30 Jan

Why Data Privacy Matters  

Since the enactment of the Data Protection Act, 2019 (the Act), Kenya has taken a firm stance on the collection, use, storage, sharing, and general handling of personal data. Employee data, including CVs, identification details, biometrics, payroll information, and disciplinary records, is some of the most critical personal data an organization holds. Therefore, the principles, rights, and obligations outlined in the Act affect day-to-day HR processes. 

With the Office of the Data Protection Commissioner (ODPC) now actively enforcing the law, data privacy has moved from policy formation and compliance concerns to real accountability involving practical remedies, including monetary compensation. This has shifted control over personal data back to individuals while placing clear responsibilities on organizations. 

 

What It Means for Employers

For employers, taking control of data means moving from informal handling to deliberate, lawful, and accountable practices. Employers are required to treat employee data as a matter of rights, responsibility, and accountability. 

The data protection principles, including lawfulness, transparency, fairness, and accountability, must guide how organizations collect, use, and safeguard personal data. In the practical sense, this involves: 

  • Registering as Data Controllers or Processors with the ODPC;
  • Collecting employee data lawfully, transparently, and for a specific purpose;
  • Understanding the lawful bases of processing employee data, including:
      1. Consent;
      2. Contract obligations, such as fulfilling employment contracts;
      3. Legal obligation, such as when undertaking tax and statutory remittances;
      4. Legitimate interests, such as when conducting disciplinary investigations;
      5. Public interest, such as in cases of criminal activity; and
      6. Vital interests, such as in medical emergencies.
  • Putting in place appropriate security safeguards;
  • Training employees on proper handling of personal data and mitigating organizational risks;
  • Developing clear privacy notices and internal data protection policies;
  • Responding promptly to employee data requests and complaints.

When these measures are embedded into operations, employee data is protected, and employers build trust, confidence, and compliance. 

 

What It Means for Employees 

For employees, these legal safeguards mean that they can take an active role in protecting their personal data by:  

  • Understanding their rights – Employees are entitled, among other things, to know how their personal data is used and what data their employer holds, to object to unlawful or excessive data processing, and to request that inaccurate data be corrected or deleted.
  • Enforcing their rights – If the organization infringes on these rights, employees are at liberty to lodge complaints with the ODPC. These rights apply throughout the entire employment lifecycle, from recruitment and onboarding, through employment, and even after exit. Personal data must be safeguarded before the employment relationship is formalized and after it ends.

Your personal data is protected by law. 

 

The Bottom Line 

Ultimately, data privacy is about who controls personal data, how it is used, and who is accountable. With the proactive approach taken by the ODPC, it is clear that data protection obligations are being taken seriously, which means compliance must become a top priority in business operations. 

 

Contact Person & Contributor: Isabel Gakuo

Email: igakuo@hrfleek.com  

 

For more information, please reach out to: 

HRFLEEK Services Limited 

I&M Bank House, 3rd Floor, 2nd Ngong Avenue 

Tel: 0117 646 059 

Email: info@hrfleek.com 
