Barrack Manono Shironye v. Equity Bank Ltd

Cases Detail

Cases

Barrack Manono Shironye v. Equity Bank Ltd

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection,privacy breaches,data processing,data disclosure,compliance

Case Summary

The case is a comprehensive determination issued by the Office of the Data Protection Commissioner in response to a complaint filed by Barrack Manono Shironye against a financial institution, Equity Bank Kenya Ltd. The complaint alleges a violation of the complainant's right to privacy, specifically related to the disclosure of personal information to a debt collector, despite the complainant having settled their debt with the respondent.

The determination begins with an introduction, outlining the nature of the complaint and the respondent's refutation of the claims. It references the legal basis for the determination, citing relevant sections of the Data Protection Act, 2019, and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. This sets the stage for the subsequent analysis of the evidence presented by both the complainant and the respondent.

The case then delves into a summary of the evidence adduced, categorising it into the complainant's evidence and the respondent's evidence. The complainant submitted screenshots of a text message from Elite Debt Management, identified as Elite Debt Management by the respondent, asking for debt repayment. On the other hand, the respondent provided information about the complainant and the loan in arrears submitted to debt collectors for recovery, along with emails notifying and updating the debt collectors on the status of outsourced loans and data processing agreements.

The determination proceeds to address specific issues for determination, including whether the respondent infringed on the complainant's right to privacy, whether the respondent demonstrated compliance with the Data Protection Act, and whether the complainant is entitled to the remedies sought for the alleged breach. Each issue is thoroughly analysed, referencing relevant sections of the Act and regulations.

After careful consideration of the evidence, the determination concludes that the respondent did not infringe on the complainant's right to privacy. The ODPC dismisses the complaint against Equity Bank Kenya Ltd and provides the option for the complainant to appeal the determination to the High Court of Kenya within 30 days.

Issues for determination

The issues for determination in the case are as follows:

  1. Whether the Respondent infringed on the Complainant's right to privacy according to the Act.
  2. Whether the Respondent has sufficiently demonstrated compliance with the Data Protection Act with regards to the Complainant's issues.
  3. Whether the Complainant is entitled to the remedies sought for the alleged breach.

Determination

The determination of the case is that the complaint against Equity Bank Kenya Ltd is dismissed. The Data Commissioner found that the Respondent did not infringe on the complainant's right to privacy and has sufficiently demonstrated compliance with the Data Protection Act with regards to the Complainant's issues. Additionally, the determination states that the complainant has the right to appeal this determination to the High Court of Kenya within 30 days.

Analysis

The case involves a complaint filed against Equity Bank Kenya Ltd by a client, Barrack Manono Shironye, alleging a violation of the client's right to privacy. The determination provides a comprehensive analysis of the evidence, legal provisions, and relevant regulations to arrive at a decision regarding the complaint.

The determination begins by outlining the context of the complaint, which revolves around the respondent's disclosure of personal information to a debt collector despite the complainant having settled their debt with the respondent. The evidence submitted by both the complainant and the respondent is thoroughly examined. The complainant provided screenshots of a text message from Elite Debt Management, while the respondent submitted information about the complainant and the loan in arrears submitted to debt collectors for recovery, along with emails notifying and updating the debt collectors on the status of outsourced loans and data processing agreements.

The determination addresses the specific issues for determination, which include whether the respondent infringed on the complainant's right to privacy according to the Data Protection Act, whether the respondent has sufficiently demonstrated compliance with the Data Protection Act with regards to the complainant's issues, and whether the complainant is entitled to the remedies sought for the alleged breach.

After a detailed analysis of the evidence and relevant legal provisions, the determination concludes that the complaint against Equity Bank Kenya Ltd is dismissed. It is determined that the respondent did not infringe on the complainant's right to privacy and has sufficiently demonstrated compliance with the Data Protection Act with regards to the complainant's issues. Additionally, the determination states that the complainant has the right to appeal this determination to the High Court of Kenya within 30 days.

 

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.