GTB SCANLAB NAKURU LIMITED
DATA PROTECTION POLICY
GTB Scanlab Nakuru ltd is registered both as a data processor and data controller by the Office of the Data Protection Commissioner (ODPC). The CERTIFICATE is valid for 2 years from registration date (30th October 2023).
Our Registration number is 556-0731-645E
Definition
Data protection or data security is a set of strategies and processes that are used to secure the privacy, availability, and integrity of data in an organization that either processes or controls data.
Purpose
GTB ScanLab Nakuru Ltd borrows from the different sections of Kenya’s laws that pertain to data protection. This is because we obtain, use, store and otherwise process personal data relating to our clients, partners, stakeholders such as potential and current employees, former staff, current and former, contractors, website users and contacts, collectively referred to in this policy as data subjects.
This policy therefore seeks to ensure that we:
- Clarify our expectations to data processors and controllers within the organization on how personal data for employees and clients will be handled.
- Seek compliance with the existing data protection laws.
- Inform all our stakeholders and especially our employees on their obligations to data security.
- Uphold integrity and reputation by ensuring that personal data is processed in accordance with data subject’s rights.
- Safeguard data through all possible means and protect ScanLab from risks of personal data breaches and other breaches of data protection law.
Guiding Principles
Data protection is implemented under the guidelines of:
- Lawfulness,
- Fairness, and transparency;
- Purpose limitation;
- Data minimization;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality; and
- Accountability
Definition of Key Terms
Consent: |
Agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them. |
Data Controller: |
The person or organization that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the DPC. GTB ScanLab is the Data Controller and Data Processor of all personal data relating to employees, clients, and other stakeholders. |
Data processing: |
Any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. |
Data Protection Officer: |
The person appointed as such under the DP provisions and in accordance with its requirements. A DPO is responsible for advising the organization (including its employees) on their obligations under various data protection laws, for monitoring compliance with data protection law, as well as with ScanLab’s polices, and providing advice. |
Data Subject: |
A living, identified or identifiable individual about whom we hold personal data.
|
Personal Data: |
Any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers possess or can reasonably access. Personal data includes sensitive personal data and pseudonymized personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behavior. |
Natural individual: |
A person who has rights and obligations that should be respected |
Personal Data Breach |
Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission. |
Profiling: |
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling is an example of automated processing. |
Scope
This policy applies to all sensitive personal data we process for our clients, employees, contractors, suppliers, shareholders, and other stakeholders. It also applies to the data that is in the files in the different offices, on our desktops, servers, websites, email domains, and other social sites that we participate in.
This policy shall be read by the employees, shared with our clients, and other stakeholders who will then be expected to comply with the provisions of it. A failure to comply with this policy for the employee may result in disciplinary action.
All the heads of departments are responsible for ensuring that all staff within their area of responsibility complies with the policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
The Managing Director is responsible for overseeing this policy.
GTB ScanLab Administrator is the Data Protection Officer (DPO) and can be reached at dpo@scanlabkenya.com
Implementation and Operation
At Scanlab Center and as directed by the Act, we directly or indirectly collect information pertaining to natural persons through their own consent or that of their guardians. The purpose of our collection of such data is to ensure we give them the services they require and that we comply with the regulations set by law in case of employees.
However, the rights that govern a data subject include:
- Right to be informed of the use of the data acquired
- Right to access collected data
- Right to object to the processing of all of their personal data
- Right to ask for correction of false or misleading data
- Right have deleted false or misleading data about them require that you frequently update personal data you
On our side as data processors and controllers we will strive to:
- At the point of giving services, inform the data subject why we are collecting and processing their data.
- Request the data subjects to consent willingly to the acquiring of their information.
- Provide a platform which will allow data subjects to access their personal data in our possession at all times, upon request.
- Respond to data subject’s wish to stop processing their personal data, correct incorrect or false personal data in regards to the data subject or delete any false, misleading or incorrect information about the data subject, upon their request.
- Set measures in place to establish the age of a data subject so as to safeguard the rights of any minor that may be accompanied by a guardian.
- Ensure that there is a human component in the processing of any data.
- If we have to share any information outside the country, we will ensure that we get proof of security of the data being shared
Means of Data collection
- Request forms from your clinicians.
- Personally, from you through questions and answers.
- Feedback forms that you fill.
- From phone calls you make to the organization.
- From interaction with our websites.
- Employment agencies you/ we have used.
- Documentation you submit for a job application or possible recruitment.
- During the on-boarding by submitting documents/ information required by the HR department; submitting your financial information (e.g., bank name, branch & account) & statutory information (e.g., KRA PIN, NHIF, NSSF numbers) to facilitate payroll, tax, pension, medical insurance processing.
- When carrying out job-related activities throughout the period of you working for us.
- When the employee contract is severed by either party by completing documentation related to the exit process.
- Capturing your images for marketing purposes or security purposes e.g., via CCTV cameras, official photography or video recording.
- CCTV footage captured via CCTV cameras installed in some of our locations to provide a secure & safe working environment.
- Clinicians or medical establishments e.g., sick leave documentation.
- Directorate of Criminal Investigations or the police.
- By conducting background reference checks e.g., referees, previous healthcare providers, previous employees, credit reference bureaus, professional regulatory & licensing bodies, colleges etc. This may be done by the organization or by a background check provider.
- Social media platforms.
- Registrar of Companies.
- Banks
Data Collected
- Personal information such as name, title, photos, date of birth, gender, marital status, next of kin, national ID or passport, disability details, nationality, your doctor’s name, facility where you are attended, driver’s license number, name of your employer.
- Personal contact details such as telephone numbers, email addresses, postal address; emergency & next of kin contact details, details of the physical location where you come from.
- Clinical history and names of tests or procedures requested.
- Background checks e.g., previous medical interventions done, employment history verification, qualifications verification, criminal record data and checks.
- Statutory documents e.g., Insurance provider, NHIF, NSSF, and KRA PIN.
- Compensation and bank account details.
- Academic and professional qualifications, skills, experience and employment history, including start and end dates, with previous employers and with GTB Scanlab Nakuru Ltd.
- Periods of leave taken including, sick leave, annual leave, maternity leave, paternity leave and other reasons for leave.
- Details of disciplinary or grievance procedures, any warning issued and related correspondence.
- Performance evaluation – performance reviews, performance improvement plans, disciplinary records etc.
- Health data e.g. via sick leave records, safety incident records etc.
- Data collected in accident reports and risk assessments.
- Biometric information (e.g. fingerprints, sound recordings).
- IP addresses
How do we use your data?
GTB Scanlab Nakuru Ltd. collects and processes data for the following reasons:
- To conform to test requirements
- To provide quality results through the information shared
- To ensure privacy of your test results
- Ensure effective general HR and business administration.
- Maintain accurate and up-to-date employee and client records including contact details.
- Provide references on request for current or former employees and referring doctors.
- Support the achievement of business & department goals through a performance management framework e.g., key performance indicators, performance appraisals etc.
- Disciplinary and grievance records to ensure acceptable conduct within the workplace;
- Facilitate recruitment, transfers and promotion processes.
- Meet obligations under health and safety laws e.g., maintain records of safety incidents.
- Keep records as required by effective workforce management.
- Respond to and defend against legal claims.
- Maintain and promote equality in the workplace.
- To facilitate workforce management and shift planning.
- To provide security, health and safety services in emergencies (e.g., for evacuation of staff in dangerous or life-threatening situations).
- We share relevant data with our partners as follows:
- Government agencies e.g., KRA, NHIF, NSSF for statutory deductions compliance; regulatory bodies to show compliance with requirements for professional registration & licensure where applicable.
- Referring facilities receive test results to facilitate treatment planning
- Patients receive their test results to help them manage their conditions e.g., diabetes patients
- Contracted processors e.g. Enterprise resource planning (ERP) providers who provide us with the human resources information system (HRIS) that we use.
- Back ground check providers who carry out back ground checks on our behalf in the recruitment process.
- Law-enforcement agencies, courts or other public authorities in response to a demand issued with the appropriate lawful mandate and where the form and scope of the demand is compliant with the law.
- Third party security firms in order to provide security to you;
- Publicly available and/ or restricted government databases to verify your identity information in order to comply with regulatory requirements;
- Survey agencies that conduct surveys on behalf of GTB Scanlab Nakuru Ltd;
- Scanlab Center will disclose your data to third parties where this supports the administration of recruitment, your employment or where we are legally obliged to.
How do we store your data?
We securely store your data as follows i.e.
- Enterprise resource planning (ERP) platform with data security precautions that include individual user login credentials, HR module access restriction, audit trails & having a data processing agreement with the supplier/ vendor etc. Data is backed up regularly via:
- An onsite server under lock & key with restricted
- Cloud storage through a contracted service Information is backed up regularly.
- Physical data is stored in access restricted locations and
- International data transfer where applicable will done in accordance with data protection laws. We will keep your HR data for as long as required for the purposes set out above or as required by Section 10(6) of the Employment Act 2007 [Rev 2012]. Once retention times have expired, your data will be deleted, destroyed or anonymized. Section 10(6) of the Employment Act 2007 states:” The employer shall keep the written particulars prescribed in subsection (1) for a period of five years after the termination of employment”
RACI MATRIX
DIRECTOR |
MANAGERS |
DPO |
MEMBERS OF STAFF |
|
Complying to data protection registration |
R |
I |
A |
I |
Responsibility of creating and updating |
R | A | A | I |
Complying with rules pertaining to data protection execution |
R |
A |
A |
R |
Custodian of acquired data/ records in a central point |
R/A |
R/A |
R |
I |
Liaison that answers questions about compliance |
R |
A |
R |
C |
Responsible over work done that guides type of data collected and processed |
R |
A |
A |
A |
Handling data breach |
R/I/C |
R/I/C |
A |
R/I/C |
Participates in actual processing of the data and directs on how to control it |
R |
R/A |
A |
A |
Giving direction on how data is processed or controlled |
R |
R |
R |
I |
Putting in place measures of ensuring there is data safety |
R |
C |
A |
I/C |
R-Responsible (In-charge/ make decisions)
A-Accountable (Ensuring it is done/ answerable)
C-Consulted (Provide comments)
I-Informed (Those made aware of what is happening and adherence)
Marketing
We would like to send you information about products and services or special offers that we think you might like.
If you do not wish to receive such calls or messages, you can opt out by letting us know here https://scanlabkenya.com/contact-us/
Where you opt out of receiving direct marketing messages, this won’t apply to personal data provided for a service already sought.
What are your data protection rights?
We would like to make sure you are fully aware of your data protection rights. Clients are entitled to the following (legal & contractual exceptions apply):
- The right to information – You have the right to be informed about the processing of your personal data.
- The right to access – You have the right to request us for copies of your health record (paper or electronic). In some instances, we may charge you a small fee for this service.
- The right to rectification – You have the right to request us to correct any information you believe is inaccurate or incomplete.
- The right to erasure – You have the right to request us to erase your personal data, under certain conditions. For example, we may “no” where your request contradicts a legal obligation, acts against public interest in the area of public health or prohibits the establishment of a legal defense or exercise of other legal claims. In such cases, you will be informed about the reason(s) for that decision.
- The right to restrict processing – You have the right to request us to restrict processing of your personal data, under certain conditions.
- The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
- The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
To exercise your rights, we may require proof of your identity or proof of your authorization for someone else to act on your behalf where the request is made via a representative.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please process a Data Subject Request or contact us.
What are cookies?
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.
For further information, visit aIIaboutcookies.org.
How do we use cookies?
Our Company uses cookies in a range of ways to improve your experience on our website, including:
- Keeping you signed in
- Understanding how you use our website
- Tracking previously viewed items, shopping preferences, engagement, and behavior on site.
What types of cookies do we use?
There are a number of different types of cookies, however, our website uses:
- Functionality — Our Company uses these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. A mix of first-party and third-party cookies are used.
- Advertising — Our Company uses these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. Our Company sometimes shares some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.
How to manage cookies
You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Privacy policies of other websites
Our website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy, cookie policies & terms of use.
Changes to our privacy policy
This privacy policy is under regular review and therefore subject to change. We therefore reserve the right to modify this privacy policy. This privacy policy was last updated on 30th January 2024.
How to contact us.
If you have any questions about this policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us via any of the following means:
- Website: via the “contact us” tab or https://scanlabkenya.com/data-subject-requests/
- Polo Centre, Ground Floor, Kenyatta Avenue, Nakuru,
- Telephone: +254722149505/ +254202500017.
- P.O. Box 999-20100 Nakuru, Kenya.
- Email: dpo@scanlabkenya.com
How to contact the appropriate authority
Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the office of the data protection commission.
Effective date
The effective date of this notice is 30th January 2024 (V2).