Kenya Personal Data Protection Concerns Around COVID-19 Measures

Kenya’s confirmed COVID-19 cases reached 700 people at the start of the second week of May 2020, well within the numbers the region is reporting, though far from the tens of thousands reported across Europe and the United States. Nevertheless, Kenyan health authorities have consistently maintained the need to keep patients’ personally identifiable data confidential, citing both doctor-patient confidentiality and confidentiality on account of personal data and privacy laws.

Below, we address some key personal data protection concerns and considerations that businesses ought to have when implementing the most widespread ‘health check’ on people (visitors, employees, etc.), that is, the thermo-scanner and similar checks.

Processing of health data

The World Health Organisation lists fever among COVID-19’s most common symptoms, which has led to prevalent use of thermo-scanners (temperature guns) prior to entry into many of Kenya’s malls, stores, commercial premises, and even parks and forests, all of which have generally remained open as Kenya did not enforce a full ‘lock-down’. Many workplaces are taking and checking employees’ body temperature at least once a day, with the general assumption being that body temperature above normal is indicative of illness, and in these times, may indicate COVID-19 infection.

Whilst not immediately apparent to many businesses in Kenya, temperature and any other body measurements are a type of ‘health data’, defined in the Data Protection Act as data related to the state of physical or mental health of the data subject, which includes records regarding the past, present or future state of health, data collected in the course of registration for, or provision of, health services, or data which associates the data subject with the provision of specific health services. As such, coronavirus symptom checks like temperature measurements ought to be regarded and treated as incidents of processing of personal data, and accordingly should be conducted in keeping with data protection rights and principles. These include the following:

Privacy: Most workplaces and commercial premises are leaving temperature-checking to security personnel and guards at building/office entrances, a process that almost always lacks any privacy whatsoever, with companies’ Human Resources personnel practically completely removed from the process. We recommend reconsidering this and, for example in offices, involving only HR personnel in such exercises and observing employee privacy when taking the measurements.

Accuracy: Many of the thermo-scanners in use are simple handheld devices. It is important that employers and business owners ensure that the devices are in reasonably good working order and are used correctly, in order to take accurate measurements. Whilst inaccurate temperature measurements may not normally have serious consequences (particularly because thermo-scanners are usually used in health facilities where several diagnostic tests are likely to be conducted upon a finding of fever), in the wake of COVID-19, a higher than normal temperature measurement may result not only in an incorrect assumption of having the virus but also in an employee or visitor being quarantined, with resultant economic and psychological consequences.

Notification: Most business premises are not providing sufficient information regarding temperature checking, such as whether it is a prerequisite to entry, the result of a particular finding (will fever result in quarantine or other further testing?), whether the subject may be on anti-fever medication that may reduce the efficacy of the result, and whether the measurements taken or recorded are stored and, if so, for what purpose and duration. Security personnel and guards taking measurements are likely ill-equipped to answer these questions, and this by no means exempts the business/employer, the data controller in this case, from the notification obligations in the Data Protection Act.