Privacy Policy & Data Protection Notice

Our Commitment to Your Privacy

Dr. B. Mbira Gikonyo ("we", "us", or "the Practice") is committed to protecting the privacy and confidentiality of your personal and health information. This Notice describes how information about you may be used and disclosed, and how you can obtain access to that information.

We are committed to complying with the Kenya Data Protection Act, 2019 (the "DPA") and any regulations made thereunder, as administered by the Office of the Data Protection Commissioner (ODPC). We will only collect, use, and share your personal data in the ways described in this Notice.

Information We Collect

Health & Clinical Information

As part of providing medical care, we collect and maintain records including:

• Medical history, diagnoses, and treatment records
• Test results, imaging, and laboratory reports
• Medications prescribed and administered
• Notes from consultations and follow-up appointments

Personal Information

We also collect personal contact and billing information including your full name, address, date of birth, national ID or passport number, phone number, email address, insurance details, and payment records.

Website Information

When you visit our website, we may collect standard technical information such as IP address, browser type, and pages visited. This data is used only to improve our website and is not linked to your health records.

Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process your personal data on the following legal bases:

• Consent: Where you have provided explicit consent, such as when you complete our contact or booking forms.
• Contractual Necessity: To provide the healthcare services you have requested.
• Legal Obligation: Where processing is necessary to comply with Kenyan law, including the Medical Practitioners and Dentists Act, the Public Health Act, and the Work Injury Benefits Act (WIBA).
• Vital Interests: To protect your vital interests or those of another person in an emergency.
• Legitimate Interests: For our legitimate business interests, such as improving the quality of care, where these interests are not overridden by your rights.

How We Use Your Information

Treatment

We use your health information to provide, coordinate, and manage your healthcare and any related services. We may share your information with other physicians or healthcare providers involved in your treatment, with your knowledge and consent.

Payment & Insurance

We may use your health information to process payment for services rendered, including billing your insurance provider (e.g., SHA/NHIF, Jubilee Health, AAR, Britam, CIC, APA, Madison, UAP, Resolution Health, or other panels). We may also process payments via M-Pesa, card, or cash.

Healthcare Operations

We may use your health information for operational purposes including quality assessment and improvement, reviewing the competence of healthcare professionals, medical education, legal services, and auditing functions.

Disclosures Required or Permitted by Law

We may disclose your health information without your authorisation in the following circumstances, as required or permitted under Kenyan law:

• Public Health Activities: To report communicable diseases, injuries, or adverse drug reactions as required by the Public Health Act (Cap. 242) or Ministry of Health directives
• Law Enforcement: Under specific legal circumstances, including court orders or formal requests from authorised agencies
• Judicial Proceedings: In response to a court order, subpoena, or other lawful judicial process
• Research: Under strict privacy protections, with appropriate ethical approval from a recognised Kenyan ethics review body (e.g. KEMRI SERU or NACOSTI)
• Serious Threats: To prevent a serious and imminent threat to public health or safety
• Work Injury Benefits: For work-related injuries and illnesses under the Work Injury Benefits Act, 2007

Your Rights Under the Kenya Data Protection Act 2019

Under the DPA, you have the following rights with respect to your personal data:

• Right of Access: Request a copy of the personal data we hold about you (Section 26, DPA)
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose it was collected, subject to legal record-keeping obligations
• Right to Object: Object to the processing of your data for direct marketing or where processing is based on legitimate interests
• Right to Restrict Processing: Request that we limit how your data is used in certain circumstances
• Right to Data Portability: Receive your data in a structured, commonly used format where technically feasible
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact our Data Protection Officer (details below). We will respond within the timeframes required by the DPA.

Website Privacy

Our website does not use tracking cookies for advertising purposes. We use only essential cookies necessary for the site to function correctly. Any data submitted through our contact or booking forms is transmitted over a secure (HTTPS) connection.

Our website may contain links to external websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.

Data Security

We implement appropriate technical, administrative, and physical safeguards to protect your personal data against unauthorised access, use, or disclosure, in accordance with the Kenya Data Protection Act 2019. All electronic health records are stored on encrypted systems with access restricted to authorised staff only. Staff who handle patient data are trained on data protection obligations.

Data Retention

We retain patient health records for a minimum of 10 years from the date of the last consultation, in line with Kenyan medical practice guidelines and the Limitation of Actions Act. After this period, records are securely destroyed. Contact and enquiry data submitted via our website is retained for no longer than 2 years unless you become a patient.

Changes to This Notice

We reserve the right to update this Notice from time to time to reflect changes in law or our practices. The current version will always be available on our website. If we make material changes, we will notify you directly where practicable.

Complaints

If you believe your data protection rights have been violated, you may:

• Contact our Data Protection Officer directly (details below)
• Lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya — the supervisory authority under the Data Protection Act 2019

We will not retaliate against you for exercising your rights or filing a complaint.