
Allen Waiyaki Gichuhi & 1 other vs Florence Mathenge & 1 other

Country: Kenya
Sources: ODPC Complaint No. 677 of 2022
Tags: Data Protection, Privacy, Breach

Summary

Applicants: Allen Waiyaki Gichuhi and Charles Wamae

Respondents: Florence Mathenge and Ambrose Waigwa.

The applicants submitted a complaint to the ODPC on 21st July 2022, the basis of which was third-party data sharing contrary to the provisions of the Data Protection Act. The applicants' complaint alleged that the 1st respondent shared and disclosed personal and sensitive information with a third party (the 2nd respondent) without the consent of the data subjects and applicants. Further, the third party in question was not entitled to any communication sent, as he was no longer an employee of the law firm associated with the applicants. The ‘personal and sensitive’ information shared through documents by the 1st respondent with the 2nd respondent included court pleadings of cases handled by the applicants' law firm, Wamae & Allen Advocates.

The applicants further complained that the 1st respondent shared the firm's trade secrets and intellectual property with the 2nd respondent without authorisation, noting that the sharing was in breach of section 72 of the Data Protection Act. The following issues for determination were identified:

  • Jurisdiction of the ODPC in determining issues raised by the applicants/complainants.
  • Whether there was a breach of the Data Protection Act.
  • Whether the complainants are entitled to any remedy under the Data Protection Act.

The ODPC determined that it had jurisdiction to hear the complaint as presented, since the complaints fell within the scope of the Data Protection Act and within its mandate to determine issues on data protection. However, the ODPC could not sufficiently identify any breach of data protection on the claims set out in the complaint, because the complainants failed to produce the shared documents that would have enabled the Data Commissioner to ascertain whether they contained personal and sensitive data.

As a result of the above findings, the ODPC dismissed the applicants' complaint, with the applicants being granted leave to appeal the matter.

Analysis

This case established key areas of focus in the application of the Data Protection Act: the jurisdiction of the ODPC to hear matters of a certain nature, and the application of the DPA to organisations and institutions whether or not they are registered as data controllers or processors.

Application of the Data Protection Act (DPA)

The DPA applies to any processing activities that relate to personal data. The complainants in this matter had to establish, as was their claim, that the respondents shared personal and sensitive data with third parties without authorisation. The documents shared included court documents, i.e., supporting documents, affidavits, applications, submissions, and legal opinions. In determining the complaint, the Commissioner relied on the definitions of personal and sensitive data provided under the DPA. Section 2 defines personal data as any information relating to an identified or identifiable person. Having analysed all the documents submitted before it by the respondents, the Commissioner established that most of the documents were already in the public domain, and that a complaint of a data breach could not be brought on documents already in the public domain. As such, the complaint on whether the documents constituted a breach of personal data was dismissed.

The Data Commissioner elaborated on the application of the DPA in establishing what constitutes a data breach, who a data subject is, and whether the applicants were in fact data subjects who could file a complaint. Section 56(1) provides that a data subject who is aggrieved may lodge a complaint with the Data Commissioner. A personal data breach by unauthorised sharing of company documents was the main basis of the complaint against the respondents. Under the DPA, a personal data breach is a breach of security leading to the accidental or unlawful loss, alteration, destruction, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.

A reading of the section and the facts of the case would suggest that there was a data breach occasioned by the unauthorised sharing of documents. However, that breach is negated by the fact that a complaint of breach cannot be brought on the basis of documents that are already in the public domain, as established earlier.

This case further establishes who is considered a proper complainant. The main complainants in this suit were partners in a jointly owned law firm. The DPA defines a data subject as an identified or identifiable natural person. An identified or identifiable natural person is further defined in the Act as a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, psychological, genetic, mental, economic, cultural or social identity. By this definition, it was established that a law firm (or any company or organisation), whether incorporated or unincorporated, cannot in its own capacity lodge a complaint for a personal data breach under the Act, as it is not categorised as a data subject.

Jurisdiction of the ODPC

The jurisdiction of the ODPC to hear the matter was called into question. The ODPC derives its jurisdiction from section 56(1) of the DPA on the lodging of complaints. The nature of the complaint is established under section 43(1) of the DPA: the complaint must concern the acquisition of, or access to, personal data by an unauthorised person, where there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access. The complaint to the Commissioner was grounded on section 72(1) and (2) of the DPA, which respectively cover the offences of unlawful disclosure and of unauthorised disclosure of personal data processed by a data controller. Based on these provisions and the facts of the case, the Commissioner rightfully established its jurisdiction to determine the complaint as brought before it.

Application of the DPA whether Registered as a Data Controller or not

A key highlight of the case was the determination that the DPA applies whether or not one is registered as a data controller. One of the main arguments of both complainant and respondent was that neither party, in its capacity, had registered as a data controller by the time the complaint was lodged, and that the provisions of the Act therefore could not apply retrospectively. The DPA defines a data controller as a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data. Registration of data controllers and processors is governed by section 18 and the Registration of Data Controllers and Data Processors Regulations, 2021. Under regulation 18, it is an offence to process personal data without registration in accordance with the Regulations. All persons, organisations or institutions processing any form of personal data are required to register as processors or controllers. Non-registration is an offence, not an exemption from the application of the DPA; as such, compliance with the Act is mandatory, and any breach of personal data can and will be dealt with by the ODPC.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows:

  • it must be processed fairly and lawfully,
  • it must be accurate and up to date,
  • it must be processed for specified, explicit, and legitimate purposes,
  • it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and
  • it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.