Douglas Muiruri Mbugua v Standard Chartered Bank Kenya Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, data protection rights

Case Summary

The Complainant worked for the Respondent from 21 September 2015 until 10 March 2022, when his employment was terminated. The termination was based on allegations of corruption against the Complainant.

Through the complaint, the Complainant alleged that the Respondent obtained and recorded a telephone conversation between himself and a third party, resulting in his termination. 

As such, the Complainant alleged that the Respondent mishandled his personally identifiable data by recording him without his consent. Stating that he was not informed of the capture and use of his personal data or given an option to object to the process, the Complainant stated that the actions infringed his rights as a data subject under Sections 26 and 29 of the Data Protection Act. In addition to these sections, the Complainant also stated that there was a breach of Section 30 of the Act because the Respondent processed his personal data without consent, leading to unemployment as well as physical and psychological trauma.

As part of his evidence, the Complainant provided a forensic report on the alleged breach alongside a forwarding letter with recommendations, a letter of termination of his employment contract (indicative of gross misconduct on his part) and two witness statements.

On the other hand, the Respondent provided copies of documents relevant to the matter. They indicated that the Complainant signed, and was informed through, his employment contract that the Bank collected personal data through the monitored telephone systems of the Group, under which the phone call in question fell.

The Respondent also acknowledged that the telephone conversation became a matter of public record as a result of the Milimani Employment and Labour Relations Court’s directive in May 2023, a directive that the Complainant did not view at the time as an infringement of his right to privacy. They further stated that the Complainant’s information was processed as a result of the controls they have put in place to monitor business conducted on the company’s communication lines, and placed reliance on Section 36 of the Data Protection Act, which provides for ‘compelling legitimate interest’ as an exemption to the processing of data. This exemption was relied on to give the Complainant a fair hearing. They further reaffirmed that the information collected is retained and stored in a manner that meets legal requirements and was used as evidence during their investigation process in line with their policies and standards.

Issues for determination

  1. Whether the Respondent breached the Complainant’s rights under the Act; 
  2. Whether the Respondent fulfilled the duty to notify under Section 29 of the Act; and
  3. Whether there was any legal basis relied upon to process the Complainant’s telephone conversation recordings as per Section 30 of the Act.

Determination

The ODPC therefore concluded that the Respondent did not breach the Complainant’s rights under the DPA. The Respondent also had a legal basis to process the personal data and, aside from their legitimate interest, fulfilled their duty to notify the Complainant of this through the employment contract.

Analysis

  1. Whether the Respondent breached the Complainant’s rights under the Act 

The Complainant was informed of the use to which his personal data was to be put by acknowledging and signing his employment contract, and the Respondent thereby upheld Section 26 of the Act. In addition, Section 36 of the Act was rightfully applied: under this exemption, a data controller that demonstrates a compelling legitimate interest in the processing can override the data subject’s interests. As the Respondent was conducting internal investigations into an allegation, the recording would be used in this matter, overriding the Complainant’s interest to object to the processing of the telephone conversation (in respect of which they also obtained a court order).

Therefore, the Complainant’s rights were not breached by the Respondent, as he was duly informed of the use of his personal data via the employment contract and the application of legitimate interest.

  2. Whether the Respondent fulfilled the duty to notify under Section 29 of the Act

Section 29 places an obligation on data controllers, inter alia, to inform the data subject, before collecting personal data, of their rights under Section 26 and of the fact and purpose of collecting personal data. The employment contract between the parties clearly indicated the monitoring practices in place, alongside the consent of the employee to the processing of his personal data in the context of his employment.

Therefore, the Respondent duly informed the Complainant of the collection and purpose of personal data, and the Complainant failed to substantiate his allegations of breach despite asserting them.

  3. Whether there was any legal basis relied upon to process the Complainant’s telephone conversation recordings as per Section 30 of the Act

The right to privacy as envisaged by Article 31 has exemptions, such as those in Section 30 of the Act, with respect to the processing of personal data by data controllers and processors. It calls for consent of the data subject when it is necessary for the performance of a contract to which they are subject, in this case the employment contract.

There was a legitimate interest in the processing of personal data through the telephone conversation, as supported by the court order and the employment contract, which served as the legal basis for processing it.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.