The Complete Guide to Document Lifecycle in Kenya
From creation through approval, active use, archival, and disposition — a Kenya-specific walkthrough of how to manage documents through their entire lifecycle.
The Complete Guide to Document Lifecycle in Kenya
This guide walks through the full lifecycle of an enterprise document in a Kenyan organisation — from creation to permanent disposition. It is opinionated, practical, and built on the regulatory realities of the DPA, the Public Archives Act, the Tax Procedures Act, and sector-specific regimes.
The five phases
Every document moves through five phases, in order:
- Creation — drafted, uploaded, or captured
- Active use — being read, edited, approved, referenced
- Maintenance — kept available but rarely changing
- Archival — preserved but rarely accessed
- Disposition — disposed of (deleted) or transferred to permanent archive
Bad document management blurs these phases. Good document management makes them explicit, time-bounded, and auditable.
Phase 1 — Creation
A document is created either internally (drafted) or externally (received). In Papyrus terms:
- Internal: someone uploads via web/mobile/desktop agent, or generates from a template
- External: a supplier emails an invoice, a customer signs a contract, a regulator issues a notice
In both cases, the document needs to be classified, owned, and located immediately. Default to:
- Classification: AI suggests, human confirms within 24 hours
- Owner: the uploader's user record, unless overridden
- Location: the appropriate folder (auto-resolved by classification)
- Permissions: inherited from the folder
If your folder structure forces users to think hard about where to file, they'll stop filing. Inherit permissions and tags from the upload context (the watching folder, the email source, the originating workflow).
The document is read, edited, commented on, approved, signed, shared. This is the noisy phase — most of the audit log entries for any document are generated here.
Active use is also where compliance posture is tested. Three principles:
- Every action is logged: views (for sensitive docs), edits, downloads, shares, approvals
- Every share is bounded: time-limited, password-protected if external, watermarked if Restricted
- Every approval has rationale: rejection requires a comment; approvals are encouraged to
Phase 3 — Maintenance
Active use eventually quiets down. The document is still referenced (during audits, customer queries, periodic reviews) but is not actively changing.
In Papyrus, the document stays in its working folder but typically transitions through lifecycle states:
Draft→Active→UnderReview→Approved→Archived
The transition from Approved to Archived typically happens 90-365 days after the last active edit, depending on document type.
Phase 4 — Archival
Documents in archival are preserved for compliance reasons but no longer actively accessed. Different retention regimes apply by document type:
| Document Type | Minimum Retention (Kenya) |
|---|---|
| Tax records (KRA) | 5 years |
| Employee records | 7 years post-termination |
| Contracts | 6 years post-expiry |
| Procurement records | 6 years |
| Board minutes | Permanent |
| Customer correspondence | 3 years |
| Audit working papers | 7 years |
| Patient records | 25 years (KMPDC) |
Set these as Retention Policies in Papyrus. They run automatically.
Phase 5 — Disposition
When retention expires, disposition options are:
- Delete: Permanent removal (subject to litigation hold check)
- Archive externally: Export to long-term cold storage outside Papyrus
- Transfer: Move to a permanent archive (e.g., the Public Archives for government records)
Disposition is a workflow, not an automatic action. The Records Officer reviews the disposition queue weekly. Documents under litigation hold are flagged and skipped.
The audit-defensible documentation
Auditors test lifecycle controls by asking: “Show me the lifecycle of this document”. A Papyrus tenant answers in one screen:
- When created (and how, and by whom)
- Every action since (audit log)
- Current state and assigned retention policy
- Disposition date and method (if applicable)
- Linked litigation holds (if any)
This is what “compliance-first” looks like in practice. Not a binder of policies. A system that enforces them.