Aligning Human Resource Functions with the Data Protection Requirements in Kenya

Introduction

The Human Resource (“HR”) Office has today evolved to become a critical component of an organization encompassing a variety of functions such as recruitment, training, employee satisfaction, and employment law compliance. Today human resources represent a sine- qua non condition in the production process, a factor that can directly influence the level of performance of the organization. By managing the most important asset, people, the HR department in any company is a vital part that ensures the smooth running of the business, the engagement of the workforce and the prevention of detrimental lawsuits regarding labour matters.
The emergence of new regulations in the field of personal data protection laws and regulations such as the Data Protection Act, No. 24 of 2019 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, requires organizations, through their HR departments working together with the office of the Data Protection Officer (“DPO”) created under Section 24 of the DPA, to pay more attention to the way they process the data of candidates, employees and former employees. It is undeniable that HR departments act as the custodians of significant volumes of often sensitive or confidential personal data within any organization and must therefore take center stage as this demanding law bites.
Everything starting from the resumes sent by applicants to employment contracts contain personal data. By the nature of their work, HR departments collect and process an immense amount of personal data not only from their employees, but also from job applicants and former employees. The information they possess includes sensitive data such as health information, medical records, payment details, next of keen details amongst other details.
To better help in appreciating the key data touch-points for HR departments, an appreciation of the key functions of the department is necessary. There are three key stages involved in HR functions that are critical in understanding how to best safeguard organizations from data breach claims and coming into conflict with the law. These areas include; a) Recruitment
b) Hiring and Performance of the Contract; and
c) Subsequent to the termination of Employment

A. RECRUITMENT
This stage marks the first step of data collection by an organization in the identification and sourcing of a suitably qualified individual to fill a vacancy within the organization. It traditionally begins when a manager initiates an employee requisition -a document that specifies job title, department, the date the employee is needed for work, and other details. Candidates are the data subjects because they can be identified through the personal data they give to companies when they apply for a job. The applicants’ resume may include their names, addresses, or phone numbers.
The question that naturally arises is, which are the mandatory elements of a resume or what personal data one must provide when applying for a job. Generally, the main elements in a resume remain the same: personal information (name, address, and contact information), employment history, and education.
It is critical for organizations to minimize the amount of data collected starting at this stage. The data minimization principle applies to limit organizations in the collection of personal information only to what is relevant for the purpose for which the data is being collected. A starting point for organizations at the recruitment stage is the adoption of standardized application forms as opposed to usual norm of calling for application resumes. This will help organizations avoid receiving unnecessary information from candidates.
However, the adoption of standardized forms is one that requires a meticulous balance with organizations needing to determine what category of information is absolutely necessary, what information will be treated as potentially discriminatory and thus lead to more exposure. Are such details as gender, race, age, convictions, national origin, citizenship, disabilities, religion, colour and marital status necessary in a standardized application form?
It cannot be denied that during the recruitment stage, an organization will process various types of personal data, such as: identification details (all those details included in an identity card), contact details (home address, email, phone number), data on physical characteristics such as gender, age and sometimes image in form of a photograph, educational background, professional experience etc. This processing is purely legal and falls within the categorization  of lawful processing of personal data under Section 30 of the Data Protection Act.
An employer’s obligation to protect personal data is not waived for reasons of having outsourced the recruitment function. The employer must ensure that there are adequacy decisions that guarantee an adequate level of protection of personal data. There is a general restriction on the transfer of data, particularly outside Kenya, unless there is cogent proof of data protection safeguards or consent from the data subjects.

B. EMPLOYMENT CONTRACT AND PERFORMANCE
The onboarding process and the management of the performance of the Contract of Employment naturally requires the continued generation and processing of a series of data including; unique identifiers such as the National Identification Card, work card/staff card, banking details, amount of salary, position and job, leave days, health data -mostly comprising of information obtained on compulsory medical checks as well as that resulting from sick leave, photographic image, biodata information, trade union membership, Kenya Revenue Authority details such as the PIN number, as well as religious beliefs. Such processing is allowable under section 30 of the Act, being one that is necessary for the performance of a contract to which the data subject is a party-the payment of salaries, for compliance of statutory obligations-taxes, duties and National Hospital Insurance Fund (NHIF), related to preventive medicine or occupation medicine amongst other allowable purposes under the Act. The processing of this data must be done in strict compliance with the attendant obligations of the data controller under the Data Protection Act as well as the Data Protection (General) Regulations, 2021.

C. TERMINATION OF THE EMPLOYMENT CONTRACT
The processing of personal data at this stage is essentially reduced to the question of storage of existing personal data in the personnel file. An organization, on its account or upon the request of the former employee, may delete personal data from the personnel file, except data where there is a legal obligation to keep such as tax related data which survives a cycle of 5 years.
 Specific Interventions to Ensure Compliance and Minimize Organizational Exposure
i. Employee Privacy Notice
Employees have a right to know what data the employer is processing, why they are processing it, with whom they share and how long they need it for. An Employee Privacy Notice is the best way to give this information. In preparing this Notice, we begin by mapping the personal data that an organization processes, who the data is likely to be shared with and why, and the period for the same. Having mapped out, we shall then prepare a draft Employee privacy Notices helping to provide the necessary information in a clear and concise manner.
It is important that the Employee Privacy Notice clearly states a special category of sensitive personal data indicating conditions under which such data will be processed.
ii. Collecting and Retaining Employee Personal Data
The collection and processing of employee personal data is an inevitable action in the employment relationship. The challenge becomes on how long the same data should be retained after the departure of an employee. The answer in this regard is not as obvious as it may appear. For various reasons, it will not be recommendable for employee data to be destroyed immediately upon the termination of the employment relationship. Balancing the right to be forgotten with other statutory obligations and requirements means that the decision on retention shall remain to be a black spot for organizations.
First, as a guiding starting point, Section 90 of the Employment Act, 2007 requires disputes arising out of an employment relationship to be lodged within 3 years. It therefore follows, that as a matter of course, employee records and information must survive this period in anticipation of any disputes arising therefrom.
Secondly, under the Income Tax Act (Cap 479), the Kenya Revenue Authority is allowed to go back 5 years when conducting a tax audit. Depending on the nature of personal information held and subject to taxation requirements such as PAYE, some of the details are required to be kept for this period.
iii. Formulation of Data Retention Schedules and Destruction Plans
An evaluation of how personal information is stored and kept is critical to ensuring that the organization is shield from any data breach claims. Most importantly, depending on the organizational policy on the retention period, it will help in evaluating and determining which information/details are due for destruction. It is critical that organizations formulate a proper retention schedule with a destruction procedure. We are conversant with the preparation of drafting retention schedule and assist in providing advice on what information is needed in compliance with the laws as well as the organization’s strategy and appetite.
iv. Mapping Data Movement
In the ordinary course of business, companies work together to achieve their set objectives. The process of working together is enabled by their respective employees and the attendant consequence is that data is continuously moving from company to company, and country to country. As controllers of personal data, organizations need to be aware of what is being transferred or processed, to where and why. A data mapping exercise if therefore critical.
v. Training Line Managers
Training of HR managers on how data is handled, with whom it is shared and where it is kept are all important areas that HR professionals need to be equipped on. An annual training calendar will be critical to ensuring that HR professionals are constantly up to date with advancements in data protection and apply the same to their functions.
Conclusion
It is essential for HR departments to find workable solutions that will help improve organizational preparedness, reduce risk from exposure and constantly stay ahead of the pack in compliant with the Data Protection requirements.
By:
Zakayo Alakonya- Managing Partner

zack@alakonyalaw.co.ke

4th July 2023