Job candidates are now legally entitled to access any adverse reports used to disqualify them.
A quiet phone call between two Human Resources (HR) managers can now cost an employer hundreds of thousands of shillings and potentially a lawsuit.
That warning is no longer theoretical. It is grounded in the Office of the Data Protection Commissioner's (ODPC) decision that is reshaping hiring practices and exposing a hidden culture of secret job references.
One decision concerned the case of Margaret Nzila, a financial sector expert and a job seeker. The ODPC found that her former employer shared adverse information with her prospective employer without her consent.
She never saw the reference. She only felt the consequences as the job opportunity slipped away after the new employer conducted background checks on her.
She had secured a new role as Finance Manager in January 2024 and was on a six-month probation when the employer changed its mind about hiring her.
Unknown to her, the former employer sent negative reports based on internal audits conducted after she had left employment. In 2024, she lost another job offer for a chief executive officer position in a savings and credit society following the background checks.
The information was never shared with her, and when she demanded access to the reference letters, the former employer refused.
This prompted Nzila to seek the intervention of the Data Commissioner, arguing that she was in danger of potential loss of future job opportunities.
The regulator found that the employer had breached her right to access personal data and unlawfully processed her information.
“Reference checks constitute processing of personal data,” the decision states. “The data subject has a right to be informed and to access such data.”
The ODPC ruled that such references are not casual workplace conversations. They are personal data. And sharing them without a lawful basis violates the law.
Nzila was awarded Sh250,000 in compensation. The employer was also ordered to release the reference letters that had been kept from her.
The ruling has exposed a widespread but largely invisible practice in the labour market and hiring culture, involving quiet exchanges between employers that can make or break careers without explanation.
Another complaint before the regulator in 2023 alleged that a private higher education institution shared personal data about a teacher with a prospective employer without consent.
The new employer wrote to the school inquiring about the performance, validity or authenticity of his payslips, which he had provided as evidence of the salary he was receiving.
The HR manager of the previous employer reviewed the file and responded, confirming that the attached payslip was forged and the salary details were incorrect. It went further to furnish the teacher's new employer with the correct salary figures.
The teacher was aggrieved and filed a complaint with the Data Commissioner alleging breach of his rights.
The claim failed for lack of proof after the Commissioner found the complainant had signed an "Employee Privacy Notice" with his former employer, consenting to the processing of his personal information for "prevention of fraud".
However, the regulator affirmed that such disclosures are regulated processing. The case exposed a key problem—what is often said in private is hard to prove.
For decades, many employers and their hiring managers have relied on backchannel calls and confidential references to vet job candidates.
Many of these conversations happen off the record, and some include negative or unverified claims about former employees.
Candidates rarely know what is said. They only receive rejection emails or silence from the prospective employer.
Now, long-standing HR discretion is being recast as regulated conduct under the Data Protection Act, 2019.
In a separate matter involving hiring checks, the regulator found that adverse information used during recruitment must be disclosed to the candidate on request, and that background reports are personal data.
"The respondent had an obligation to provide the complainant access to his personal data in the form of the purported adverse report against the complainant," said the regulator.
The decision underscored that job candidates must know what information influenced hiring outcomes. It reinforced a growing line of rulings that opaque vetting can breach data rights.
The complainant approached the ODPC claiming that a micro-bank had made negative use of his personal data and discriminated against him in accessing a job opportunity. He sought to access the personal data that led to his disqualification from employment, but the bank did not share the information.
He had been interviewed for a job opportunity and signed a consent form authorising the bank to run background checks on him, including on his character and reputation.
The complainant argued that the processed data was used against his selection and hence it was in his best interest to access the data and the source to enable him to follow up for resolution. ODPC ruled that his rights were breached and ordered the bank to provide him with the information.
Legal experts say these decisions mark a turning point. “This is a clear signal that HR practices must comply with data protection principles,” said an advocate. “You cannot share personal information, especially adverse opinions, without consent and expect no consequences.”
The advocate added that employers must rethink how they conduct reference checks. “The law requires transparency, fairness and accountability. Anything less exposes employers to liability.”
Other ODPC decisions show a broader pattern of misuse of employee data. In another recent case, an employer was faulted for sharing a former employee’s ID with a third party without a lawful basis.
In another case, a telecommunications firm was penalised for secretly recording a former employee and refusing to delete the recording. A separate determination found that publicly exposing personal data breached the law.
Together, these rulings show that unlawful disclosure—whether to a new employer, a vendor or the public—is attracting sanctions.
The ODPC decision makes it clear that a reference is not just an opinion. It is regulated information tied to an individual’s identity and reputation.
Employers must now demonstrate a lawful basis before sharing such data. Consent is the most obvious route. Without it, the risk increases.
Equally important is the employee’s right to access that information. Nzila had asked for the reference letters. The refusal to provide them was found to be a separate breach of the law.
“Failure to provide such data upon request is a violation,” the regulator noted in its findings. “Data subjects have the right to access personal data held about them,” the ODPC stated.
However, employers insist candid references are necessary to avoid costly hiring mistakes and protect organisations from risky employees.
But workers see it differently. They argue that undisclosed, negative references amount to silent blacklisting that can destroy careers without explanation or recourse.
Human resource practitioners say the rulings could send shockwaves through the profession.
“Many HR managers are used to informal reference checks. It is how things have always been done,” said a senior HR consultant who requested anonymity due to the sensitivity of the matter.
“But these decisions may change everything. You now have to document, justify and sometimes even disclose what you say about a former employee.”
She warned that organisations without clear HR policies are most exposed.
“Some managers still pick up the phone and speak freely. That is risky. If the information is negative and the candidate was not aware, it can lead to complaints and penalties.”
The shift could force companies to review internal procedures.
Employers are being advised to formalise reference requests, obtain written consent from candidates and ensure that any information shared is accurate and necessary.
Anything beyond that could be deemed excessive. The stakes are high because employment decisions often hinge on trust. A single negative remark, even if informal, can derail a candidate’s prospects.
Yet the law now demands that such remarks be handled with care. The ODPC, in its rulings, has also emphasised that employees retain rights over their data even after leaving employment or a job interview. That includes the right to know who has received their information and what was shared.
This principle is particularly significant in a competitive job market where background checks are becoming more common.
Employers argue that references are essential to avoid hiring risks. They say they need candid assessments to protect their organisations.
But regulators are drawing a line. “Processing must be lawful, fair and transparent,” the ODPC noted in its decision. “Personal data shall not be processed in a manner that infringes on the rights of the data subject.”
This balancing act, between employer caution and employee rights, is now at the centre of evolving workplace law.
Cases like Nzila’s suggest that the era of unchecked HR discretion is ending. Instead, employers are being treated as data controllers with legal obligations.
Failure to comply can attract financial penalties, reputational damage and legal action.
For job seekers, the emerging rulings offer a measure of protection in an old, opaque system.
They give them the right to question, to access and to challenge information that may affect their careers.
But enforcement remains a challenge as many candidates may never know that a negative reference was shared, while others may lack the resources to pursue complaints.
Even so, the message from the regulator is clear: Quiet conversations about employees are no longer private; they are regulated acts with legal consequences.