The Nairobi Hospital has been held responsible for illegally using a patient’s image in promotional material and has been ordered to pay Sh500,000. The Office of the Data Protection Commissioner found that a hospital employee secretly recorded the patient during treatment and later allowed the content to appear in advertising campaigns, violating the Data Protection Act.
The issue began when Caroline Wanjiku filed a complaint in August 2025, claiming that her personal data had been misused. She stated that images and video recordings taken during her hospital stay in September 2024 were displayed on the hospital’s digital screens to promote services, without her knowledge or agreement.
Wanjiku told the Commissioner that she had not been informed or asked for consent before the recordings were made. She described discovering the footage in the hospital, which exposed her private medical experience to the public and used her image for commercial purposes without her permission.
The promotional material also included remarks from a senior nurse praising the hospital’s services, even though Wanjiku had not approved participation.
The hospital, in its defence, claimed that the videography had been authorised and that consent had been granted, arguing that the recordings were intended for internal training and learning purposes only.
Investigators, however, concluded that the material was used to advance the hospital’s business interests.
The Data Commissioner ruled, “From the evidence presented, it is clear that the respondent used recordings containing the complainant’s personal images to advertise its services.” The ruling added, “As such, the complainant's image was being used to advance the respondent's commercial and economic interests.”
The hospital was also criticised for failing to provide proof that consent had been obtained. The Commissioner highlighted that the law places the responsibility to demonstrate consent on the data controller, which in this case is the hospital.
Attempts to resolve the matter through alternative dispute resolution did not succeed, leaving a formal ruling. The hospital’s breach of the Data Protection Act resulted in a Sh500,000 fine, reinforcing the importance of protecting patient privacy and personal data.
