Eldoret Hospital (“Hospital”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data in full compliance with the Kenya Data Protection Act, 2019 (DPA) and its subsidiary legislation. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://eldorethospital.com/, use our services (including medical treatment, outpatient/inpatient care, online appointment booking, or any interaction with our facilities), or communicate with our staff.
We are dedicated to transparency and ensuring that your personal data, especially sensitive medical data, is handled lawfully, fairly, and with utmost confidentiality. By accessing our website or using our healthcare services, you acknowledge the practices described in this policy.
2. Data Controller
For the purposes of the Kenya Data Protection Act, the Data Controller is:
Medical & Health Data (Special Category): Patient medical history, diagnoses, test results (lab/radiology), prescriptions, treatment plans, surgical records, insurance claims, and any other health-related information. This data is processed under strict confidentiality as required by medical ethics and the DPA.
Technical Data: IP address, browser type, device identifiers, cookies, and usage statistics when you browse our website.
Communication Data: Any correspondence via phone, email, social media, or contact forms.
4. How We Collect Your Data
We collect personal data through the following lawful means:
Direct interactions: When you fill in patient registration forms, admission documents, or consent forms, book appointments online, call our call center, or visit the hospital physically.
Automated technologies: Cookies, server logs, and analytics tools when you browse our website (e.g., to improve user experience).
Third parties: Referring doctors, diagnostic laboratories, insurance companies, NHIF, or emergency services — only with your explicit consent or as permitted by law for treatment continuity.
5. How We Use Your Personal Data
We process your personal data only for legitimate purposes related to healthcare and hospital administration:
✅ Providing medical diagnosis, treatment, nursing care, and rehabilitation.
✅ Managing appointments, admissions, discharges, and billing.
✅ Communicating test results, treatment updates, health reminders, and follow-ups.
✅ Processing insurance claims, NHIF reimbursements, and payments.
✅ Enhancing patient safety, medical research (anonymized), and quality improvement.
✅ Complying with legal obligations (e.g., notifiable disease reporting to the Ministry of Health, court orders).
✅ Website analytics to improve navigation and patient experience.
6. Legal Basis under Kenya DPA
Under the Kenya Data Protection Act, we rely on the following lawful bases:
Consent: For processing sensitive medical data (where not necessary for treatment) or marketing communications.
Contractual necessity: Processing required to provide medical treatment and healthcare services you requested.
Legal obligation: Compliance with Kenyan laws (e.g., Public Health Act, Medical Practitioners Act).
Vital interests: To protect someone’s life or in emergency situations.
Legitimate interests: For improving our services, fraud prevention, and internal administration, provided your rights do not override such interests.
7. Data Sharing & Disclosure
We do not sell or rent your personal data. However, we may share your data with:
🔹 Healthcare providers: Consultants, specialists, labs, pharmacies, and radiology partners involved in your care (under strict confidentiality agreements).
🔹 Insurance companies & NHIF: For claim verification and payment processing.
🔹 Legal & regulatory authorities: When required by Kenyan law or court order.
🔹 IT service providers: Third-party vendors hosting our website or electronic medical records (only under data processing agreements compliant with DPA).
Any transfer of data outside Kenya (e.g., cloud backup) will only occur with adequate safeguards and your consent where required by the DPA.
8. Data Security
We implement appropriate technical and organizational measures to protect your data from unauthorized access, loss, alteration, or disclosure. These include:
🔐 Encryption of electronic medical records and website data (SSL/TLS).
🔐 Role-based access controls: Only authorized medical staff can view patient data.
🔐 Regular security audits, staff training on data protection, and incident response protocols.
🔐 Physical security at our hospital premises (CCTV, access cards).
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Data Retention
We retain your personal data only as long as necessary for the purposes set out in this policy and to comply with legal obligations (e.g., Kenya’s Medical Practitioners and Dentists Act requires retention of medical records for a minimum of 7 years from last treatment). After the retention period, data will be securely anonymized or deleted.
10. Your Data Protection Rights
Under the Kenya Data Protection Act, you have the following rights:
Right to access – Request a copy of your personal data held by us.
Right to rectification – Correct inaccurate or incomplete data.
Right to erasure (Right to be forgotten) – Request deletion of your data, subject to legal retention requirements (e.g., medical records).
Right to restrict processing – Limit how we use your data in certain circumstances.
Right to data portability – Receive your data in a structured, machine-readable format.
Right to object – Object to processing based on legitimate interests or direct marketing.
Right to withdraw consent – Withdraw previously given consent at any time (without affecting lawfulness of processing before withdrawal).
Right to lodge a complaint – With the Office of the Data Protection Commissioner (ODPC) in Kenya.
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 14. We will respond within 30 days as required by the DPA.
11. Cookies & Tracking Technologies
Our website uses cookies to enhance user experience, analyse site traffic, and remember your preferences. When you first visit the site, a consent notice lets you Accept non-essential cookies or Decline them (in which case only strictly necessary cookies are used). Your choice is stored on your device and respected on subsequent visits. We do not use cookies to collect sensitive medical data. You may also control or delete cookies at any time through your browser settings; disabling cookies may affect some functionality of the site.
You can review or change your cookie choice at any time.
12. Children’s Privacy
Our healthcare services are directed to individuals of all ages, but for minors (under 18 years), personal data will be collected with the consent of a parent or legal guardian. We do not knowingly collect data from children without parental consent. If you believe we have inadvertently collected such data, please contact us immediately.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, our data practices, or operational needs. The revised version will be posted on this page with an updated “Last Updated” date. We encourage you to review this policy periodically. Material changes will be notified via a notice on our website or direct communication where required by law.
14. Contact Us / Data Protection Officer (DPO)
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact our Designated Data Protection Officer:
Data Protection Officer
Eldoret Hospital Ltd.
Makasembo Road, P.O. Box 2234-30100, Eldoret, Kenya.
Email: dpo@eldorethospital.com | Phone: +254 733 618 833
Office Hours: Monday – Friday, 8:00 AM to 5:00 PM.
You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at: www.odpc.go.ke | P.O. Box 3098-00100, Nairobi, Kenya.