Cases
Jeff Nduko vs One Acre Fund/ODPC
Attachments:
Complaint No. 0574 of 2023 - link
The Complainant, Jeff Nduko, filed a complaint against One Acre Fund regarding the unwarranted and unlawful use of personal data. Specifically, the Complainant alleged that the Respondent infringed on his right to privacy by sending unwarranted messages and making unnecessary calls requiring the Complainant to pay back a loan that the Complainant never took. The Complainant stated that he had been receiving messages from the Respondent despite not being a client or having used the Respondent's services or products.
In response to the complaint, the Respondent admitted that they had erroneously entered the Complainant's phone number into their database, mistaking it for another client's number. They clarified that the Complainant was not and had never been a client of the organisation, and that they did not have access to the Complainant's personal information apart from the mistakenly entered phone number. Furthermore, the Respondent emphasised that they took immediate steps to rectify the error upon notification of the complaint. They updated their records to ensure that the Complainant no longer received messages from them. The Respondent highlighted their compliance with the Data Protection Act, 2019, and its regulations, indicating their commitment to data protection standards. To demonstrate this commitment, the Respondent outlined various mitigation measures they had implemented or planned to implement to address the complaint effectively. These measures included stopping the loan repayment messages to the Complainant, organising additional data protection training for staff, implementing phone number verification steps in the customer enrollment process, and improving data validation mechanisms in their systems.
Issues for Determination
The issues for determination in this case were:
1. Violation of Data Protection Principles:
The primary issue was whether the Respondent, One Acre Fund, had violated the principles of data protection as outlined in the Data Protection Act, 2019. This included the processing of personal data obtained from customers, specifically the erroneous processing of the Complainant's phone number.
2. Compliance with Data Protection Regulations:
Another key issue was to assess the Respondent's level of compliance with the Data Protection Act, 2019, and its regulations. This involved examining the Respondent's data protection policies, procedures, and mitigation measures adopted to address the complaint.
3. Rectification of Data Processing Error:
A crucial aspect of the determination was to evaluate the Respondent's response to the data processing error, specifically the steps taken to rectify the Complainant's data stored in their system. This included verifying the correction of the erroneous personal data without delay.
4. Resolution of the Complaint:
The overarching issue was to determine whether the Respondent's actions, including the implementation of mitigation measures and compliance with data protection laws, were sufficient to resolve the complaint filed by the Complainant. This involved assessing the effectiveness of the Respondent's response in addressing the privacy infringement and unwarranted messages received by the Complainant.
Determination
The Office of the Data Protection Commissioner made the following determinations based on the complaint:
1. The Respondent, One Acre Fund, acknowledged and rectified the error in storing the Complainant's data in its system after the complaint was raised. The Complainant confirmed the correction and rectification of their data.
2. The Complainant did not initially exercise his right under the Data Protection Act, 2019, to address the issue directly with the Respondent but brought the complaint to the Data Protection Commissioner's office as the first point of contact.
3. The crux of the complaint revolved around the principles of processing personal data, particularly the erroneous processing of the Complainant's phone number instead of a client's number.
4. The Respondent provided evidence of mitigation measures taken, such as stopping the loan repayment messages to the Complainant, organising additional data protection training for staff, implementing phone number verification steps, and improving data validation mechanisms.
5. The Respondent demonstrated a commitment to compliance with the Data Protection Act and its regulations, as evidenced by providing their company's certificate of registration as a data controller and their data protection policy.
6. The Data Commissioner noted that compliance with data protection laws is an ongoing process that requires not only documentation but also implementation and operationalization of data protection measures.
7. The Data Commissioner closed the determination based on the findings of the investigation, considering the Respondent's corrective actions, the Complainant's confirmation of the correction, and the evidence of compliance and mitigation measures provided by the Respondent.
Case Analysis
This case highlighted the fact that more citizens are now aware of their data protection rights and the avenues through which they can file complaints on infringement of rights. It also demonstrated that companies are now aiming to be more compliant with the provisions of the Data Protection Act through mechanisms and processes put in place to safeguard client/customer personal data, as well as in-house complaint resolution before a complaint is filed with the Office of the Data Protection Commissioner. The following key issues were observed:
1. Data Processing Error: Data processing errors are likely to occur when the principles of data protection prescribed under section 25 of the DPA are not taken into consideration. The principles of data minimization and lawfulness may not have been strictly applied in the data collection processes. Notably, privacy by design, as highlighted in section 41, would have prevented such a data processing error, as the Respondent must have accessed the Complainant's contacts in the same way although he did not apply for a loan service. The complaint stemmed from an erroneous data processing incident where the Respondent mistakenly stored the Complainant's phone number instead of a client's number. This error led to the Complainant receiving unwarranted messages regarding a loan he did not take.
2. Compliance and Mitigation Measures: The Respondent, One Acre Fund, demonstrated compliance with the Data Protection Act, 2019, by promptly rectifying the data processing error upon notification of the complaint. They also provided evidence of mitigation measures taken, such as stopping the loan repayment messages to the Complainant and enhancing data protection training for staff. Mitigation is one of the key elements of rectifying a data breach provided for under section 43(5)(c) of the DPA.
3. Cooperation and Transparency: The case underscores the importance of cooperation and transparency in addressing data protection complaints. The Respondent's willingness to acknowledge the error, take corrective action, and provide evidence of compliance and mitigation measures played a crucial role in the determination.
4. Complaint Procedures and Mechanisms: The Data Commissioner's final determination closed the complaint, recognizing the Respondent's efforts to rectify the data processing error and comply with data protection regulations. The Complainant's confirmation of the correction further supported the resolution of the case. Section 43(6) of the DPA notes that in the event of a breach, where the data controller or data processor has implemented appropriate security safeguards, there is no further need to report the breach and, in this case, no need to have filed a complaint with the Office of the Data Protection Commissioner.
This case brings out the importance of accurate data processing, proactive compliance with data protection laws, and swift resolution of data protection complaints. It highlights the need for continuous improvement in data management practices, demonstrating the progress already being made and the significance of accountability and transparency in data processing activities.