The Nairobi Hospital has been ordered to pay Sh500,000 for the illegal use of a patient’s personal image in commercial advertising without consent.
In a ruling, the Office of the Data Protection Commissioner found the hospital liable for breaching the Data Protection Act after a staff member covertly recorded the patient during medical treatment. The images were later used to promote the hospital’s services.
The case stemmed from a complaint filed by Caroline Wanjiku, a former patient, in August 2025, alleging misuse of her personal data.
The dispute arose when Ms Wanjiku discovered that images and video recordings taken during her admission in September 2024 had been displayed on the hospital’s digital screens as part of promotional advertisements.
She told the Data Commissioner that the recordings were made secretly, without her knowledge or consent, while she was receiving medical care. The promotional video also featured commentary from the hospital’s senior nurse endorsing the facility’s quality of care — again without her permission.
The hospital defended its actions, claiming the videography was authorised and that consent had been freely given. It argued that the footage was meant solely for internal educational purposes.
However, investigators determined that the material was used to advance the hospital’s commercial interests.
“From the evidence presented, it is clear that the respondent used recordings containing the complainant’s personal images to advertise its services,” the Data Commissioner ruled. “As such, the complainant's image was being used to advance the respondent's commercial and economic interests.”
The decision followed failed attempts to resolve the matter through alternative dispute resolution.
The Commissioner criticised the hospital for failing to provide verifiable proof of consent, emphasising that the burden of proof lies with the data controller — in this case, the hospital.
“The respondent claimed it recorded the complainant with her consent but offered no supporting evidence,” the ruling stated.
The Commissioner stressed that legal consent must be express, specific, informed and verifiable, particularly when personal data is used commercially.
The hospital was found to be in violation of Sections 32 and 37 of the Data Protection Act. As redress, it was ordered to compensate Ms Wanjiku Sh500,000 and delete all advertisements containing her personal data from its platforms, submitting proof of compliance.
Failure to comply with the deletion order would result in an enforcement notice. Both parties retain the right to appeal the decision in the High Court.
