It has been five years since Kenya introduced its first data protection law, a critical step towards promoting privacy and protecting personal information. The Data Protection Act sets out clear obligations for organisations that collect and process personal data. Over the past two years, the Office of the Data Protection Commissioner has taken several enforcement actions against violators of the Act, including imposing fines and awarding compensation to affected data subjects. One of the key departments responsible for ensuring compliance is HR, which plays a pivotal role in managing employee data. HR professionals must ensure data privacy compliance at every stage of the employee lifecycle. Beyond compliance, they must also address the growing threat of cyberattacks targeting sensitive employee information, all while fostering a culture of privacy and trust within their organisations.

While many HR professionals are familiar with the basics of data protection, emerging challenges and nuanced obligations under the law require a deeper understanding. Here are five key emerging data protection considerations for HR professionals:

1. Deleting Data Doesn’t Mean It’s Gone

When HR teams delete resumes, contracts, or other employee records, it is often assumed that the data is gone for good from the IT systems. However, in many cases, fragments of this information can linger in backup systems, shared folders, or archived databases. These remnants, if not properly managed, could become a compliance risk or a target for cybercriminals.

Compliance Tips
Establish robust data retention and deletion policies that align with legal and organisational requirements.
Use secure deletion tools designed to permanently erase data from all systems, including backups and cloud storage.
Conduct regular audits to identify and eliminate residual or unnecessary data that may no longer serve a lawful purpose.

2. Employee Monitoring Must Balance Privacy and Compliance

Employee monitoring tools are increasingly being used to track productivity and ensure compliance with workplace policies, especially in remote and hybrid work environments. While these tools can offer valuable insights, they also introduce privacy concerns that HR professionals must carefully address. Excessive monitoring or a lack of transparency can lead to legal liabilities and erode trust within the organisation. HR professionals must strike a balance between monitoring for legitimate business purposes and respecting employees’ privacy rights. The Kenya Data Protection Act emphasises the importance of proportionality and transparency by requiring organisations to inform employees about monitoring practices and obtain consent where necessary.

Compliance Tips
Define clear policies outlining the scope and purpose of employee monitoring, ensuring these align with data protection laws.
Communicate monitoring policies transparently to employees, fostering a culture of openness and trust.
Regularly review monitoring practices to ensure they remain necessary, proportionate, and compliant with evolving legal standards.

3. Background Checks Must Comply with Privacy Requirements

HR professionals must ensure that background checks are conducted in a lawful, ethical manner, tailored to the specific requirements of each role. They should also be careful to collect only the necessary information, avoiding any intrusion into employees’ privacy. In addition, the HR department must have clear processes in place to manage and respond to requests for background check information effectively.

Compliance Tips
Tailor background checks to the role’s requirements, ensuring compliance with both local and international data protection laws.
Obtain clear and informed consent from candidates before initiating any checks.
Establish robust policies for securely handling, storing, and disposing of information obtained during the screening process.

4. Cybersecurity Risks Can Affect HR Data Too!

HR departments are prime targets for cybercriminals due to the large amounts of sensitive personal data they manage. Threats like phishing attacks targeting payroll information and ransomware aimed at employee records are on the rise, presenting significant risks. Cybersecurity should be as much a priority for HR as it is for the IT department.

Compliance Tips
Train HR staff to recognise phishing attempts and adopt cybersecurity best practices.
Implement advanced security measures, such as encryption, multi-factor authentication, and role-based access controls for HR systems.
Work closely with IT teams to regularly test and update security protocols, ensuring they can withstand emerging threats.

5. The Right to be Forgotten: Managing Ex-Employee Data Requests

Under the Data Protection Act, individuals, including former employees, have the right to request the deletion of their personal data. However, HR professionals must balance this right with legal requirements to retain certain records for compliance purposes, such as tax and employment law regulations. Mishandling these requests can lead to non-compliance or operational risks. HR departments need clear procedures for managing data deletion requests while ensuring that statutory obligations are met. Transparency and thorough documentation are key to navigating this complex requirement effectively.

Compliance Tips
Establish a formal process for handling data deletion requests, including clear timelines and escalation procedures.
Identify and segregate records that must be retained for legal or regulatory purposes from data that can be securely deleted.
Maintain an audit trail of deletion requests and actions taken to demonstrate compliance with legal requirements.
In conclusion, HR professionals are key to ensuring data protection compliance and safeguarding employee information. By staying informed, implementing clear policies, and taking proactive steps, HR can manage data privacy effectively while building trust within the organisation. Contact us today to learn how we can support your HR team in managing data privacy risks and ensuring compliance with the latest regulations.
Year: 2024
Recent ODPC Decisions on the use of Personal Photos & Videos in Kenya
In recent years, Kenya has witnessed significant developments in data protection. One key development has been the commitment to safeguarding personal and sensitive information, which is underscored by the enforcement actions taken by the Office of the Data Protection Commissioner (ODPC). Specifically, the ODPC has established mechanisms for receiving and determining complaints related to data protection. We have been tracking decisions taken by the ODPC with the aim of understanding the impact of the decisions on our clients’ operations. Below is a highlight of the key decisions:

In the case of Liburuwen Lesanguru Kweri v Beehive Media Limited [ODPC Complaint No. 0740 of 2023], Beehive Media Limited (“Beehive”) was contracted by Capwell Industries Limited to provide advertising services for their maize flour products (“Soko” and “Amaize”). In executing its mandate, Beehive obtained an image from a public and royalty-free image repository known as Shutterstock for use in a Father’s Day campaign. It was not in dispute that the image was obtained from Shutterstock and that there was no express consent from the data subject for use of the image. In its defence, Beehive stated that: –

The ODPC determined that Beehive’s action of using an individual’s stock image for advertisements without their express consent violated their rights. However, the ODPC dismissed the complaint on the basis that Beehive had taken immediate steps to resolve the matter, including pulling down the advertisements in dispute, terminating the contract they had with Shutterstock Inc., and reaching out to the data subject to try and settle the matter amicably.

In the case of Isaya Lemerketo v Kenya School of Law [ODPC Complaint No. 0608 of 2023], the Kenya School of Law (“School”) made flyers featuring the complainant’s image and distributed them on their social media platforms (Instagram, Facebook & Twitter) and hardcopy marketing collateral without his consent. Upon receipt of the complaint, the School withdrew the flyers within 24 hours, took down the social media posts and communicated its actions to the data subject. The ODPC determined that the School’s action of using a person’s image without their consent violated his rights over his image. However, the ODPC commended the immediate actions taken by the School to resolve the matter and marked the complaint as resolved.

In Edith Andeso v Olerai Schools Limited [ODPC Complaint No. 725 of 2023], the respondent was Olerai Schools Limited (“School”). Prior to termination of employment, the complainant was a full-time teacher at the School. After she was terminated, she raised a complaint that the School took photos of her and posted them on the School’s Facebook page without her consent. She further asserted that the photo created a perception that she was a member of the School, thereby limiting her employment options. In its defence, the School stated that: –

The ODPC determined that the complainant had knowledge of the purpose and context in which the photos were to be used and, by her clear affirmative action, she consented to the processing of her personal data by the School. Therefore, the ODPC dismissed the complaint.

In the case of Christine Wairimu Muturi v Roma School Uthiru [ODPC Complaint No. 0841 of 2023], the complainant alleged that she was a parent at Roma School, Uthiru and that the School had processed images of pupils (minors) on TikTok without the express consent of their parents or guardians. The School created a WhatsApp group through which it informed parents of its intention to publish minors’ images and videos on TikTok. This action prompted the parents to raise objections, leading to the filing of the complaint. In its response to the Data Commissioner, the School stated, without producing evidence, that: –

The Data Commissioner conducted independent investigations and determined that the respondent operates a TikTok and Facebook page on which it posted images and videos of pupils. As a result, the Data Commissioner held that the School had failed to abide by the requirements of the Data Protection Act, including the principles of data protection and protecting the rights of minors by seeking consent. The Commissioner issued an Enforcement Notice and a Penalty Notice and fined the School the sum of Kenya Shillings Four Million, Five Hundred Thousand (Kes. 4,500,000/-).

In the case of Abdinur Kassim & Luqman Hussein Kassim (Minor suing through his father and next friend) v Joyce Njoki Ngugi T/A Kora Spa [ODPC Complaint No. 0660 of 2023], the complainant alleged that the respondent processed the personal information relating to the minor for commercial purposes without the consent of the data subject and the minor’s guardian. The complainant visited the respondent’s place of business at Fedha Business Park, Embakasi with the sole purpose and intention of obtaining barber services. While receiving the services, agents of the respondent took their photographs without offering any explanation. Five days after their visit, the complainants discovered that the respondent had published the photographs on Facebook and Instagram without their consent. In response, the respondent denied the complainant’s allegations and stated that:

The ODPC determined that posting the images on the respondent’s social media pages amounted to commercial use of personal data, which required consent. The respondent failed to demonstrate that they had obtained the express consent of the complainant and his guardian. Further, the ODPC was unable to establish how long the images remained online after publication and before being pulled down. Therefore, the ODPC issued the respondent with an Enforcement Notice.

In the case of Perpetual Wanjiku v Casa Vera Lounge [ODPC Complaint No. 0607 of 2023], the respondent, a popular bar and restaurant, captured images of the data subject and featured them on their Facebook, Instagram and WhatsApp platforms without her consent. The complainant filed a complaint alleging breach of privacy. In response to the complaint, the respondent stated that: –

The ODPC conducted a site visit and ascertained that the notice was not visible to customers upon their entry to the respondent’s premises. As such, it was not considered to be sufficient notice as envisaged in the Act. Consequently, the..