Big data protection consideration as work spaces reopen

Photo Credit | ProductTank Nairobi

As the confirmed cases of COVID-19 infections in Kenya continue to rise at an alarming rate, the delicate balance between saving lives and safeguarding livelihoods has become the waking nightmare for the Government and its advisers


Therefore, any sound re-opening strategy must necessarily include data protection safeguards for any
personal information extracted from employees as well as visitors to the workplace.

While this measure is likely to be encouraged or even made
mandatory by Government, employers will have to ensure that the gadgets they use for this purpose do
not capture or store any additional data except body temperature and the readings are not used for any
other purpose.


This duty involves disclosing the identity and other relevant personal information of the infected employee
as well as the persons who may have previously interacted with the employee.

This is a delicate exercise
for employers as they will have to balance their civic duty of disclosing such information against their
obligations to the employee under the Data Protection Act.


While the law allows the disclosure of personal data where it is required in compliance with a legal
obligation, the employer must in so doing observe the relevant statutory safeguards to avoid violating the
privacy rights of the employees and their contacts.


To achieve compliance, employers will need to invest in technological measures such as
pseudonymization (to ensure that personal data can no longer be attributed to a specific individual without
additional information) and encryption (to conceal both the identity of the data subject and the information
itself).


Employers who engage third party data processors such as cloud service providers for data storage
services should consider entering into legally enforceable data processing agreements with such service
providers to safeguard the integrity of the personal information shared for storage.


Foreign entities operating in Kenya which routinely transfer details of their employees’ personal
information outside Kenya will have to review their practices to ensure that such transfer is done in strict
compliance with the legal provisions governing the transfer of sensitive personal data.

This new reality challenges employers to invest more in technologies,
systems and policies that will safeguard the integrity of personal data handled away from the normal
workplace.

Original Article by William Maema & Dennis Gathara

William Maema (wmaema@ikm.co.ke) is a Senior Partner at DLA Piper Africa, IKM Advocates. Dennis Gathara (dgathara@ikm.co.ke) is an Associate at the same firm.