Privacy Policy

Kasarani Maternity and Nursing Home – Privacy Policy

This Privacy Notice sets out how Kasarani Maternity & Nursing Home (“we”, “our”, or “us”) collects, uses, stores, and protects your personal data when you visit or interact with our website. It also sets out your rights as a data subject under Kenya’s Data Protection Act, 2019.

We know that the information you share with us, especially anything related to your health, is personal in the truest sense. We do not take that lightly. Every member of our team is bound by strict standards of confidentiality, professionalism, and ethical conduct. Our practices are designed to comply fully with the Data Protection Act, 2019, its accompanying regulations, and the medical ethics obligations that apply to healthcare providers in Kenya.

Kasarani Maternity & Nursing Home acts as both a Data Controller and a Data Processor in relation to the personal data you provide to us, and we are duly registered with the Office of the Data Protection Commissioner (ODPC) in both capacities, as required by law. 

1. Introduction 

1.1. Kasarani Maternity & Nursing Home has operated at the heart of the Kasarani community since 1990, providing maternity and nursing care to families across Nairobi and beyond. Our website supports that mission by serving as an information and communication platform, a place where patients, caregivers, and members of the public can learn about our services and reach us directly. 

1.2. Through our website, you can explore what we offer and get in touch with us, whether to ask a question, request an appointment, or send a general enquiry via our contact forms. Our website does not include patient portals, user accounts, or mobile applications, and you are never required to register or create a profile to access information on our site.

1.3. In running our website and responding to incoming messages, we collect a limited amount of personal data, only what is reasonably necessary to respond to you effectively. This may include basic contact details and, in some cases, health-related information you choose to share with us voluntarily. Where you share anything relating to your health, we treat that information as sensitive personal data under the DPA 2019, and handle it with the highest level of care, confidentiality, and legal compliance. 

1.4. We process the personal data collected through this website only for legitimate healthcare, administrative, and communication purposes that are directly connected to the services we provide. We do not collect your data for its own sake, and we do not use it for any purpose that would surprise you. 

1.5. This Privacy Notice applies specifically to personal data collected through our website. Information gathered during in-person consultations, medical treatment, or other offline engagements is governed by the Data Protection Act, 2019, our professional and ethical obligations as a licensed healthcare provider, and our internal data governance policies. 

1.6. We may update this Privacy Notice from time to time, for instance, to reflect changes in the law or adjustments to how we operate. Any updates will be published on this page, and the version currently displayed will be the one in effect. We encourage you to check back periodically. 

1.7. This Privacy Notice applies to all visitors to our website and to anyone who engages with us through this platform, including patients, caregivers, and members of the public.

2. Definition of terms 

2.1. We/our/us refers to Kasarani Maternity & Nursing Home.

2.2. Data Protection Officer refers to the designated officer responsible for overseeing compliance with the Data Protection Act, 2019, handling data subject requests, advising on data protection matters, and acting as the primary contact point with the Office of the Data Protection Commissioner.

2.3. Data Collection refers to the act of gathering information that relates to you, whether directly from you or through your interaction with our website.

2.4. Personal data means any information relating to an identified or identifiable natural person, whether directly or indirectly. In the context of our website, this may include information such as your name, phone number, email address, identification details, and any other information you voluntarily provide when making enquiries or requesting appointments.

2.5. Sensitive personal data means personal data that requires a higher level of protection under the law. This includes information relating to your health, medical history, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, or any other data classified as sensitive under the Data Protection Act, 2019. In a healthcare setting, this primarily includes health and medical information.

2.6. Processing means any operation or set of operations performed on personal data, whether by automated or manual means. This includes collection, recording, organisation, storage, use, disclosure, transmission, retrieval, consultation, restriction, or deletion of personal data.

2.7. Data Controller & Processor refers to Kasarani Maternity & Nursing Home, which determines the purpose and manner in which personal data is processed in accordance with the Data Protection Act, 2019.

2.8. Website refers to the official website operated by Kasarani Maternity & Nursing Home, through which information about our healthcare services is provided and through which enquiries or appointment requests may be submitted.

2.9. You/Your(s) refers to any individual who accesses our website, submits personal data through it, or otherwise interacts with Kasarani Maternity & Nursing Home via the website.

2.10. Consent means any freely given, specific, informed, and unambiguous indication of your wishes by which you signify agreement to the processing of your personal data, including by submitting information through our website where consent is required by law.

3. Data Collection

3.1. We collect personal data through our website to facilitate communication, respond to your enquiries, and help patients and prospective patients access information about our services. We only collect what is necessary, relevant, and proportionate to those purposes, nothing more. 

Depending on the nature of your enquiry or request, we may process the following categories of personal data: 

Personal Data we process

3.1.1. First Name – To address you respectfully and ensure our communication feels personal rather than generic. 

3.1.2. Last Name – To identify you accurately and maintain reliable correspondence records. 

3.1.2. Phone Number – To reach you in connection with your enquiry, appointment request, or follow-up and to share any information relevant to your care. 

3.1.3. Email Address – To respond to your enquiries, confirm appointments, share relevant health information, and keep a record of our correspondence. 

3.1.4. Health-Related Information (where voluntarily provided) – You may choose to include brief medical details when submitting an enquiry or appointment request. If you do, that information is treated as sensitive personal data under Section 2 of the Data Protection Act, 2019, and handled with the highest standard of confidentiality and legal care at all times.

All of the above is collected only when you choose to provide it, by submitting an enquiry, requesting an appointment, or reaching out through the contact forms on our website. We do not collect your data passively, automatically, or without your active participation through these forms. 

Sensitive Personal Data

As a healthcare provider, we understand that anything touching on your health is deeply private. On occasion, you may choose to include health-related details when reaching out to us through our website, for instance, when describing the reason for an appointment request. Where that happens, we treat that information as sensitive personal data under Section 2 of the Data Protection Act, 2019, and apply enhanced safeguards to protect it.

This means your health information is:

  • Accessible only to staff who genuinely need it to respond to your enquiry
  • Handled with strict confidentiality, in line with our professional and legal obligations as a licensed healthcare provider
  • Never shared, sold, or disclosed to third parties except where the law requires it or where you have given us clear consent to do so

A note on what to share through our website forms: Our website forms are designed for general enquiries and appointment requests; they are not a clinical channel. We do not ask for detailed medical records, identification documents, financial information, or biometric data through our website, and we actively encourage you not to include extensive medical detail in your messages unless you are specifically prompted to do so. If your matter is clinically urgent or sensitive, please contact us directly by phone or visit our facility, where our team can assist you appropriately and securely.

Children’s Data

As a maternity and nursing home, children, including newborns, are naturally central to the care we provide. We take the protection of their personal data seriously.

We do not knowingly collect personal data directly from children through our website. Where our services involve a minor, any personal data shared with us is expected to come from a parent, guardian, or other person with legal responsibility for that child. In those cases, we process the information provided in accordance with the Data Protection Act, 2019, our professional obligations as a licensed healthcare provider, and the best interests of the child.

If you believe that a child’s personal data has been submitted to us through our website without appropriate parental or guardian involvement, please contact us at admin@kasaranihospital.co.ke and we will take prompt steps to review and, where necessary, delete that information.

As with all data we collect, we limit what we hold to only what is reasonably necessary to respond to your enquiry and support legitimate healthcare communication.

3.2. How we collect Data

We collect your personal data transparently and, where the law requires it, with your explicit consent. At all times, the information we gather is limited to what is genuinely necessary to respond to your enquiry, process appointment requests, and support the delivery of our healthcare services. 

We may collect your personal data in the following ways:

3.2.1. Directly from You

We collect personal data directly from you when you voluntarily provide information through our website. This may occur when you:

  • Complete and submit a contact or enquiry form
  • Request an appointment
  • Submit a general enquiry regarding our medical services
  • Provide your contact details to enable us to respond to you

In some cases, you may voluntarily include brief health-related information when making an inquiry. Any such information is treated as sensitive personal data and handled with strict confidentiality.

By submitting your personal data through our website, you acknowledge that you have read and understood this Privacy Notice and, where applicable, consent to the collection and processing of your personal data for the purposes outlined herein.

3.2.2. Automated Means

When you access our website, certain limited technical information may be collected automatically through standard internet technologies. This information helps us ensure that the website functions properly, remains secure, and provides a reliable user experience.

Such technical data may include:

  • Internet Protocol (IP) address (in anonymized or aggregated form)
  • Browser type and version
  • Device type and operating system
  • Date and time of access
  • Pages visited and general usage patterns
  • Cookie data and similar tracking technologies

This information is primarily used for website administration, performance monitoring, and security purposes.

You may manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality or performance of the website. We do not use automated data collection tools for profiling, automated decision-making, or targeted advertising based on personal data collected through our website.

4. General Principles for Protecting Personal Data 

We are firmly committed to processing personal data in accordance with the principles established under the Data Protection Act, 2019. In all matters involving personal and health-related information, we are guided by the following core principles: 

4.1. Transparency: We believe you have every right to know how your information is handled. We are open and straightforward about how we collect, use, and protect personal data. This Privacy Notice is our primary means of communicating those practices, and we take deliberate steps to ensure that every individual whose data we process is properly informed. 

4.2. Purpose Limitation: Personal data is collected and processed only for specific, legitimate, and lawful purposes, namely the provision of healthcare services, administrative operations, communication, and regulatory compliance. We do not process your information for any purpose that is incompatible with the reason it was originally collected.

4.3. Lawful Processing: We process personal data only where a clear and valid legal basis exists for doing so. In the case of sensitive personal data, particularly health information, processing is carried out in strict accordance with the law and the professional obligations that govern healthcare practice.

4.4. Data Minimization: We collect only what we genuinely need. The personal data we gather is limited to what is necessary and relevant for the specific purpose at hand. We make a conscious effort to avoid excessive or redundant data collection, ensuring that the information we process is always proportionate to the services being provided. 

4.5. Accuracy: We take reasonable and proactive steps to ensure that the personal data we hold is accurate, complete, and current. Where your circumstances change, we encourage you to notify us so that our records can be updated accordingly. 

4.6. Confidentiality and Security: Your personal and health information is treated with the highest level of confidentiality. We maintain appropriate technical and organisational measures to protect your data against loss, misuse, unauthorised access, alteration, or inadvertent disclosure. These safeguards are reviewed and strengthened as necessary. 

4.7. Data Retention: We do not hold onto personal data longer than we need to. Information is retained only for as long as is necessary to fulfil the purpose for which it was collected, or as required by law and applicable healthcare professional standards. Once data is no longer needed, it is securely deleted or rendered irreversibly anonymous. 

5. Why do we collect your personal data?

5.1. Personal data collected through our website is processed for clearly defined, lawful, and legitimate healthcare-related purposes. Every processing activity we carry out is conducted in full compliance with the Data Protection Act, 2019, as well as the medical and regulatory obligations that govern our practice. 

5.1.1. Responding to Inquiries and Requests

5.1.2. To receive, review, and respond to enquiries submitted through our website concerning our medical services.

5.1.3. To schedule, confirm, or follow up on appointment requests.

5.1.4. To provide relevant information about our healthcare services in response to your queries.

5.2. Communication with Patients and Prospective Patients

5.2.1. To communicate with you using the contact details you provide, including phone calls or emails, in relation to your enquiry or appointment.

5.2.2. To clarify information necessary to facilitate appropriate care or administrative support.

5.2.3. To provide updates relating to appointment scheduling or service availability.

5.3. Provision of Healthcare-Related Information

5.3.1. To provide general information about our services, facilities, or medical offerings.

5.3.2. Where necessary, to guide you on the appropriate next steps for consultation or treatment (without conducting medical diagnosis through the website).

5.4. Relationship Management and Service Improvement

5.4.1. To maintain appropriate communication records for continuity and consistency.

5.4.2. To monitor and improve the quality, efficiency, and responsiveness of our communication processes.

5.4.3. To enhance patient experience and administrative service delivery.

5.5. Record Keeping and Administrative Purposes

5.5.1. To maintain internal records of enquiries and correspondence for operational and administrative purposes.

5.5.2. To ensure accountability and appropriate follow-up where required.

5.6. Legal and Regulatory Compliance

5.6.1. To comply with applicable legal, statutory, and regulatory obligations, including obligations under the Data Protection Act, 2019.

5.6.2. To comply with professional healthcare standards and regulatory requirements.

5.6.3. To respond to lawful requests from regulatory authorities, courts, or law enforcement agencies where required.

5.6.4. To protect the rights, safety, and legitimate interests of Kasarani Maternity & Nursing Home, its patients, staff, and other stakeholders.

5.7. Processing Limitations

5.7.1. Personal data collected through the website is not used for automated decision-making, profiling, behavioural analysis, or targeted advertising.

5.7.2. All personal data is processed strictly for the purposes outlined above and is not used in a manner that is incompatible with those purposes.

6. Legal Basis for Processing Personal Data

All personal data we process is handled in accordance with the Data Protection Act, 2019 of Kenya. We process personal data only where a defined and lawful basis exists for doing so, ensuring that your information, particularly any health-related data, is treated lawfully, fairly, and transparently at all times.

The lawful bases upon which we rely include the following:

6.1. Consent

6.1.1. Where you freely and voluntarily provide your personal information through our website, such as when completing an enquiry or appointment request form, we process that data on the basis of your consent.

6.1.2. Where sensitive personal data, including health information, is involved, processing is carried out either on the basis of your explicit consent or on another lawful basis permitted under the Data Protection Act, 2019. 

6.1.3. You have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of any processing that took place prior to your withdrawal, but it may limit our ability to respond to your enquiry or continue providing certain services.

6.2. Legitimate Interests

6.2.1. We may process personal data where doing so is necessary for the purposes of our legitimate business interests, provided those interests do not override your fundamental rights and freedoms. 

6.2.2. Our legitimate interests include responding to enquiries received through the website, communicating with prospective and existing patients, maintaining appropriate records of correspondence, and ensuring the efficient and reliable operation of our healthcare services. 

6.3. Legal Obligations

6.3.1. We process personal data where necessary to comply with applicable legal and regulatory requirements, including obligations under the Data Protection Act, 2019, healthcare regulatory standards, and any other relevant laws or lawful directives. 

6.3.2. This may include processing data to respond to lawful requests from regulatory authorities, courts, or law enforcement agencies, or to satisfy the record-keeping and compliance obligations imposed on us by law. 

6.4. Limitation of Processing

6.4.1. We do not process personal data for any purpose that falls outside the lawful bases outlined above. Personal data collected through our website is not used for automated decision-making, profiling, behavioural analysis, or any marketing activities that would require additional consent. 

7. Data Sharing & Disclosure

We are firmly committed to protecting the confidentiality of the personal and health information entrusted to us. We do not sell, rent, or commercially exploit personal data in any form. Disclosure of personal data occurs only in limited and clearly defined circumstances, as set out below. 

7.1. Internal Access

7.1.1. Personal data may be accessed internally by authorised healthcare professionals and administrative staff, and only on a strict need-to-know basis. All members of our team are bound by confidentiality obligations and the professional standards applicable to their respective roles. 

7.1.2. Healthcare-Related Disclosures: Where necessary to support patient care, personal data may be shared with relevant third parties, including diagnostic laboratories, medical specialists or referral facilities, and health insurers where applicable. Any such sharing is limited strictly to what is necessary for the purposes of treatment, billing, or ensuring continuity of care.

7.2. Legal and Regulatory Disclosure

7.2.1. We may disclose personal data where we are required to do so by law, court order, or a lawful request from a competent authority. Where it is lawful and reasonably practicable, we will take steps to notify you before any such disclosure is made. 

7.4. Safeguards on Disclosure

7.4.1. In all cases where personal data is disclosed, we ensure that only the minimum amount of information necessary is shared. We take deliberate steps to ensure that any disclosure is carried out securely and in full accordance with applicable data protection laws. 

7.5. No International Transfers via Website

7.5.1. Personal data collected through our website is not intentionally transferred outside of Kenya. Should a cross-border transfer ever become necessary, it will be conducted strictly in accordance with the Data Protection Act, 2019 and subject to appropriate and adequate safeguards. 

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, and in particular sensitive health information, against loss, misuse, unauthorised access, alteration, or disclosure.

8.1. Security Measures

8.1.1. Access Controls: Access to personal data is strictly limited to authorised personnel whose roles and responsibilities require it. We maintain rigorous access controls to ensure that your information is only handled by those with a legitimate need to do so. 

8.1.2. Confidentiality Controls: All staff are bound by confidentiality obligations and professional secrecy requirements. These obligations apply both during and after their period of employment or engagement with us.

8.1.3. System Security: We deploy technical safeguards designed to protect our systems and the data they hold against unauthorised access, alteration, interception, or disclosure. These measures are kept under regular review and updated as necessary. 

8.1.4. Regular Audits: We conduct periodic security audits and assessments to identify potential vulnerabilities within our systems. This process allows us to proactively address emerging risks and continuously strengthen our defences before issues can materialise. 

8.2. Data Breach Response

In the unlikely event of a personal data breach, we are committed to responding swiftly, transparently, and decisively to protect those affected and minimise any potential harm. We maintain a comprehensive incident response plan specifically designed to enable the prompt management and containment of data security incidents. 

Where a personal data breach meets the reporting threshold under the Data Protection Act, 2019, we will notify the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours of becoming aware of the breach, unless a lawfully justified reason for delay exists. 

8.2.1. Immediate Assessment and Containment: Upon detecting a breach, our security team will act without delay to assess the nature and scope of the incident. Immediate steps will be taken to contain the breach, secure all affected systems, and prevent any further unauthorised access or data exposure.

8.2.2. Website User and Authority Notification: We will notify any individuals whose personal data has been affected as soon as it is reasonably practicable to do so, providing clear information about the nature of the breach, the categories of data involved, and the steps being taken to address it. Notification to the relevant regulatory authorities will be made in accordance with our legal obligations. 

8.2.3. Mitigation and Remediation: Our team will move quickly to address the root cause of the breach, mitigate any harm that may have resulted, and implement remedial measures to reinforce our security protocols and prevent recurrence. 

8.2.4. Continuous Improvement: Following any security incident, we will conduct a thorough post-incident review to understand what occurred and why. The findings of that review will directly inform improvements to our security practices, helping us to build a stronger and more resilient data protection environment going forward.  

9. Your Rights and Choices

9.1. Under the Data Protection Act, 2019, you have the following rights:

9.1.1. Right to Access: You have the right to request confirmation as to whether we process your personal data and, where such processing occurs, to request access to that personal data. This includes the right to be informed of the nature of the data held, the purposes for which it is processed, and how it is used.

9.1.2. Right to Correction: You have the right to request the correction of any personal data that is inaccurate, incomplete, or outdated. We take reasonable steps to ensure that personal data is accurate and up to date and will act promptly upon receiving a valid correction request.

9.1.3. Right to Deletion: Under certain circumstances, you have the right to request the deletion of your Personal Data. This may include situations where the data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent and there is no other legal ground for processing.

9.1.4. Right to Object: You have the right to object to the processing of your Personal Data in specific situations, such as for direct marketing purposes or when processing is based on our legitimate interests, and you feel it impacts your fundamental rights and freedoms.

9.1.5. Right to Restrict Processing: You may request the restriction of processing of your personal data in certain situations, such as where you contest the accuracy of the data or where processing is unlawful but you prefer restriction over deletion.

9.1.6. Right to Withdraw Consent: If you have provided consent for the processing of your Personal Data, you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing carried out before your withdrawal.

9.1.7. To exercise any of these rights, please submit a written request to the designated Data Protection Officer using the contact details provided below. Requests will be acknowledged within seven (7) days and responded to within twenty-one (21) days in accordance with the Data Protection Act, 2019. Kasarani Maternity & Nursing Home may request proof of identity before processing your request to protect your personal data.

10. Data Retention

10.1. Personal data collected through the website is retained only for as long as necessary to respond to inquiries, provide services, or meet legal and regulatory requirements.
10.2. Once the data is no longer required, it is securely deleted or anonymized in accordance with applicable laws.
10.3. For website-related data, indicative retention periods include:

  • Website enquiries and correspondence – retained for up to twelve (12) months
  • Appointment requests – retained for operational follow-up and audit purposes
  • Technical website logs – retained for a limited period for security and performance monitoring

Detailed retention rules are governed by Kasarani Maternity & Nursing Home’s internal Records Retention Schedule.

10.4. We may retain your personal data for a longer period if the retention is:

10.4.1. Required or authorized by law.

10.4.2. Reasonably necessary for a lawful purpose.

10.4.3. Authorized or consented to by you.

10.4.4. Necessary for the purpose of responding to a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

10.4.5. For historical, statistical or research purposes.

11. Third Party links and services

11.1. Our website may contain links to third-party websites for informational purposes.

11.2. These websites operate independently and are governed by their own privacy notices. Kasarani Maternity & Nursing Home is not responsible for their data handling practices.

11.3. Accessing third-party websites through links on our website is done at your own discretion and risk. We encourage you to carefully review the privacy notices and terms of use of any third-party website before providing any personal data or engaging with their services.

11.4. The inclusion of any third-party links on our website does not constitute an endorsement, approval, or recommendation of the third party, its services, or its data protection practices.

11.5. We shall not be liable for any loss, damage, or misuse of personal data arising from your interaction with third-party websites linked from our website.

12. Consequences of not providing personal data

12.1. The decision to share your personal information with us is entirely yours, and we respect that. That said, certain details, specifically your name, phone number, and email address, are necessary for us to be able to respond to you meaningfully. Without them, we simply have no way of getting back to you.

12.2. You are always welcome to browse our website freely, with no obligation to share anything. However, if you choose not to provide the basic contact details we need, we may be unable to respond to your enquiry, follow up on an appointment request, or give you the kind of personalised guidance our services require. Where you are comfortable sharing only some information, we will always do our best to assist you with what you have provided. 

13. Contact

Your privacy matters to us, and we want you to feel genuinely confident in how your personal data is handled. If you have questions about this Privacy Notice, want to exercise any of your data subject rights, or wish to raise a concern, please reach out to us. We are here to help. 

Email: admin@kasaranihospital.co.ke – Our team is available to assist you with any privacy-related questions or issues.

Address: P.O BOX 31524-00600 NAIROBI, KENYA – You can write to us at our physical address for any formal correspondence.

We are committed to responding to all privacy-related queries and concerns promptly, professionally, and with the care and confidentiality that your information deserves. 

Notice Effective Date: 19th May 2026

This Privacy Notice was last updated on 19th May 2026