Data Protection and the KRA Data Privacy Statement

KRA Data Protection Officer

KRA as a data controller is required to have a data protection officer whose role is to oversee and ensure compliance to the Data Protection Act , 2019. The contact details of KRA's data protection officer is as follows:

Mr. Joseph Tonui

Deputy Commissioner - Corporate Data Office


Telephone: 0709017166


1.              PRIVACY STATEMENT


This Privacy Statement provides information on how and why the Kenya Revenue Authority (KRA) collects and processes your personal data.

This statement should be read together with the Terms and Conditions of use for other KRA Services. Where there is a conflict, this privacy statement will prevail.

This statement applies to all taxpayers, KRA staff, students, consultants, 3rd parties, parastatals, development partners and all visitors to any of KRA premises.


2.             DEFINITIONS


The Authority/KRA/We/our/ours/us/ means the Kenya Revenue Authority established under Act of Parliament Chapter 469 of the laws of Kenya.


Data Protection Officer is a person designated or appointed by the Authority to monitor compliance with the Data Protection Act, No. 24 of 2019 and the Regulations made under the Act.


Data Collection means gathering of information that relates to you.


Personal data means information about you that identifies you directly or indirectly as a unique individual such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.


Processing means any operation or sets of operations which is performed on your personal data whether or not by automated means, such as: collection, recording, organization or structuring; Storage, adaptation or alteration; Retrieval, consultation or use; Disclosure by transmission, dissemination, or otherwise making available; Alignment or combination, restriction, erasure or destruction.


Sensitive personal data is data revealing your racial or ethnic origin, political opinions, professional membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's gender.


Third Party - means a natural or legal person, public authority, agency or body other than you and KRA, who under the direct authority of KRA are authorized to process your personal data.


You/ Your (s) means:

  1. Taxpayer – a person who holds a Personal Identification number (PIN) and liable for tax under the Kenyan tax law whether or not you have accrued any tax liability in a tax period.
  2. Any staff who has been employed by Kenya Revenue Authority
  3. Any student who has enrolled with the Kenya School of revenue and administration (KESRA)
  4. Any agent, dealer and/or merchants who has signed an agreement with us and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
  5. Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any KRA premises.
  6. Any supplier/ service provider who has been contracted by KRA.
  7. Any external lawyer who has tendered his/her application and/or signed a service level agreement with KRA.
  8. Any Auditor who has signed an agreement with KRA.



The Kenya Revenue Authority processes your personal information as permitted by the applicable Tax Laws, Data Protection Law and its internal policies:

  1. With your consent
  2. Where processing is necessary for carrying out the mandate of the Authority
  3. For the performance of a contract to which you are party to or at your request before entering a contract.
  4. In compliance with any legal obligation to which KRA is subject.
  5. For protecting the vital and legitimate interests of KRA or another person.
  6. For the performance of a task carried out in public interest.
  7. For historical, statistical, or scientific research.


3.1 Collection of Personal Data

KRA collects your personal data both directly and indirectly in accordance with the law. We collect your personal information with your knowledge and consent with exception to cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.


The personal data we collect includes name, email, national identification number/passport number/Alien identification number, date of birth, income, employer, Address, phone number, profession, bank account details, business ownership, property, gender, photographs, videos, tax residence status, citizenship, sources of income, educational qualifications, biometric data, religion, ethnicity, marital status, family details, surveillance footage, or any other data of a personal nature.


KRA also collects information that cannot be used to personally identify you such as anonymous usage data, general demographic information, referring/exit pages and URLs, platform types, preferences that are generated based on the data that you submit and number of clicks.

3.1.1 Sensitive Personal Data

The Authority collects special category of personal data about you revealing details about your race, health status, ethnic origin, belief, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, gender and biometric data.

KRA shall ensure that sensitive personal data about you is processed in accordance to your right of privacy and as permitted in Part V of the Data Protection Act, 2019.


3.2 Use of Personal Data



Personal data collected


Individual taxpayer

Identity type, name, postal and physical address, location, phone number, date and place of birth, email address, age, marital status, family details, gender, bank account details, income brackets, profession, supporting personal documents, closed circuit television surveillance recordings.

Tax Registration, Tax Assessment, tax payments and refund processing, responding to queries, implementation of tax laws

KESRA Students

Identity type, name, postal and physical address, location, phone number, date of birth, email address, age, gender, academic details, bank account details, closed circuit television surveillance recordings.

Educational administration


Identity type, name, postal and physical address, location, phone number, date of birth, email address, age, gender, dependant details, academic details, profession, biometric information such as fingerprints, Closed circuit Television surveillance recordings, health records

Management of Employment relationship and benefit processing

Staff dependent’s

Identity type, name, postal and physical address, location, phone number, date of birth, email address, age, gender

Employee dependant benefit processing

Interns and attachés

Identity type, name, postal and physical address, location, phone number, date and place of birth, email address, age, gender, account details, family details-next of kin, academic details, profession, closed circuit television surveillance recordings,

Internship and attachment processing

Clearing agents

Identity type, name, postal and physical address, location, phone number, date of birth, email address, age, gender, closed circuit television surveillance recordings

Regulation of licensed agents


Identity type, name, postal and physical address, location, phone number, Name of educational institution, email address, closed circuit television surveillance recordings

Validation of request

Development partners /representatives

Name, phone number, email address, closed circuit television surveillance recordings, associated development partner

Management of relationships with development partners

Individual Internet Users

Uniform Resource Locator (URLs), name, postal and physical address, location, phone number, email address, age, gender, date of birth, academic information for job applications

Tax administration

Other individuals e.g., consultants, vendors, bidders etc.

Identity type, name, postal and physical address, location, phone number, date of birth, email address, age, gender, academic details, profession, closed circuit television surveillance recordings

Administration of procurement functions and contracts


3.3 Access to your Personal Data

Access to your personal data is restricted based on need to know and least privilege principle. We take steps to ensure that your personal data is not altered by unauthorized entities or persons. All authorized persons accessing your personal data are bound by a duty confidentiality.


3.4 Transfer of Personal Data

KRA shall transfer personal data with your consent and in a manner that is compatible with the purpose for which it was collected.

We may transfer or disclose the personal data we collect to third parties who provide support to KRA in providing its services. We shall also disclose or process your personal data to a third party when required by law and the request has been authorized by the designated Data Protection Officer.

It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us.

Where necessary KRA may transfer personal data to other countries, stakeholders, partners or entities outside Kenya so long as those countries, stakeholders, partners or entities have equivalent data protection laws.

In the event that KRA undergoes a business transformation, your personal data may be among the assets to be transferred to new platforms or entities and the acquirer of data assets may continue to process the personal data.


3.5 Protection of Personal Data

The Authority ensures that access to electronic and physical repositories containing your personal data is controlled based on reasonable and appropriate administrative, physical, and organizational safeguards.

We implement security measures designed to protect your information from unauthorized access.

Your account is protected by your account password and KRA urges you to take steps to keep your personal information safe by not disclosing your password and by logging out of your account after each use.

By using the Authority’s systems, sites and access services, you acknowledge that you understand and agree to assume these risks. You also accept responsibility not to disclose your PIN and tax information to suspicious individuals or for nonofficial reasons.


3.6 Retention of Personal Data

We will only retain your personal data to fulfil the purposes for which we collect your data and to satisfy any legal requirements to which we are subject.  To determine the appropriate retention period, we consider the size, nature and sensitivity of the personal data, the purposes for which we process the data, the need to comply with internal policies and the applicable legal requirements.

Due to the nature of our mandate, we may retain your personal data indefinitely in administration of a tax law or in compliance with any other legal obligation.

You may however request destruction of your personal data before expiry of the retention period as provided in law. Such requests shall be processed in accordance with the Data Protection Act, 2019 and the KRA data protection and Privacy Policy. 



The Kenya Revenue Authority website use “cookies” to give you more personal, convenient website visits. This enables us to recognise you during subsequent visits. A cookie is a text file that is placed on your hard disk by a Web page server. Data stored in a cookie is created by the server upon your connection. This data is labelled with an ID unique to you and your computer and can only be read by a web server in the domain that issued the cookie to you.

You can accept or decline cookies. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Kenya Revenue Authority services or web sites you visit.

Within the Kenya Revenue Authority’s Corporate Website, there are embedded applications, plug-ins, widgets or links to non-Kenya Revenue Authority Websites (collectively “sites”). These sites operate independently of the Kenya Revenue Authority and have their own privacy policies. When you visit these sites, you leave our website and no longer will be subject to our privacy and security policies. The Kenya Revenue Authority is not responsible for the privacy or security practices or the content of other sites, and as such does give an endorsement of those sites or their content.



We reserve the right to amend this privacy statement at any time. All amendments to this privacy statement will be posted on KRA’s website. Unless otherwise stated, the current version shall supersede and replace all previous versions of the privacy statements.


6.             CONTACT

KRA welcomes your questions or concerns about how it processes your personal data or if you want to exercise any of your rights in relation to your personal data, on 0709 013211 or by writing to us on email: .

Data Privacy Statement