Staff Privacy Statement
UNIVERSITY OF NAIROBI
Staff Privacy Statement
The University of Nairobi is aware of its obligations under the Kenya Data Protection Act (2019) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with the Data Protection Act 2019, the types of data that we hold on you as an employee of the University. It also sets out how the University will use that information, how long the information will be kept and other relevant information about your data.
This notice applies to current and former employees, workers and contractors.
Data controller details
The University is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows: [University of Nairobi, P.O. Box 30197, GPO, Nairobi, Kenya; Tel: (+254-20) 491 0000]
Data protection principles
In relation to your personal data, the University will:
- Process it fairly, lawfully and in a clear, transparent way
- Collect your data for the reasons the University finds proper for the course of your employment in ways that have been explained to you
- Collect your data pursuant to any law provided that prior to the collection of such data, an explanation shall be availed to you.
- Only use it in the way that the University has explicitly told you about
- Ensure it is correct and up to date
- Keep your data for only as long as it shall be needed
- Process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), except what is covered by the Act as exemptions.
Types of data the University will process
The University shall hold the following data about you;
- Your personal details including your name, address, date of birth, email address, phone numbers
- Gender
- Marital status
- Signatures
- Biological identifiers
- Personal data images
- Dependants, next of kin and their contact numbers
- Medical or health information including whether or not you have a disability
- Information used for equal opportunities monitoring about your religion or beliefs and ethnic origin
- Information included on your CV including references, education history and employment history
- Documentation relating to your right to work in Kenya
- Bank details
- KRA Tax Pin
- National Hospital Insurance Fund Number
- Current and previous job titles, job descriptions, pay grades, pension entitlement, hours of work and other terms and conditions relating to your employment with us
- Formal warnings and other documentation with regard to any disciplinary proceedings
- Internal performance information including measurements against targets, formal warnings and related documentation with regard to appraisal forms
- Leave records including annual leave, compassionate leave, sickness, leave of absence etc.
- Training details
How data will be collected
The University shall collect data about you in a variety of ways. The initial collection of your personal data will be during a recruitment exercise where you directly provide the data. This includes the information you would normally include in a CV or a recruitment cover letter, or notes made by our recruiting officers during a recruitment interview. Further information will be collected directly from you again, when you complete forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your passport or other right-to-work evidence.
In some instances, the University will collect data about you from third parties, such as former employers when gathering references or credit reference bureaus.
Personal data shall be stored manually in physical personnel files or electronically within the University’s human resource information systems.
Using cookies
Cookies are pieces of information stored directly on the computer that you are using. Cookies allow the collection of information such as browser type, time spent on the Services, pages visited, language preferences, and other traffic data. The University may use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize your experience.
Why process your data?
The Data Protection Act, 2019 allows the processing of your data for the following reasons only:
- In order to perform the employment contract that we are party to
- In order to carry out legally required duties
- In order to carry out legitimate interests
- To protect your interests and
- Where the processing is in public interest.
All of the personal data processing carried will fall under any one of the permitted reasons. For example, the University shall need to process your personal data in order to:
- Carry out the employment contract that entered into with you and
- Ensure you are paid.
Your data shall also be processed in order to ensure compliance with legal requirements such as:
- Ensuring your statutory obligations are paid out, for example tax and National Hospital Insurance are paid
- Carrying out checks in relation to your right to work in Kenya and
- Making reasonable adjustments for disabled employees.
Other legitimate reasons for the University to process your data are:
- Making decisions about who to offer initial employment to, and subsequent internal appointments, promotions etc.
- Making decisions about salary and other benefits
- Providing contractual benefits to you
- Maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained
- Effectively monitoring both your conduct and your performance and to undertake procedures with regard to both of these if the need arises
- Offering a method of recourse for you against decisions made about you via a grievance procedure
- Assessing training needs
- Implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments
- Gaining expert medical opinion when making decisions about your fitness for work
- Managing statutory leave and pay systems such as maternity leave and pay etc.
- Dealing with legal claims
- Preventing fraud
- Ensuring our administrative and ICT systems are secure and robust against unauthorized access
Special categories of data
Special categories of data are data relating to your:
- Health
- Race
- Ethnic origin
- Biometric data
- Religion
- Conscience
- Belief
- Genetic data
- Property details
- Marital status
- Family details including names of your children, parents, spouse or spouses
- Sex or your sexual orientation
The University shall process special categories of data in accordance with more stringent guidelines. These special categories of data shall be processed when the following applies:
- You have given explicit consent to the processing
- Processing the data in order to carry out our legal obligations
- Process data for reasons of substantial public interest
- You have already made the data public.
The University shall also process your special category data:
- For the purposes of equal opportunities monitoring
- In sickness absence management procedures
- To determine reasonable adjustments
Although consent may not be needed in order to process the special categories of personal data in order to carry out legal obligations or exercise specific rights under employment law, consent will be sought when the University is called upon to process particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld.
Consent, once given, can be withdrawn at any time with no consequences.
If you do not provide your data to us
Should you not provide us with the personal data that is needed for the University to carry out its legal obligation expected under your contract of employment, the University will subsequently be unable to perform the said duties for example. ensuring you are paid correctly. The University may also be prevented from confirming, or continuing with, your employment in relation to the legal obligations if you do not provide this information e.g. confirming your right to work in Kenya or, where appropriate, confirming your legal status for carrying out your work via a criminal records check.
Sharing your data
Your data will be shared with colleagues within the University where it is necessary for them to undertake their duties. This includes, for example, your immediate supervisor for their management of you, the personnel department for maintaining personnel records and the finance department for administering payment under your contract of employment.
The University will share your data with third parties in order to meet regulatory obligations such as statutory remittances to KRA, obligations to Disclose, Deduct and Discharge payments to HELB or for other reasons to comply with a legal obligation upon us.
The University does not share your data with bodies outside Kenya.
Protecting your data
The University fully protects your data against accidental loss or disclosure, destruction and abuse by implementing both organizational and technical security measures.
Data shared with third parties is in line with requirements in the Data Protection Act, 2019 and the third parties must also implement appropriate technical and organizational measures to ensure the security of your data.
How long the University keeps your data
Your personal data will be retained only for as long as may be reasonably necessary to satisfy the purpose for which it is processed and following the data retention guidelines in the University’s Records Management Policy.
Automated decision making
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Your rights in relation to your data
The Data Protection Act, 2019 has prescribed the following rights to you as the data owner:
- The right to be informed. This means that the University must tell you how your data is used and this is the purpose of this privacy notice
- The right to access. You have the right to access your data. Access to records and information shall be provided within the existing University regulatory framework
- The right for any inaccuracies to be corrected. If any data held about you is incomplete or inaccurate, you are able to have it corrected
- The right to have information deleted. If you would like to stop processing your data, you have the right to ask for deletion from our systems where you believe there is no reason for the University to continue processing it
- The right to restrict the processing of the data. For example, if you believe the your data is incorrect, the University will stop processing the data (whilst still holding it) until the data has been corrected
- The right to portability. You may transfer the data about you for your own purposes
- The right to object to the inclusion of any information. You have the right to object to the way your data is used where the University may be using it for its legitimate interests
Where you have provided consent to the use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that the University will stop processing the data that you had previously consent to use. There will be no consequences for withdrawing your consent.
If you wish to exercise any of the rights explained above, please contact the VC’s office.
Making a complaint
The supervisory authority in Kenya for data protection matters is the Data Commissioner (DC). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the Data Commissioner’s office.
Last Updated on January 18, 2024