{"id":981,"date":"2026-05-16T11:27:52","date_gmt":"2026-05-16T11:27:52","guid":{"rendered":"https:\/\/baadvocates.com\/?p=981"},"modified":"2026-05-21T13:06:04","modified_gmt":"2026-05-21T13:06:04","slug":"employee-data-vs-employer-control-who-owns-workplace-data","status":"publish","type":"post","link":"https:\/\/baadvocates.com\/index.php\/2026\/05\/16\/employee-data-vs-employer-control-who-owns-workplace-data\/","title":{"rendered":"EMPLOYEE DATA VS EMPLOYER CONTROL: WHO OWNS WORKPLACE DATA"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong><u>Privacy Exists, But Not in Isolation<\/u><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If your employer can access your work laptop, can they also read your WhatsApp messages? If you once consented to your image being used at work, does that consent last forever? And how far can an employer go when investigating you?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Article 31 of the Constitution guarantees every person the right to privacy, including the protection of personal data and communications. However, within the employment context, this right does not operate in a vacuum.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Employers have legitimate interests: protecting their reputation, ensuring productivity and investigating misconduct. The law therefore does not prevent employers from accessing or processing employee data. 
Instead, it regulates how far they can go and under what circumstances.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Data Protection Act, 2019 (DPA) further reinforces this by requiring that any processing of employee data must have a specific Legal Basis (Section 30), such as the performance of a contract or compliance with a legal obligation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Recent court decisions make it clear that the real issue is no longer whether employers can act, but how they do so.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><u>When is the Line Crossed?<\/u><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This boundary was tested in <strong>Mwangi v ABSA Bank Kenya PLC (2024)<\/strong>, where an employer went beyond workplace concerns and delved into an employee\u2019s private life. A private investigator was engaged to scrutinize activities outside working hours, an approach the employer justified on the basis of maintaining integrity in the banking sector.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The court, however, found this to be excessive. It held that extending investigations into an employee\u2019s personal life without sufficient justification violated the constitutional right to privacy. The ruling established that there must be a nexus between the private conduct being investigated and the employee&#8217;s fitness to perform their professional duties.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><u>When is Employer Control Justified?<\/u><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In <strong>Musa v Makini Schools Limited (2025)<\/strong>, the court upheld an employer\u2019s decision to rely on WhatsApp messages retrieved from a work-issued laptop.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The employee argued that accessing these messages without consent amounted to unlawful surveillance. 
The employer, on the other hand, maintained that the device was company property and that the messages were relevant to serious allegations affecting its reputation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In siding with the employer, the court focused on context. The court applied the &#8220;Proportionality Test&#8221;: Was the intrusion necessary to achieve a legitimate goal? Because the access was tied to a specific investigation and involved a company-owned device, it was deemed justifiable. This highlights that ownership of the hardware creates a lower expectation of privacy for the employee, provided a clear ICT policy is in place.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><u>Consent Is Not Forever<\/u><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another common misunderstanding in workplace data practices is the belief that once consent is given, it continues indefinitely.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This assumption was rejected in <strong>Moja Expressway Company v Cyrus Mwaniki<\/strong>. In that case, an employer continued using a former employee\u2019s image in promotional materials after the employment relationship had ended, relying on consent previously given during employment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The court dismissed this argument, holding that consent tied to an employment relationship is not permanent. Once the relationship ends, the basis for that consent may no longer exist.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Under Section 32 of the DPA, a data subject (employee) has the right to withdraw consent at any time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once the relationship ends, the purpose of the processing often expires. 
This shows that consent is contextual, time-bound and must be reassessed when circumstances change.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><u>Biometric and CCTV Surveillance<\/u><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">In <strong>Kenya Union of Journalists v Kenya Broadcasting Corporation (KBC),<\/strong> the introduction of a mandatory facial recognition system without consultation, transparency or a Data Protection Impact Assessment led to a decisive ruling against the employer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The court found violations of constitutional rights, including privacy, access to information and principles of transparency and accountability.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Crucially, the employer failed to conduct a Data Protection Impact Assessment (DPIA) as required under Section 31 of the DPA for high-risk processing. The court ordered the deletion of all collected biometric data. This serves as a warning: Management Prerogative does not exempt an employer from statutory compliance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><u>What are the courts saying?<\/u><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Looking across these decisions, a consistent three-part test emerges for any employer wishing to monitor or investigate an employee:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Legality<\/strong>: Is there a clear policy or law allowing this action?<\/li>\n\n\n\n<li><strong>Legitimacy<\/strong>: Is there a valid reason (e.g., theft, security, productivity)?<\/li>\n\n\n\n<li><strong>Proportionality<\/strong>: Is this the &#8220;least intrusive&#8221; way to get the information?<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><u>The Compliance Reality for Employers<\/u><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For organisations, the message is becoming harder to ignore. 
It is no longer enough to rely on internal policies or assume that operational needs justify data use. Courts are increasingly demanding evidence of compliance, not just intention.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Employers must move from assumption to accountability. The Best Practice checklist now includes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Drafting robust ICT and Privacy Policies.<\/li>\n\n\n\n<li>Conducting DPIAs before installing CCTV or Biometrics.<\/li>\n\n\n\n<li>Issuing &#8220;Privacy Notices&#8221; to employees explaining exactly what is monitored.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\"><u>A shared responsibility<\/u><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Employees, too, must navigate this space with awareness. While their rights to privacy remain intact, the use of employer-issued devices and systems introduces a level of oversight that cannot be ignored. The workplace is not a privacy-free zone but neither is it a space of absolute privacy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It is a shared environment, where both rights and responsibilities must be understood.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Conclusion<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In light of recent judicial trends, it is evident that workplace data privacy in Kenya is no longer governed solely by internal HR policies, but by the rigorous standards of the Constitution and the Data Protection Act, 2019.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The central takeaway is that management prerogative is not absolute. 
While employers retain the right to protect their business interests and maintain productivity, they must navigate a delicate balance where transparency, legality and proportionality are the guiding stars.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The courts have made it clear:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Ownership of a device does not grant a blanket check to invade an employee\u2019s private life.<\/li>\n\n\n\n<li>Consent is a shifting baseline, not a permanent waiver of rights.<\/li>\n\n\n\n<li>High-risk surveillance (like biometrics) requires strict procedural compliance, such as conducting Data Protection Impact Assessments (DPIAs).<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Ultimately, the shift is from assumption to accountability. For a stable and legally compliant workplace, employers must transition toward a culture of &#8220;<em>privacy by design<\/em>,&#8221; ensuring that every instance of data processing can withstand the scrutiny of the three-part test of legality, legitimacy and proportionality.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the digital age, the most successful organizations will be those that view data protection not as a hurdle, but as a fundamental component of the<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>Disclaimer:<\/em><\/strong><em>&nbsp;The information provided in this article is for general informational purposes only and does not constitute legal advice. The author\/website is not responsible for any errors or omissions, and a party desiring legal advice should get in touch with the authors.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Privacy Exists, But Not in Isolation If your employer can access your work laptop, can they also read your WhatsApp messages? If you once consented to your image being used at work, does that consent last forever? And how far can an employer go when investigating you? 
Article 31 of the Constitution guarantees every person [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":982,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-981","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-privacy"],"_links":{"self":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts\/981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/comments?post=981"}],"version-history":[{"count":8,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts\/981\/revisions"}],"predecessor-version":[{"id":996,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts\/981\/revisions\/996"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/media\/982"}],"wp:attachment":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/media?parent=981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/categories?post=981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/tags?post=981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}