The Guidelines introduce a duty for a public or private entity to assess and map out the risks associated with bribery and corruption within the entity and to develop a plan to mitigate these risks. This plan should be included in the Procedures. Additionally, the Guidelines require each entity to develop its Procedures in writing, in one of Kenya’s official languages, i.e. English or Kiswahili. However, where an entity operates internally in a language other than English or Kiswahili, for instance a foreign organisation that frequently communicates in its national language, then the Guidelines permit translation of the Procedures into the appropriate language, after they are first articulated in English or Kiswahili.
Furthermore, the Procedures must include an implementation structure that takes into account the entity’s size, scale and nature of operation, alongside the identified risks and methods of mitigation. In particular, the implementation structure must include a commitment from the entity’s leadership, it must involve all employees, and it must allocate and provide for the resources required for implementation, to name a few. Moreover, the Procedures must designate a person or people in authority to set up an enforcement structure that will provide for appropriate action for violations of the law, regulations, or the Procedures.
Notably, the Guidelines provide that the Procedures should create a reporting mechanism, both within the entity and outside the entity, to the EACC, should an instance of bribery or corruption occur. However, the Guidelines do not provide practical direction on how an entity can formulate these mechanisms and how this would vary based on the size of the entity, its organogram, and nature of work. This therefore leaves room for interpretation and implementation as an entity develops its Procedures, given that the practical aspects appear to be at the entity’s discretion. Nonetheless, what is clear is that the reporting mechanisms must provide for the receiving, recording, processing and dissemination of reports for feedback and appropriate action. It is key to note, that these reporting mechanisms are exempt from the provisions of the Data Protection Act 2019 (DPA), as section 51 of the DPA excludes the processing of personal data that is required to be disclosed under any written law from the scope of the DPA.
In addition to the above, the Guidelines state that an entity’s Procedure should include:
- effective measures for the protection of whistle-blowers, informants and witnesses;
- effective communication, training, awareness-creation and dissemination to internal and external stakeholders; and
- appropriate measures for monitoring, evaluating, and reviewing of the Procedures, emerging risks, and improvements.
Notably, public and private entities are entitled to seek the EACC’s advice and may collaborate with other agencies within their sector or industry as they develop their Procedures.
We are happy to assist with advising and formulating Procedures in view of these recent Guidelines. Please get in touch with the authors if you so require.