A Nairobi school has been ordered to pay KSh 637,500 in compensation after unlawfully using a pupil’s personal information and image in a newspaper advertisement without parental consent, the Office of the Data Protection Commissioner (ODPC) has ruled.
In a determination issued on January 19, 2026, Data Protection Commissioner Immaculate Kassait found that Nairobi Academy violated the Data Protection Act by publishing a learner’s name and examination results in the advertising section of a local daily newspaper as part of the school’s promotional activities.
The commissioner ruled that the disclosure amounted to unlawful processing of a minor’s personal data for commercial purposes, noting that the school failed to obtain express consent from the child’s parent before publicising the information.
The case arose from a complaint filed by the pupil’s parents, who first raised concerns with the school in 2023 after a similar incident. Although the school acknowledged the earlier complaint and assured the parent that it would not repeat the action without consent, the data was published again in an edition dated August 21, 2025.
This second publication prompted a formal complaint to the ODPC and a subsequent investigation.
In her ruling, Commissioner Kassait cited Section 65(4) of the Data Protection Act, which recognises that harm resulting from data breaches can include both financial loss and non-financial damage, such as emotional distress.
Taking into account the nature of the violation, the extent of the publication, and the school’s previous conduct regarding data protection, the commissioner directed Nairobi Academy to pay KSh 637,500 to the complainant.
During the investigation, the school admitted that no express parental consent had been obtained and argued that the publication was intended as an academic performance update rather than a deliberate commercial advertisement. The institution also acknowledged delays in responding to the parents’ follow-up concerns and attributed the breach to weaknesses in its internal data-protection procedures, expressing regret over the incident.
The ruling underscores the legal obligations of schools and institutions when handling children’s personal data, particularly where such information is used in public or commercial contexts.
