Are You Handling Biometric Data in the Workplace?

Blog By

Ms. Jane Ombiro, CIPP/E, CIPM, FIP

Data Protection Expert 

South-End Tech Limited

Date: 18th June 2024.

The Kenyan Data Protection Act, 2019 defines biometric data as personal data resulting from specific technical processing based on physical, physiological or behavioral characterization including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning and voice recognition.

Biometric data falls under the sensitive category of personal data. It is inherently sensitive due to its uniqueness to a data subject and the increased potential for harm if it is compromised. In Kenya, biometric data must be processed in line with sections 44 and 45 of the Kenyan Data Protection Act.

Section 45 stipulates the following grounds which may be used as legal bases for processing biometric data:

  1. Processing the data in the course of legitimate activities of a foundation, association or an NGO with a political, philosophical, religious or trade union aim.
  2. The data has been made public by the data subject.
  3. The processing is necessary to establish, exercise or defend a legal claim.
  4. The processing is necessary to protect a data subject’s or another person’s vital interest.
  5. The processing is necessary to carry out the obligation and exercise the specific rights of a controller or a data subject.

Processing of biometric data is prohibited in the European Union and the United Kingdom unless the processing meets one of the criteria set out in Article 9(2) of both the EU and the UK General Data Protection Regulations.

When processing biometric data in the workplace, employers must handle the data with utmost regard for an individual’s right to privacy and the principles of data protection. Employers must also process the data in full compliance with all the applicable data protection laws that affect the organization’s operations.

Failure to adhere to the above could result in an enforcement notice being issued against an organization. On 19th February, 2024, the United Kingdom Information Commissioner issued an enforcement notice against Serco Leisure, Serco Jersey and 7 associated community leisure trusts.

The investigation by the Information Commissioner’s Office (ICO) revealed that Serco and the trusts had been using Facial Recognition Technologies (FRTs) and fingerprint scanning for employment attendance checks and subsequent payment of employees for time worked as captured in the attendance.

The Information Commissioner ordered Serco and the trusts to stop using facial recognition technologies and fingerprint scanning to monitor employee attendance. 

The Kenyan Data Commissioner is yet to make a similar determination. However, since the British system heavily influences Kenya’s legal system, should the Kenyan Data Commissioner be faced with similar facts, her decision may be heavily influenced by the ICO’s determination.

Processing biometric data has a substantial privacy impact. Employers are thus advised to refrain from processing the data for the purposes of monitoring employee attendance and subsequently using the attendance to justify the remuneration for the work done.

Organizations are further advised to use less intrusive means to monitor employee attendance, such as radio frequency identification cards or fobs and manual sign in and sign out sheets.

For more information on processing sensitive personal data in Kenya refer to our blog
