
Grace Gatambu v AAR Healthcare Kenya Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, health data, data protection rights

Case Summary

The complaint relates to the sharing of the confidential medical information of Grace Gatambu (hereinafter ‘the Complainant’), contained in a medical form that pertained to her treatment at the Roysambu clinic of AAR Healthcare Kenya Limited (hereinafter ‘the Respondent’) during December 2021. The information was leaked to a third party without the Complainant’s consent and was then used in January 2022 by that third party to market insurance products to the Complainant. Upon inquiring with the insurance agent, the Complainant learned that her contact details had been obtained from the medical form, which the Respondent had shared with the agent. The Respondent provided a verbal apology for this; however, the Complainant demanded a written acknowledgement and apology, along with an assurance that such a breach would not happen again to her or to any other client. The Respondent did not act on this demand.

The evidence adduced by the Complainant showed how the form she filled out at the Respondent was, in fact, shared with the insurance agent. For their part, the Respondent’s staff responsible for the breach were extremely remorseful about the incident and had been made aware of the situation by the Complainant.

The Respondent stated that they regarded the actions of the recipient of the email as malicious and believed they would disparage the name and conduct of AAR Healthcare Kenya Limited. They further stated that they used an email disclaimer as one of their technical and organisational safeguards, and that they continued to educate their staff on the data protection laws of Kenya.

Issues for determination

It was undisputed that the Respondent shared the Complainant’s medical information with a third party, so this was not treated as an issue. The following matters were considered instead:

1. Whether the Respondent applied the Principles of Data Protection in processing the Complainant’s personal data

2. Whether the Respondent violated the Complainant’s rights as a data subject

Determination

The Respondent was found liable for violating the Complainant’s rights by failing to apply the principles of the DPA, and an enforcement notice was issued to the Respondent. This finding was in line with the rights of a data subject, as well as the Regulations that prohibit the use of sensitive personal data unless permitted under Section 25 of the Act. Further, such data must not be used for direct marketing, as set out in Regulation 15(1) of the General Regulations within the DPA (2021).

Analysis

1. Whether the Respondent applied the Principles of Data Protection in processing the Complainant’s personal data

Health data falls specifically under sensitive personal data, which is highly safeguarded by Section 44 of the Act, barring any form of processing unless it falls within the scope of Section 25 of the Act (the purpose limitation principle). The Respondent violated the principle of purpose limitation, as the data was used for purposes other than that for which it was originally collected. The principles of fairness and transparency, provided for under Section 29 of the Act, were also violated.

2. Whether the Respondent violated the Complainant’s rights as a data subject

By not informing the Complainant, at the point of collection, of the use to which her personal data was to be put, the Respondent violated her right to be informed. Her right to object to processing, such as the disclosure to an insurance agent, was also violated through the Respondent’s fault. In addition, the Respondent violated her right to erasure by not taking measures to instruct the agent to erase the Complainant’s personal data; the Respondent’s assertion that they have disclaimers did not cure this further infringement of the Complainant’s rights.

No evidence of such disclaimers was presented to the ODPC, and no such attachment was found in the record of emails between the parties.

Therefore, the Respondent violated the rights of the Complainant by failing to adhere to the principles of processing personal data under the DPA.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.