In today’s digital age, Human Resource (HR) professionals are handling more data than ever before — from recruitment and onboarding to performance tracking and employee wellness. In Kenya, the increasing digitization of HR functions brings with it a host of data privacy concerns, especially with the implementation of the Data Protection Act, 2019, and its accompanying Data Protection (General) Regulations, 2021 (collectively “DPA”).

Understanding these emerging issues is crucial for HR teams who are passionate about protecting employee data and ensuring that they stay compliant. Here’s a closer look at the top data privacy concerns Kenyan HR professionals should be paying attention to:


1. Compliance with the DPA

The DPA, enforced by the Office of the Data Protection Commissioner (ODPC), places strict responsibilities on employers who collect, store, or process employee data. HR professionals must now:

  • Obtain clear and informed consent before collecting personal data.
  • Ensure data is collected for a specific, lawful purpose.
  • Maintain data accuracy and limit retention to the necessary period.

Failure to comply can lead to significant penalties, including fines, as well as reputational damage.


2. Increased Use of Employee Monitoring Tools

With the rise of remote and hybrid work models, many Kenyan companies have turned to digital monitoring tools to track productivity and engagement. Like any other technology, these tools raise serious privacy concerns that must be adequately addressed. Important questions the HR team must ask itself include:

  • Is employee monitoring being done transparently?
  • Are employees aware of what data is being collected and how it’s used?
  • Does monitoring infringe on employee rights?

It is only by addressing such concerns that HR teams will be able to strike a balance between performance management and respecting employees’ privacy rights.


3. Handling of Sensitive Employee Information

HR departments handle highly sensitive data on a day-to-day basis — including health records, disciplinary reports, financial information, and biometric data (e.g., fingerprints for access control). Under the DPA, such sensitive personal data requires:

  • Stricter safeguards for storage and access.
  • Explicit consent for collection and processing.
  • Consideration of legitimate interest vs. legal obligation as lawful bases for processing.

Mismanagement or unauthorized access can lead to serious legal consequences. It is therefore imperative that HR teams understand how they collect, store, and process sensitive personal data to avoid legal consequences for noncompliance.


4. Data Security Risks

HR databases are a prime target for cybercriminals due to the wealth of personal data they contain. The risks are amplified if:

  • HR platforms are not properly secured.
  • Data is shared via unsecured channels.
  • Cloud-based HR systems are misconfigured.

To mitigate risk, HR teams must work closely with IT departments to ensure strong data security protocols, encryption, and employee training are in place.


5. Cross-Border Data Transfers

Many HR systems in Kenya are cloud-based and hosted abroad. The DPA requires organizations to ensure adequate protection of data when transferring it outside Kenya. HR professionals should:

  • Understand where their HR platforms store data.
  • Review contracts and Standard Contractual Clauses (SCCs) with vendors.
  • Conduct Data Protection Impact Assessments (DPIAs) if needed.

6. Use of Artificial Intelligence (AI) in Hiring and HR Analytics

As Kenyan firms begin adopting AI-powered recruitment tools and HR analytics, new ethical and legal issues arise:

  • Bias in algorithms could result in unfair hiring practices.
  • Lack of transparency in automated decision-making can undermine trust.

HR professionals must ensure AI tools comply with the principles of fairness, accountability, and transparency, as required by the DPA.


7. Employee Consent and Awareness

In employer-employee relationships, consent is often not freely given due to the power imbalance between the employer and the employee. Under the DPA, however, HR teams must:

  • Avoid relying solely on consent where another legal basis exists (e.g., contractual necessity).
  • Provide clear and accessible privacy notices.
  • Regularly educate employees on their data rights, including access, correction, and deletion.

Conclusion

Data privacy is no longer just a legal issue — it’s a core component of building trust in the workplace. For HR professionals in Kenya, this means going beyond compliance to foster a culture that values employee privacy and data protection.

By staying informed and proactive, HR leaders can help their organizations navigate the evolving data privacy landscape while ensuring ethical and lawful management of employee data.



Disclaimer!

This article provides general information for educational purposes only and should not be construed as legal advice.
