Introduction

This is the Dr. Rasik Kantaria Jalaram Medical Services (RKJMS) Privacy Notice.

This Privacy Notice is written to inform you about how, when and why your information may be
collected, processed or shared. In part, it also informs you how RKJMS is complying with
the Data Protection Act, 2019 (‘the Act’), The Data Protection General Regulations 2021,
The Data Protection (Registration of Data Controllers and Data Processors) 2021, The Data
Protection (Complaints Handling and Enforcement Procedures) Regulations 2021 as may
be amended from time to time, and any other regulations made thereunder (collectively,
“the Data Protection Legislation”).

Who we are

RKJMS is a medical service provider in Parklands in Nairobi, Kenya.  For more information
about us, please visit our website: www.jalarammedicalservices.org.
RKJMS is registered as a Data Controller with the Office of the Data Protection
Commissioner of Kenya and our registration number is 01571 dated 30 January 2023.
You may reach out to our Data Protection Officer through the following email address:
dpo@jalaramnairobi.org

What does this Privacy Notice cover?

1.1 This Privacy Notice details RKJMS's collection and processing of data for data
subjects in line with the data protection regulations. It also explains your rights
under the law relating to your personal data.

1.2 We will process any personal data we collect from you in accordance with this
Privacy Notice (together with any other documents referred to in it). Kindly
read this Notice carefully so that you can understand how we handle your personal
data.

Amendments to this Privacy Notice

We may change, modify or adopt a new Privacy Notice from time to time.
If we do so, we will post it on our website and at RKJMS. It’s your responsibility to check the
Privacy Notice every time you submit your personal data to us.
This version was last updated on 26th July 2024

Definitions

Personal data is defined as information relating to a living individual that can identify them.
Examples include name, date of birth, telephone, email or any information relating to an
identified or identifiable natural person.

Sensitive personal data are defined as: race, health status, ethnic social origin,
conscience, belief, genetic data, biometric data, property details, marital status, family
details including names of the person’s children, parents, spouse or spouses, sex or the
sexual orientation of the data subject.

Our Data Protection Principles

At RKJMS, we are committed to protecting your privacy and ensuring that your personal
data is handled lawfully, fairly, transparently, safely and in a responsible manner. This
Privacy Notice explains how we collect, use, disclose, safeguard and how you can access
your personal information in compliance with the Kenya Data Protection Act of 2019.

Dr Rasik Kantaria Jalaram Medical Services (RKJMS) needs to collect and process
personal data about people with whom it deals to carry out its business and provide its
services. This includes but is not limited to patients, employees (present, past and
prospective), suppliers, regulators, governments and other business contacts.

RKJMS collects and handles personal data in line with the following principles:

i. RKJMS collects and processes data Lawfully, Fairly and Transparently
ii. Purpose Limitation – RKJMS collects and processes Personal data for
specified, explicit and legitimate purposes.
iii. Data Minimization – RKJMS only collects and processes data that is necessary
to meet or achieve the purpose for which it is collected. This data, however,
must be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed.
iv. Accuracy – RKJMS is committed to the accuracy of the data collected and/or
processed.
v. Storage Limitation – RKJMS keeps data according to the periods specified in
the RKJMS document retention policy.
vi. Integrity and Confidentiality – As RKJMS, we work to secure the data in our
possession to prevent loss and protect against unauthorized access. We treat
your personal information confidentially. All our staff sign confidentiality
agreements.
vii. RKJMS does not sell your personal information.

Controller of Personal Information

As required under Section 18 of the Data Protection Act, RKJMS is duly registered with the
Office of the Data Protection Commissioner as a Data Controller and a Data
Processor. RKJMS is the controller of the personal information we hold about you in
connection with your use of our services. This means that we determine and are
responsible for how your personal information is used, in line with the Data Protection Act,
2019.

Legal Basis for Processing Personal Information

In each circumstance, we process your personal information based on at least one of the
following legal grounds:

i. Your consent.
ii. Performance of a contract with you or to which you are a party.
iii. Compliance with a legal obligation.
iv. Protection of your vital interests.
v. Legitimate interests of RKJMS, where applicable.
vi. In the interest of the Public
vii. Compliance with the law

Understanding Your Personal Data

Each time you visit Dr Rasik Kantaria Jalaram Medical Services (RKJMS), a record of your
visit is created. This record usually contains your name and other information that may
identify you, your symptoms, examination and test results, diagnoses, treatment, plan for
future care, and financial information. This collected data is sometimes referred to for
treatment, or for RKJMS to measure the quality of care provided to you. We may also
collect your data any time you access our website through cookies and whenever we
engage with you on online platforms such as patient feedback platforms, or whenever you
accompany an individual to the hospital.

1. How we use your Personal Data and when it may be shared

Uses and disclosures: Dr Rasik Kantaria Jalaram Medical Services is permitted by
Kenyan privacy laws to use and disclose your health information for purposes of treatment,
payment, and healthcare operations (among other lawful bases highlighted above).
Personal Data is the information we create and obtain in providing our services to you and
interacting with you as described above. Such information may include information that
identifies you and your background, documentation of your symptoms, examination, and
test results, diagnosis, treatment, and application for future care or treatment. It also
includes billing documents related to those services.

Example of use of your health information for treatment purposes: During your
treatment, the physician determines whether he/she will need to consult with a specialist. If
so, the physician may share the information with the specialist and obtain his/her input.

Example of use of your health information for payment purposes: We submit requests
for payment to your health insurance company. The health insurance company requests
information from us regarding the medical care we provide. We will provide information to
them about you and the care we provided to you.

Example of use of your information for healthcare operations: We may use or disclose
your health information, as needed, to support the business activities of our medical
practice. These activities include, but are not limited to, training and education, quality
assessment and improvement activities, risk management, claims management, legal
consultation, licensing, credentialing, medical review, insurance purposes and for
promotional activities.

Promotional activities

With your consent or as otherwise permitted by applicable law, we may use your personal
information for purposes relating to the promotion of our services. This means that we may
from time to time:

  • Send you newsletters, press releases, event announcements and other similar
    communications regarding the services that we offer.
  • Market or promote our services to you.
  • Solicit input from you regarding improvement of our services.
  • Use your personal information with your consent for other purposes that we disclose
    to you at the time we obtain your consent.

You may at any time opt-out from receiving marketing related communication from us, by
contacting us at dpo@jalaramnairobi.org

2. Other Disclosures and Uses

Communication with Family: Using our best judgment, we may disclose to a family
member, other relative, close friend, or any person you identify, health information relevant
to that person’s involvement in your care or in payment for such care if you do not object or
in an emergency.

Notification: Unless you object, we may use or disclose your health information to notify, or
assist in notifying, a family member, personal representative, or other person responsible
for your care, about your location, and about your general condition, or your death.

Data Processors: We enter into contracts with third-party entities known as business
associates. These Data Processors provide services to or perform functions on our behalf,
e.g., accountants, consultants and attorneys. We may disclose your health information, as
needed, to Data Processors once they have agreed in writing to safeguard your medical
information. Data Processors are also required by law to protect the privacy of your health
information.

Research: We may disclose information to researchers when an institutional review board
that has reviewed the research proposal and established protocols to ensure the privacy of
your health information has approved the research proposal.

Fundraising: We may use certain information to contact you as part of our fundraising
efforts. If you receive such a communication from us, you will be provided an opportunity to
opt-out of receiving such communication in the future.

Required by Law: Kenyan laws and regulations may sometimes require us to disclose
patients’ health information. For example, we are required to report child abuse or neglect
and must provide certain information to law enforcement officials whenever we receive a
court order for the same.

Disaster Relief: We may use and disclose your health information to assist disaster relief
efforts.

Workers Compensation: If you are seeking compensation for a work-related illness or
injury, we may disclose your health information as required by applicable Workers’
Compensation laws.

Law Enforcement: We may disclose your health information to law enforcement in limited
circumstances, such as to identify or locate suspects, fugitives, witnesses or victims of
crime, to report deaths from crime, to report crimes on our premises or in emergency
treatment situations.

Legal Proceeding: We may disclose your health information in a judicial or administrative
proceeding if ordered to do so by a court.

Health Oversight: We may disclose your health information to a government agency that
oversees our operations and personnel. These agencies need health information to monitor
our compliance with the laws and regulations.

Public Health: We may use your health information for public health activities such as
reporting births, deaths, communicable diseases, injuries, or disabilities; ensuring the safety
of drugs and medical devices; and for workplace surveillance or work-related illness or injury.

Pharmacy and Poisons Board (PPB) and product suppliers: We may disclose to the
PPB health information relative to adverse events with respect to food, supplements,
product or product defects, or post-marketing surveillance information to enable product
recalls, repairs or replacement. We may share limited personal data with the suppliers of
products involved in such events for completeness of information.

Postmortem pathologists, Medical Examiners and Funeral Directors: We may disclose
health information consistent with applicable law concerning deceased patients to
pathologists, medical examiners and funeral directors to assist them in carrying out their
duties.

Correctional Institutions: If you are an inmate, we may disclose information necessary for
your health and the health and safety of other individuals in the institutions or its agents.

Other Uses and Disclosures: If we wish to use or disclose your health information for a
purpose not discussed in this notice, we will seek your authorization. Specific examples of
uses and disclosures of health information requiring your authorization include (i) most uses
and disclosures of psychotherapy notes (private notes of a mental health professional kept
separately from a medical record); (ii) most uses and disclosures of your health information
for marketing purposes.

You may revoke your authorization at any time by delivering a written revocation to us,
except to the extent we already have taken action in reliance on your authorization.

It is possible that RKJMS holds information on you as part of someone else’s record. 
Under the Act you may still be entitled to receive a copy of this information, so long as it
would not breach the confidentiality of the person whose records hold the information, or
there is another reason not to provide it.

A. PATIENTS, ACCOMPANYING PERSONS AND EXTERNAL CLIENTS
SEEKING SERVICES AT RKJMS

  1. Personal Information We Collect
    We may collect and process the following categories of personal information (the examples
    under each category are not exhaustive):
    i. Contact Information: Name, address, email address, and phone number.
    ii. Other demographic data: Age, gender, residence.
    iii. Health Information: Medical history, treatment records, and other health-related information.
    iv. Payment Information: Insurance status, Credit card details and billing information.
    v. Technical Information: IP address, browser type, and usage data collected through cookies and
    similar technologies.
    vi. Audiovisual information – We may capture your images, videos and sounds through any of the
    audiovisual equipment that may be in operation at RKJMS including CCTV cameras, audiovisual
    recording of events at RKJMS and associated with RKJMS, audiovisual medical records, and
    audiovisual publicity processes.

  2. How we collect personal data
    RKJMS may collect your data whenever you:
    i. Pick a ticket or log into the Hospital’s Queue Management System.
    ii. Are being registered for the provision of medical services.
    iii. Are in consultation with a medical professional or an agent of the hospital.
    iv. Contact us
    v. Apply or register for electives, internships, employment, or any affiliation of any kind.
    vi. Reach out to us as a potential business partner or engage in any of our business
    partner processes, including as suppliers and as partners.
    vii. Engage with us or are present while we are undertaking marketing initiatives.
    viii. Access the hospital website.
    ix. Fill in record/security books.
    x. Are present in areas covered by our CCTV cameras.
    xi. Participate in events sponsored by the Hospital such as medical education events,
    medical camps, sponsorship or subsidized or free services.
    We may also collect your data from third parties including those seeking reference checks,
    business entities that interacted with a data subject such as former schools, colleges, regulatory
    bodies and government agencies and from publicly available sources.

  3. Use of Personal Information
    We may use your personal information to:
    i. Provide medical services and treatment.
    ii. Communicate with you about your care
    iii. Process payments for our services.
    iv. Improve our services and ensure the security of our systems.
    v. Ensure physical security.
    vi. Comply with legal and regulatory obligations.

  4. Sharing of Personal Information
    We may share your personal information with:
    i. Healthcare providers involved in your care.
    ii. Third-party service providers who process data on our behalf, which includes providers of our
    information technology platforms.
    iii. Regulatory authorities, where required by law.
    iv. Government and government agencies responsible for public health, where there are public health
    requirements to share data.
    v. Other parties with your consent or as directed by you.

1. Data Security

We implement appropriate technical and organizational measures to protect your personal
information against unauthorized access, loss, or damage. These measures include data
encryption, access controls, and regular security assessments. While we strive to secure
your personal information, we cannot warrant or guarantee that this information will be
protected under all circumstances, including those beyond our reasonable control.

2. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for
which it was collected, comply with legal and regulatory obligations, and resolve disputes.
We have established personal data retention schedules to manage this process.

B. EMPLOYEES, PROSPECTIVE EMPLOYEES, INDEPENDENT CONSULTANTS

RKJMS collects and processes personal data to facilitate the engagement with employees,
prospective employees, independent consultants, and other data subjects engaged with us
in ways that fall under Human Resources. This includes information that you may provide to
us in employment contracts, applications for employment, applications for placements and
any other application to or contact with our human resource department. This information
may also include what is contained in correspondence with the HR department or other
departments in the hospital but then forwarded to the HR department for human resource
management purposes. The personal information you provide includes basic contact
information about you, such as your name, physical and postal address details, contact
details, referee name, referee postal address, referee email address, referee phone
number, nationality, marital status, date of birth, university transcripts, academic
certificates, practice licenses, national ID number, NSSF number, NHIF number, KRA Pin
number, bank details, spouse details (name, passport photo, date of birth), marriage
certificate, dependant details (name, birth certificate, passport photo), next of kin details
(name, phone number, address) and medical history among other personal data.

We may also collect and retain background information as permitted under applicable law
and other information relevant to meeting our obligations under the employment laws and to
process the periodic payroll.

This information is only collected for the purposes of human resource management,
determination of employee status, processing statutory deductions, tax compliance, payroll
processing, processing employee benefits, alternative point of contact, pre-employment
medical assessment and recruitment.

With respect to former employees and independent consultants, we archive the records and
use them only on a lawful basis as permitted by the law. After the required retention
period (in line with Income Tax Act and Companies Act), the records are destroyed.

We may additionally collect and process your personal information through audiovisual
systems to support the business activities of the organization. Such activities may include
promotional activities including marketing.

We may further collect and process your personal information obtained through security
systems such as CCTV and biometric access control devices. This
information is for security purposes. We may further collect your personal information as
you interact with technologies in the hospital that may store your information, including our
website and the various Health Information Management Systems. This information is to
support the business activities of the organization.

Recruitment

We may use the personal information you provide to us through email, physically or any
other forum while applying solely for the purposes of processing your job application for the
position you have shown interest in and in accordance with this privacy notice and
applicable law. This may also include data we collect from third parties such as your
references, prior employers and educational history in order to identify and evaluate
candidates for potential employment. We may conduct vetting for specific job roles, which
may include background checks as permitted by local laws. With your consent, we may
retain a record of your job application and references after the role is filled.

C. BUSINESS PARTNERS

For all counterparties doing business with us, we collect information that qualifies as
personal data. This could be personal email addresses provided in the course of
communications and names and contacts of (company) representatives. It may also include
information about the company. Information collected through these processes is only used
for disinfection activities in out-patient centres, formalizing institution rescue services
agreement and supplier on-boarding procedures.

To ensure we do business with reputable, honest and qualified business partners we may
also conduct due diligence checks on companies and their directors and shareholders to
establish the legal status of all potential new business partners to evaluate whether they
may be involved in illegal or corrupt practices. Such checks may include the collection of
personal identification documents for such directors and shareholders.

We use your personal information to facilitate our ongoing and proposed business dealings with you.
This includes:

  • To process business transactions with us;
  • To communicate with you about updates to our services
  • To respond to questions or inquiries or complaints that you may have about our services.

We may use your personal information as required for us to comply with relevant laws and
regulations relating to our business.

3. Your Rights as a Data Subject

As a data subject, you have the right to:

  • Request access to your health information. You have a right to look at your own
    health information and get a copy of that information. Health information that is maintained
    electronically may be obtained in an electronic format. Any such request should be submitted
    in writing to the Data Protection Officer (DPO). If you request a copy of your health information
    (paper or electronic), we may charge you a reasonable (as determined by RKJMS) fee to provide
    you with the requested copies. You will be guided through the process. Please note that the
    process is not instantaneous and will take time as prescribed in the process related to your
    request.
  • Request amendment to your medical information. If you examine your health information and
    believe that some of the information is wrong or incomplete, you may ask us to amend your records.
    Any such request should be submitted in writing to the Data Protection Officer. We may deny
    your request if you ask us to amend information that (i) was not created by us; (ii) is not part of the health
    information kept by or for Dr Rasik Kantaria Jalaram Medical Services; (iii) is not part of the information
    that you would be permitted to inspect or copy; or (iv) is accurate and complete. If your request is denied,
    you will be informed of the reason for the denial and will have an opportunity to submit a statement of
    disagreement to be maintained with your records.
  • Request restrictions. You have the right to request a restriction on uses or disclosures of any part of your
    health information for a particular reason related to treatment, payment or health care operations.
    We will consider your request, but we are not legally obligated to agree to a requested restriction except in
    the following situation:
    If you have paid for services out-of-pocket in full, you may request that we not disclose information related
    solely to those services to your health plan. We are required to abide by such a request, except where we are
    required by law to make the disclosure. Any request for a restriction should be submitted in writing to the
    Data Protection Officer.
  • Request to receive confidential communication. You have the right to receive confidential communications
    from us by alternative means or at an alternative location. Such a request should be submitted in writing to
    the Data Protection Officer. There may be a cost attached to this request at a fee determined by RKJMS.
  • Request an accounting of disclosure. You have the right to receive a paper copy of the current Notice of
    Privacy Practices for Personal Data by making a request to our office location(s). There may be a
    cost attached to this request at a fee determined by RKJMS.
  • Request to be informed of how your personal data is collected and processed. This is through
    this privacy notice.
  • Request not to be subjected to automated decision-making. You have the right to demand human intervention
    in instances where decisions about your health care and data may otherwise be processed automatically
    using algorithms.
  • Request to be deleted (Have your data removed from the hospital records) – We will consider your request,
    but we are not legally obligated to agree to a requested deletion as it may interfere or conflict
    with other legal bases of data processing.
  • Withdraw consent despite already having given consent.

Important to note while exercising your rights that:

  • The documentation we maintain is the physical property of Dr Rasik Kantaria Jalaram Medical Services.
    The information in it, however, belongs to you.
  • While RKJMS recognizes the above rights, it also recognizes that the Data Protection Act, 2019 and
    its attendant Regulations provide for certain scenarios in which the Hospital may decline to act in a manner
    requested by data subjects. If the Hospital declines, it will act in compliance with the Data Protection Act, 2019
    and communicate the grounds thereof with the data subject in a manner stipulated under the said law.
  • RKJMS being a duly registered corporate body, it complies with several regulatory bodies that are formed by
    statutes passed into law. Where there are conflicting positions in the laws that govern such regulatory
    bodies, while acting on requests made by data subjects, RKJMS shall comply and/or act in a manner or practice
    approved by the regulator in charge of the specific request made by a data subject. For instance, where a
    request is made relating to healthcare matters, RKJMS will act in the manner prescribed by the Kenya
    Medical Practitioners and Dentists Council and/or where a request is made relating to sharing of tax related
    information, RKJMS shall act in a manner or practice approved by the Kenya Revenue Authority.
  • While a data subject has the right to object to provision of any personal data that may be requested by RKJMS,
    it is imperative that the data subject also take note of the fact that failure to provide requested data needed
    for operational purposes may lead to services not adequately and/or ultimately being provided.

How your patient records are used to help you.

  • Your doctor, nurse or any other healthcare professional involved in your care needs to
    have accurate and up-to-date information to assess your health.
  • A record of any treatment or care you receive in hospital needs to be kept, in case you
    return for further treatment.
  • This information is available should you have to see another doctor at RKJMS.
  • Your records are a good basis for hospital staff to assess the type and quality of care you
    have received.
  • Your concerns can be properly investigated if you need to complain.

How your patient records are used to help RKJMS.

  • Review the care we provide for you and other patients, to ensure it is of the highest standard.
  • Help to ensure our services can meet patients’ needs in the future.
  • Teach and train healthcare professionals.
  • Conduct health research and development.
  • Make sure your hospital gets paid for your treatment.
  • Audit the Hospital’s services and accounts.
  • Investigate complaints, legal claims or untoward incidents.

Anonymous statistical information may also be passed to organisations with a legitimate
interest in health care and its management, including universities, community safety units
and research institutions.

Where it is not possible to use anonymous information, personally identifiable information
may be used for essential hospital purposes such as research and auditing.  This will only
be done with your consent, unless permitted by the law.

How we keep your records confidential

Everyone working for RKJMS has a legal duty to keep information about you confidential.

You may receive care from other people as well as RKJMS. We may need to share some
information about you so that we can all work together for your benefit. We will only ever
use, or pass on, information about you if others involved in your care have a genuine need
for it such as our partner organisations which we have listed in this booklet.

We will not disclose your information to third parties outside health and social care without
your consent unless there are exceptional circumstances.  These may be in situations when
the health and safety of others is at risk, or where the law permits information to be passed
on.  Anyone who receives information from us is also under a legal duty to keep it
confidential.

We are required by law to report certain information to the appropriate authorities. This is
only provided after formal permission has been given by a qualified health professional.

Occasions when we must pass on information include:

  • Where we encounter infectious diseases which may endanger the safety of others, such
    as meningitis, or measles (but not HIV/AIDS).
  • Where a formal court order has been issued.
  • Where a serious crime has been committed or a terrorist incident.

Complaints and Legal Claims

In order to deal with issues raised by you or to process your complaint or claim, staff within
our medical department will access your medical records and may share this information
with other staff as well as external third parties where applicable, including our lawyers.

Social Media

When you use our website or interact with our social media presence (e.g. Twitter,
Instagram and Facebook) your data (e.g. comments, likes, reviews) may be visible to
providers of social networking services and their users.

We suggest that you review the privacy and security settings of your social media accounts
to ensure you understand how your data may be shared and used.

Automated decision-making and profiling

RKJMS does not carry out automated decision making but if it does so in future it will notify
you.

Transfers of your information outside of Kenya or international organisations

It may sometimes be necessary to transfer personal information overseas. When this is
needed, information is only shared where appropriate safeguards have been put in place to
protect your information.

Any transfers made will be in full compliance with all aspects of current data protection
legislation.

How long do we hold your information for?

We retain health records for various periods as per our Data Retention Policy at RKJMS; we
may keep it for longer if we believe doing so will be of benefit to you or we are not able to
delete it, due to a technical issue for example.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you.
  • Keep records about you confidential and secure.

Your rights in respect of restricting our processing of your information:

  • Your right to access:

This means you have a right to access your data. This Privacy Notice explains how
you can access your personal data.

  • Your right to be informed:

This means you have a right to be informed about the way we collect and use your data. 
This is why we are publishing this Privacy Notice.

  • Your right to rectification:

This means you have the right to have inaccurate (incorrect or misleading as to any matter
of fact) personal data corrected or completed.

  • Your right to have your personal information erased:

This right is not absolute and only applies in certain circumstances.

You can request either in writing or verbally to have your information erased. We will
respond to your request within fourteen (14) days.

When does the right to erasure not apply?

  • if the processing is necessary for public health purposes in the public interest (e.g. protecting
    against serious cross-border threats to health, or ensuring high standards of quality and
    safety of health care and of medicinal products or medical devices); or
  • if the processing is necessary for the purposes of preventative or occupational
    medicine (e.g. where the processing is necessary for the working capacity of an
    employee; for medical diagnosis; for the provision of health or social care; or for
    the management of health or social care systems or services);
  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the
    exercise of official authority;
  • for archiving purposes in the public interest, scientific research,
    historical research or statistical purposes where erasure is likely to
    render impossible or seriously impair the achievement of that
    processing; or
  • for the establishment, exercise or defence of legal claims.

  • Your right to restrict processing:

This means that you can request that the processing of your data be blocked and your data
stored separately.

  • You may request a restriction verbally or in writing. This is not an absolute right
    and will depend on the circumstances of your request.
  • The length of time the restriction will apply for will depend on the
    circumstances of your request.
  • If you restrict our processing of your data we are permitted to store the
    personal data, but not use it.
  • We will respond to your request within fourteen (14) days.

You have the right to restrict the processing of your information in the following
circumstances:

  • You contest the accuracy of your personal data and we are verifying the accuracy of the data.
  • We no longer need the personal data but you need to keep it in order to establish,
    exercise or defend a legal claim; or
  • You have objected to RKJMS processing your data under section 34(1) of the Act,
    and RKJMS is considering whether RKJMS’s legitimate grounds override
    yours (the individual).

How might we restrict processing?

We may:

  • Make the data unavailable to users.

When will a restriction be removed?

Once we have made a decision on the accuracy of the data, or whether our legitimate
grounds override those of the individual, we may decide to lift the restriction. We will inform
you before we lift the restriction.

  • Your right to data portability

This means that you can request a secure transfer of your data to another Data Controller.
The right to data portability only applies when:

  • the data is about you and was provided by you to RKJMS;
  • the processing is based on your consent or for the performance of a contract; and
  • the processing is carried out by automated means.

  • Your right to object

This means that you have the right to object to RKJMS processing your data where the processing
is based on:

  • legitimate interests or the performance of a task in the public interest/exercise of
    official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

You must have an objection on “grounds relating to your particular situation”.
The right to object to direct marketing is an absolute right and we will not send you any
direct marketing communication (text, email…) unless we have your explicit consent.

  • We will stop processing your information unless:
    • We can demonstrate compelling legitimate grounds for the processing, which
      override your interests, rights and freedoms; or
    • the processing is for the establishment, exercise or defence of legal claims.
    • RKJMS is conducting research where the processing of personal data is
      necessary for the performance of a public interest task, in which case RKJMS is
      not required to comply with an objection to the processing.
  • Your right to withdraw your consent

This means that in situations where you have given your explicit consent for your
information to be processed you have the right to withdraw your explicit consent for the
processing of your information. 

Please note that this does not apply to your individual care, which is provided under another
legal basis (please see above).

You can withdraw your consent by informing the department / team that took your consent.
You can do this in writing or verbally.

The fact that consent may be obtained for confidentiality purposes does not mean that
consent must also be the lawful basis applied for the purposes of processing data in
compliance with the Act.

It should be noted that data protection requirements (the Act) do not affect the common law
duty of confidence (confidentiality).

Please keep us informed of any changes to your personal data by emailing us with full
details of the changes at dpo@jalaramnairobi.org

2. Closed Circuit Television (CCTV)

RKJMS makes use of CCTV systems for security and crime prevention and the lawful basis
for processing CCTV generated personal data is our legitimate interest as the data
controller.

3. If you email us

Please note that emails sent to us may not be secure in transit and that we cannot take any
responsibility for the security of your email before it is received by RKJMS. We may choose
not to reply via email if we have concerns regarding confidentiality and/or security.  Please
also note that we may use email monitoring or blocking software.

Email is not a guaranteed delivery service – if your communication is important please
confirm we have received it by other means.

You have a responsibility to ensure that any email you send to us is within the bounds of
the law.

4. Further information

If you would like to know more about how we use your information or if, for any reason, you
do not wish to have your information used in any of the ways described in this leaflet, then
please speak to your health care professional.

You can also contact dpo@jalaramnairobi.org

If you feel that we have not adequately dealt with your query or complaint regarding how we
process your information, you can raise the issue with the Office of the Data Protection
Commissioner, which is the supervisory authority for Kenya (the Regulator), at the address below:

Office of the Data Protection Commissioner of Kenya
By phone: 0207801800
By email: info@odpc.go.ke
Website: https://www.odpc.go.ke/

5. How you can get access to your information

The Data Protection Legislation allows you to find out what information is held about you on
computer and in certain manual records, including your health records, personnel files (for
staff) and other systems. This is known as the “Right of Subject Access”, or a Subject Access
Request.

Although the Act does not require you to fill in a form, doing so will help RKJMS in
identifying the information you require and guide you in what proof of identity you need to
provide.

If you choose to apply by letter we would ask you to be as clear as possible in stating the
information you require and to provide the proofs of identity. We have provided forms on
our website.

Please note:

  • You can ask for corrections to the record.  RKJMS will either make the necessary
    correction or make a note in the relevant part of the record of the matters which
    you say are inaccurate. You will be provided with a copy of the correction or note
    free of charge.
  • In line with the Act we aim to provide a copy of the record within one month of
    receipt of the completed application form and fee (if applicable).  Please bear in
    mind the turnaround time if you have upcoming appointments where the records
    may be required.  It is also not possible to provide copies of records for in-
    patients as the records are still required on the ward.
  • If you wish to make a complaint on any aspect of the way in which we have
    handled your request for access to your information, you can write to the Data
    Protection Officer.  Please see below for details.

Please send the completed application form / letter of request plus copies of proof of ID and
address etc. to:

Data Protection Officer
dpo@jalaramnairobi.org

Should you remain unhappy after our communication, you can apply to:

The Office of the Data Protection Commissioner
By phone: 0207801800
By email: info@odpc.go.ke
Website: https://www.odpc.go.ke/
