Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Section 25(4), 26, 28 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya
Type: Complaint
Outcome: Violation
Started: 10 March 2024
Decided: 7 June 2024
Published: Yes
Fine: KES.250,000/-
Parties: Carolyne Alaka Mage vs. CIC General Motor Insurance & Anor
Case No.: 0359 of 2024
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa


Summary

The ODPC found that the 1st Respondent violated Section 26 of the Data Protection Act, 2019 (DPA) on lawful use of data. The violation occurred when the 1st Respondent shared the Complainant's personal information with a third party who had purchased a salvage vehicle belonging to the Complainant. The information was shared without the Complainant's consent, and she had not anticipated such sharing as part of the motor vehicle claims process.

Facts

Carolyne Alaka Mage (the “Complainant”) lodged a complaint primarily against the 1st Respondent, alleging unauthorized sharing of her personal information. The Complainant initially engaged the 1st Respondent for car insurance and submitted her personal information, including copies of her vehicle’s logbook, KRA PIN, and National ID.

The vehicle was involved in an accident in December 2016, leading to a claim processed by the 1st Respondent, during which time she submitted her original logbook for processing of the claim.

She claimed that the 1st Respondent shared her logbook, which contained her personal details, with third parties without her knowledge or consent.

In February 2017, the claims manager of the 1st Respondent allegedly released her logbook to a third party without authorization. In 2020, she stated that her logbook was shared again with another third party, again without her consent.

The Complainant reported receiving an anonymous call in February 2024 from an individual requesting that she transfer her written-off vehicle to him, indicating possible fraudulent activity linked to her personal data.

Following the call, she received a password reset notification for her ECITIZEN account, suggesting that her account may have been hacked. She thereafter received notification of the successful transfer of the vehicle to a third party, at which point she also realised that she could not access her NTSA-TIMS account, the portal within ECITIZEN that holds motor vehicle records and through which transactions impacting motor vehicles are conducted.

She reported the issue to the police, who advised her to involve the National Transport Service Authority (the “2nd Respondent”). The 2nd Respondent placed a caveat on the vehicle and then restored her access to her NTSA-TIMS account with them.

The 1st Respondent denied the allegations of hacking her ECITIZEN and NTSA accounts, stating that they had set up safeguards to protect client information. The 1st Respondent did confirm that, since the Complainant's claim had been processed and she had been compensated for her loss, they initiated sale proceedings for the vehicle under their salvage protocols, and the vehicle was subsequently sold to a third party. The 1st Respondent further averred that the total loss discharge documents signed by the Complainant contained a clause surrendering title to the 1st Respondent.

The 2nd Respondent claimed that they processed her application based on her consent via the ECITIZEN platform, arguing that they acted within the principles of the Data Protection Act. The 2nd Respondent also averred that it placed a caveat against the transfer of the vehicle when notified of the attempted fraud.

The ODPC found that the 1st Respondent violated the provisions of Section 26 by sharing the Complainant's personal data with third parties for a use not communicated to her and without her consent.

Holding