MMUST Registered as Data Controller and Processor: Pioneering Data Privacy Compliance in Higher Education
On 15th July 2023, Masinde Muliro University of Science and Technology (MMUST) reached a significant milestone by officially registering as a Data Controller and Data Processor under Kenya’s Data Protection Act, 2019. This historic step places MMUST among the leading public universities that are actively aligning institutional operations with national data privacy laws and global standards for ethical data governance.
The registration was facilitated through the Office of the Data Protection Commissioner (ODPC) and formally recognizes MMUST’s responsibility in handling and protecting personal data across its core functions—ranging from academic records and staff information to student health services and digital systems.
“Registration is more than a legal formality—it’s a signal of our commitment to safeguarding the rights and information of our stakeholders. As a university, data protection is now a shared responsibility across departments,” noted the Director of ICT Services.
What Does It Mean to Be a Data Controller and Processor?
As a Data Controller, MMUST determines how and why personal data is collected and used. As a Data Processor, the university also handles data on behalf of others, particularly within its systems like:
- Learning Management Systems (LMS)
- Student Information Systems
- Human Resource and Payroll platforms
- Biometric tools
- Health systems
The designation places a legal duty on MMUST to ensure lawful, transparent, and secure processing of data, guided by the principles of data minimization, confidentiality, accuracy, and accountability.
