What is sensitive personal data?

According to Kenyan’s Data Protection Act,2019, “sensitive personal data” has been defined as data revealing a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.

In most organizations, HR processes most of these sensitive personal data belonging to staff before employment (during recruitment), in the course of employment, and even during separation from an organization The word “processing” has also been used to mean any operations or sets of operations performed on personal data or on sets of personal data whether by automated means or not, such as:

    • Collection, recording, organization, structuring
    • Storage, adaptation, or alteration
    • Retrieval, consultation, or use
    • Disclosure by transmission, dissemination otherwise making available; or
    • Alignment or combination, restriction, erasure, or destruction.

A Data controller is defined as a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data, while a Data processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

In human resource management, HR practitioners play the role of both data collectors and data processors. For example, if Company X is doing recruitment, they have an obligation to protect the data they are collecting. The first stage in any recruitment exercise is usually the submission of applications by job applicants in response to vacancy advertisements.



At this stage, Company X must state the purpose for which they are collecting the data. If it is for the purposes of hiring, then that purpose must be clearly stated. Let us look at a case of an individual (who we shall name Jane) submitting her application to Sentinel Africa for the role of say, a Project Manager. At this stage, any information that Jane submitted shall be used solely for hiring purposes and not to be used for registration into an internal Sacco for instance. Jane retains rights over her data throughout the entire process. If Jane is successful through the interviews up to the offer stage and the company would like to undertake a background check on her as per the requirements of any ISO 27001 certified organization, then prior authorization must be sought from Jane before embarking on the exercise.

Once the decision to onboard her has been reached, all Jane’s data must be kept safely out of reach of any unauthorized access. Jane reserves the right to access her data anytime, she reserves the right to the processing of her data either wholly or part of it, or to correct or update her information during the course of her employment with Sentinel Africa. If Sentinel Africa was to perform any other activity with Jane’s data is separate from the activity that her initial data was collected, then HR has an obligation to request for authority to use the already collected data or collect new data from Jane altogether.

In the above case, Jane is a data subject who is disclosing personally identifiable information during her job application, Sentinel Africa represented by Human Resource Management is the data controller and processor. Data Protection requires that both the Data Processor and the Data Controller comply with the requirements of the Act.

Why Data Privacy?

Human resource professionals are involved in the data processing. They come into contact with employees’ data which is usually personal and confidential. The Data Protection Act provides regulations for processing personal data, the rights that data subjects have over their own data, and the obligations of data controllers and processors. Data Privacy ensures that data is processed in a manner that protects the privacy of the data subjects. Initially, the data subjects have not had any control or rights over their own data including the sensitive data. The Act has so far given data subjects rights and remedies for protecting personal data from any processing that may not be in line with the requirements of the Act. Data privacy subject provides that personal data should be:

▪ Processed in accordance with the right to privacy of the data subject;
▪ Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
▪ Adequate, relevant, limited to what is necessary for relation to the purposes for which it is processed;
▪ Collected only where a valid explanation is provided whenever information relating to family or private affairs are required;
▪ Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
▪ Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
▪ Not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject

Every data subject has the right under the Data Protection Act to the following:
▪ Informed of the purpose for which their data is to be put.
▪ Access their personal data
▪ To object to the processing of all or part of their data
▪ To the correction of false or misleading data and to deletion of false or misleading data about them.

In this era of information technology, HR professionals have been exposed more to information management systems that have increased their access to personal data as well as the frequency of processing such data. An example being the use of HRMIS to process payroll, recruitment, leave, biometric data, training for staff, performance appraisals, background checks, medical insurance among other systems that are used to process employee data. Information technology has increased the exposure of information systems to cyber threats, for instance, the automation of HR processes has exposed personally identifiable information that is entered into the information systems to cyber-attacks.

Research in information security has shown that people are the weakest link in the information security control landscape in organizations. Awareness is therefore key to curb cybersecurity flaws and should target HR professionals especially.

Failure to comply with the Data Protection Act has consequences to the organization, staff, and to the data subject.

To the Organization

▪ The organization may face heavy penalties and fines of up to 2% of the previous year turnover.
▪ It may cause a huge reputation risk to the organization.

To the Staff

▪ It may lead to disciplinary measures which may cost them their job as well as their reputation.

To the Data Subject

▪ To a data subject, his or her reputation may be affected depending on the data that has been exposed.

Way Forward

By Lilian Ambani, Senior Human Resource Officer