The COVID-19 pandemic has disrupted the lives and livelihoods of many individuals. Many businesses are still trying to catch up with the new normal which has greatly affected how transactions take place.

Sectors that were used to cash payments are now accepting cashless payments. This leads  to processing of more personal data than was processed pre-COVID. On personal data, businesses and other registered entities are finding themselves being forced to collect personal data to aid contact tracing in compliance with public health laws. 

Processing Sensitive Data

Many entities now require people to have their temperature checked before granting them admission to their premises. Temperature records are not considered personal data but it may be considered personal data if it is linked to a natural person. Since it is health information, such information falls under the category of ‘sensitive personal information’ according to the Data Protection Act. 

Businesses usually handle health data but mostly of their employees especially when providing private health insurance. Before COVID-19, details of an employee’s ailment would not have been an issue of interest for other employees but due to how COVID-19 spreads, businesses are finding themselves in situations where they have to be intermediaries in the fight against COVID-19. They have to inform employees who have unfortunately been in contact with an infected employee that they should self isolate, be on the lookout for COVID symptoms and where appropriate go for testing.

What the Law Says About Health Data

The handling of health data of a natural person is regulated by law. The Data Protection Act(DPA), 2019 states that the personal data relating to the health of a data subject may only be processed by or under the responsibility of a health care provider or by a person subject to the obligation of professional secrecy under any law. 

The DPA also says that this condition is met if the processing is necessary for reasons of public interest in the area of public health. This provision raises the issue of public health that the DPA addresses further through exempting from the scope of the Act processing of personal data by an individual where necessary for public interest. One may argue that this means that due to the public interest aspect of the pandemic, the provisions of the Data Protection Act are not applicable.

What Data Protection Authorities Think

The Office of the Data Protection Commissioner which was set up in November 2020 is yet to offer guidance on the matter. Its European peer, the European Data Protection Board released a Statement on the processing of personal data in the context of the COVID-19 outbreak that was adopted on the 19th of March 2020.

The Statement says that in the employment  context,  the  processing of  personal  data may  be  necessary  for  compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.

The Statement also acknowledges that the General Data Protection Regulations (GDPR) also  foresees derogations to the  prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health or where there is the need to protect the vital interests of the data subject.

On whether an employer can disclose that an employee is infected with COVID-19 to his colleagues or to externals?  The Statement says that employers should inform  staff  about  COVID-19  cases and take  protective  measures, but they should not communicate more information than necessary. In the unfortunate situations where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned  employees shall  be  informed  in  advance  and their dignity  and  integrity  shall  be protected. 

What businesses should know:

• The Kenyan Data Protection Act 2019 contains provisions on the protection of the health data that is applicable to the COVID-19 situation.
• Businesses should inform  staff  about  COVID-19  cases and take  protective  measures, but they should not communicate more information than necessary. 
• Before revealing the name of the employee(s) who contracted the virus (e.g. in a preventive context) the concerned  employees should  be  informed  in  advance and employee dignity maintained..