Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

AAR Healthcare Kenya Limited (the “Respondent”) was found liable for violating the Complainants right to privacy when sensitive personal data given to them by the Complainant in the course of accessing medical services, was released to a third party insurance firm, who used it for marketing purposes.

Facts

Grace Gatambu (the “Complainant”) alleges that AAR Health Services Ltd (”Respondent”) released personal data contained in a medical form, to third party insurance company whose employees then used the information to contact her in order to market insurance products.

The Respondent confirmed that information was mistakenly posted to the wrong insurance provider by an employee but did not activate appropriate responsive mechanisms to deal with the breach.

The Respondent acknowledged the breach but stopped short of issuing a formal apology for the breach to the Complainant which caused the Complainant to file the complaint with the ODPC.

The ODPC found that:

• The sharing of information for marketing purposes (instead of provision of medical care) violated the purpose limitation principle.
• The failure by the Respondent to provide the Complainant with a Data Privacy Policy violated the fairness and transparency principle.
• The Respondent failed to notify the Complainant and the ODPC of the breach, which is classified as a notifiable breach under the DPA,19, within 72 hours.
• Processing of sensitive personal data for marketing purposes is prohibited under the DPA,19 and the Respondent ought to have requested the insurance company to stop processing the data for those purposes and ask for its erasure.
• The Respondent did not instal an appropriate data compliance framework to safeguard personal data, which violated the Complainants right to privacy.

Holding

• The Respondent violated the Complainants right to privacy and the provisions of the DPA19.