Kenya Data Protection Act Compliance: HR Guide for Background Checks | Peleza

Kenya’s Data Protection Act (2019) reshaped how employers collect, store, and use candidate information. For HR professionals, it marked the shift from informal data handling to legally accountable processing. Every copy of an ID, every background check and every email holding a CV now falls under rules on consent, purpose, and protection.

A compliant background check process shows candidates that your organization values privacy and integrity. It strengthens your brand and builds trust from the very first interaction. Candidates feel safer sharing their personal data when they know it’s handled transparently, with their consent, and for legitimate reasons.

Compliant background checks protect not just your data, but your organization’s reputation, legal standing, and peace of mind. This guide breaks down what every Kenyan employer needs to know to stay both trusted and compliant under the Data Protection Act when conducting background checks:

Understanding the Data Protection Act (DPA) 2019

The DPA, enforced by the Office of the Data Protection Commissioner (ODPC), regulates how organisations collect, use, store, and share personal data in Kenya.

What Counts as Personal Data in Hiring?

When you conduct background checks, you’re processing several types of personal data:
Basic personal data:
  • Full name
  • National ID number
  • Date of birth
  • Contact information
  • Residential address
Higher-risk personal data:
  • Criminal records
  • Health information
  • Biometric data (fingerprints, and photos used for identification)
  • Academic records
  • Financial history
The DPA defines a category of sensitive personal data (which includes health and biometric data, among others) that carries stricter requirements. Most background checks touch at least one of these categories, so treat the whole report as high-risk rather than trying to separate the "basic" fields from the rest.
The 7 Principles of Data Processing
Under the DPA, all data processing (including background checks) must follow these principles:
  1. Lawfulness, fairness, and transparency – You must have a legal basis and be upfront about what you’re doing
  2. Purpose limitation – Only collect data for specific, stated hiring purposes
  3. Data minimization – Only collect what’s necessary for the background check
  4. Accuracy – Ensure the data you collect and use is correct
  5. Storage limitation – Don’t keep background check data longer than needed
  6. Integrity and confidentiality – Protect data from breaches and unauthorized access
  7. Accountability – Document your compliance efforts
Violating any of these can trigger ODPC penalties.

Step-by-Step: Compliant Background Checks

Step 1: Get Explicit Consent
This is non-negotiable.
Before conducting any background check, you must:
  • Obtain written consent from the candidate
  • Explain exactly what you’ll verify (ID, education, criminal records, etc.)
  • State why you need this information (for employment eligibility)
  • Inform them of how long you’ll keep the data
  • Tell them who will have access to the information
Step 2: Establish a Lawful Basis
Under the DPA, you need a legal justification for processing personal data.
For hiring, the lawful bases you will typically rely on are:
  • Consent (already obtained in Step 1)
  • Contract (processing necessary to enter into an employment contract)
  • Legal obligation (where a check is mandated by law, for example KYC requirements in the financial sector)
Document which basis applies to each type of check you conduct; a criminal record check and an academic verification may rest on different bases.
Step 3: Work with Compliant Verification Partners
If you use a third-party provider (like Peleza), ensure they:
  • Are registered with the ODPC as a data processor
  • Have a clear data processing agreement with you
  • Follow ODPC guidelines on data security
  • Can demonstrate compliance (ask for their ODPC registration certificate)
Your responsibility doesn’t end when you outsource.
You remain the data controller and are accountable for how your partners handle candidate data.
Step 4: Secure Data Storage
Background check reports contain sensitive information.
The DPA requires appropriate security safeguards for personal data, and ODPC enforces them. In practice that means:
  • Store reports in secure, encrypted systems (not in unprotected spreadsheets or email threads)
  • Limit access to authorized personnel only (HR and the hiring managers for that role)
  • Keep access logs (who viewed what, when, and why) and review them
  • Require strong authentication, including two-factor authentication, for every account that can reach the reports
Red flag: Keeping printed background check reports in unlocked filing cabinets is a compliance violation.
Step 5: Limit Data Retention
You can’t keep background check data indefinitely.
ODPC guidelines recommend:
  • For hired candidates: Retain checks for the duration of employment + 3-5 years (for legal defense if needed)
  • For rejected candidates: Retain for 6-12 months maximum (in case of disputes)
  • After this period, you must securely delete the data—not just archive it.
Set up automatic deletion schedules or annual audits to stay compliant.
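Steps 4 and 5 together describe two mechanisms: a retention clock that differs for hired and rejected candidates, and an access log that records every read of a report. The following is an added example showing both in working Python; it is not Peleza's code or ODPC guidance. The retention periods, the role names, the in-memory "store" and the sample records are all assumptions chosen for illustration (the periods sit inside the ranges this guide cites); replace them with whatever your documented retention schedule and access policy say.

```python
"""Retention scheduler with an access audit trail for background-check reports.

Added example, not Peleza's code. Retention periods, roles and sample records
are assumptions; the live store is a dict standing in for a database.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_AFTER_EMPLOYMENT = timedelta(days=3 * 365)  # assumed: end of employment + 3 years
RETENTION_REJECTED = timedelta(days=365)              # assumed: 12 months for rejected candidates
AUTHORISED_ROLES = {"hr", "hiring_manager"}           # assumed role names


@dataclass
class CheckRecord:
    candidate_id: str
    outcome: str                          # "hired" or "rejected"
    completed_on: date                    # date the check report was delivered
    employment_ended: Optional[date] = None
    report: str = ""                      # stand-in for the stored report document


def deletion_due(rec: CheckRecord) -> Optional[date]:
    """Date on which the report must be deleted, or None while the clock has not started."""
    if rec.outcome == "rejected":
        return rec.completed_on + RETENTION_REJECTED
    if rec.outcome == "hired":
        if rec.employment_ended is None:
            return None                   # still employed: clock runs from the end of employment
        return rec.employment_ended + RETENTION_AFTER_EMPLOYMENT
    raise ValueError(f"unknown outcome {rec.outcome!r}")


def read_report(store: Dict[str, CheckRecord], candidate_id: str, user: str, role: str,
                purpose: str, audit_log: List[dict], today: date) -> Optional[str]:
    """Return a report only to an authorised role; log every attempt, allowed or denied."""
    allowed = role in AUTHORISED_ROLES and candidate_id in store
    audit_log.append({
        "on": today.isoformat(), "event": "read", "candidate_id": candidate_id,
        "user": user, "role": role, "purpose": purpose, "allowed": allowed,
    })
    return store[candidate_id].report if allowed else None


def purge_expired(store: Dict[str, CheckRecord], today: date, audit_log: List[dict]) -> List[str]:
    """Remove every record whose retention period has ended; keep only an audit entry per deletion."""
    purged = []
    for cid, rec in list(store.items()):
        due = deletion_due(rec)
        if due is not None and today >= due:
            del store[cid]                # removed from the live store, not moved to an "archive"
            audit_log.append({"on": today.isoformat(), "event": "delete",
                              "candidate_id": cid, "due": due.isoformat()})
            purged.append(cid)
    return purged


def build_sample_store() -> Dict[str, CheckRecord]:
    """Constructed sample records for the example (not real candidates)."""
    return {
        "C-001": CheckRecord("C-001", "rejected", date(2024, 1, 15), report="rejected: ID mismatch"),
        "C-002": CheckRecord("C-002", "hired", date(2024, 2, 1), report="hired: all checks clear"),
        "C-003": CheckRecord("C-003", "hired", date(2020, 3, 1),
                             employment_ended=date(2021, 6, 30), report="hired: all checks clear"),
        "C-004": CheckRecord("C-004", "rejected", date(2025, 3, 1), report="rejected: degree unverified"),
    }


if __name__ == "__main__":
    store, log, today = build_sample_store(), [], date(2025, 6, 1)
    print(read_report(store, "C-002", "jane", "hr", "onboarding file review", log, today))
    print(read_report(store, "C-002", "bob", "it_support", "curiosity", log, today))  # denied, but logged
    print("purged:", purge_expired(store, today, log))
    print("remaining:", sorted(store))
    for entry in log:
        print(entry)
```

Two design points matter here. The retention clock for a hired candidate does not start at the check date but at the end of employment, so `deletion_due` returns `None` until that date is known, and a nightly run of `purge_expired` simply skips the record. Deletion removes the record from the store rather than flagging it, so an "archived" copy cannot quietly survive the retention period; the audit entry that remains carries only the candidate identifier and the dates, which is enough to prove the schedule was followed without keeping the report itself.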
Step 6: Honor Candidate Rights
Under the DPA, candidates have the right to:
  • Access their data – Provide a copy of their background check report upon request
  • Correct inaccurate data – Update errors in their records
  • Object to processing, and withdraw consent where consent is the basis you rely on (either may mean the application cannot proceed, and you should say so up front)
  • Data portability – Transfer their data to another controller if requested
Build processes to handle these requests within 30 days (DPA requirement).
Step 7: Document Everything
Compliance is about proving you did the right thing.
Maintain records of:
  • Consent forms (signed and dated)
  • Data processing agreements with vendors
  • Security measures implemented
  • Data retention and deletion schedules
  • Staff training on data protection
  • Incident response plans (in case of breaches)
If ODPC audits you, this documentation is your defense.

Common Compliance Mistakes (And How to Avoid Them)

Mistake 1: Running Checks Without Consent
Fix: Never start verification until you have signed consent.
Mistake 2: Using Unregistered Verification Providers
Fix: Ask for ODPC registration proof before engaging any vendor.
Mistake 3: Sharing Reports Too Widely
Fix: Limit access to hiring decision-makers only. No forwarding to department gossip chains.
Mistake 4: Keeping Data Forever
Fix: Set deletion schedules and stick to them.
Mistake 5: Ignoring Candidate Requests
Fix: Respond to access/correction requests within 30 days.

How Peleza Ensures Compliance

At Peleza, we have built our verifications and platform with data privacy compliance at the core:
  • Registered data processor with ODPC
  • Encrypted data storage on secure servers
  • Consent tracking for every check
  • Access controls and audit logs for all users
  • Data retention controls
  • Candidate rights – access, correction, deletion requests
When you use Peleza, you’re not just getting background checks, you’re getting a compliant process from start to finish.
Need help processing your background checks in a compliant manner?
Peleza handles the compliance heavy lifting so you can focus on hiring great people.
Book a demo and see how we make compliant background checks simple: Book Demo
About Peleza
Peleza is Kenya’s leading background check and identity verification platform, fully compliant with the Data Protection Act 2019. We help businesses conduct thorough, secure, and legally defensible background checks, KYC and KYB verifications.
Trust built on data.