How the transition to SHA has exposed gaps in data governance

Medical Services Principal Secretary Harry Kimtai. [Kanyiri Wahito, Standard]

For months, the government has urged Kenyans to register for the new Social Health Authority (SHA), which is replacing the National Health Insurance Fund (NHIF). 

Despite these efforts, only about 2 million Kenyans had signed up for the new scheme by the time SHA was officially rolled out on October 1, 2024.

To speed up the transition, the government began automatically migrating NHIF members to SHA without their consent.

A message confirming the automatic migration from NHIF to the new Social Health Authority (SHA). [Screenshot]

The unsolicited migration has since sparked widespread criticism, with many expressing concerns over privacy violations.

"NHIF had very different terms of service compared to SHA. Migrating people without their consent is a clear breach of data privacy and is illegal. This should be common sense," opined X user, Bravin Yuri.

Another user questioned the government's actions: "Is the government forcefully migrating us to SHA? I haven't registered, yet I received this SMS. They might as well finish what they've started and update my profile because I’m not on board with this."

Data governance lawyer James Mbugua, speaking to The Standard, avers that the government has violated privacy laws with the unauthorised migration.

"There is a violation of consent and the right to object to data processing. We haven't entered into any agreement with SHA regarding how our data will be handled, processed, or shared," he said.

In response to the backlash, the Ministry of Health on Thursday, September 3, said that the transition process from NHIF to SHA is lawful.

“The Ministry has received inquiries regarding the transition of existing NHIF members to SHA. We wish to clarify that legal notice 147 of 2024 allows for the migration of all registered and verifiable NHIF members to SHA,” the statement read. 

“This process ensures continuity of coverage, and members are encouraged to verify and update their profiles, as well as add dependents through our official SHA channels.”

The Law

According to the Data Protection Act of 2019, individuals have the right to control how their personal information is used. 

The law mandates that personal data can only be processed or transferred with informed consent, except in cases where a legal exception applies.