Up Again Kenya: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Yes. However, the procedure must comply with the provisions of the Data Protection Act, 2019 (DPA). The DPA classifies personal data relating to a person’s health status as “sensitive personal data.”

Section 46 of the DPA provides that personal data relating to a person’s health may only be processed by or under the responsibility of a healthcare provider or a person subject to an obligation of secrecy.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Yes. However, all such data must be processed in accordance with the provisions of the DPA. Measures must be taken to ensure the security and integrity of the sensitive personal data, including but not limited to pseudonymisation and encryption.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

No. An employee cannot be compelled to provide this information. Every person has a constitutional right to privacy, including the right to not have information relating to their family or private affairs unnecessarily required or revealed.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Yes. This must, however, be done while respecting the affected employee’s right to privacy. As such, since one’s health status is classified as sensitive personal data, we would not recommend disclosing the employee’s identity or any information that can be traced back to the employee.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Yes. The Public Health (Prevention, Control and Suppression of COVID-19) Rules, 2020 make it mandatory for all employers to notify a medical officer of health, a public health officer, a medical practitioner or the nearest administrator of any employee suffering from COVID-19.

However, this must be done in a manner that safeguards the individual’s right to privacy.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Yes. However, the transfer of personal data outside Kenya is subject to the approval of the Data Protection Commissioner. One must also demonstrate that appropriate safeguards are in place for the transfer, including but not limited to the existence of commensurate data protection laws in the receiving jurisdiction.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Yes. An employer has a duty to ensure the safety and wellbeing of all persons in the workplace, including observing social distancing and other measures recommended to curb the spread of COVID-19.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Yes. All personal data must be processed in accordance with the principles set out in the DPA, which require that personal data is:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subject for no longer than is necessary for the purposes for which it was collected; and
  • not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

Violation of the provisions of the DPA is an offence that can attract a penalty of KES 3 million (approx. USD 30,000), imprisonment for a term not exceeding ten years, or both a fine and imprisonment.

The Data Protection Commissioner (DPC) can also impose administrative fines for the violation of provisions of the DPA of up to KES 5 million (approx. USD 50,000) or, in the case of an undertaking, up to 1% of its annual turnover for the preceding financial year, whichever is lower.

This material was prepared by DLA Piper Africa, Kenya (IKM Advocates)