Shakunt R. Shah vs. Prime Bank Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, consent

Case Summary

In the case of Shakunt Shah v. Prime Bank Limited, Shakunt Shah filed a complaint with the Office of the Data Protection Commissioner (ODPC), alleging that Prime Bank disclosed his joint bank account details without his consent, resulting in financial loss and reputational damage. Shah sought compensatory damages and civil discipline against the bank. Prime Bank contended that the disclosure was legally required and made to the executors of the estate of the late Mrs. Sudha Shah. The ODPC investigated and determined that Prime Bank had a lawful basis for processing Shah's personal data, dismissing the complaint and denying the remedies sought.

Issues for Determination

  1. Was there a lawful basis for the processing of Shakunt Shah's personal data by Prime Bank?
  2. Did the disclosure of Shah's joint bank account details constitute an unauthorised personal data breach?
  3. Is Shakunt Shah entitled to the remedies sought, including compensatory damages and civil discipline?

Determination

The ODPC determined that Prime Bank had a lawful basis for processing Shah's personal data, the disclosure did not constitute an unauthorised breach, and Shah was not entitled to the remedies sought.

Analysis

On whether the complainant's claim of infringement of his right to privacy by the respondent has merit according to the Data Protection Act

The ODPC found that Prime Bank had a lawful basis for processing Shah's personal data as required under the Data Protection Act. The bank's disclosure was made to the executors of the estate of the late Mrs. Sudha Shah, who had a legal right to access the account information. This lawful basis aligns with the provisions allowing data processing for compliance with legal obligations.

The key issue was whether Prime Bank Limited's disclosure of the Complainant’s personal data to the executors of the late Mrs. Sudha Shah’s estate constituted a violation of the Data Protection Act. Section 30(1)(b) of the Data Protection Act allows for the processing of personal data when necessary for compliance with a legal obligation. The Respondent disclosed the joint account details upon receiving instructions from the legal executors, who provided the required legal documentation. This documentation included the grant of probate, establishing their authority to access the account information.

The Data Protection Act requires that personal data be processed lawfully, fairly, and transparently. Prime Bank’s actions were consistent with these requirements, as they acted under a legal obligation to provide the information to the executors. This legal basis is further supported by Section 27 of the Law of Succession Act, which grants executors the right to access and manage the deceased’s estate, including joint bank accounts.

On whether the respondent in its actions or otherwise caused a personal data breach against the complainant 

Regarding whether the disclosure constituted an unauthorised personal data breach, the ODPC concluded that it did not. Since the executors were legally authorised to receive the account details, the bank's actions were justified and did not violate data privacy regulations. A personal data breach involves unauthorised access, disclosure, or loss of personal data. The Respondent demonstrated that the data was disclosed only to the authorised legal executors, which does not constitute a breach. The Complainant did not provide sufficient evidence to support the claim that his data was disclosed to any unauthorised third party. The Respondent’s actions were aligned with the Data Protection Act’s provisions, specifically Section 40(1), which outlines conditions for lawful processing, including compliance with legal obligations.

On whether the complainant is entitled to the remedies sought for the alleged breach

Lastly, on the issue of entitlement to remedies, the ODPC denied Shah's request for compensatory damages and civil discipline against Prime Bank. The investigation revealed that the bank acted within the legal framework; thus, Shah's claim for remedies lacked merit. This decision highlights the necessity for complainants to substantiate their claims with evidence of unlawful processing or breach of data privacy.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.