Data Privacy Policy

The Aga Khan University Hospital, Nairobi’s (AKUH, N also hereinafter referred to as, “the Hospital”), vision is to be a premier teaching and tertiary referral health facility in Sub-Saharan Africa. At AKUH, N we are committed to providing patients with world class health care. The health care practices at AKUH, N are of the highest quality, as benchmarked against international standards.

All personal data collected will be processed in accordance with the provisions of the Data Protection Act, 2019, Data Protection (General) Regulations 2021, Data Protection (Complaint handling Procedure and Enforcement) Regulations, 2021 and the Data Protection (Civil Registration) Regulations, 2020.

As required under Section 18 of the Data Protection AKUH, N is duly registered with the Office of the Data Protection Commissioner as a Data Controller and a Data Processor. AKUH, N has a duly appointed Data Protection Officer who may be reached via email sent to dpo.akuhn@aku.edu copied to client.relations@aku.edu.

At AKUHN we are committed ensure that all personal data collected by us such as a natural person’s race, health status, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of a person’s children, parents, spouse, sex or the sexual orientation of patients, students, residents, staff and or suppliers is processed in a fair and transparent manner, with appropriate data protection measures in place to safeguard personal data against unauthorized access, disclosure, or loss.

AKUH, N has put procedures in place to protect against breaches in data security and will notify data subjects and any applicable regulator of any suspected breach, where legal necessitated to do so.

While processing personal data in our possession we shall ensure that we uphold the key principles of lawfulness, transparency, purpose limitation, integrity, confidentiality, and availability, data minimization, accuracy, storage limitation and fairness.

To be precise, AKUH, N commits to ensure that all personal data shall be: -

a. Processed in accordance with the right to privacy of the data subject.
b. Processed lawfully, fairly and in a transparent manner in relation to the data subject.
c. Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes.
d. Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed.
e. Collected only where a valid explanation is provided whenever information relating to family or private affairs is required.
f. Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay.
g. Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected and,
h. Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Purposes as to Why We Collect Several Types of Data

a. Personal Data. This is any information that relates to an identified or identifiable natural person. It includes things such as names, age, identification card numbers, passport numbers, telephone numbers, postal addresses, email addresses, credit card details, debit card details, country of origin, and or residential addresses. Such information is collected for purposes of ensuring that you are properly identified, effective communication between yourself and the Hospital and seamless provision of quality services to the data subjects.
b. Sensitive Personal Data. This is information that reveals the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, including names of a person’s children, parents, spouse or spouses, sex or sexual orientation. The Hospital appreciates that data subjects come from diverse backgrounds that vary. As is the practice the world over in health care, for the Hospital to be able to provide quality services to data subjects certain issues such as the ones named above must be put into perspective and consideration.

AKUH, N shall only NOT process personal data, unless the processing is necessary: -

i. For the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.
ii. For compliance with any legal obligation to which the Hospital is subject.
iii. In order to protect the vital interests of the data subject or another natural person.
iv. For the performance of a task carried out in the public interest or in the exercise of official authority vested in the Hospital
v. For the performance of any task carried out by a public authority.
vi. For the exercise, by any person in the public interest, of any other functions of a public nature.
vii. For the legitimate interests pursued by the Hospital or to a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
viii. For the purpose of historical, statistical, journalistic. literature and art or scientific research
ix. Further processing of personal data shall be in accordance with the purpose of collection.

Note:

 Where the Hospital may need to use a data subject’s personal data for unrelated purpose, the Hospital will notify the data subject and explain the grounds thereof and seek consent for such process such data for that unrelated purpose. Personal data shall not be used for unrelated purpose without consent.
 The Hospital may ONLY process personal data without the knowledge and or consent of the data subject to the extent that is permissible by the Data Protection Act, 2019.

Determination of what specific personal data and or sensitive data is collected is dependent on the product(s) or services(s) that one may need from the Hospital. Such determining factors may include but not limited to: -
i. Provision of health services.
ii. Provision of academic services.
iii. Management of and improvement of the Hospital’s relationships with its clients and service provider engagements, development analysis and corporate marketing.
iv. Need to engage in business related contractual engagements such as those relate to supply chain management and financial management.
v. Legal compliance and public purposes such as the need to meet our legal obligations by cooperating with public authorities whenever they make lawful requests, compliance with court orders and government regulations.
vi. Purposes of recruitment of employees. (Evaluating recruitment applications for employment, undertaking pre-employment screening and reference checks).
vii. Proper management of pension matters.
viii. Engagement of consultants.
ix. Need to ensure that there are proper working communication channels between the Hospital and the data subjects.
x. Effective management of security within the Hospital. (Operation of CCTV, governance audit and quality assurance processes and arrangements).
xi. Enhancement of both the safety of the Hospital and the data subject in the internet space.
xii. Purposes of enabling third party service providers to effectively provide product(s) and service(s) to the Hospital.
xiii. Compliance with obligations to donors and sponsors (Including our disclosure under their terms and conditions and policies).
xiv. To ensure business contingency planning and response to active incidents.
xv. For proper investigation and responding to complaints relating between the Hospital’s relationship with data subjects so as to maintain and or improve quality in service delivery.
xvi. Recording and monitoring telephone conversations, email correspondences so as to maintain service quality and security, for staff training and fraud monitoring and to deal with complaints disputes and potential criminal activity to the extent permitted by law.
xvii. For research and other statistical and artistic trend analysis conducted by way of de-identifying and aggregating or anonymizing source data with that of other data subjects and institutions to ensure that it cannot be re-worked so as identify the data subjects.

How Does AKUH, N Collect Your Personal Data?

Data may be collected in different ways whenever a data subject: -

i. Logs into the Hospital’s Queue Management System.
ii. Is being registered for the provision of medical services.
iii. Is in consultation with a medical service provider.
iv. Registers as a student and or resident with the Hospital and or its affiliate, the Aga Khan University.
v. Applies to be considered for a consultancy position within the Hospital or works as a consultant at the Hospital.
vi. Participates in the tendering process.
vii. Signs up for marketing purposes.
viii. Participates in a recruitment process.
ix. Registers on the Hospital website.
x. Fills the security books or is identified by the Hospital’s CCTV cameras.
xi. Participates in events sponsored by the Hospital such as fund raisers, medical camps and or sports day.

The Hospital may also collect personal data from third parties seeking reference checks, business entities that interacted with a data subject such as former schools, colleges, regulatory bodies and government agencies and from publicly available sources.

Rights of Data Subjects

AKUH, N recognizes and upholds all the rights of data subjects as stipulated in the Data Protection Act, 2019. For avoidance of doubts, among other rights, data subjects have right; -
i. To be informed of the use to which their personal data is to be put.
ii. To access their personal data in custody of the Hospital.
iii. To object to the processing of all or part of their personal data.
iv. To correction of false or misleading data.
v. To deletion of false or misleading data about them.
vi. To receive personal data concerning them in a structured, commonly used and machine-readable format.
vii. To object and opt out of the Hospital’s marketing services.

>Caution: Exercise of Rights of Data Subjects
 Whilst AKUH, N recognizes the above rights, it also recognizes that the Data Protection Act, 2019 and its attendant Regulations provides for certain scenarios through which the Hospital may decline to act in a manner suggested by data subjects. If the Hospital declines, it will act in compliance with the Data Protection Act, 2019 communicate the grounds thereof with the data subject in a manner stipulated under the said law.
 AKUH, N being a duly registered corporate body, it complies with several regulatory bodies that are formed by statutes passed into law. Where there are conflicting positions in the laws that govern such regulatory bodies, while acting on requests made by data subjects, AKUH, N shall comply and or act in a manner or practice approved by the regulator in charge of the specific request made by a data subject. For instance, where a request is made relating to healthcare matters, AKUH, N will act in the manner prescribed by the Kenya Medical Practitioners and Dentists Council and or where a request is made relating to sharing of tax related information, AKUH, N shall act in a manner or practice approved by the Kenya Revenue Authority.
 While a data subject has the right to object to provision of any personal data that may be requested by AKUH, N, it is imperative that the data subject also take note of the fact that failure to provide requested data needed for operational purposes may lead to services not adequately and or ultimately being provided.

Cookies
i. When a data subject uses the AKUH, N website, data about how the data subject’s use of the AKUH, N website is automatically collected using “cookies.” Cookies are text files placed on the data subject’s computer to collect standard internet log data and visitor behavior data. This data is used to track visitors’ use of our website and to compile statistical reports in website activity.
ii. Some of the pages on the AKUH, N website also use cookies set by carefully selected third party suppliers. None of the AKUH, N cookies store personal data. In addition to this, if a data subject goes on a web page on the AKUH, N site that contains embedded content, for example a video on You Tube, the data subject may receive cookies from those websites. AKUH, N does not control those cookies and therefore it is advisable that the data subjects check third-party websites for more data about their cookies and to manage them.
iii. Data subjects can set their browsers to not accept cookies and obtain up-to-date data about blocking and deleting cookies via www.aboutcookies.org.
iv. Viewing of the AKUH, N website by a data subject who shall have not changed his or her cookie settings will be taken as an implied consent to receive all cookies.

Notice on Sharing of Personal Data
While taking all laws into consideration, including but not limited to requirements for carrying out anonymization and or pseudonymization, AKUH, N may in consideration of the purpose and circumstances, share personal data belonging to data subjects with: -
i. External service providers where AKUH, N may have outsourced certain functions including but not limited to ICT and office systems, administrative and diagnostic services providers.
AKUH, N shall only disclose personal data to external service providers/ partners/ affiliates wherein it is determined that it is essential for the data to be disclosed and there is an appropriate contract in place that requires the third party to keep such data secure and not to use such data in any manner inconsistent with AKUH, N specified instructions.
ii. Its professional service providers such as legal representatives, accountants, tax advisors, insurers, auditors et al.
iii. Its partner organizations or affiliate entities such as the Aga Khan University.
iv. Persons where disclosure is required by law or to enable products and services to be provided to the data subjects.
v. Competent regulatory, prosecuting, tax or governmental authorities, courts or other quasi-judicial bodies.
vi. Relevant statutory or regulatory bodies.
vii. Sponsors or financiers of the Hospital.
viii. Prospective buyers as part of a sale, merger or other disposal of any business or assets.
ix. Any person duly authorized by the data subject by way of a consent.

If there is any need to contact the AKUH, N office of the Data Protection Officer, kindly do via the following email addresses dpo.akuhn@aku.edu copied to client.relations@aku.edu.
The office of the Data Protection Officer and or that of the Client Relations Department will endeavor to respond and act on all requests/ complaints in a timely fashion.

Back