The passing of Kenya’s Data Protection Act (No. 24 of 2019) (hereinafter “the Act”) on 25th November 2019 breathed life into the pre-existing right to privacy guaranteed under Article 31 of the Constitution, 2010, by providing for the regulation of the processing of personal data.
In the employment sphere, the Act and its subsidiary regulations set out the requirements to be met by an employer as a data controller and the employer’s data processors when dealing with prospective employees, current employees, and former employees.
Recruitment by employers must be conducted against the backdrop of the principles of data protection set out in the Act, comprising:
i. Respect for privacy
The employer must be careful not to unnecessarily intrude in the applicant’s private affairs.
ii. Transparency, lawfulness and fairness
To ensure that an applicant’s data is processed in this manner, an employer should have a privacy notice explaining to the applicant how and why their data is being collected and how it will be used. In this way, applicants are notified of the collection and processing of their data and retain the right to determine how their data is handled.
iii. Purpose Limitation
This requires that an employer may only collect data for the explicit, specified and legitimate purpose of recruitment. The data collected cannot be further processed in a manner incompatible with the recruitment in question.
iv. Data Minimisation
Data collected from applicants should be adequate, relevant, and limited to what is necessary for recruitment.
v. Family Affairs
An employer must provide a valid explanation to require information relating to family or private affairs from an applicant.
vi. Accuracy
The employer must ensure that the data collected from applicants is accurate – it can do so by giving applicants the right to correct any inaccurate information in the application portal. Any inaccurate personal data should be erased or rectified without delay.
vii. Storage Limitation
Personal data relating to applicants should only be retained for a reasonable period.
viii. Transfer Limitation
Personal data of an applicant should not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the applicant (in the event of a transfer of sensitive personal data).
ix. Confidentiality, availability and integrity
An applicant’s right to privacy is underpinned by the employer’s duty to ensure that their personal data is kept confidential. This is attained by implementing and managing policies and procedures for information security.
Confidentiality is further enhanced by restricting personal data access to only authorized persons.
The employer bears the fundamental duty of adequately informing the applicant regarding the collection and processing of their personal data.
During the recruitment process, personal data is processed in several ways, with each instance requiring the employer to adhere to the data protection principles set out above.
1. Candidate Sourcing
An employer typically handles a host of personal data belonging to job applicants when sourcing and identifying prospective employees, including identity documents, contact details, academic records and work history, among others.
The cardinal rule to be followed when collecting personal data is to ensure that the data is collected directly from the job applicant.
An applicant’s data may be collected indirectly (for example, from companies that carry out background checks or online) in very limited instances, including:
a. the data is contained in a public record;
b. the applicant has deliberately made the data public (for example, in a social media profile that is accessible to the public);
c. the applicant has consented to collection from another source;
d. collection from another source would not prejudice the interests of the applicant;
e. collection of the data from another source is necessary for other reasons permitted under the Act.
Direct collection of an applicant’s personal data is done through their job applications.
To avoid privacy breaches, it is prudent to have one channel for receiving applications, such as a dedicated email address.
An employer may also opt to recruit through an HR recruitment agency. Such agencies are bound by the same safeguards relating to the personal data of applicants that employers must follow. The employer’s agreement with the agency should cater for data protection matters.
2. Job Application Forms
3. Automated decision-making
Once applications are made, an employer may opt to apply an electronic system to select the suitable candidates for shortlisting without human intervention. This is commonly known as an Applicant Tracking System. Such a system may conduct an automated scoring process for all job applications.
In this case, the employer must inform the applicant of the decision-making process and have mechanisms in place for reconsidering a decision. A manual system should also be available upon request by an applicant, especially for reconsidering a decision.
4. Pre-employment checks
A critical stage of recruitment involves conducting background checks on the applicants to verify data relating to them and to evaluate whether they meet the job requirements. This may involve looking into the applicant’s references, previous employment, verifying academic information, medical checks, and social media checks.
Background checks should be done with the applicant’s knowledge and consent and conducted in a lawful manner. The employer should inform the applicant early in the recruitment process that the checks will be done. The applicant has a right to object to the checks, at which point the employer must assess the reasons and respond appropriately.
Employers must make the following considerations to ensure they comply with data protection rules and principles during recruitment:
a. Conduct a data inventory to determine all types of personal data the employer collects;
b. Use the inventory to develop a privacy notice for job applicants and ensure that it is available to them prior to collection of their personal data;
c. Outline the types of personal data they require for recruitment;
d. Outline security measures they have in place for recruitment records;
e. Include a background checks policy elaborating when and how background checks are conducted and what information is needed from the applicant to conduct the checks.
Researched & written by Isabel Gakuo
Edited by Anne Babu