10 March 2023

Unauthorised Disclosure Of Personal Data

Continuing its trend of active enforcement of its mandate under the Kenya Data Protection Act (DPA), the Office of the Data Protection Commissioner (ODPC) recently published a significant ruling that:

  1. Affirmed its position as being a forum of dispute resolution for matters regarding personal and sensitive data.
  2. Emphasised that the DPA is enforceable against all persons regardless of their registration status.
  3. Provided guidance on the types of evidence that can be relied on to find a person liable for breaching the provisions of the DPA.

On 6 January 2023, the ODPC issued a decision in Allen Waiyaki Gichuhi & Charles Wamae v Florence Mathenge & Ambrose Waigwa. The complaint was filed by a Nairobi law firm, on its own behalf and on behalf of certain clients of the firm, against its former employees on 20 July 2022. The complaint alleged that one of the former employees disclosed personal and sensitive data, in the form of court documents, to the other former employee, via email, without the consent of the relevant data subjects. The firm argued that the former employee's conduct violated Section 72 of the DPA which prohibits the unauthorised disclosure of personal data by a data controller. The ODPC dismissed the complaint while also clarifying a number of important principles outlined below.

  • The ODPC has the jurisdiction to review complaints even if a matter is already before another judicial forum
    Notwithstanding the employees' assertion that the matters in dispute were already being adjudicated in different fora, the ODPC found that it had jurisdiction to decide matters relating to personal data regardless of whether there were ongoing proceedings on related matters. Section 64 of the DPA provides that a person who is aggrieved by any administrative action taken by the ODPC may appeal to the High Court. Courts have also been inclined to require that parties explore all the available mechanisms of dispute resolution before proceeding with litigation. All these considerations seem to confer primary jurisdiction over matters concerning violations of the DPA on the ODPC.
  • The ODPC has the power to receive complaints against both registered and unregistered entities
    At the time the law firm filed the complaint, it had not been registered as a data controller or data processor. The employees, therefore, contested the applicability of the DPA's provision to their former employer. In dismissing this argument, the ODPC declared that the DPA applies to data subjects' rights regardless of whether or not persons processing personal data are registered.
  • Disclosure of personal and sensitive data contained in court documents or public records cannot be the basis of a complaint concerning unauthorised access
    Sixteen of the alleged thirty breaches in the complaint related to pleadings, submissions and related documents, which formed part of court records and parliamentary proceedings. The Evidence Act classifies such documents as public records. As a result, the ODPC found that sharing a document that contains personal or sensitive data yet forms part of a public record does not constitute a breach of the DPA as the personal data has already been disclosed by the affected persons.

In addition, the law firm's failure to avail copies of the documents that it alleged contained personal data made it impossible for the ODPC to determine whether there had indeed been a breach of Section 72 of the DPA. The ODPC also noted that the law firm did not provide evidence showing it had been instructed by its clients to file the complaint on their behalf.

Conclusion
It is clear that the ODPC possesses and has begun exercising its wide-ranging powers to enforce the provisions of the DPA, especially since the ODPC has the power to conduct its own investigations upon receiving a complaint. Entities must therefore prioritise understanding their compliance obligations under the DPA, as this decision gives individuals the confidence to enforce their rights against data controllers or data processors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
