| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 27 January 2024 |
| Decided: | 20 January 2025 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Victory Loch Owino v.s. Institute of Certified Public Accountants of Kenya |
| Case No.: | 0174 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
A data subject complained that the Institute of Certified Public Accountants of Kenya (1st Respondent) shared her data without consent for election campaigns. The ODPC found ICPAK did not share the data as she hadn't consented. Instead, 2nd, 4th, and 5th Respondents (aspirants) used her data without consent or direct collection, infringing her rights. The ODPC found them liable and ordered compensation.
The Complainant, Victory Loch Owino, lodged a complaint against the Institute of Certified Public Accountants of Kenya (1st Respondent). Her main allegation was that the 1st Respondent shared her personal data with various aspirants for the Institute's elections who then contacted her severally via calls, texts, and emails during the campaign period without her consent.
She stated that before the September 2023 elections, the Institute sent out consent forms asking members if their information could be shared with aspirants for campaign purposes. She indicated that she did not consent to her information being given to the aspirants. Despite purporting to seek consent, and despite her refusal, she alleged the 1st Respondent still shared her data.
She also indicated that the 1st Respondent did not inform her what data was being shared with the aspirants. She felt she was incapable of making an informed decision during the consent process, arguing the attempt at obtaining consent did not fulfil the informed consent criteria because they failed to specify what information would be shared, under what circumstances, and the safeguards employed. She sought compensation and other remedies.
The 1st Respondent (ICPAK): Stated it holds annual elections and is legally mandated by the Accountants Act and Regulations to prepare and furnish candidates with campaign and voter registers. It denied giving out the Complainant's name or details in the campaign register circulated to aspirants. They circulated consent forms on 16th August 2023, and as an additional precaution, double-checked emails to ensure members who did not give consent were not included in the campaign register. The 1st Respondent explicitly stated that the Complainant did not give consent, and as such, her name was not included in the campaign register shared with candidates. They claimed reliance on the Accountants Act and Regulations for providing details of consenting members. They also provide a voter register (name, registration number, status) for inspection, but this is distinct from the campaign register. Measures taken for compliance included developing a Data Protection Policy and applying for registration.
The 2nd Respondent: Stated he was not a data controller or processor. Claimed the Complainant's personal data was readily available from multiple sources and in public records, implying she implicitly consented or that no prejudice was occasioned. He argued the complaint relates to an election dispute under the Accountants Act. He alleged the ODPC lacked jurisdiction, citing various reasons including failure to exhaust alternative mechanisms and conflict with other rights/laws.
The 3rd Respondent: Stated she was not issued, nor did she have access to, a campaign register from the 1st Respondent. Claimed the Complainant's email and other information were acquired through informal sharing networks. She stated her action was singular, without malintent, and the data was not used for other purposes. This Respondent expressed interest in Alternative Dispute Resolution. The matter was successfully resolved through negotiation, and the Complainant withdrew the complaint against the 3rd Respondent.
The 4th Respondent: Opposed being enjoined. Denied liability, stating information was freely circulating on social media and different digital campaign forums. While acknowledging candidates are legally supposed to be provided data by the institute, he claimed he did not have access to such data from the 1st Respondent. He suggested the Complainant impliedly consented by not unsubscribing from emails.
The 5th Respondent: Alleged the violations were unsubstantiated as he is not a registered Data Controller or Processor. Claimed the Complainant's data came from friends and colleagues, not from the 1st Respondent or any registered entity. He stated the data was used strictly for disseminating election-related information and was not shared further. He also claimed the Complainant's names are publicly available on Google and the LSK Advocates search engine.
The ODPC conducted investigations, reviewing documents, the 1st Respondent's registers, and the relevant Acts and Regulations.