Protecting data privacy amid battle on pandemic

As the confirmed cases of Covid-19 infections in Kenya continue to rise at a rate that can only be described as alarming, the delicate balance between saving lives and safeguarding livelihoods has become the waking nightmare for the government and its advisers.

Despite the grim statistics that CS Mutahi Kagwe and his team religiously dole out to Kenyans every afternoon, the imminent re-opening of East Africa’s largest economy appears to be inevitable. With this unyielding prospect, the workplace is poised to become the spot where the rubber meets the road.

The government will undoubtedly issue specific guidelines to employers following the recommendations of the World Health Organisation (WHO), but it is unlikely that data protection considerations will feature in such guidelines.

Proactive employers are already busy working on comprehensive “return to work’ guidelines as they eagerly await marching orders from the government.

The right of privacy is enshrined in the Constitution and reinforced by the Data Protection Act, 2019. Therefore, any sound re-opening strategy must necessarily include data protection safeguards for any personal information extracted from employees as well as visitors to the workplace.

To minimise the risk of employees contracting the coronavirus from fellow employees or clients, employers will be expected to implement extraordinary practical measures over and above those prescribed under the Occupational Safety and Health Act (OSHA). Concomitantly, they will have to protect their clients and visitors to the workplace against the risk of infection.

Most business premises are already conducting temperature checks on all employees and visitors before allowing them entry into the workplace. While this measure is likely to be encouraged or even made mandatory by Government, employers will have to ensure that the gadgets they use for this purpose do not capture or store any additional data except body temperature and the readings are not used for any other purpose.

Employers and commercial property owners must, therefore, ensure that the devices used by their security personnel at the entrance are incapable of capturing or storing a person’s health information. Such information is classified as sensitive personal data and can only be processed under the responsibility of a healthcare provider or a person who is subject to professional secrecy.

Since there are not enough health professionals to go around, the devices should not have the capability of identifying the person on whom the test was done.

New technologies are being developed across the world for conducting tests, ensuring social distancing and contact tracing. Some of these include facial recognition combined with thermometers and social distancing monitors.

While such technologies are welcome and it is only a matter of time before they are deployed in Kenya, employers should ensure that such use does not expose them to landmines in the data protection field.

Contact tracing which involves identifying, assessing, and managing people who have been exposed to the coronavirus might prove to be the riskiest endeavour for employers. Where an employee or visitor to the workplace is found to have contracted the disease, the employer is required to relay such information to the relevant government authorities to facilitate contact tracing.

This duty involves disclosing the identity and other relevant personal information of the infected employee as well as the persons who may have previously interacted with the employee. This is a delicate exercise for employers as they will have to balance their civic duty of disclosing such information against their obligations to the employee under the Data Protection Act. It might also undermine the relationship with employees.

While the law allows the disclosure of personal data where it is required in compliance with a legal obligation, the employer must in so doing observe the relevant statutory safeguards to avoid violating the privacy rights of the employees and their contacts.

Once the employer has captured the employee’s Covid-19 status, the next obligation is to ensure that the information is stored in a manner that is compliant with the applicable statutory requirements.

To achieve compliance, employers will need to invest in technological measures such as pseudonymisation (to ensure that personal data can no longer be attributed to a specific individual without additional information) and encryption (to conceal both the identity of the data subject and the information itself).

Employers who engage third party data processors such as cloud service providers for data storage services should consider entering into legally enforceable data processing agreements with such service providers to safeguard the integrity of the personal information shared for storage. This is critical because, ultimately, the employer is responsible for any breach of the statutory obligations relating to such information.

Foreign entities operating in Kenya which routinely transfer details of their employees’ personal information outside Kenya will have to review their practices to ensure that such transfer is done in strict compliance with the legal provisions governing the transfer of sensitive personal data.

Maema is a Senior Partner at DLA Piper Africa, IKM Advocates. Gathara is an Associate at the same firm.