Safaricom Fined After Company Shares Ex-Employee ID

The Office of the Data Protection Commissioner (ODPC) has fined telecommunication giant Safaricom and healthcare product dealer Becton Dickinson (BD) East Africa Ksh 250,000 each for a data breach.

The case arose from a complaint filed on November 27, 2024, after Becton Dickinson East Africa shared the ex-employee Catherine Kainyu Murithi’s national ID with Safaricom without her consent.

Consequently, Safaricom transferred the employee’s SIM card from the company’s corporate account to her personal account without direct authorization.

The ODPC ruled that both companies violated Kenya’s Data Protection Act by processing the complainant’s personal data without consent.

As a result, they were each fined Ksh 250,000 and directed to implement measures to prevent future violations.

Safaricom Fined After Becton Dickinson Shares Ex-Employee ID

ODPC found that the respondents were liable for infringement of the Complainant’s rights right to be informed under Section 26(a) of the Act and for the unlawful processing of the Complainant’s personal data without her consent.

“The Data Commissioner therefore makes the following final determination. The 1^st Respondent to pay the complainant a sum of Kenya Shillings Two Hundred and Fifty Thousand (Ksh250,000) as compensation,” ODPC ruled.

“The 2nd Respondent to pay the Complainant a sum of Kenya Shillings Two Hundred and Fifty Thousand (Ksh 250,000) as compensation.”

Also Read: Safaricom Money Market Fund for Islam Faithfuls Approved

According to the complainant, who was employed by BD as the Global Health Leader for Africa, upon her hiring on August 16, 2021, BD’s Office Administrator requested various personal documents, including her national identity card, marriage certificate, and KRA PIN certificate.

Although she provided these documents, she was not informed about how her personal data would be used or shared.

The complainant expected her information to be handled securely and not disclosed without her consent.

Company Shared Catherine Kainyu’s Details After She was Sacked

After her employment was terminated on September 30, 2024, due to redundancy, the complainant discovered that BD’s Office Administrator had shared her national ID with Safaricom to facilitate the transfer of her mobile number from BD’s account to her personal account.

This transfer occurred without her consent and raised concerns about the legality of sharing her sensitive information.

The complainant further stated that not only was her national ID shared without authorization, but her personal data was also mishandled by BD and Safaricom during the process.

The Complainant stated that asking Safaricom to terminate or deactivate the BD billed line was in order and was the only administrative action that BD was supposed to execute.

“However BD went ahead to unlawfully share the Complainant’s National ID card details and copies to third parties (Safaricom) including cross-border transfer of her data to persons not known to her (L*** M*********” finance department, BD, South Africa and K***** R¥*KHHE (Trainee,BD South Africa) without the Complainant’s consent,” read part of the case documents seen by The Kenya Times.

Also Read: Safaricom Announces Internship Opportunities for Graduates & Students

Emails Show How BD Authorized Safaricom to Transfer Ex-Employee’s Number

Emails revealed that BD authorized Safaricom to transfer the complainant’s mobile number without her involvement, which she argues was a violation of her privacy rights.

BD, through the Office Administrator, informed Safaricom as follows: “Greetings B**** T hope you are doing well. Please note that Catherine Murithi +254 7******** is no longer with BD,” the ruling further read.

“Please help transfer her line above, including accumulated bonga points from the BD account to her personal use, effective immediately. Her ID number is Q¥##KEEEX, kindly let us know once actioned and in case you have any questions.”

OPDC said both BD and Safaricom, as data controllers and data processors by their acts or omissions, initiated a security breach that affected the dignity, confidentiality, integrity and availability of the Complainant’s personal data, resulting in a personal data breach.

Follow our WhatsApp Channel and join our WhatsApp Group for real-time news updates.