Simon Mukabane Okwomi vs. National Health Insurance Fund

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, data protection rights

Case Summary

On 15 September 2023, Simon Mukabane Okwomi filed a complaint with the Office of the Data Protection Commissioner (ODPC) against the National Health Insurance Fund (NHIF), alleging that NHIF had added unrelated individuals as beneficiaries on his NHIF card and had unlawfully removed his wife from the list of beneficiaries. Because of this error his wife was unable to use his card to obtain medical treatment. Okwomi asked for the immediate correction of the beneficiary list and sought compensation for the infringement of his data protection rights.

The ODPC investigated the complaint under the Data Protection Act, 2019 and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. NHIF admitted that an error in its system had allowed unrelated dependants to be added because the system lacked validation controls. NHIF also acknowledged that it had not rectified the error promptly, which left the complainant's wife unable to access medical services.

The Respondent's failure to correct the inaccuracies in Okwomi's NHIF cover was found to violate his rights under Sections 26 and 40 of the Data Protection Act, which provide for the correction and erasure of inaccurate, false or misleading data. NHIF's lack of effective controls over the accuracy of the data it held also showed non-compliance with Section 25 of the Act, which requires personal data to be accurate and, where necessary, kept up to date. Although the Respondent said it had eventually removed the unrelated dependants from the complainant's cover, it produced no evidence of this and did not demonstrate adequate corrective measures.

The request for correction of the data was addressed through an Enforcement Notice; the request for compensation was not granted, because the complainant did not provide detailed evidence of the financial loss he claimed. The final determination held NHIF liable for the infringement of the complainant's rights and for non-compliance with the Act, and an Enforcement Notice was issued requiring corrective action.

Issues for Determination

  1. Whether NHIF violated the complainant’s data protection rights under the Data Protection Act, 2019.
  2. Whether NHIF met its obligations as a data controller under the Act.
  3. Whether the complainant is entitled to any remedies under the Act and the relevant regulations.

Determination

The ODPC found that NHIF violated Okwomi's rights under Section 26 (d) and (e) and Section 40 of the Data Protection Act. The evidence Okwomi produced, including demand letters and a membership data summary, showed that his wife was initially listed as a beneficiary but was later removed, and that unknown dependants were added. NHIF's admission of the system error supported the conclusion that Okwomi's right to accurate and up-to-date personal data had been infringed.

NHIF did not fulfil its obligations under the Act. The absence of proper validation controls in its system led to incorrect data entries, and its response contained no proof of effective corrective action or of any verification process to prevent a recurrence, which amounts to non-compliance with the Act's requirements.

Okwomi sought the removal of the incorrect beneficiaries and compensation for the medical expenses he incurred as a result of NHIF's errors. The ODPC issued an Enforcement Notice to NHIF to secure correction of the data and compliance with the Act. Because the complainant did not quantify the compensation claimed or substantiate it with specific evidence, the request for financial compensation was not granted.

Analysis

On whether there was a violation of the complainant’s rights under the Act

Whether Simon Mukabane Okwomi's rights under the Data Protection Act, 2019 were violated turns on the evidence produced and the relevant provisions. Okwomi's complaint, supported by demand letters and screenshots of his NHIF data, shows that unrelated dependants were added to his NHIF card and that his wife was removed as a beneficiary, which prevented her from accessing medical services. Under Section 26 (d) and (e) of the Act, a data subject has the right to request the correction of false or misleading data and the deletion of such data. The Respondent admitted that a system update on 9 July 2023 introduced the error that allowed the unrelated dependants to be added; that admission confirms that the data held on the complainant's cover was inaccurate, and NHIF did not correct it when asked to do so. Section 40 (1) (a) and (b), which provides for the rectification and erasure of inaccurate data, further supports the complainant's claim. NHIF's failure to address these inaccuracies in a timely manner therefore constitutes a violation of the complainant's data protection rights.

On whether the Respondent fulfilled its obligations under the Act

Whether NHIF met its obligations under the Data Protection Act, 2019 is assessed against the data protection principles in the Act. The Respondent's failure to rectify the errors in Okwomi's NHIF cover after being notified of them indicates a breach of those obligations. Section 25 (f) requires a data controller to ensure that personal data is accurate and, where necessary, kept up to date, and to rectify inaccuracies promptly. NHIF's system update of 9 July 2023, which lacked the necessary validation controls, resulted in unrelated dependants being added to the complainant's cover, in breach of the accuracy principle. Section 41 further requires data controllers to implement data protection by design and by default, so that systems are built to prevent and to address inaccuracies in personal data. The Respondent's admission that its system controls were inadequate, together with its failure to demonstrate effective corrective measures, underscores a breach of these obligations.

On whether the complainant is entitled to any remedies under the Act and the attendant Regulations

Whether Okwomi is entitled to remedies requires evaluating his two requests: rectification and compensation. Regulation 14 (2) of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 requires the ODPC to determine the appropriate remedy, which may include correction of the data and compensation for damage suffered. The Respondent was found liable and an Enforcement Notice was issued to correct the inaccurate data. The compensation claim, however, was not upheld: the complainant did not quantify the medical expenses he sought to recover, and Regulation 14 (3) requires that the damage claimed be specified and justified before compensation can be awarded. The Enforcement Notice therefore secures the correction of the data, but the compensation claim could not succeed without detailed evidence of financial loss.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

A data controller is a natural or legal person who determines the purposes and means of processing personal data and is accountable for establishing and administering the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are that personal data:

  • must be processed fairly and lawfully,
  • must be accurate and kept up to date,
  • must be processed for specified, explicit and legitimate purposes,
  • must be adequate, relevant and not excessive in relation to the purposes for which it is processed, and
  • must be retained for the period specified by law, or for no longer than is necessary for the purpose of processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.