, legal bases, data categories, retention periods, and security measures. The ROPA is reviewed and updated quarterly and is available to the ODPC upon request.

14. Complaints, Escalation and Enforcement

14.1 Internal Complaints Process

Any patient, data subject, Crucibel staff member, or client organization with a concern about how health data has been processed through NOVA may raise a complaint through the following process:

  • Submit the complaint in writing to the Crucibel Data Protection Officer: dpo@crucibel.org
  • The DPO will acknowledge receipt within 5 business days and commence investigation
  • The DPO will provide a substantive response within 21 days of receipt of the complaint
  • Where the complaint is upheld, Crucibel will take appropriate remedial action and notify the complainant
  • Where the complainant is not satisfied with the Crucibel response, they have the right to escalate to the ODPC

14.2 Regulatory Escalation

Complaints may be submitted to the Office of the Data Protection Commissioner (ODPC) at any time:

  • Website: www.odpc.go.ke
  • Postal Address: Office of the Data Protection Commissioner, Nairobi, Kenya
  • The ODPC has powers to investigate complaints, issue enforcement notices, and impose administrative fines of up to KES 5 million or 1% of annual gross revenue under the KDPA

14.3 Consequences of Breach

Breaches of this Policy may result in:

  • For Crucibel staff: Disciplinary action up to and including summary dismissal; personal civil and criminal liability under the KDPA and the Computer Misuse and Cybercrimes Act 2018
  • For client organizations: Termination of the NOVA Service Agreement; notification to relevant healthcare regulatory bodies; liability under the Data Processing Agreement
  • For Crucibel as a company: Administrative fines by the ODPC; regulatory sanctions; reputational harm; civil liability to affected data subjects

15. Policy Review, Approval and Version Control

15.1 Review Schedule

This Policy shall be reviewed:

  • Annually by the Data Protection Officer, with approval by the Board of Directors
  • Immediately upon any material change to Kenyan data protection legislation or health information law
  • Following any significant personal data breach involving NOVA
  • Upon launch of a significant new NOVA module or feature that materially changes the nature of health data processing

15.2 Version History

VersionDateAuthorSummary of Changes
1.01 July 2026Data Protection OfficerInitial version - Policy established for NOVA Kenya market launch

15.3 Approval

RoleNameDate
Data Protection OfficerTyson Lukale Bukachi1 July 2026
Chief Executive OfficerGoodwin Joshua Omollo1 July 2026
Board ChairGoodwin Joshua Omollo1 July 2026