Benjamin Muthengi v ABSA Bank Kenya PLC

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, compliance

Case Summary

In February 2021 the Complainant opened an account with the Respondent. The Complainant averred that each time he transacted with his registered phone number, he did not receive transaction notifications on his phone. The Complainant visited the Respondent's River Road Branch in 2021 to find out why he was not receiving transaction notifications. Upon further investigation, the Respondent discovered that it had entered the wrong number into its database, and the Complainant was requested to fill in a Change Request Form to update the number.

Via an email on 20th March 2021, the Respondent informed the Complainant that his number was updated. The Complainant confirmed that shortly after, he began receiving the transaction notifications. However, in April 2021, after receiving a loan from the Respondent, he stopped receiving any transaction notifications. The Complainant updated his number again.

In February 2023, the Complainant applied for another loan, and when it was processed, he stopped receiving transaction notifications. 

Furthermore, on 7 April 2023, the Complainant received a call from an unknown individual with a similar phone number, informing him that they were receiving the Complainant's Bank-Mpesa transaction notifications.

Additionally, the Complainant averred that he was charged additional costs when sending money to family and friends.

The Respondent stated that the reason for the Complainant not receiving transaction notifications was an error in which the Complainant's number was incorrectly captured on its system. The Respondent further contended that neither the Complainant's account number nor his card number was shared with any third party. Furthermore, the Respondent claimed that all additional costs were refunded to the Complainant.

Issues for Determination

  1. Whether there was an infringement of the Complainant's personal data under the Act
  2. Whether the complaint was sufficiently addressed by the Respondent
  3. Whether the Complainant is entitled to the remedies under the Act

Determination

The case centered on ABSA Bank's repeated errors in capturing the complainant's phone number, leading to failures in transaction notification and privacy breaches. Despite corrective actions taken by the bank, the recurring nature of these errors suggests deeper systemic issues in data management practices that need addressing.

ABSA Bank demonstrated a degree of responsiveness by updating the complainant's phone number whenever errors were brought to its attention. However, the repetitive nature of the issue indicates a need for the bank to strengthen its data verification and update processes.

Data Protection Compliance:

The bank contended that its actions were compliant with Section 25 of the Data Protection Act, which emphasizes accuracy, minimization, and privacy of personal data. It corrected the phone number and refunded the additional transaction costs, aiming to align with these legal principles. The ODPC ultimately concluded that the bank had upheld the complainant's rights by resolving the errors without further penalties.

Analysis

  1. Accuracy and Management of Personal Data

The core of this case lies in the repeated incorrect capture of the complainant's phone number by the respondent, leading to multiple instances over several years where the complainant did not receive transaction notifications. The issue was compounded by a third party inadvertently receiving these notifications, raising significant concerns about privacy and data security. Although the respondent took corrective actions, the recurring nature of the problem points to potential systemic issues in data management practices.

  2. Responsiveness and Remedial Actions

Each time the error was recognized, the respondent provided a remedy by updating the phone number upon the complainant's request. This demonstrates a degree of responsiveness. However, the repeated occurrence of the same issue suggests that the underlying processes for data verification and update need strengthening to prevent future errors.

  3. Data Protection Compliance

The respondent contended that its actions were in compliance with Section 25 of the Data Protection Act, which emphasizes the need for accuracy, minimization, and privacy of personal data. By ultimately correcting the phone number and refunding the additional transaction costs, the respondent aimed to align with these principles.

Significance of the Case:

This complaint highlights the importance of robust data management systems that not only prevent errors from occurring but also have effective mechanisms for quickly rectifying issues when they arise. It underscores the need for financial institutions to invest in technologies and processes that ensure data accuracy and privacy.

The case serves as a reminder of the legal obligations under the Data Protection Act to protect consumer data and provide transparent mechanisms for correcting any inaccuracies. It stresses the importance of these frameworks in building consumer trust and confidence in digital banking platforms.

From a consumer rights perspective, this case reinforces the right of individuals to have their data managed correctly and to receive timely remedies when errors occur. It also places a responsibility on institutions not only to address complaints but to take proactive measures to improve their data handling processes and prevent similar incidents.

Broader Impact on Trust in Digital Transactions:

Frequent issues with transaction notifications can undermine trust in digital banking systems. Ensuring that such systems work flawlessly is crucial for the broader acceptance and reliability of digital financial services.

In conclusion, while the ODPC found that the rights of the complainant were upheld and the case was resolved without further penalties to the bank, the recurring nature of the problem highlights areas for improvement in the bank's operational handling of personal data. This case is a clear indicator of the ongoing challenges in data management within the financial sector and of the need for continuous improvement in compliance with data protection laws.

Frequently Asked Questions
A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: personal data must be processed fairly and lawfully; it must be accurate and up to date; it must be processed for specified, explicit, and legitimate purposes; it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed; and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.