Privacy Policy

Afya International Hospital — Effective: [Insert Effective Date]
This notice explains how we collect, use, disclose and protect personal data for patients, visitors and users of our services.
Print / Save PDF

Overview

At Afya International Hospital ("we", "us" or "the Hospital") we are committed to protecting the privacy and security of personal data. This policy is written from the perspective of our Data Protection Officer (DPO) and is intended to meet the requirements of the General Data Protection Regulation (GDPR), the Kenyan Data Protection Act 2019 and other applicable laws.

1. Data we collect

We may collect the following categories of personal data when you access our services, visit our facilities or use our website:

  • Identification: name, date of birth, national ID/passport number, next of kin.
  • Contact: telephone numbers, email address, postal address.
  • Health / Clinical: medical history, diagnoses, treatment records, prescriptions, lab results, radiology images and notes — this is special category data under GDPR.
  • Financial: insurance details, billing and payment records.
  • Technical: IP address, device information, patient portal usage, cookies.

2. How we use your data

We process personal data to:

  • Provide medical care, diagnosis and treatment;
  • Maintain medical records and manage appointments and billing;
  • Fulfil legal and regulatory reporting obligations;
  • Communicate with you about your care, test results, or appointments;
  • Improve our services, run quality assurance and staff training.

3. Lawful basis for processing

Our legal bases for processing personal data include:

  • Contract: necessary to provide healthcare services and manage payments;
  • Legal obligation: where law requires reporting or retention (e.g. public health reporting);
  • Vital interests: processing required to protect life in emergencies;
  • Consent: where we ask for explicit consent (e.g. marketing communications);
  • Legitimate interests: for operational improvements and security (balanced against your rights).

4. Sharing and disclosure

We only share personal data when necessary and with appropriate safeguards:

  • Other healthcare professionals involved in your treatment;
  • Laboratories, diagnostic partners and referral hospitals;
  • Insurers and payment processors (with your authorisation where required);
  • Regulatory or public health authorities when required by law;
  • IT and cloud providers who process data on our behalf under contract and confidentiality terms.

5. Data retention

We retain personal data only as long as necessary for the purposes for which it was collected or to meet legal obligations. Typical retention periods (please update with your hospital policy):

  • Medical records: [7–10 years] after last treatment or in line with statutory requirements;
  • Financial and billing records: [6–10 years] (for audit and tax purposes);
  • Website logs and cookies: [up to 24 months] depending on purpose.

At the end of the retention period, records are securely deleted or anonymized.

6. Data security

We implement appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS/SSL) and at rest where practicable;
  • Role-based access controls and user authentication for staff;
  • Regular staff training, audits and security assessments;
  • Contractual safeguards with third-party processors.

7. Your rights

Under GDPR and the Kenyan Data Protection Act you have rights, including:

  • Access: request a copy of your personal data;
  • Rectification: correct inaccurate information;
  • Erasure: ask us to delete data subject to legal limits;
  • Restriction: request processing be limited in certain cases;
  • Portability: obtain your data in a structured, machine-readable format;
  • Object: object to processing based on legitimate interests or direct marketing;
  • Withdraw consent at any time where processing is based on consent.

To exercise your rights, contact the Data Protection Officer at the details on the right. We will respond within applicable statutory timeframes.

8. Cookies & online services

We use cookies and similar technologies on our website to provide essential functionality and improve user experience. You can manage cookie preferences in your browser. For details about the cookies we use and their purpose, see our Cookie Notice.

9. International transfers

If we transfer personal data outside Kenya or the EU/EEA, we will ensure appropriate safeguards are in place such as Standard Contractual Clauses, binding corporate rules or other measures to ensure an adequate level of protection.

10. Children’s data

We only collect and process personal data of children where necessary for their healthcare and with the consent of a parent or guardian.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified on our website and, where appropriate, by other means.

Short data flow diagram (who we share with)
  1. Patient → Hospital intake system (medical + contact data)
  2. Hospital → Clinical teams (treatment)
  3. Hospital → External labs / imaging partners (test results)
  4. Hospital → Insurer / billing (payment)
  5. Hospital → Regulators (where legally required)

Prepared by the Data Protection Officer — Afya International Hospital

If you need this policy in another language or an accessible format contact the DPO.