HR Professionals Guide to Data Protection
On 25th November 2019, Kenya enacted the Data Protection Act. If you are a Human Resource practitioner, you need to familiarise yourself with the requirements of this Act because it places a high compliance burden with regard to the handling of personal data. This article looks at ways in which the Data Protection Act will affect the HR function and how HR practitioners can prepare for compliance.
The Data Protection Act (“The Act”) seeks to protect people’s personal data in several ways. First, it imposes rules relating to the collection and use of personal data. Secondly, it provides individuals with rights over their data. Third, it provides a mechanism for enforcement of the law through the establishment of the Data Commissioner’s office.
Effectively, the Data Commissioner is the Regulator and enforcement officer in relation to data protection matters. The position of Data Commissioner was advertised in March 2020. There is a general expectation that the office shall be fully operational by the first quarter of 2021. Once established, the Data Commissioner will provide guidelines for registration and licensing of data controllers and data processors.
The Act obliges persons handling personal data to report personal data breaches or losses to the Data Commissioner within 72 hours of the occurrence of the breach. Further, it gives powers to aggrieved individuals to lodge a complaint to the Data Commissioner where their data isn’t handled in accordance with the Act. The Data Commissioner has powers to investigate complaints and to impose financial penalties to a maximum of Kes 5 Million or 1% of your organisation’s gross annual turnover (whichever is lower). Apart from lodging complaints, aggreived data subjects are entitled to seek compensation. What all this means is that organisations cannot afford to take a lax approach to compliance.
Definition of Key Terms
Before we delve into the requirements of the Act, it is important to define some of the key terms used in the Act. In the outline below, I have set out some selected terms and how they may be applied in the context of HR.
- Personal Data – refers to any information that can be used to identify an individual. For example, name, national identification information, date of birth, phone number, email address, online identifiers(e.g. IP addresses, usernames, passwords; etc), banking information, photographs, videos, etc.
- Sensitive Personal Data: this includes data revealing a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s spouse, children parents, sex or sexual orientation of the data subject. This information is often provided once a person has been offered an employment contract.
- Data Subject – identified or identifiable natural person (human being) who is the subject of personal data. For example, a job applicant or an employee in a given company.
- Data Controller – an individual, public, or private organization that determines the purpose and means of processing data. For instance, an employer is a Data Controller because he collects data from prospective or current employees and determines processing modes e.g. a CV may be collected for job interviews.
- Data Processor – an individual, private or public entity that processes data on behalf of the Data Controller. For instance, a payroll company or a recruitment agency that handles information on behalf of employers.
- Processing – includes actions done on personal data such as collection, storage, transmission, retrieval, erasure, destruction, etc.
Data Protection in HR
Your organisation’s needs will determine the need for collection and use of personal data. Some organisations require personal data from their clients whilst others transact with minimal need for personal data. However, any organisation that functions through employees or consultants or contracted workers of any nature must at some point request for and use their personal data. For this reason, the HR function cannot be ignored in the protection of personal data.
As an HR practitioner, you need to have an understanding of the concepts of data protection outlined in the Act. In the following sections, I will discuss some of the key concepts underpinning the Act and how they will apply in the context of HR.
It is worthy to note that the Act requires data controllers and processors to practice data protection by design and by default. In other words, you should develop appropriate technical and organisational measures to implement data protection principles and safeguard individual rights. The regulator will not prescribe what sort of measures you should have in place – you need to apply your judgment based on your understanding of the law and your business operating model. However, data protection should take center stage in all your processing activities.
1. Data Collection Principles
If you intend to process personal data, you must adhere to the data collection principles set out in the Act. In summary, there are eight data collection principles, namely:-
a) Lawfulness, Fairness, and Transparency: employers should have a lawful basis for processing HR data. What is a lawful basis? As per the Act, it is lawful to process data if you are doing so pursuant to the following:-
- fulfillment of a contractual or legal obligation
- data subject consent
- legitimate interests
- protection of a data subject or other person’s vital interests
- performance of a task by a public authority
- performance of a task in the public interest
- for historic, statistical, journalistic, literature and art or scientific research
In the context of HR, the most commonly applied lawful basis is “fulfillment of a contract or legal obligation”. For example, you are hiring an individual in your organisation, you can request for their personal data at different stages of hiring. The CV and contacts may be required at the recruitment stage. At the appointment stage, you would need identification documents, educational certificates, banking information, etc. All these are necessary for the fulfillment of your contractual or legal obligations as the employer. Alternatively, you may assert that you have legitimate interests in processing the data. For example, you may justify keeping a record of your employees’ next of kin so as to reach out to them in the event of an emergency. It is in the legitimate interest of your company to process the information.
Consent is another basis for processing. However, if you rely on consent as a basis for processing information, you must show that the consent has been given freely and unequivocally. In other jurisdictions such as the EU, it has been argued that consent by an employee to an employer can’t be considered as “free” due to the unequal bargaining power between an employer and an employee. As such, employers hardly rely on employee consent alone as a basis for processing data. It is still early days to dive into the interpretation of the DPA but considering that Kenyan employment laws tilt heavily in favour of employees, the argument may also pass here.
In addition to lawful processing, you should process data in a fair and transparent manner. Be open to staff about the fact that you are collecting their data and provide adequate assurances on the safety of the data.
b) Purpose Limitation: You should specify the purposes of the collection or processing of personal data. For example, if you are collecting details of a data subject’s family (spouse + children) indicate why you need the information e.g. for enrollment to medical or pension scheme. If you need to use the same data for different processing purposes, you should seek the data subject’s consent. For example, if you later introduce a Group Life Cover to your company and wish to enroll your employees onto the cover, inform them, and identify a basis for processing.
c) Data Minimization: Collect only what you need for the purposes you have identified. For example, if you need personal data so as to enroll someone to your medical cover, you may need to collect their names and those of their dependants, IDs, date of birth, etc. However, you may not need their driver’s license, bank details for this activity.
d) Accuracy: Ensure that you maintain accurate and up-to-date personal data. Further, any inaccurate personal data must be rectified without delay.
e) Storage Limitation: You should have data retention limits. Ideally, personal data should not be kept in a form which identifies the data subject for longer than necessary. This means that HR databases should be reviewed regularly and data should be kept within retention limits.
f) Transfer Limitation: Unless there are adequate safeguards or the data subject consents, personal data should not be transferred outside Kenya.
2. Take Extra Care with Personal Sensitive and Health Data
You must have a lawful basis for processing personal sensitive data. In addition to the lawful basis we have identified above, there are some additional basis which includes establishment or defence of a legal claim, protecting vital interests of the data subject or carrying out your obligations as a data processor or controller. Therefore, it is permissible to process biometric information or information relating to an employee’s family as long as you can demonstrate a lawful basis. However, personal data relating to children cannot be processed without express consent from the child’s parent or guardian. Therefore HR processes need to take this into account.
With regard to health data, processing may only occur under the authority of a health care provider, if it is in public interest or if it is carried out by a person who is obliged to observe confidentiality.
3. Your Employees Have Rights to their Personal Data
As data subjects, employees enjoy several rights such as the right to information. Whenever you collect information from them you should be transparent about the fact that you are collecting data on them. Apart from this, you should inform them of any intended consequences stemming from failure to provide the requested information.
Employees also have the right to access any of their personal data that may be in your custody and to object to the processing of any or all of their personal data. Further, they have the right to demand correction or erasure of their personal data. Quite apart from that, they have data portability rights. That is, the right to receive their personal data in a structured, commonly used, and machine-readable format e.g. through email or on a portable storage device.
Additionally, data subjects should not be subjected to decisions solely based on automated processing and profiling. Both these activities relate to decisions made by automated means or through computer systems/programs. For example, you may configure your HR system to disqualify candidates whose resumes do not meet set criteria for a role. You can only carry out such types of decisions if they are necessary for the entry into or performance of a contract, or if the data subject has provided consent.
Sometimes you may need to use employee photographs, videos, or images in the promotion of your organisation’s products or services. You should not do this without the data subject’s express consent. If you must use the personal data it should be anonymized such that the data subject is no longer identifiable.
4. Data Impact Assessments
Where data processing may result in high risks to the rights and freedoms of a data subject, by virtue of its scope and purpose, you must carry out a data protection impact assessment. The aim of this exercise is to aid in identifying and minimising the possible risks to your employees/data subjects. For example, if you intend to migrate from a manual HR system to an automated one, you may need to carry out an impact assessment. Alternatively, if you wish to embark on the installation of biometric systems you may need to conduct an impact assessment.
5. Data Protection Officers
Public and private institutions should designate a Data Protection Officer (“DPO”) if their core processing activities involve regular and systematic monitoring of data subjects or processing of sensitive personal data. Since most HR departments handle sensitive personal data, the requirement for DPO appointments may be necessary for most data controllers or processors. DPO’s are responsible for:
- advising on data processing requirements;
- ensuring compliance with the Act;
- facilitating capacity building for all staff involved in data processing operations;
- advising on data protection impact assessments; and
- cooperation with the Data Commissioner and any other authority on matters relating to data protection.
Do you need to create a position and hire for the role of DPO? No. An existing employee may perform the functions of a DPO if they possess the relevant academic, professional, and technical skills. However, if the employee is performing dual roles, take care to ensure that the appointment doesn’t give rise to a conflict of interest.
You need to publish your DPO’s contact details on your organization’s website. You should also inform the Data Commissioner of the appointment and the contact details which shall also be published on DC’s website.
Steps to Compliance
So where should you start your compliance journey? My thoughts on some of the practical steps you can take towards compliance are as follows:-
a) Start with a Data Map
A data map is basically an evaluation of all the personal data that is held within HR. It gives you an opportunity to understand the kind of data that you hold as well as the possible gaps that exist in your current management of personal data. You can use any tool for creating a data map but I find that MS Excel is also an effective tool. Some sample questions you can ask yourself when defining your map:-
- At each stage of the HR lifecycle, what types of data do we collect?
- Do we notify our data subjects during collection? Do we seek consent?
- What purposes does the data serve?
- Where do we store the data?
- Who has access to the data?
- Do we share data shared with third parties?
- Do we transfer data outside Kenya? Are there adequate safeguards?
b) Develop Key Documents
Further, if you contract data processors such as payroll processors or recruitment agencies you may need to amend your engagement contracts to stipulate data protection obligations.
c) Train Employees on Data Protection
It’s still early days for Data Protection in Kenya. However, once the Data Commissioner’s office is set up the pace of enforcement is expected to pick up rapidly. Don’t get caught out. Work on strengthening compliance before you get bogged down with too many demands.
Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.