Trust Center
Last Updated: 1 July 2026
Crucibel Technology Ltd. ("Crucibel") is a Kenyan technology company registered under the Laws of Kenya. Crucibel develops and operates NOVA, a cloud-based Health Information Exchange (HIE) and Health Management Information System (HMIS) delivered as a Software-as-a-Service (SaaS) platform to healthcare organizations in Kenya.
This Health Data & Confidentiality Policy ("Policy") establishes Crucibel's binding commitments and operational standards for the collection, storage, processing, sharing, protection, and disposal of health data processed through the NOVA platform. It reflects the primacy of patient dignity, autonomy, and privacy as foundational values of Kenya's healthcare system and digital health ecosystem.
This Policy is designed to ensure that every person whose health information is processed through NOVA can trust that their data will be treated with the highest standards of confidentiality, integrity, and respect - consistent with Kenyan law and the ethical obligations of healthcare.
This Policy applies to:
This Policy applies to all processing activities conducted by Crucibel and NOVA within the territory of Kenya. All processing is subject to Kenyan law, including the Kenya Data Protection Act 2019, and to the regulatory oversight of the Office of the Data Protection Commissioner (ODPC) and the Kenya Health sector regulatory authorities.
In this Policy, unless the context otherwise requires:
| Term | Definition |
|---|---|
| Health Data | Any personal data relating to the physical or mental health of an individual, including data revealing information about their health status, diagnoses, treatment, prescriptions, laboratory results, reproductive health, disability, or any other clinical information, as defined under Section 2 of the Kenya Data Protection Act 2019. |
| NOVA Platform | The cloud-hosted Health Information Exchange and Health Management Information System operated by Crucibel as a SaaS product. |
| Data Subject / Patient | The identified or identifiable individual to whom health data relates. In the context of NOVA, this is primarily a patient receiving healthcare services in Kenya. |
| Data Controller | A person or entity that determines the purposes and means of processing personal data. Client healthcare organizations using NOVA are data controllers in respect of their patients' health data. |
| Data Processor | Crucibel, which processes health data on behalf of data controllers pursuant to a Data Processing Agreement. |
| Confidentiality | The obligation to ensure that health data is accessible only to those who are authorized to access it and is not disclosed to unauthorized persons. |
| KDPA | Kenya Data Protection Act, No. 24 of 2019, and any subsidiary legislation, regulations, or guidelines issued thereunder. |
| ODPC | Office of the Data Protection Commissioner, the independent statutory authority responsible for overseeing data protection in Kenya. |
| Sensitive Personal Data | Under the KDPA, categories of personal data requiring heightened protection, including data concerning health or medical history, genetic data, biometric data, and data relating to HIV/AIDS status. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, health data transmitted, stored or otherwise processed on NOVA. |
| Pseudonymization | Processing of health data in a manner such that the data can no longer be attributed to a specific individual without the use of additional information that is held separately and securely. |
| Sub-processor | A third party engaged by Crucibel to process health data on its behalf, including cloud infrastructure providers, security service providers, and integration partners. |
This Policy is grounded in and must be read together with the following Kenyan laws, regulations, and standards:
| Legal Instrument | Key Relevance to NOVA and this Policy |
|---|---|
| Kenya Data Protection Act 2019 (No. 24 of 2019) | Primary data protection legislation. Governs all processing of personal data (including health data) in Kenya. Establishes rights of data subjects, obligations of controllers and processors, and enforcement powers of the ODPC. Requires registration of data controllers and processors to process sensitive personal data. |
| Data Protection (General) Regulations 2021 | Subsidiary legislation under the KDPA prescribing requirements for lawful processing, data subject rights procedures, data protection impact assessments, and registration with the ODPC. |
| Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 | Requires Crucibel to register as a data processor with the ODPC given the nature and scale of health data processing on NOVA. |
| Health Act 2017 (No. 21 of 2017) | Establishes the right to health and patient confidentiality obligations for healthcare providers. Part VI governs health information management, including electronic health records, and authorizes the Kenya Health Information System (KHIS). |
| HIV and AIDS Prevention and Control Act 2006 (No. 14 of 2006) | Establishes strict confidentiality protections for HIV-related data. Section 23 prohibits unauthorized disclosure of HIV test results. NOVA processes HIV data only with explicit legal authority and enhanced access controls. |
| Mental Health Act 2022 (No. 9 of 2022) | Governs protection of the rights of persons with mental disorders. Contains confidentiality requirements for mental health records. Relevant to NOVA's mental health module. |
| Children Act 2022 (No. 29 of 2022) | Governs the protection of children's rights. Requires parental or guardian consent for processing children's health data and mandates the best interests of the child as primary consideration. |
| Pharmacy and Poisons Act (Cap. 244) | Governs medication dispensing records, prescription data confidentiality, and pharmacy information management relevant to NOVA's pharmacy module. |
| Computer Misuse and Cybercrimes Act 2018 (No. 5 of 2018) | Criminalizes unauthorized access to computer systems. Directly applicable to unauthorized access to NOVA and patient health records. |
| Kenya National eHealth Policy 2016–2030 | National policy framework for health information systems including interoperability, data governance, and digital health standards in Kenya. |
All health data processed through NOVA shall be processed in accordance with the following principles, which reflect both the KDPA and Crucibel's ethical commitments as a Kenyan digital health company:
| Principle | What It Means | How NOVA Implements It |
|---|---|---|
| Lawfulness, Fairness & Transparency | Health data is processed only where there is a valid legal basis; patients are informed about how their data is used. | Privacy notices displayed at point of care; legal bases documented; client DPAs specify lawful processing only. |
| Purpose Limitation | Health data collected for a specific purpose is not used for a different, incompatible purpose without consent. | Technical data separation between clinical care and analytics; consent management module controls secondary use; data use agreements for research. |
| Data Minimization | Only data that is adequate, relevant, and limited to what is necessary for the purpose is collected. | NOVA modules collect only clinically necessary fields; configurable data collection forms; API scoping prevents over-collection. |
| Accuracy | Health data is kept accurate, complete, and up to date; inaccuracies are corrected without delay. | Clinical record update workflows; patient flagging mechanism; data quality monitoring and reporting. |
| Storage Limitation | Health data is not kept in identifiable form for longer than necessary for its purpose. | Automated retention and archival policies; anonymization schedules; retention register maintained per data type. |
| Integrity & Confidentiality (Security) | Health data is protected against unauthorized access, accidental loss, destruction, or damage. | AES-256 encryption at rest; TLS 1.3 in transit; MFA; RBAC; SIEM monitoring; annual penetration testing. |
| Accountability | Crucibel is responsible for, and able to demonstrate compliance with all data protection principles. | Appointed DPO; Records of Processing Activities (ROPA); DPIA program; annual compliance reviews; ODPC registration. |
Every individual whose health data is processed through NOVA has the following rights under the Kenya Data Protection Act 2019. Crucibel and its client data controllers are jointly committed to upholding these rights.
Patients have the right to be informed, in plain language and in a language they understand about:
Crucibel provides standard-form privacy notices and patient information templates to all NOVA client organizations, translated into English and Kiswahili. Client healthcare organizations are responsible for ensuring these notices are communicated to patients at the point of registration.
Patients have the right to obtain confirmation of whether their health data is being processed and to receive a copy of their health data. Requests must be:
NOVA provides a patient-facing portal through which, where enabled by the client organization, patients may directly access their health records.
Patients have the right to have inaccurate or incomplete health data corrected. Where a patient identifies an error in their health record, they should:
Note on Medical Records Integrity
Clinical health records are medico-legal documents. NOVA maintains version-controlled audit trails of all record modifications. Deletions of clinical entries are not permitted; corrections are recorded as amendments with the original entry preserved in the audit log.
The right to erasure ("right to be forgotten") is subject to significant limitations in the health data context under Kenyan law:
Patients have the right to receive their health data in a structured, commonly used, machine-readable format and to transmit that data to another healthcare provider. NOVA supports this right through:
Patients have the right to object to processing of their health data for purposes other than direct clinical care, including:
Objections must be directed to the relevant client healthcare organization. Crucibel will implement technical restrictions on data processing upon instruction from the data controller.
The health data of children (persons under 18 years of age) shall only be collected and processed with the consent of a parent, legal guardian, or person with parental responsibility, except where:
The health data of persons with mental health conditions shall be processed with sensitivity and in accordance with the Mental Health Act 2022. Where a patient lacks capacity to consent, a legally recognized substitute decision-maker shall provide consent. Treatment without consent in emergencies shall be documented and subject to clinical review.
NOVA applies the highest level of access restriction to HIV-related data in compliance with the HIV and AIDS Prevention and Control Act 2006. HIV status information may only be accessed by:
Processing of health data on NOVA is only permitted where there is a valid lawful basis under the Kenya Data Protection Act 2019. The following table sets out the lawful bases applied to each category of processing activity on NOVA:
| Processing Activity | Lawful Basis (KDPA) | Notes |
|---|---|---|
| Direct patient clinical care and treatment | Healthcare provision (S.30(c)) | Primary basis for all clinical data processing; no additional consent required for care delivery |
| Patient identity matching and MPI management | Healthcare provision (S.30(c)) | Necessary to prevent patient misidentification errors and ensure continuity of care |
| Laboratory results exchange between providers | Healthcare provision (S.30(c)) | Results shared only with treating clinicians and authorized care team members |
| Immunization program tracking (national) | Public health / vital interests (S.30(b), (d)) | National immunization program; consistent with Kenya Expanded Program on Immunization (KEPI) |
| Notifiable disease reporting to public health authorities | Legal obligation (S.30(f)) | Mandatory notification under Health Act 2017 and Infectious Diseases (Notification) regulations |
| HIV/AIDS case-based surveillance | Legal obligation; public health (S.30(d), (f)) | Strictly limited to anonymized/pseudonymized data; governed by HIV & AIDS Prevention and Control Act 2006 |
| Health facility performance analytics | Legitimate interests (S.30(e)) | Aggregate, non-identifiable data only; does not identify individual patients |
| Medical and public health research | Explicit consent; public interest (S.30(a), (d)) | Requires: patient consent OR NACOSTI ethical approval + data use agreement; pseudonymized data preferred |
| Training and education using case data | Explicit consent (S.30(a)) | Individual patient consent required; anonymized wherever possible |
| Platform security and audit logging | Legal obligation; legitimate interests (S.30(e), (f)) | Audit logs are mandatory under KDPA accountability requirements; security monitoring is a legitimate interest |
All Crucibel employees, contractors, and agents who have access to health data in the course of their work are bound by the following confidentiality obligations:
Client organizations accessing NOVA are bound by the following confidentiality standards as conditions of their Data Processing Agreement (DPA) with Crucibel:
Health data may be disclosed without the patient's explicit consent only in the following circumstances permitted under Kenyan law:
| Circumstance | Conditions and Limitations | Legal Authority |
|---|---|---|
| Emergency medical treatment | Disclosure limited to what is necessary for the immediate treatment of the patient; documented in patient record | S.30(b) KDPA; Health Act 2017 |
| Notifiable disease reporting | Reporting to Ministry of Health and county health authorities only; prescribed forms; patient-identifiable data only where legally required | Health Act 2017 S.76; Public Health Act Cap. 242 |
| Court order or legal process | Valid court order from a Kenyan court required; disclosure limited to what the order specifies; Crucibel/client to seek legal advice before disclosing | Court order; Evidence Act |
| Child protection concerns | Disclosure to authorized child protection authority where there is reasonable belief of abuse, neglect, or risk to the child's life; minimum necessary information | Children Act 2022 S.9; Children Act duty to report |
| Serious public health threat | Declaration of public health emergency; disclosure to Cabinet Secretary for Health or CDSC only; proportionate to the threat | Public Health Act; Health Act 2017 |
| Death - medico-legal purposes | Disclosure to coroner or police only where required for inquest or criminal investigation; minimum necessary | Births and Deaths Registration Act; Coroners Act |
The following disclosures are strictly prohibited under this Policy and Kenyan law:
NOVA implements a layered access control framework designed to ensure that health data is accessible only to authorized personnel with a legitimate clinical or administrative need:
| Control Layer | Description |
|---|---|
| Multi-Factor Authentication (MFA) | Mandatory for all NOVA users. MFA is enforced at login using a combination of password and a time-based one-time password (TOTP) or SMS OTP. MFA cannot be disabled by client administrators. |
| Role-Based Access Control (RBAC) | Each user is assigned a role (e.g., Clinical Officer, Nurse, Lab Technician, Pharmacist, Facility Administrator, Public Health Officer). Roles define the data elements and functions accessible to each user. Roles are configured by the client System Administrator. |
| Field-Level Access Controls | Ultra-sensitive data fields (HIV status, mental health diagnoses, reproductive health data, genetic data) are subject to additional access restrictions. Only users with explicitly assigned permissions can view these fields. |
| Break-Glass Emergency Access | A controlled override mechanism permits access to patient records in genuine clinical emergencies where normal authorization cannot be obtained. All break-glass access is logged, generates an immediate alert to the System Administrator, and is reviewed within 24 hours. |
| Session Management | Sessions automatically time out after 15 minutes of inactivity. Concurrent sessions from different devices are restricted and flagged for review. |
| Audit Logging | Every access to, and modification of, patient health data is logged with timestamp, user identity, data accessed or modified, and action taken. Audit logs are immutable (cannot be deleted or modified) and retained for 7 years. |
The following minimum technical security standards apply to all health data processed through NOVA:
Health data processed through NOVA shall be retained for the following minimum periods, consistent with the Health Act 2017, the Medical Records Management Guidelines (Ministry of Health Kenya), and the KDPA:
| Data Category | Retention Period | Authority / Basis |
|---|---|---|
| Adult patient health records (general) | Minimum 10 years from date of last clinical encounter | MOH Medical Records Management Guidelines; medico-legal requirements |
| Children's health records (under 18) | Until 25th birthday of the patient (i.e., 10 years from age 15, or until age 25, whichever is longer) | Children Act 2022; MOH Guidelines - accounts for delayed litigation by adults regarding childhood care |
| Maternity and obstetric records | 25 years from date of last entry | MOH guidelines; potential litigation related to birth injuries in later life |
| Mental health records | 20 years from date of last clinical encounter | Mental Health Act 2022; long-term nature of mental health conditions |
| HIV/ART treatment records | Lifetime of patient; minimum 20 years | HIV & AIDS Prevention and Control Act 2006; National AIDS & STI Control Program (NASCOP) guidelines |
| Immunization records | Lifetime of individual | Kenya Expanded Program on Immunization; lifelong health relevance |
| Laboratory results | 10 years from date of result | Consistent with parent health record retention |
| Prescription / dispensing records | 10 years from date of dispensing | Pharmacy and Poisons Act (Cap. 244) |
| Audit and access logs | 7 years | KDPA accountability requirements; limitation periods under Kenyan law |
| Aggregate public health / analytics data | 10 years (anonymized / aggregate) | Public health policy and trend analysis; no individual rights affected (anonymized) |
Upon expiry of the applicable retention period, health data shall be disposed of securely and permanently:
A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, health data processed through NOVA. Crucibel maintains a formal breach management procedure aligned with the Kenya Data Protection Act 2019.
| Notification To | Timeframe | Content Required |
|---|---|---|
| Crucibel Data Protection Officer | Immediately / within 1 hour of discovery | Nature of incident, systems affected, preliminary assessment of scope, immediate actions taken |
| Client Data Controller | Within 24 hours of Crucibel becoming aware | Full breach notification per Data Processing Agreement; nature of breach, data affected, likely consequences, measures taken |
| Office of the Data Protection Commissioner (ODPC) | Within 72 hours of becoming aware (KDPA S.43) | Nature of breach, categories and number of data subjects affected, likely consequences, remediation measures. Joint notification with the data controller where appropriate. |
| Affected Data Subjects (Patients) | Without undue delay where the breach is likely to result in high risk to rights and freedoms | Clear description of breach; nature of data compromised; likely consequences; steps taken; contact details for further information |
Certain categories of health data carry heightened risks of harm if disclosed and are subject to enhanced protections under this Policy and Kenyan law.
Legal Basis: HIV and AIDS Prevention and Control Act 2006 (No. 14 of 2006)
Section 23 prohibits the disclosure of HIV test results of a person without their written consent, except in limited circumstances defined by law. Violation is a criminal offence.
NOVA is designed to enable the secure, authorized sharing of health data between healthcare providers to support continuity of care. Such sharing shall:
NOVA integrates with key national health information systems in Kenya, including:
All integrations with national systems are governed by data sharing agreements with the relevant Ministry of Health agencies and are restricted to the data elements and formats prescribed by those agreements.
Crucibel engages the following categories of sub-processors to support the delivery of NOVA:
All sub-processors are bound by Data Processing Agreements that impose data protection obligations at least equivalent to those in this Policy. Crucibel maintains a current Sub-Processor Register available to clients upon request. Clients will be notified at least 30 days before any new sub-processor is engaged.
Health data processed through NOVA may be made available for approved public health or medical research subject to the following conditions:
Crucibel has appointed a Data Protection Officer (DPO) who is registered with the Office of the Data Protection Commissioner as required under the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021. The DPO is responsible for:
The DPO can be contacted at: dpo@Crucibel.org
| Role | Data Protection Responsibilities |
|---|---|
| Board of Directors | Ultimate accountability for data protection compliance; approve this Policy; ensure adequate resources for DPO function |
| Chief Executive Officer | Executive accountability; ensure data protection is embedded in corporate strategy; approve major data processing decisions |
| Data Protection Officer | Day-to-day compliance monitoring; policy development and maintenance; staff training; ODPC liaison; DPIA oversight; breach management |
| Chief Technology Officer | Technical security of NOVA platform; Privacy by Design in product development; vulnerability management; incident response |
| Engineering Team | Implement Privacy by Design; conduct security code reviews; apply data minimization in feature development; report security issues to DPO and CTO |
| Client Success / Implementation Team | Ensure clients understand their data protection obligations; deliver client data protection training; manage DPA execution |
| Client System Administrators | Manage user access and roles at facility level; ensure staff training compliance; report breaches to Crucibel within 24 hours; conduct periodic access reviews |
The following training requirements apply:
Crucibel maintains a Register of Processing Activities (ROPA) as required under the KDPA and Data Protection (General) Regulations 2021. The ROPA records all health data processing activities conducted through NOVA, including processing purposes, legal bases, data categories, retention periods, and security measures. The ROPA is reviewed and updated quarterly and is available to the ODPC upon request.
Any patient, data subject, Crucibel staff member, or client organization with a concern about how health data has been processed through NOVA may raise a complaint through the following process:
Complaints may be submitted to the Office of the Data Protection Commissioner (ODPC) at any time:
Breaches of this Policy may result in:
This Policy shall be reviewed:
| Version | Date | Author | Summary of Changes |
|---|---|---|---|
| 1.0 | 1 July 2026 | Data Protection Officer | Initial version - Policy established for NOVA Kenya market launch |
| Role | Name | Date |
|---|---|---|
| Data Protection Officer | Tyson Lukale Bukachi | 1 July 2026 |
| Chief Executive Officer | Goodwin Joshua Omollo | 1 July 2026 |
| Board Chair | Goodwin Joshua Omollo | 1 July 2026 |