Kenya: Employees data and the Data Protection Act

published on 7 March 2022 | reading time approx. 2 minutes

There have been developments in governance that affect the management of data relating to employees. This implies there are structures and processes that have been designed to ensure accountability, transparency and existence of rules embedding certain principles through which information about employees should be administered.

The Data Protection Act No. 24 of 2019  and the Data Protection Regulations, 2021 (the law), comprise a key feature of these developments. This law implements Article 31 (c) and (d) of the Constitution which provides for the right to privacy and particularly  the right not to have information relating to a person’s family or private affairs unnecessarily required or revealed or the privacy of their communication infringed.
 
Information collected by Employers regarding employees in line with the provisions of the Employment Act, contains aspects of personal data and sensitive personal data within the meaning of the law hence falling within the scope of regulation. It is thus important to appreciate that whereas the Employment Act empowers an employer to obtain information from an employee for purposes of the employment contract, the law provides the salient features of a framework within which these data should be processed.
 
To that extent, employers are required to ensure that an employee’s personal data is:

• Processed in accordance with the right to privacy;
• Processed lawfully and is only collected for legitimate purposes and not used for a different purpose;
• Accurate and where necessary kept up to date with measures in place to ensure any inaccurate personal data is erased or rectified without delay;
• Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
• Kept in a form which identifies the data employee for no longer than is necessary for the purposes for which it was collected; and
• Is not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the employee.

The law further provides for  the rights that an employee may exercise in relation to the personal data collected, the duties of the employer in relation to the use of a framework that supports compliance and the action to be taken in the event of a personal data breach.
 
A personal data breach may arise due to the happening of an event that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the personal data. The law defines the categories of data that would cause real risk of harm to an employee and therefore what should be reported to the Data Commissioner in form of a Notification and the timelines within which the Notification should be made.
 

Compliance and Audit

The law establishes a corporate entity called the office of the Data Protection Commissioner (ODPC) to over­sight compliance. To implement this, the ODPC is empowered to  carry out periodical audits of the processes and systems that have been put in place to ensure compliance with the law. The ODPC may therefore carry out  a Data Protection Audit. The law has also defined categories of organisations (based on the nature of their business) that must register with the ODPC as part of compliance.
 
This therefore implies that adherence to the provisions of the law is mandatory hence integral to organisational objectives and operations.