Tag: ODPC

  • Eldoret hospital to pay client Ksh 525,000 for data misuse

    Eldoret hospital to pay client Ksh 525,000 for data misuse

    St Luke Orthopaedic and Trauma Hospital Eldoret has been ordered to pay a complainant Ksh 525,000 as compensation for illegal sharing of her data with a third party.

    The Office of the Data Protection Commissioner (ODPC) determined that the hospital unlawfully disclosed the Complainant’s sensitive health data to a third party without obtaining her explicit and informed consent.

    According to the complainant by the name Merceline Akoth Odeyo, the hospital mishandled her sensitive personal data by failing to maintain its accuracy and currency, and by disclosing medical records of an unrelated individual as though they were hers.

    St Luke Orthopaedic and Trauma Hospital Eldoret is said to have issued the patient medical
    results belonging to a third party who shared a similar first name but a different surnames on two separate occasions.

    In order to clarify the matter, the hospital  contacted the third-party lab conducting the test for clarification which the patient had to consented to.

    According to Data Commissioner Immaculate Kassait, the acts by the hospital violated the principle of transparency under Section 25 of the Data Protection Act and the Complainant’s right to be informed under Section 29.

    ODPC in its ruling said the admission by the hospital to the administrative error demonstrates a failure to implement adequate technical and organizational measures to secure the Complainant’s
    personal data, violating Section 41 of the Act.

    The hospital has now been ordered to pay the said amount as compensation. The parties now have 30 days to appeal the determination to the High Court of Kenya.

  • Kenyans warned against sharing personal data on social media

    Kenyans warned against sharing personal data on social media

    The Office of the Data Protection Commissioner (ODPC) has cautioned the public against sharing consolidation and sharing of personal contacts, location and details of family members of MPs on social media.

    In a statement issued Wednesday, the commissioner noted that the practice violates data protection laws and individuals’ privacy rights.

    “The Office of the Data Protection Commissioner (ODPC) has established that there has been a recent trend of consolidating and sharing of personal information (names, telephone numbers, location and details of family members) of a certain category of citizens through social media platforms,” the statement reads in part.

    The Commissioner expressed concern that the practice has been happening without the consent of the affected individuals contrary to the provisions of Article 31 of the Constitution and the Data Protection Act of 2019.

    “The Office wishes to advise members of public to refrain from further sharing of personal information which infringes on individuals’ rights to privacy.”

    This comes after Kenyans on various social platforms, including X, shared phone numbers of MPs in a bid to pressure them to reject the Finance Bill 2024.

    The ODPC has urged any individuals whose privacy has been compromised to file a complaint via; complaint@odpc.go.ke.

    Article 31 of the Constitution stipulates that every person has the right to privacy, including the right not to have their person, home, or property searched; their possessions seized; information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed.

  • State eyes Ksh 2B daily collection from e-Citizen

    State eyes Ksh 2B daily collection from e-Citizen

    The government is targeting to increase e-Citizen enrollment across the country in a bid to ensure smooth transition to digital identity cards and realize daily collection of Ksh 2 billion in service fees.

    Immigration and Citizen Services Principal Secretary Prof Julius Bitok says the government is undertaking enrollment of all Kenyans having transferred 16,750 services to the platform which is currently accessible to 13 million account holders.

    “On average we are enrolling about 30,000 people every day on E-citizen and now we are at 13 million and we are looking at the entire adult population of Kenya which is 32 million. Within another one year to two, we should have everybody having digital identity,” said Prof Bitok.

    Speaking during the Network of African Data Protection Authorities (NADPA) conference held in Narobi, Bitok said with additional enrollment on the platform, the government would be able to double current collection of Ksh 700 million.

    “Kenyans are continually using these services. Our plan in the short term is to ensure that we are collecting Ksh 2 billion per day and we are making progress because if you look at where we are coming from, we started with Ksh 50 million, now we are at Ksh 700 million and in the short term we should be able to get to Ksh 2 billion,” he stated.

    This comes as state targets issue digital identification cards to all persons in a bid to enhance service delivery across the country.

    The government plans to issue Maisha number for newborns to be used all their lives, Maisha Card which is a smart ID and the virtual version, Maisha Digital ID which will be used through the phone when seeking various services.

    Additionally, Maisha integrated database which is connected to e-citizen and will allow interoperability among state agencies.
    While state plans for the roll out of Maisha Namba, integrity of personal data has come into question with fears over data misuse.

    “In as far as the issue around Maisha Namba is concerned, as an office we have offered an advisory and I can confirm that we have received the data protection impact assessment from the Ministry of Interior. We have also offered training and in addition to that we continue to do an audit,” assured Immaculate Kassait, Data Commissioner.

  • Stronger data governance to drive digital economy

    Stronger data governance to drive digital economy

    The Office of the Data Protection Commissioner (ODPC) has issued 60 enforcement notices, eight penalties and six fines since being operationalised in 2019.

    Data Commissioner Immaculate Kassait says ODPC has a complaint resolution rate of 75pc after receiving over 5,300 complaints to date mainly from data protection issues related to use of personal data by data handlers.

    In September last year, ODPC imposed fines totalling Ksh 9.3 million on three distinct businesses found guilty of breaching data protection regulations.

    The data protection office says its efforts have not been in vain, as it seeks to streamline data protection compliance especially by data handlers.

    The compliance also stems from awareness even as the country is beginning to grapple with emerging issues such as the use of Artificial Intelligence in data handling.

    This comes as Kenya prepares to host the 9th Annual General Meeting and Conference of the Network for Africa Data Protection (NADPA) which is expected to come up with data governance frameworks that will enable a more secure digital future for African states.

    “The conference is expected to strengthen the data protection framework of member states and nations,” Kassait.

    NADPA will also foster partnerships, enhance regional collaboration as well as strengthen the best practices to enhance data protection.

    Cabinet Secretary for Information and Digital Economy, Eliud Owalo said the AGM and Conference will serve as a platform to provide thought leadership for Africa in the area of data governance.

    “In the face of rapid digitalization, we have been encountering numerous issues and concerns regarding data privacy and data protection. This platform will therefore provide us, as one African data governance family, the opportunity to discuss our future course of action concerning the data governance framework,” said Owalo.

    According to Owalo, data is a critical resource that drives economic growth and development; therefore, data protection is imperative and needs to be managed carefully considering there are emerging technologies such as Artificial Intelligence (AI), big data, machine learning and the internet, the forum will help address issues of data privacy and protection.

    “In a proactive manner, we need to strengthen our data governance framework by formulating clear policies, laws, and regulations. These will facilitate cross-border data transfer, enhance the level of data privacy and data protection, and ensure that we establish a unified governance framework for our data management,” he added.

    The conference is set to host players in the tech and data protection industry with over 700 delegates, 40 speakers, 50 organizations and entities, and 50 Ministries, Departments, and Agencies (MDAs) from 25 countries.

  • ODPC urges Department Heads to lead the charge for data safety

    ODPC urges Department Heads to lead the charge for data safety

    The Office of the Data Protection Commissioner (ODPC) has urged Heads of Departments to be key drivers of data protection as part of ongoing efforts to ensure data safety across across various Ministries, Departments and Agencies (MDAs) of the government.

    Addressing a gathering during an awareness sensitization program in Eldoret, Uasin Gishu, North Rift Regional Head, Katumbi Mailu, the North Rift Regional Head of the ODPC, emphasized the ODPC’s commitment to the continued promotion of data safety.

    “Leaving data and documents accessible to unauthorized individuals is a risk we cannot afford. Embracing a clear desk policy ensures that data is only accessible to authorized personnel,” said Mailu.

    Mailu stressed that data protection is a global concern, alerting departmental heads of the need for updated, collected, and safeguarded data, a mandate derived from the Data Protection Act (DPA), 2019, aligning with the constitutional right to privacy.

    Mailu urged departmental heads to adopt the principles of data protection, which include lawfulness, fairness and transparency, integrity and confidentiality, purpose limitation, data minimization, storage limitation, accuracy, and accountability, to ensure that data is only accessible to authorized persons.

    She lauded the ODPC for its achievements, including active DPA enforcement, office automation with Content Management System (CMS) and Enterprise Resource Planning (ERP) systems, and maintaining an up-to-date register of data controllers and processors.

    She went on to shed light on the lawful basis of processing personal data, involving consent, performance contracts, legal obligations, vital interests, public interest, and authority across government priority areas such as agriculture, health, housing, digital infrastructure, MSMEs, and more.

  • Data Commissioner fines three firms Ksh 9.4M for data misuse

    Data Commissioner fines three firms Ksh 9.4M for data misuse

    The Office of the Data Protection Commissioner (ODPC) has issued penalty notices to three companies totaling Ksh 9.4 million for breaching regulations as set out in the Data Protection Act.

    Data Commissioner Immaculate Kassait says the three data controllers, Casa Vera Lounge, Roma School and Mulla Pride Ltd which operates two mobile lending apps, KeCredit and Faircash failed to observe Data Privacy Rights to data subjects.

    Digital credit provider, Mulla Pride for instance which has been fined Ksh 2.98 million was found culpable of using names and contact information of lenders obtained from third parties to send threatening messages and phone calls.

    “This penalty will ensure that digital lenders and financial institutions notify data subjects when collecting and processing their data, and the intention of processing the said data. It will further ensure that the data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data,” said Kassait in a statement.

    Casa Vera Lounge on the other hand found itself in trouble for itself in trouble for posting a picture of one of their customers in their social media pages without consent.

    The restaurant which operates along Ngong Road in Nairobi has been fined Ksh 1.85 million in a move expected to further deter clubs and lounges from posting their clients images online without consent.

    Roma School which is based in Uthiru in Nairobi County will pay the largest fine amounting to Ksh 4.55 million for posting pictures of minors without approval from parents.

    “This being the first and the highest penalty to an educational facility sends a message to schools and other facilities handling minor’s personal data to obtain consent from parents and guardians prior to processing minor’s data,” she added.

    ODPC says it has also conducted compliance audit on WhitePath a digital credit provider and Naivas Supermarkets which was hit by a ransomware in April this year.

    The office also plans to commence conducting 40 compliance audits on various data controllers and processor in the current financial year.