| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 25(4), 26 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 26 September 2023 |
| Decided: | 15 October 2024 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | John Onkangi vs. National Bank of Kenya Ltd & Anor |
| Case No.: | 1766 of 2023 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
The National Bank of Kenya Limited was liable for the actions of its employee and the breach of data protection regulations when an employee forwarded the bank account details and loan statement of the Complainant to a third party without a legal basis. The employee was deemed to be working in the ordinary course of his duties when he committed the wrongdoing after NBK failed to adduce proof of actions it had taken to deal with the alleged errant employee on the basis of the alleged wrongdoing.
The case involves a complaint from a data subject who alleged that the National Bank of Kenya Limited (the “1st Respondent”), a financial services provider, forwarded his bank account details and loan statement to a third party without his approval or other legal basis.
The Complainant was a customer of the Bank and had a loan facility with the Bank which had gone into default.
The 1st Respondent indicated that its staff are required to adhere to policies and procedures observing privacy, including having a Data Protection and Privacy Policy, staff training, HR Code of Ethical Conduct, Staff Confidentiality Policies, and technical security measures. The 1st Respondent stated that the staff member who shared the Complainant's Account Statements with the third party acted against its Code of Ethical Conduct, and the Bank was conducting a full investigation into the matter. The 1st Respondent, however, failed to adduce evidence to prove this.
It is important to note that the employee worked as a remedial analyst whose role included offering support to collection teams in respect of errant debts.
The 1st Respondent stated that it shared information with the 2nd Respondent to facilitate contact with the Complainant as per the service contract, and reiterated that the 2nd Respondent has a duty to uphold confidentiality.
The 2nd Respondent did not respond to the notification, and the Complainant did not provide proof to support the claim against the 2nd Respondent.
The Complainant failed to meet the burden of proving a viable claim against the 2nd Respondent.
The employee, who shared the Complainant's details without consent or other legal basis, was deemed to be working in the ordinary course of his duties when he committed the wrongdoing. Therefore, the 1st Respondent is held vicariously liable for the actions of its employee under the Act.
The Office of the Data Protection Commissioner (ODPC) held that: