It has been five years since Kenya introduced its first data protection law, a critical step towards promoting privacy and protecting personal information. The Data Protection Act sets out clear obligations for organisations that collect and process personal data. Over the past two years, the Office of the Data Protection Commissioner has taken several enforcement actions against violators of the Act, including imposing fines and awarding compensation to affected data subjects.
Here are five key emerging data protection considerations for HR professionals:
1. Deleting Data Doesn’t Mean It’s Gone
When HR teams delete CVs, contracts, or other employee records, it is often assumed that the data is gone for good from the organisation's systems. In practice, copies of this information frequently linger in backups, shared folders, and archived databases, and a record that has been "deleted" from the HR system of record may still exist in several of these places. These remnants are both a compliance risk, because the data is held beyond its lawful purpose, and a target for cybercriminals, who do not care whether a copy was officially deleted.
Compliance Tips
- Establish robust data retention and deletion policies that align with legal and organisational requirements.
- Use secure deletion tools on live systems and cloud storage, and recognise that backups usually cannot be selectively purged: set backup retention periods so that deleted data ages out on a known schedule, and document that backup copies are restored only for disaster recovery, never reused for day-to-day processing.
- Conduct regular audits to identify and eliminate residual or unnecessary data that may no longer serve a lawful purpose.
2. Employee Monitoring Must Balance Privacy and Compliance
Employee monitoring tools are increasingly being used to track productivity and enforce workplace policies, especially in remote and hybrid work environments. While these tools can offer valuable insights, they also introduce privacy concerns that HR professionals must carefully address. Excessive monitoring, or monitoring that employees have not been told about, can lead to legal liability and erode trust within the organisation.
HR professionals must strike a balance between monitoring for legitimate business purposes and respecting employees' privacy rights. The Kenya Data Protection Act emphasises proportionality and transparency: organisations must inform employees about monitoring practices and must have a lawful basis for the processing. Where consent is relied on, it must be freely given, which is difficult to establish in an employment relationship, so a documented legitimate-interest or legal-obligation basis is usually sounder.
Compliance Tips
- Define clear policies outlining the scope and purpose of employee monitoring, ensuring these align with data protection laws.
- Communicate monitoring policies transparently to employees, fostering a culture of openness and trust.
- Regularly review monitoring practices to ensure they remain necessary, proportionate, and compliant with evolving legal standards.
3. Background Checks Must Comply with Privacy Requirements
HR professionals must ensure that background checks are conducted in a lawful, ethical manner, tailored to the specific requirements of each role. They should collect only the information the role genuinely requires, avoiding unnecessary intrusion into candidates' privacy. In addition, the HR department must have clear processes in place to respond effectively when candidates ask to see, correct, or challenge the information gathered about them.
Compliance Tips
- Tailor background checks to the role's requirements, ensuring compliance with all applicable data protection laws, including those of any country the data is sent to or obtained from.
- Obtain clear and informed consent from candidates before initiating any checks, and tell them which sources will be consulted.
- Establish robust policies for securely handling, storing, and disposing of information obtained during the screening process.
4. Cybersecurity Risks Can Affect HR Data Too!
HR departments are prime targets for cybercriminals because of the large amounts of sensitive personal data they manage. Threats such as phishing and impersonation attempts aimed at redirecting salary payments or harvesting payroll data, and ransomware aimed at employee records, are on the rise and present significant risks. Cybersecurity should be as much a priority for HR as it is for the IT department.
Compliance Tips
- Train HR staff to recognise phishing attempts and to verify any request to change an employee's bank details or personal data through a separate channel, such as a call to a number already on file, before acting on it.
- Apply baseline security controls to HR systems: encryption of data at rest and in transit, multi-factor authentication, and role-based access so that a compromised account exposes as little data as possible.
- Work closely with IT teams to regularly test and update security controls, ensuring they can withstand emerging threats.
5. Data Deletion Requests Must Be Balanced Against Retention Obligations
Under the Data Protection Act, individuals, including former employees, have the right to request the deletion of their personal data. However, HR professionals must balance this right against legal requirements to retain certain records, such as those required by tax and employment law. Mishandling these requests, whether by deleting records that must be kept or by refusing requests that should be honoured, can lead to non-compliance or operational risk.
HR departments need clear procedures for managing data deletion requests while ensuring that statutory obligations are met. Transparency and thorough documentation are key to navigating this complex requirement effectively.
Compliance Tips
- Establish a formal process for handling data deletion requests, including clear timelines and escalation procedures.
- Identify and segregate records that must be retained for legal or regulatory purposes from data that can be securely deleted, recording the legal basis and retention period for each category so that the decision can be justified if challenged.
- Maintain an audit trail of deletion requests, what was deleted, what was retained and why, and when retained records will in turn be deleted, to demonstrate compliance with legal requirements.