The Office of the Data Protection Commissioner (ODPC) has ordered NCBA Bank to pay Ksh250,000 over a data privacy breach involving the mishandling of a customer’s email address.
The ODPC imposed the fine after a report of a data privacy breach that resulted in the repeated disclosure of confidential business information to an unintended recipient.
The penalty follows a complaint lodged on October 22, 2024, by a business owner whose efforts to have NCBA update his correct email address were “repeatedly ignored”.
According to court documents seen by The Kenya Times, the dispute traces back to May 29, 2019, when the complainant opened a business account under the name Versilia Enterprises at NCBA’s Lavington Branch.
During the process, two different email addresses were inadvertently provided, only one of which was valid and regularly used by the complainant.
NCBA was accused of sending sensitive transaction details to the incorrect email address, which belonged to an unrelated third party, despite numerous requests and reassurances from the bank’s agents that the correction had been made.
Details of the case
The issue escalated in June 2023 when the complainant initiated a transaction involving a Japanese company at NCBA’s Westlands Branch.
However, the bank emailed the details of the transaction to the wrong recipient.
This prompted the third-party recipient, who had no affiliation with the complainant or NCBA, to contact the bank, questioning why she was receiving confidential business emails.
“The Complainant stated that the said third party one B***G******* owner of email address b********@gmail.com wrote back to the respondent enquiring why she was receiving emails and details of various transactions, yet she does not maintain any accounts with the respondent,” read part of the ruling.
The complainant followed up in person at the Westlands Branch in July 2023, once again requesting the email address be corrected.
Although NCBA agents confirmed the update had been implemented, the complainant discovered in February 2024 that his business emails were still being sent to the incorrect address.
Further, the complainant averred that the respondent negligently declined to update the correct email address for the business and continues to share the business transaction details with the said third party.
The ODPC found NCBA guilty of failing to rectify the complainant’s personal data despite having adequate time and opportunity to do so.
NCBA bank found guilty
The regulator noted that this negligence amounted to a violation of the Data Protection Act, citing the bank’s continued sharing of personal and business information with an unintended third party as a serious breach of privacy.
“The respondent is hereby found liable for violating the complainant’s right to erasure under Section 40(1)(b) of the Act.
The respondent is hereby ordered to compensate the Complainant Kenya Shillings Two Hundred and Fifty Thousand (Ksh250,000),” the ruling adds.
Before the determination, NCBA was asked to provide the regulator with a response to the allegations made against it by the complainant, any relevant materials or evidence in support of the response, and a detailed procedure on how data subjects can exercise their rights.
The bank was also tasked to provide the data protection policy addressing issues on data accuracy, rectification and erasure, mitigation measures adopted or being adopted to address the complaint to the satisfaction of the complainant and to ensure that such occurrence mentioned in the complaint does not take place again, and any other relevant information that the lender wished the ODPC to consider.
According to the regulator, the respondent submitted its response to the notification of complaint vide a letter dated November 13, 2024.
“This determination is therefore as a result of analysis of the complaint as received, the response submitted by the respondent and investigations conducted by the Office,” the ruling reads in part.
Parties have the right to appeal this determination to the High Court of Kenya within thirty days.