THE IMPACT OF COVID 19 ON KENYA’S DATA PROTECTION ACT 2015


On 13th March 2020, the Government of Kenya received confirmation of the first case of COVID-19. The Government has been working to monitor the spread of the virus by putting in place measures and protocols across the country aimed at combating the virus and possibly mitigating the devastating effects of the illness.

1. As an Employer, how do I safeguard the health status of an Employee amid COVID 19?

The President of Kenya signed into law The Kenya Data Protection Act, 2019 on 8th of November 2019. The Data Protection Act is an answer due to the increased call for protection of both personal and private information, which may be readily and easily accessible in this digital era.

The Act regulates how data and information may be accessed, processed, stored, transmitted and used within legal parameters in Kenya.

2. In what circumstance can an Employer process the health status of an Employee?

An Employer may process an Employee’s data, despite their objection, if they prove there exists a compelling legitimate interest that overrides the subject’s interest or the processing of personal data is in the exercise of or defence of a legal claim. It can also be processed if it is necessary for public interest. In the event that this is done, an Employer should ensure that it is only processed by or under the responsibility of a health care provider or by a person subject to the obligation of professional secrecy under any law.

Section 37(2) provides a safety net to protect the Employee’s data from being used for commercial purposes by an Employer in a manner that exposes the Data Subject’s identity.

3. Does an Employer have a right to force an Employee to give information about their health status?

The Data Protection Act emphasizes on the importance of protection of privacy and personal data. Section 32 of the Act sets down the condition under which personal data is to be collected; an Employer bears the burden of proving that consent was obtained from the Employee before personal data is collected and processed. An Employer should only collect information of their employees if it is strictly necessary and essential to its operations and safety of the work place. Where Employers collect the health information of their employees, they should ensure that they have in place appropriate data security measures such as encryption to protect the data collected.

Where Employers wish to transfer the health data of their employees outside the country, they should ensure that they have appropriate data security measures for the transfer and that the recipient of the data has appropriate safeguards and commits to the security of the data. Employers should also check their privacy notices and employment contracts to ensure that the proposed collection and processing activities align with their contractual documentation. In the absence of any documents, Employers should put privacy notices in place to address the proposed revealing of information.

Article by Rodgers Muyodi.

Rodgers is an Advocate at MMAN Advocates.





1st Floor, Wing B, Capitol Hill Square, Off Chyulu Road, Upper Hill, Nairobi, Kenya.
P.O. Box 8418 Nairobi 00200 / T: +254-20-2737572/5/8 +254-20-2596994 / M: +254 718 268 683

Dropping Zone: No 62, Revlon Plaza

mman@mman.co.ke