| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 20 June 2025 |
| Decided: | 17 September 2025 |
| Published: | Yes |
| Fine: | KES 250,000 |
| Parties: | EFK vs. Quest Holdings Limited |
| Case No.: | No. 0884 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
EFK complained that a Quest Holdings employee erroneously attached confidential NCBA customer data to a mail merge, disclosing it to unintended recipients. The ODPC found a systemic lapse in data protection safeguards, beyond mere human error. Consequently, Quest was ordered to pay KES 250,000 compensation.
The Complainant, EFK, alleged that on 23rd May 2025, an employee of Quest Holdings erroneously attached a confidential Excel file to a mail merge email while acting within the scope of their employment. This file contained the sensitive personal data of 461 NCBA Bank customers, including their full names, email addresses, and the specific outstanding amounts each owed to the bank. EFK asserted that this confidential information was disseminated to an undisclosed number of unintended recipients over the course of an entire week. The Complainant further noted that the employee admitted culpability for the breach and that NCBA Bank, acknowledging the severity of the security lapse, took the decisive step of suspending its contractual agreement with the Respondent.
Quest Holdings acknowledged that a data breach had occurred on 23rd May 2025, affecting approximately 400 customers. The Respondent argued that the disclosure was inadvertent and not malicious in nature. They maintained that they had fulfilled their procedural obligations under the Data Protection Act by reporting the breach to the ODPC within 72 hours of its occurrence and by disseminating apology emails to all affected recipients. Quest Holdings also pointed to the suspension of their contract by NCBA Bank as a form of accountability already rendered for the incident.
The Office of the Data Protection Commissioner (ODPC) determined that the incident constituted an unauthorised disclosure of personal data. While acknowledging that the Respondent met the reporting timelines, the ODPC found that this did not absolve them of liability for the underlying failure to protect data. The Commissioner noted that the fact that the dissemination occurred incrementally over a week without detection pointed to a systemic lapse in organizational and technical measures rather than a simple, isolated human error. Specifically, the Respondent was found to have failed in its duty to implement "privacy by design and by default," as there were no monitoring systems capable of identifying or halting irregular data flows. The ODPC concluded that Quest Holdings failed to demonstrate that they had taken reasonable steps—such as adequate staff training and access controls—to ensure employee compliance with security measures.
In the final determination, the Data Commissioner ruled as follows: