November 17, 2022


The passing of Kenya’s Data Protection Act (No. 24 of 2019) (hereinafter “the Act”) on 25th November, 2019 breathed life into the pre-existing right to privacy guaranteed under Article 31 of the Constitution, 2010 by providing for the regulation of the processing of personal data.

In the employment sphere, the Act and its subsidiary regulations set out the requirements to be met by an employer as a data controller and the employer’s data processors when dealing with prospective employees, current employees, and also former employees.

Recruitment by employers must be conducted against the backdrop of the principles of data protection set out in the Act, which comprise:

  1. Respect for privacy

The employer must be careful not to intrude unnecessarily into the applicant’s private affairs.

  2. Transparency, lawfulness and fairness

To ensure that an applicant’s data is processed in this manner, an employer should have a privacy notice that explains to the applicant how and why their data is being collected, and in what way it will be used. In this way, applicants are notified of the collection and processing of their data and retain the right to determine how their data is handled.

  3. Purpose Limitation

An employer may only collect data for the explicit, specified and legitimate purpose of recruitment. The data collected cannot be further processed in a manner incompatible with recruitment.

  4. Data Minimisation

Data collected from applicants should be adequate, relevant, and limited to only what is necessary for recruitment.

  5. Family Affairs

An employer must have a valid reason for requiring information relating to family or private affairs from an applicant.

  6. Accuracy

The employer must ensure that the data collected from applicants is accurate. One way to do so is to give applicants the ability to correct any inaccurate information in the application portal. Any inaccurate personal data should be erased or rectified without delay.

  7. Storage Limitation

Personal data relating to applicants should only be retained for the period that it is necessary for recruitment. The information should only be retained for a reasonable period.

  8. Transfer Limitation

Personal data of an applicant should not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the applicant (in the event of transfer of sensitive personal data).

  9. Confidentiality, availability and integrity

An applicant’s right to privacy is underpinned by the employer’s duty to ensure that their personal data is kept confidential. This is attained by implementing and managing policies and procedures for information security. Confidentiality is further enhanced by restricting access to the personal data to authorised persons only.

The employer bears the fundamental duty of adequately informing the applicant regarding the collection and processing of their personal data.

During the recruitment process, personal data is processed in several ways, with each instance requiring the employer to adhere to the data protection principles above.

  1. Candidate Sourcing

An employer typically handles a host of personal data belonging to job applicants when sourcing and identifying prospective employees, including identity documents, contact details, academic records and work history, among others.

The cardinal rule to be followed when collecting personal data is to ensure that the data is collected directly from the job applicant.

An applicant’s data may be collected indirectly (for example, from companies that carry out background checks, or online) in very limited instances, namely where:

  1. the data is contained in a public record;
  2. the applicant has deliberately made the data public (for example in a social media profile that is accessible to the public);
  3. the applicant has consented to collection from another source;
  4. collection from another source would not prejudice the interests of the applicant;
  5. collection of the data from another source is necessary for other reasons permitted under the Act.

Direct collection of an applicant’s personal data is done through their job applications.

To avoid privacy breaches, it is prudent to have one channel for receiving applications, such as a dedicated email address.

An employer may also opt to recruit through an HR recruitment agency. Such agencies are bound by the same safeguards for applicants’ personal data as employers are. The employer’s agreement with the agency should cater for data protection matters.

  2. Job Application Forms

Many employers require job applicants to complete a standard job application form. The employer’s privacy policy should be incorporated into the form to ensure that the applicant is aware of their data protection rights and that they agree to their data being processed for recruitment. The policy should set out how the data collected shall be utilised.

For many employers, job applications are normally made through a recruitment portal or website. Reading and understanding the privacy policy should be the first step before an applicant makes their application.

  3. Automated decision-making

Once applications are made, an employer may opt to use an electronic system to select suitable candidates for shortlisting without human intervention. This is commonly known as an Applicant Tracking System. Such a system may conduct an automated scoring process for all the job applications.

In this case, the employer is required to inform the applicant of the decision-making process and to have mechanisms for reconsideration of a decision made. A manual process should also be available upon request by an applicant, especially when a decision is being reconsidered.

  4. Pre-employment checks

A critical stage of recruitment involves conducting background checks on the applicants to verify data relating to them and to evaluate whether they meet the job requirements. This may involve looking into the applicant’s references, previous employment, verifying academic information, medical checks, and social media checks, among others.

Background checks should be done with the applicant’s knowledge and consent, and conducted in a lawful manner. The applicant should be informed by the employer early on in the recruitment process that the checks will be done. The applicant has a right to object to the checks, at which point the employer must assess the reasons and respond appropriately.


It is imperative that employers take the following steps to ensure they comply with data protection rules and principles during recruitment:

  1. Conduct a data inventory to determine all types of personal data the employer collects;
  2. Use the inventory to develop a privacy notice for job applicants and ensure that it is available to them prior to collection of their personal data;
  3. Outline the types of personal data they require for recruitment;
  4. Outline the security measures they have in place for recruitment records;
  5. Include a background checks policy elaborating when and how background checks are conducted, and what information is needed from the applicant to conduct the checks.


Researched & written by Isabel Gakuo

Edited by Anne Babu