
Aligning Human Resource Functions with the Data Protection Requirements in Kenya
The Human Resource (“HR”) Office has today evolved to become a critical component of an organization, encompassing a variety of functions such as recruitment, training, employee satisfaction, and employment law compliance. Today human resources represent a sine qua non condition in the production process, a factor that can directly influence the level of performance of the organization. By managing the most important asset, people, the HR department in any company is a vital part that ensures the smooth running of the business, the engagement of the workforce and the prevention of detrimental lawsuits regarding labour matters.
The emergence of new regulations in the field of personal data protection laws and regulations such as the Data Protection Act, No. 24 of 2019 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, requires organizations, through their HR departments working together with the office of the Data Protection Officer (“DPO”) created under Section 24 of the DPA, to pay more attention to the way they process the data of candidates, employees and former employees. It is undeniable that HR departments act as the custodians of significant volumes of often sensitive or confidential personal data within any organization and must therefore take center stage as this demanding law bites.
Everything from the resumes sent by applicants to employment contracts contains personal data. By the nature of their work, HR departments collect and process an immense amount of personal data not only from their employees, but also from job applicants and former employees. The information they possess includes sensitive data such as health information, medical records, payment details and next of kin details, amongst others.
To better appreciate the key data touch-points for HR departments, an appreciation of the key functions of the department is necessary. There are three key stages in HR functions that are critical in understanding how best to safeguard organizations from data breach claims and from coming into conflict with the law. These areas include:
a) Recruitment;
b) Hiring and Performance of the Contract; and
c) Subsequent to the termination of Employment.
A. RECRUITMENT
This stage marks the first step of data collection by an organization in the identification and sourcing of a suitably qualified individual to fill a vacancy within the organization. It traditionally begins when a manager initiates an employee requisition, a document that specifies the job title, department, the date the employee is needed for work, and other details. Candidates are the data subjects because they can be identified through the personal data they give to companies when they apply for a job. The applicants’ resumes may include their names, addresses, or phone numbers.
The question that naturally arises is: what are the mandatory elements of a resume, or what personal data must one provide when applying for a job? Generally, the main elements in a resume remain the same: personal information (name, address, and contact information), employment history, and education.
It is critical for organizations to minimize the amount of data collected, starting at this stage. The data minimization principle limits organizations to collecting only the personal information that is relevant for the purpose for which the data is being collected. A starting point for organizations at the recruitment stage is the adoption of standardized application forms, as opposed to the usual norm of calling for application resumes. This will help organizations avoid receiving unnecessary information from candidates.
However, the adoption of standardized forms requires a meticulous balance: organizations need to determine what category of information is absolutely necessary and what information will be treated as potentially discriminatory and thus lead to more exposure. Are such details as gender, race, age, convictions, national origin, citizenship, disabilities, religion, colour and marital status necessary in a standardized application form?
An employer’s obligation to protect personal data is not waived by reason of having outsourced the recruitment function. The employer must ensure that there are adequacy decisions that guarantee an adequate level of protection of personal data. There is a general restriction on the transfer of data, particularly outside Kenya, unless there is cogent proof of data protection safeguards or consent from the data subjects.
B. EMPLOYMENT CONTRACT AND PERFORMANCE
Processing of employee personal data at this stage is allowable under section 30 of the Act, being processing that is necessary for the performance of a contract to which the data subject is a party (the payment of salaries), for compliance with statutory obligations (taxes, duties and National Hospital Insurance Fund (NHIF) contributions), or for purposes related to preventive or occupational medicine, amongst other purposes allowed under the Act. The processing of this data must be done in strict compliance with the attendant obligations of the data controller under the Data Protection Act as well as the Data Protection (General) Regulations, 2021.
C. TERMINATION OF THE EMPLOYMENT CONTRACT
The processing of personal data at this stage is essentially reduced to the question of storage of existing personal data in the personnel file. An organization, on its own account or upon the request of the former employee, may delete personal data from the personnel file, except data that there is a legal obligation to keep, such as tax-related data, which must be retained for a cycle of 5 years.
Specific Interventions to Ensure Compliance and Minimize Organizational Exposure
i. Employee Privacy Notice
Employees have a right to know what data the employer is processing, why it is being processed, with whom it is shared and for how long it is needed. An Employee Privacy Notice is the best way to give this information. In preparing this Notice, we begin by mapping the personal data that an organization processes, who the data is likely to be shared with and why, and the period for which it is retained. Having mapped this out, we then prepare a draft Employee Privacy Notice that provides the necessary information in a clear and concise manner.
It is important that the Employee Privacy Notice clearly identifies any special category of sensitive personal data and states the conditions under which such data will be processed.
ii. Collecting and Retaining Employee Personal Data
The collection and processing of employee personal data is an inevitable part of the employment relationship. The challenge is how long the same data should be retained after the departure of an employee. The answer in this regard is not as obvious as it may appear. For various reasons, it will not be
First, as a guiding starting point, Section 90 of the Employment Act, 2007 requires disputes arising out of an employment relationship to be lodged within 3 years. It therefore follows that, as a matter of course, employee records and information must survive this period in anticipation of any disputes arising therefrom.
Secondly, under the Income Tax Act (Cap 479), the Kenya Revenue Authority is allowed to go back 5 years when conducting a tax audit. Depending on the nature of personal information held, and subject to taxation requirements such as PAYE, some of the details are required to be kept for this period.
iii. Formulation of Data Retention Schedules and Destruction Plans
iv. Mapping Data Movement
In the ordinary course of business, companies work together to achieve their set objectives. The process of working together is enabled by their respective employees, and the attendant consequence is that data is continuously moving from company to company, and country to country. As controllers of personal data, organizations need to be aware of what is being transferred or processed, to where and why. A data mapping exercise is therefore critical.
Conclusion
It is essential for HR departments to find workable solutions that will help improve organizational preparedness, reduce risk from exposure and constantly stay ahead of the pack in compliance with the Data Protection requirements.
By: Zakayo Alakonya, Managing Partner
4th July 2023
This Article is provided free of charge for information purposes only; it does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set out in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact us at info@alakonyalaw.co.ke