| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Sections 25(a), 41(1) and (4), 43(a), 65(1) and (4) of the Data Protection Act, 2019; Regulation 32 of the Data Protection (General) Regulations, 2021; Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 2 August 2024 |
| Decided: | 30 October 2024 |
| Published: | Yes |
| Fine: | KES 250,000 |
| Parties: | Rose Wambui Muigai vs. NCBA Bank PLC |
| Case No.: | 1178 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Rose Wambui Muigai filed a complaint against NCBA Bank PLC with the ODPC, alleging unauthorised disclosure of her personal data to former bank employees. The ODPC found that a data breach had occurred, that the Bank failed to adequately explain how the former employees accessed the Complainant's data, and that the Bank failed to report the breach. The Bank was ordered to compensate the Complainant and was issued an enforcement notice.
This case involves a complaint filed by Rose Wambui Muigai (the Complainant) against NCBA Bank PLC (the Respondent) with the Office of the Data Protection Commissioner (ODPC) in Kenya.
The Complainant alleged that the Respondent disclosed her personal data to third parties, who were former employees of the Respondent, without a lawful basis.
The Complainant had a financial account with the Respondent, opened on 31 May 2021, which included a facility for an annually renewable insurance premium. Between 25 May 2023 and 28 May 2024, the Complainant received multiple calls and messages from two individuals, Dn M and R*t M, who disclosed her personal data and offered to assist with renewing her motor vehicle insurance.
These individuals were later identified as former employees of the Respondent. The Complainant filed a demand letter with the Respondent, alleging a breach of privacy.
The Respondent denied the allegations and claimed that the individuals in question were not employees at the time of the alleged breach. They argued that upon termination of employment, both individuals were required to return all data and had their access to internal systems revoked.
They also submitted evidence of cease and desist letters sent to the former employees and an internal investigation report that found no conclusive evidence linking the former employees to the Complainant's data.
The ODPC investigation confirmed that the individuals contacting the Complainant were indeed former employees of the Respondent. It found that the alleged breach occurred when these individuals were no longer employed by the Respondent.
The ODPC determined that there was a personal data breach as the Complainant’s data was unlawfully disclosed by unauthorised individuals. This constituted a violation of the Complainant's right to privacy.
Crucially, the ODPC found that the Respondent failed to adequately explain how the former employees accessed the Complainant's data, especially considering that their access should have been revoked on termination. The ODPC also noted that the Respondent failed to report the data breach to the ODPC as required by law.
Legal Provisions Reviewed
The ODPC reviewed the following provisions of Kenyan law: