1. Purpose, Scope and Applicability
1.1 Purpose
This Acceptable Use Policy ("AUP" or "Policy") defines the standards of acceptable and unacceptable behaviour when accessing or using the NOVA Health Information Exchange and Health Management Information System ("NOVA" or the "Platform"), operated by Crucibel Technology Ltd. ("Crucibel").
NOVA is a platform entrusted with some of the most sensitive personal data that exists - patient health information. The integrity, confidentiality and appropriate use of this data is both a legal obligation and a matter of patient safety and dignity. This Policy therefore exists to:
- Protect the rights, privacy and safety of patients and data subjects whose health information is processed through NOVA
- Ensure compliance with all applicable Kenyan laws governing data protection, health information and digital systems
- Maintain the security, availability and integrity of the NOVA Platform and its underlying infrastructure
- Provide clear, unambiguous guidance on what constitutes acceptable use to all persons who access NOVA
- Establish the consequences of misuse and the enforcement mechanisms available to Crucibel
1.2 Scope - Who This Policy Applies To
This Policy applies to every person who accesses or uses NOVA in any capacity, including:
| User Category | Description |
|---|
| Clinical Staff | Doctors, clinical officers, nurses, midwives, pharmacists, laboratory technicians, community health workers and all other healthcare professionals accessing patient records through NOVA |
| Administrative Staff | Health facility administrators, records officers, billing staff and operations personnel with access to NOVA for non-clinical purposes |
| System Administrators | Client-designated technical personnel with elevated privileges to manage user accounts, roles and configuration on NOVA |
| Integration Partners | Third-party organisations and developers accessing NOVA via APIs or integration interfaces under an approved integration agreement |
| Government & Public Health Users | Ministry of Health personnel, county health officers, public health surveillance teams and NHIF/SHA officials with approved access to NOVA modules |
| Researchers | Persons accessing NOVA data for approved research purposes under a Data Use Agreement and valid ethics approval from a NACOSTI-accredited institution |
| Crucibel Staff & Contractors | Crucibel employees, contractors and agents who access the NOVA Platform or client health data in the course of their duties |
1.3 Geographic Scope
This Policy applies to all use of NOVA within the territory of Kenya. NOVA is currently a Kenya-only platform. Any access from outside Kenya requires Crucibel's prior written approval and is subject to additional security controls and cross-border data transfer compliance requirements under the Kenya Data Protection Act 2019.
1.4 Relationship to Other Policies
This AUP must be read together with:
- Crucibel Terms of Service - the master agreement governing access to NOVA
- Crucibel Health Data & Confidentiality Policy - detailed standards for health data handling
- Crucibel Data Processing Agreement - governs Crucibel's processing of health data as data processor
- Crucibel Privacy Policy - governs processing of personal data of NOVA users
- Crucibel Information Security Policy - technical security standards and controls
In the event of inconsistency between this AUP and the Terms of Service, the Terms of Service shall prevail. This AUP supplements but does not replace any applicable Kenyan law or professional regulatory obligations.
2. Core Principles
Every use of NOVA must be guided by the following core principles, which reflect Crucibel's values as a Kenyan digital health company and the foundational obligations of all persons entrusted with health data:
| Principle | What It Means | In Practice |
|---|
| Patient First | Every action on NOVA must serve the interests of patients and the quality of their care. Patient rights and dignity are paramount. | Access only the records of patients you are actively involved in caring for or have a legitimate administrative reason to access. |
| Minimum Necessary Access | Access only the data you need to perform your specific role. Do not browse, explore, or query data beyond your immediate need. | A pharmacist verifying a prescription does not need to access a patient's psychiatric history. A billing clerk does not need clinical diagnosis detail. |
| Purposeful Use Only | NOVA may only be used for the purposes for which you have been authorised - clinical care, administration, public health, or approved research. No other purpose. | Do not access patient records out of curiosity, personal interest, or for any reason unrelated to your authorised function. |
| Confidentiality Always | Information accessed through NOVA is confidential. It must never be shared with unauthorised persons, whether inside or outside the health facility. | Do not discuss patient information in public areas, share screenshots, or forward records to personal devices or email accounts. |
| Accountability | Every action on NOVA is logged and attributable to a named user. All users are personally accountable for their use of the platform. | Your login is your identity on NOVA. You are responsible for every action taken under your credentials. |
| Legal Compliance | All use of NOVA must comply with Kenyan law, including data protection, health information, cybercrime and professional regulation laws. | Violations may result in criminal prosecution, professional deregistration, civil liability and termination of access. |
3. Permitted Uses
The following uses of NOVA are permitted, subject to each user acting within their assigned role and access level and in compliance with all applicable Kenyan laws and Crucibel's policies:
Clinical Care Activities
- Accessing, reviewing and updating the health records of patients under your direct clinical care
- Recording clinical encounters, diagnoses, treatment plans, prescriptions and clinical notes for patients you are actively treating
- Ordering and reviewing laboratory tests and results for patients under your care
- Accessing a patient's medication history to check for drug interactions or contraindications
- Reviewing immunisation records to determine vaccination status and administer appropriate vaccines
- Accessing maternity and obstetric records to support safe delivery and postnatal care
- Recording referrals and accessing referral information to support continuity of care across facilities
- Accessing patient records in genuine clinical emergencies, including via the break-glass emergency access mechanism, with immediate documentation of the reason
Administrative and Operational Activities
- Managing patient registration and demographic information as part of facility intake processes
- Scheduling appointments and managing patient flow within your facility
- Processing billing, insurance and NHIF/SHA claims consistent with applicable regulations and patient consent
- Generating management reports and dashboards relating to your own facility's performance using aggregate data
- Managing user accounts and access roles for your facility as a System Administrator
- Conducting periodic access reviews to ensure user accounts remain appropriate
Public Health and Surveillance Activities
- Reporting notifiable diseases to the Ministry of Health, county health departments, or CDSC as required by the Health Act 2017 and related regulations
- Submitting aggregate immunisation coverage data to national KEPI/DHIS2 systems
- Accessing aggregate surveillance data for approved outbreak investigation and public health response activities
- Generating facility-level public reports for submission to county or national health authorities
Approved Research Activities
- Accessing data under a signed Data Use Agreement and valid ethics committee approval from a NACOSTI-accredited institution
- Accessing pseudonymised or anonymised data exports for approved research purposes
- Generating aggregate analytical outputs from NOVA for research reporting, within the scope of the approved protocol
Platform Administration (Crucibel Staff and System Administrators)
- Performing authorised technical support, maintenance, configuration and troubleshooting activities
- Monitoring platform performance, availability and security using authorised tools and procedures
- Conducting security assessments, penetration testing and vulnerability scanning under approved schedules
- Accessing client environments for support purposes only with explicit client consent and with full audit logging
Important Reminder
Permitted use does not mean unlimited use. All permitted activities must be performed within the user's assigned role, for a legitimate and documented purpose and in the minimum scope necessary. NOVA's audit logs record all activity. Permitted access used for an impermissible purpose remains a violation of this Policy.
4. Prohibited Uses - Patient Data and Health Records
The following uses of patient health data through NOVA are strictly prohibited. These prohibitions exist to protect patient rights, uphold medical ethics and ensure compliance with Kenyan law, including the Kenya Data Protection Act 2019, the Health Act 2017, the HIV and AIDS Prevention and Control Act 2006 and the Mental Health Act 2022. Violations may constitute criminal offences.
Unauthorised Access to Patient Records
- Accessing the health records of any patient for whom you do not have an active clinical care relationship or a documented administrative or public health purpose
- Accessing the records of public figures, colleagues, family members, friends, or acquaintances out of curiosity or personal interest
- Accessing records of a patient who has expressly restricted sharing with your facility or your role
- Accessing records of a deceased patient other than for lawful post-mortem clinical, legal, or insurance purposes with appropriate authorisation
- Using another user's credentials to access NOVA, regardless of whether that person has consented to sharing their login
Unauthorised Disclosure of Health Data
- Sharing, forwarding, printing, photographing, or transmitting patient health data to any person not authorised to receive it
- Disclosing a patient's HIV status, diagnosis, or HIV test results to any employer, insurer, school, family member, or third party without the patient's explicit written consent - a criminal offence under the HIV and AIDS Prevention and Control Act 2006, Section 23
- Disclosing mental health diagnoses, psychiatric records, or substance use disorder records to any person outside the direct treatment team without patient consent
- Discussing identifiable patient information in public areas, corridors, canteens, or any setting where it may be overheard by unauthorised persons
- Sharing patient data via unsecured channels including personal email, personal WhatsApp, or any unencrypted messaging platform
- Posting, sharing, or referencing identifiable patient information on any social media platform or public forum
- Responding to media or press enquiries about specific patients without authorisation from the facility's designated spokesperson and the patient's consent
Misuse of Health Data for Harmful Purposes
- Using patient health data to discriminate against any individual on the basis of their health status, HIV status, mental health condition, disability, reproductive health, or any other protected characteristic under Kenyan law
- Using patient health data for insurance risk scoring, actuarial underwriting, or any activity that could disadvantage a patient in accessing healthcare coverage
- Using patient health data for employment screening, background checks, or any purpose related to hiring, firing, or promotion decisions
- Using patient health data to coerce, blackmail, harass, stalk, or exercise control over any individual
- Accessing or using reproductive health data - including contraception, pregnancy, or abortion-related records - to report, harm, or disadvantage the patient
- Sharing a patient's health data with law enforcement, government agencies, or immigration authorities except where compelled by a valid court order or express legal obligation
Children's Health Data
- Accessing or processing children's health data without verified parental or guardian consent, except in genuine emergencies or as expressly required by law
- Using children's health data for any purpose beyond their direct clinical care without full ethics approval and guardian consent
- Sharing children's health data with schools, employers, or social welfare agencies beyond what is required for the child's welfare without legal authority
5. Prohibited Uses - System Security and Integrity
The following activities against the NOVA Platform, its infrastructure, or its data integrity are strictly prohibited. These activities may constitute criminal offences under the Computer Misuse and Cybercrimes Act 2018 (No. 5 of 2018) and may result in immediate termination of access and referral to law enforcement.
Criminal Conduct Warning
Unauthorised access to or interference with a computer system or data is a criminal offence under the Computer Misuse and Cybercrimes Act 2018. Violations carry penalties including fines of up to KES 10 million and imprisonment for up to 10 years, or both, depending on the severity of the offence.
Unauthorised System Access
- Attempting to access any NOVA account, module, system component, or data without authorisation
- Using automated tools, scripts, bots, or credential-stuffing attacks to gain or attempt to gain access to NOVA
- Exploiting any vulnerability in NOVA to obtain elevated access or to access data beyond your authorised scope
- Accessing the NOVA administrative console, backend systems, or database layer without explicit written authorisation from Crucibel
- Bypassing, circumventing, disabling, or tampering with any access control, authentication, or authorisation mechanism on NOVA
- Using a VPN, proxy, or anonymisation service to disguise your identity or location when accessing NOVA without Crucibel's approval
Attacks on Platform Integrity
- Introducing, uploading, or transmitting any malware, ransomware, virus, Trojan, worm, spyware, or other malicious code into NOVA or its connected systems
- Launching or participating in any denial-of-service (DoS) or distributed denial-of-service (DDoS) attack against NOVA or any connected system
- Conducting port scanning, network mapping, or reconnaissance activities against NOVA infrastructure without written authorisation from Crucibel
- Attempting to intercept, monitor, or capture data traffic on NOVA networks using packet sniffers, man-in-the-middle tools, or similar techniques
- Performing any penetration testing, vulnerability scanning, or security testing of NOVA without prior written approval from Crucibel's security team
- Deliberately overloading, flooding, or degrading NOVA's performance in a manner that affects other users or services
Tampering with Data and Audit Trails
- Altering, falsifying, or destroying any clinical record, health data entry, or administrative record on NOVA
- Entering false, fabricated, or misleading clinical data into NOVA, including false diagnoses, fictitious patient records, or altered laboratory results
- Attempting to delete, modify, conceal, or corrupt any audit log, access record, or system log on NOVA
- Submitting false or fraudulent claims data, billing data, or insurance records through NOVA
- Creating duplicate or fictitious patient identities for fraudulent or deceptive purposes
Misuse of Administrative Privileges
- Using System Administrator privileges to access patient health data beyond what is necessary for system administration - System Administrators must not use their elevated access to view clinical records for non-administrative purposes
- Creating user accounts for persons who are not genuine Authorised Users of the Client organisation
- Assigning roles to users that exceed their legitimate clinical or administrative function
- Using administrative tools to suppress, bypass, or manipulate access control alerts or audit notifications
- Sharing System Administrator credentials with any other person under any circumstances
6. Prohibited Uses - Commercial Misuse and Secondary Use
Health data processed through NOVA is collected for healthcare and public health purposes. Its commercial exploitation or use for purposes incompatible with healthcare provision is prohibited.
Commercial Exploitation of Health Data
- Selling, licensing, trading, or offering for sale any patient health data, or any derivative of patient health data, to any third party
- Using NOVA data to build, train, or improve any commercial machine learning model, AI system, or predictive algorithm without Crucibel's express written consent and, where required, patient consent and ethics approval
- Extracting, aggregating, or packaging health data from NOVA for sale as a commercial data product or health intelligence service
- Using health data from NOVA to provide data brokerage services to insurers, pharmaceutical companies, employers, or any commercial entity
Unauthorised Secondary Use
- Using patient health data collected for clinical care purposes for research without valid ethics approval from a NACOSTI-accredited research ethics committee
- Using patient health data for academic publication, case study, or teaching without appropriate de-identification and, where required, patient consent
- Using aggregate health data generated through NOVA for purposes incompatible with those disclosed to patients at collection
- Sharing data extracts, reports, or analytics from NOVA with external organisations, media, or researchers without authorisation from the Client data controller and, where applicable, Crucibel
Platform Resale and Misrepresentation
- Sub-licensing, reselling, or providing third-party access to NOVA without Crucibel's prior written consent
- Representing to any third party that your organisation has rights to grant access to NOVA or to share NOVA data beyond the scope of your Service Order
- Using NOVA output, reports, or branding in a manner that misleadingly suggests Crucibel endorses a particular clinical, commercial, or political position
- Reverse-engineering, decompiling, or copying the NOVA software, algorithms, or data models for the purpose of building a competing product
7. Credential and Device Security Obligations
All users of NOVA are personally responsible for the security of their access credentials and the devices through which they access the Platform. Failure to maintain credential and device security may expose patient data to unauthorised access and constitutes a breach of this Policy.
7.1 Password and Credential Requirements
- Use a strong, unique password for NOVA that is not shared with any other system or application
- Never write down your NOVA password in any location accessible to others, including sticky notes on monitors, shared documents, or unencrypted files
- Never share your NOVA login credentials with any other person, including colleagues, managers, or IT support staff - Crucibel support staff will never ask for your password
- Change your password immediately if you suspect it has been compromised
- Multi-factor authentication (MFA) is mandatory for all users and must not be disabled or circumvented
- Do not configure NOVA to auto-save passwords in shared or public browsers
7.2 Device Security
- Only access NOVA from devices that are authorised by your organisation and meet the minimum security requirements specified in NOVA's Documentation
- Ensure your device has up-to-date operating system patches and security updates
- Do not access NOVA from public or shared computers, internet cafés, or kiosks where your credentials or session data may be cached
- Lock your device screen or log out of NOVA whenever you leave your workstation unattended, even briefly
- Do not allow any other person to observe your NOVA session or the patient data displayed on your screen
- Enable full-disk encryption on any device used to access NOVA where this is technically feasible
7.3 Remote and Mobile Access
- When accessing NOVA remotely or on mobile devices, use only secure, private networks - do not access NOVA over unsecured public Wi-Fi without an approved VPN
- Do not access NOVA from a personal device that is also used by other household members who may have access to the device
- Report any lost or stolen device used to access NOVA to your System Administrator and to Crucibel security at security@crucibel.org immediately
7.4 Session Management
- Always log out of NOVA at the end of your session - do not simply close the browser tab
- Do not leave an active NOVA session unattended on a shared workstation
- NOVA will automatically time out inactive sessions after 15 minutes - this setting cannot be overridden by users
- Do not attempt to extend or bypass session timeout mechanisms
8. API and System Integration Use
NOVA provides API interfaces to enable approved integrations with other health information systems, including electronic medical record systems, laboratory information systems, pharmacy systems and national health platforms. All API access is subject to this Policy and the following additional requirements:
8.1 Authorised API Access
- API access is permitted only for organisations that have executed a separate API Integration Agreement or whose Service Order explicitly authorises API access
- All API integrations must be approved in writing by Crucibel before going live - no unauthorised integrations are permitted
- API keys and credentials must be stored securely, treated as confidential and never included in publicly accessible code repositories
- API access must use secure, encrypted connections (HTTPS/TLS 1.3 minimum) at all times
- API integrations must only request and process the minimum data necessary for the integration's authorised function
8.2 Prohibited API Activities
API Misuse
- Using API access to bulk-extract, scrape, or copy patient health data beyond the scope of the approved integration
- Using API credentials for any purpose other than the approved integration function described in the Integration Agreement
- Sharing, publishing, or transferring API keys or integration credentials to any third party
- Using API access to probe, test, or enumerate data not related to the integration's approved purpose
- Exceeding API rate limits, using automated tools to flood API endpoints, or conducting denial-of-service attacks via API interfaces
- Attempting to access API endpoints or system functions not documented or approved for the integration
8.3 National System Integrations
Integrations with national Kenyan health platforms - including KHIS/DHIS2, NASCOP, KEIMIS and NHIF/SHA - are governed by data sharing agreements with the respective agencies. Users of these integrations must comply with the data sharing terms and any additional reporting obligations imposed by those agreements, in addition to this Policy.
9. Obligations for Specific Categories of Sensitive Data
Certain categories of health data carry heightened risks of harm if misused or disclosed. Users who have authorised access to the following data types must observe additional obligations:
Legal Basis
Section 23 of the HIV and AIDS Prevention and Control Act 2006 makes it a criminal offence to disclose a person's HIV status without their written consent. NOVA enforces strict access controls on HIV data; users who breach these controls may face criminal prosecution.
9.1 HIV and AIDS Data
- Access HIV records only as part of direct HIV care or ART programme management for the specific patient
- Never disclose a patient's HIV status to any employer, insurer, school, family member, partner, or third party without the patient's explicit written consent documented in NOVA
- Do not include HIV status in any referral letter, summary report, or communication unless the receiving clinician has a clinical need to know and the patient has consented to the disclosure
- Do not access the HIV module for population-level queries or programme analytics unless you hold an authorised public health or programme management role
9.2 Mental Health Data
- Access mental health records only as part of the direct treatment team for the patient
- Psychotherapy session notes, psychiatric assessments and substance use disorder records carry heightened confidentiality - access is restricted to mental health clinicians directly involved in care
- Do not share mental health diagnoses or treatment records with general clinical staff, family members, employers, or social services without explicit patient consent
- Mental health data must not be included in aggregate reporting or analytics outputs in any identifiable form
9.3 Reproductive and Maternal Health Data
- Reproductive health information - including contraception, pregnancy, fertility treatment and records related to any reproductive healthcare - must be treated with the highest level of discretion
- This data must not be disclosed to family members, partners, employers, or community workers without explicit patient consent
- Access is restricted to the patient's direct reproductive healthcare team
9.4 Children's Health Data
- All data relating to patients under 18 years must be handled with particular care consistent with the Children Act 2022 and the best interests of the child
- Access or processing of children's health data without verified parental or guardian consent is prohibited except in genuine clinical emergencies or where legal authority exists
- Children who are Gillick competent for specific health services may have confidentiality protected from parents for those services - consult clinical guidelines and facility protocols before disclosure
- Children's data must never be used for commercial profiling, marketing, or research without full ethics approval and guardian consent
10. Reporting Obligations
Every user of NOVA has a duty to report suspected or actual violations of this Policy. Prompt reporting protects patients, enables timely incident response and may mitigate legal liability. Failure to report a known breach may itself constitute a violation of this Policy.
10.1 What Must Be Reported
Users must report any of the following immediately upon discovery:
- Actual or suspected unauthorised access to NOVA by any person
- Actual or suspected personal data breach, including unauthorised access to, disclosure of, or loss of patient health data
- Loss or theft of any device used to access NOVA
- Discovery of malware, ransomware, or other malicious software on a device used to access NOVA
- Discovery that another user is violating this Policy, including accessing records without authorisation or sharing credentials
- Receipt of phishing emails, suspicious links, or social engineering attempts targeting NOVA access credentials
- Any system anomaly, unusual access pattern, or suspicious activity noticed in NOVA
- Inadvertent disclosure of patient data to an unintended recipient
10.2 How to Report
| Incident Type | Report To | Contact |
|---|
| Security breach / cyberattack / data breach | Crucibel Security Operations (immediately) + your System Administrator | security@crucibel.org |
| Policy violation by a colleague or user | Your System Administrator and/or facility management | Per your facility's internal reporting procedure |
| Data protection concern / patient rights issue | Crucibel Data Protection Officer | dpo@crucibel.org |
| Lost / stolen device with NOVA access | Your System Administrator (immediately) + Crucibel Security | security@crucibel.org |
| Phishing / social engineering attempt | Crucibel Security Operations | security@crucibel.org |
| Complaint against Crucibel's own data handling | Crucibel DPO, then ODPC if unresolved | dpo@crucibel.org / www.odpc.go.ke |
10.3 Whistleblower Protection
Crucibel is committed to creating an environment where concerns about data misuse and policy violations can be raised without fear of retaliation. Any person who reports a genuine concern in good faith shall not suffer any adverse consequence from Crucibel for making that report, even if the concern ultimately proves unfounded. This protection does not apply to reports made maliciously or in bad faith.
Crucibel shall treat all reports with confidentiality to the extent possible, disclosing the identity of the reporter only where necessary for the investigation or required by law.
11. Monitoring, Audit and Transparency
By accessing NOVA, all users acknowledge and consent to the following monitoring and audit practices, which are necessary to protect patient data, detect misuse and ensure compliance with Kenyan law:
11.1 What Crucibel Monitors
- All login attempts, successful logins and failed login attempts, including timestamp, device and location data
- All access to patient health records, including the specific records viewed, modified, or exported and the user responsible
- All data exports, print requests, API calls and data sharing events
- All System Administrator activities, including account creation, role changes and configuration modifications
- All break-glass emergency access events
- System performance, availability and resource usage
- Network traffic for anomalous patterns indicative of attacks or exfiltration
11.2 How Monitoring Data Is Used
- To detect and investigate suspected policy violations, data breaches and unauthorised access
- To support incident response and forensic investigations following security events
- To generate compliance and audit reports for Crucibel and client organisations
- To fulfil Crucibel's obligations under the Kenya Data Protection Act 2019 and ODPC guidance
- To provide Client System Administrators with access reports for their facility
No Expectation of Privacy in System Activity
Users of NOVA should be aware that they have no expectation of privacy in respect of their system activity on the Platform. All actions are logged, attributable and may be reviewed by Crucibel, by the Client's System Administrator and by regulatory authorities as required by law.
11.3 Audit Log Retention
NOVA audit logs are retained for a minimum of seven (7) years and are immutable - they cannot be deleted or modified by any user, including System Administrators and Crucibel staff. Audit logs are available to:
- Crucibel's security and compliance team
- Client System Administrators (for their own facility's access logs)
- The ODPC and other regulatory authorities as required by law
- Competent courts in Kenya upon valid court order
12. Enforcement and Consequences of Violation
12.1 Crucibel's Enforcement Powers
Crucibel reserves the right to take any or all of the following actions in response to an actual or suspected violation of this Policy:
- Immediately suspend or permanently revoke the access of any user found to be in breach, without advance notice where the breach poses a risk to patient data or platform security
- Notify the Client organisation of the breach and provide audit log evidence
- Terminate the Client's Service Agreement in accordance with the Terms of Service
- Report the breach to the Office of the Data Protection Commissioner (ODPC)
- Report criminal conduct to the Kenya Police Service, the Directorate of Criminal Investigations (DCI), or relevant prosecutorial authorities
- Report professional misconduct to the relevant professional regulatory body (e.g., Kenya Medical Practitioners and Dentists Council, Nursing Council of Kenya, Pharmacy and Poisons Board)
- Pursue civil remedies including damages, injunctions and account of profits in the High Court of Kenya
12.2 Consequences for Individual Users
| Violation Category | Potential Consequences |
|---|
| Accidental minor policy breach (e.g., accessing wrong patient record and self-reporting promptly) | Documented warning; additional training; access review; no further action if isolated incident and promptly reported |
| Deliberate misuse without harm (e.g., accessing a colleague's record out of curiosity) | Immediate access suspension; formal investigation; disciplinary action by employer; possible referral to professional regulatory body |
| Serious breach with harm or high risk (e.g., unauthorised disclosure of HIV status; selling health data) | Permanent access revocation; termination of employment or contract; referral to ODPC; referral to law enforcement; civil proceedings |
| Criminal conduct (e.g., cyberattack; ransomware; deliberate data destruction) | Immediate access revocation; mandatory referral to Kenya Police / DCI; prosecution under Computer Misuse and Cybercrimes Act 2018 and/or KDPA; civil proceedings |
12.3 Consequences for Client Organisations
Where a breach of this Policy is attributable to a Client organisation's systemic failures (e.g., failure to train staff, failure to manage access, failure to report a breach), Crucibel may:
- Require the Client to conduct a formal internal investigation and submit a remediation plan
- Impose enhanced monitoring or audit requirements on the Client's NOVA environment
- Suspend the Client's access pending remediation
- Terminate the Service Agreement for material breach per the Terms of Service
- Notify the ODPC of a systemic data protection failure by the Client as data controller
12.4 No Waiver
Crucibel's failure to enforce any provision of this Policy in any particular instance does not constitute a waiver of Crucibel's right to enforce that provision in any other instance. Repeated or escalating violations will be treated more seriously regardless of prior enforcement history.
13. Legal and Regulatory Framework
This Policy is grounded in the following Kenyan laws and regulations. All users are expected to familiarise themselves with the laws applicable to their role:
| Law / Regulation | Key Relevance to This Policy |
|---|
| Kenya Data Protection Act 2019 (No. 24 of 2019) | Governs all processing of personal data, including health data. Creates rights for data subjects and obligations for data controllers and processors. Authorises the ODPC to investigate, issue enforcement notices and impose fines. |
| Data Protection (General) Regulations 2021 | Subsidiary legislation under the KDPA prescribing procedures for exercising data subject rights, conducting DPIAs and registering with the ODPC. |
| Computer Misuse and Cybercrimes Act 2018 (No. 5 of 2018) | Criminalises unauthorised access to computer systems (Section 16), unauthorised interference with data (Section 17) and unauthorised disclosure of computer data (Section 21). Penalties up to KES 10 million and/or 10 years' imprisonment. |
| Health Act 2017 (No. 21 of 2017) | Governs patient confidentiality, the right to health information and management of health records. Obliges healthcare providers to protect patient data. |
| HIV and AIDS Prevention and Control Act 2006 (No. 14 of 2006) | Section 23 makes unauthorised disclosure of HIV test results a criminal offence. Section 24 prohibits mandatory testing without consent. Applies directly to NOVA's HIV module. |
| Mental Health Act 2022 (No. 9 of 2022) | Protects the rights of persons with mental disorders, including confidentiality of mental health records. Governs consent to treatment and information sharing. |
| Children Act 2022 (No. 29 of 2022) | Protects children's rights, including data privacy rights. Requires parental/guardian consent for data processing and mandates the best interests of the child. |
| Pharmacy and Poisons Act (Cap. 244) | Governs the confidentiality of prescription and dispensing records relevant to NOVA's pharmacy module. |
| Anti-Corruption and Economic Crimes Act 2003 | Relevant to fraudulent use of health data, including submission of false claims through NOVA. |
| Kenya National eHealth Policy 2016–2030 | National framework for health information systems, interoperability and data governance standards applicable to NOVA. |
14. Special Obligations for Crucibel Staff and Contractors
Crucibel employees, contractors and agents who access the NOVA Platform or any client health data in the course of their duties are subject to all provisions of this Policy and the following additional requirements:
14.1 Access to Client Environments
- Crucibel staff may only access a client's NOVA environment with the explicit, documented consent of the client's authorised representative
- All Crucibel access to client environments is subject to advance authorisation, full audit logging and post-access reporting to the client
- Access must be strictly limited to the scope required for the support or maintenance task - no general browsing of client health data
- Crucibel staff must not retain, copy, or store any client health data beyond what is strictly necessary for the support task and must delete it promptly upon completion
14.2 Confidentiality and Non-Disclosure
- All Crucibel staff and contractors must sign a Confidentiality and Data Protection Agreement before being granted any access to client environments or health data
- Crucibel staff are bound by confidentiality obligations that survive termination of their employment or engagement
- Crucibel staff must immediately report any potential or actual breach of client data to the Data Protection Officer at dpo@crucibel.org
14.3 Development and Testing Environments
- Real patient health data must never be used in development, testing, staging, or demonstration environments
- All test data used in non-production environments must be synthetic, fully anonymised, or derived from consented research cohorts
- Developers must not include any real patient identifiers in code commits, bug reports, documentation, or support tickets
14.4 Security Research
- Crucibel security personnel conducting vulnerability assessments or penetration testing must do so only under an approved security testing programme with defined scope and documented authorisation
- Security findings relating to client data vulnerabilities must be reported through the approved vulnerability disclosure process and not disclosed publicly without following responsible disclosure procedures
15. Training and Policy Acknowledgement
15.1 Mandatory Training
All users of NOVA must complete the following training requirements before being granted access and on an annual basis thereafter:
- NOVA User Training - platform navigation, features and operational procedures
- Data Protection and Health Data Confidentiality Module - covering KDPA obligations, patient rights, confidentiality duties and this AUP
- Role-Specific Security Training - tailored to the user's access level and clinical or administrative function
Training completion is recorded in Crucibel's learning management system. Client System Administrators are responsible for ensuring all Authorised Users complete training before access is granted. Access will not be activated for users who have not completed mandatory training.
15.2 Policy Acknowledgement
All users must formally acknowledge this Policy before accessing NOVA for the first time. Acknowledgement is recorded and constitutes binding agreement to comply with this Policy. Acknowledgement is renewed annually at the time of training refresh.
16. Policy Review, Approval and Version Control
16.1 Review Schedule
This Policy shall be reviewed:
- Annually by the Data Protection Officer and Chief Technology Officer
- Immediately upon any material change to Kenyan data protection legislation, health information law, or the Computer Misuse and Cybercrimes Act 2018
- Following any significant security incident or personal data breach involving NOVA
- Upon launch of any significant new NOVA module or feature that introduces new use cases
16.2 Version History
| Version | Date | Author | Summary of Changes |
|---|
| 1.0 | 1 July 2026 | DPO & CTO, Crucibel | Initial version - Policy established for NOVA Kenya market launch |
16.3 Approval
| Role | Name |
|---|
| Data Protection Officer | Tyson Lukale Bukachi |
| Chief Technology Officer | Paul Ochieng' Okello |
| Chief Executive Officer | Goodwin Joshua Omollo |