Introduction
1. At Gertrude’s Institute of Child Health and Research (“Gertrude’s” “training School” or “we” or “our”), we are committed to safeguarding the privacy and security of your personal data.
2. Personal data means ‘any information relating to an identified or identifiable natural person’.
3. This Student Data Privacy Notice describes how we collect and use personal data about you, in compliance with the Data Protection Act, 2019 (the Act) and the regulations under the Act, (all together, Data Protection Legislation).
4. Gertrude’s is a “data controller”. This means that we are responsible for deciding how we hold and use personal data about you. The Data Protection Legislation requires that we notify you of the information contained in this privacy notice.
5. It is important that you read this privacy notice together with any other privacy policy or notice, we provide on specific occasions when we collect or process personal data about you to ensure that you are fully aware of how and why we are using your data and what your rights are under the data protection privacy.
2. The kind of personal data we process about you
We will collect, use, store, transfer or otherwise process personal data about you including:
a. Personal details such as your name, title, gender, nationality, marital status, date of birth, place of birth, age, national identification/passport number, addresses, telephone numbers, personal email addresses, genetic information, biometric data, information about your next of kin, dependents, and other family members.
b. Application and Admission Data: including initial inquiries, application forms, academic records, credentials, CVs, interview details, admission letters, and certificate verification details.
c. Student File Data: containing student biodata, admission form, and next of kin details.
d. Biometric Data: fingerprints taken for access control.
e. Examination Data: including details and results from virtual/online and written/in-class examinations, stored on the examination/e-learning portal.
f. Attendance Records: Class attendance registers/attendance sheets.
g. Library Records: Details necessary to process library pass and issue books.
h. Third-Party Sharing Data: Details shared with third-party institutions for attachment/training purposes.
i. Any other data necessary for the provision of educational services.
3. How is your personal data collected?
1. We collect your personal data from a variety of sources, but in most circumstances directly from you.
2. We will collect your personal data throughout the application and admission process directly from you.
3. You will typically provide your personal data through application forms, emails, submitted documents, and during interviews and registration processes.
4. In some circumstances, personal data may be collected indirectly through monitoring devices or by other means (for example, building and location access control and monitoring systems), if and to the extent authorized by applicable laws.
5. Apart from your own personal data, we may also require that you provide us with the personal data of third parties such as your dependants and other family members, for purposes of school administration, including the administration of emergency contacts.
6. Before you provide us with such third-party personal data, you must first inform these third parties of any such information that you intend to provide and of the processing that we will carry out, as detailed in this notice.
4. How do we use your personal data?
Subject to applicable law including the Data Privacy Legislation, we may store and process your personal data for the following purposes:
a. Admissions and Enrollment:
i) To process applications and determine eligibility for courses.
ii) To verify the authenticity of provided documents. iii) To issue admission letters.
b. Student Records Management:
i) To create and maintain student files.
ii) To record and manage attendance.
c. Academic Activities:
i) To facilitate access to school/hospital facilities. ii) To conduct examinations and record results.
iii) To share examination results with the Nursing Council of Kenya (NCK) and the TVET, where applicable.
iv) To issue graduation certificates.
d. External Training and Engagements:
i) To share details with third-party institutions for attachment/training purposes.
e. Library Services:
i) To enable library access and book issuance.
f. Use of data for profiling and predictive analysis.
g. Complying with legal obligations.
5. Legal basis for processing your personal data
We will only collect, use, and share your personal data where we are satisfied that one of the following legal bases apply to a specific processing activity:
a. The processing is necessary for us to comply with a legal obligation to which we are subject, for example, disclosing information to regulatory authorities.
b. The processing is necessary for the performance of a contract to which you are a party or to take steps, at your request, prior to entering into such a contract, for example, processing information for your enrollment and academic activities.
c. The processing is based on your consent.
d. The processing is necessary for the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or rights and freedoms which require protection of personal data.
e. The processing is necessary to protect your interests (or someone else’s interests).
f. The processing is necessary to perform a task carried out in the public interest or for official purposes.
g. Processing for Historical, statistical, journalistic, literature and art or scientific research, and must be processed in a manner that would not result in the personal data being published in an identifiable format.
5. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
6. If you fail to provide your personal data
If you fail to provide certain personal data when requested, we may be unable to provide you with our services, such as processing your enrollment or facilitating your academic activities.
7. Change of purpose
a. We will use your personal data solely for the purposes for which it was collected, unless we reasonably believe that we need to use it for another reason that is compatible with the original purpose.
b. If we need to use your personal data for an unrelated purpose, we will notify you, explain our legal basis and obtain your consent to process your personal data for that unrelated purpose.
c. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
8. Who do we share your personal data with?
a. We may share your personal data with third parties including:
i) Third-party service providers, including our professional advisors.
ii) Regulatory bodies such as the Nursing Council of Kenya (NCK) and TVET. iii) Third party institutions for attachment/training purposes. iv) Vendors
b. We will share your personal data with third parties where it is required by law, where it is necessary to administer your academic engagement with us, or where we have another legitimate reason to do so.
c. We require third parties to respect the security of your personal data and to treat it in accordance with the law.
d. We will also share your personal data with third parties where you request us in writing to do so. However, we do not have control over how such third parties will use your personal data.
9. Transferring personal data outside Kenya
We may transfer your personal data to other regulatory and governmental authorities, and other entities located in countries outside Kenya, including countries which have different data protection standards to those which apply in Kenya.
When we transfer your personal data outside Kenya to other entities, we will ensure that they protect your personal data in accordance with the requirements under the Data Protection Legislation and that it is kept secure and receives at least a similar level of protection as that which it receives in Kenya.
10. How long will we use your personal data?
We will only retain your personal data for as long as necessary to accomplish the purposes for which it was collected, including complying with any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether those purposes can be achieved through alternative means, and the applicable legal requirements.
In some circumstances, we may anonymize your personal data so that it can no longer be linked to you, in which case we may use such anonymized information without notifying you further.
Student files are retained by the school indefinitely, while biometric data is deleted upon student clearance, in accordance with our data retention schedule.
11. What Data Protection Rights Do You Have?
Subject to certain exceptions and limitations, you have a number of legal rights in relation to the personal data that we hold about you. These rights include the right to:
a. Right to be informed and duty to notify: Data subjects have the right to be provided with clear and concise information about how their personal data will be used.
b. Right to Access personal data
c. Right to object to processing of personal data
d. Right not to be subject to automated decision-making
e. Right to rectification or erasure of personal data: rectify inaccurate data and can request their data to be erased.
f. Right to data portability
If you want to exercise any of these rights, please contact our Data Protection Committee in writing dpc@gerties.org
We will process your request without undue delay and in accordance with the requirements of the Data Protection Legislation.
12. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the Office of the Data Protection Commissioner of a breach where we are legally required to do so.
13. Automated Decision-Making
We do not currently engage in automated decision-making. If this changes, we will notify you and provide you with the opportunity to object.
14. CCTV and Surveillance
CCTV cameras are used on school premises for security and safety purposes. Recordings will be kept for a limited period and accessed only by authorized personnel.
15. Parental Consent
Where the student is a child (under 18 years), we will obtain consent from a parent or guardian for the processing of the child’s personal data.
16. Publication of Exam Results
We will not publish exam results in a manner that publicly discloses individual student’s results without explicit consent.
17. Photographs and Videos
Photographs and videos of students will only be taken and used with valid consent for school-related purposes.
18. Changes to this privacy notice
We may change this privacy notice from time to time. When we make changes, we will notify you.
19. Contact Us
If you have any questions about this privacy notice or how we handle your personal data, please contact us. dpc@gerties.org or TrainingSchool@gerties.org
