Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

The Complainant's CRB report was disclosed by the Respondent's employee to Pauline Muvya, who used it in court. The Bank was found liable for failing to prove a lawful basis for sharing the data and breaching security safeguards. An Enforcement Notice was issued. Pauline was deemed criminally liable for failing to appear before the ODPC.

Facts

The Complainant, Victor Akidiva, alleged that his CRB report was disclosed by the Respondent (Co-operative Bank of Kenya Limited) to a third party named Pauline Kanini Muvya (Pauline). The Complainant was a client of the Respondent, holding a personal loan. Pauline subsequently submitted this CRB report as evidence against him in an ongoing children's court case. The Complainant reported the matter to the police and raised the issue with the Respondent. Further, the Complainant alleged that a confirmation from TransUnion CRB showed the report was generated by a user within the Respondent Bank.

The Respondent informed the Office that the Complainant was a former staff member and they were investigating the complaint. The Respondent admitted that a member of its staff, who had the right to generate CRB reports in the course of her duties, accessed the Complainant’s CRB report. This staff member claimed the report was generated regarding non-performing loans in her portfolio, and she asserted that she did not issue the report to non-account holders. However, the Respondent claimed it was unable to establish that the same report was shared with Pauline and lodged investigations with the Directorate of Criminal Investigations (DCI) to determine how Pauline obtained the report. The Respondent also stated that it had taken steps, such as core briefs and a Data Protection Policy, to sensitise its employees on data privacy.

The Office of the Data Protection Commissioner (ODPC) found that the Complainant's rights were violated by both the Respondent and Pauline.

Regarding the Respondent, the Office found that:

• The Respondent failed to fulfil its obligations under the Act.
• The Respondent failed to discharge the burden of proof to establish how the Complainant's personal data was shared with a third party without his consent.
• The Respondent, being unable to establish the circumstances under which the CRB report was shared with Pauline, failed to demonstrate that they had a lawful basis to further process the Complainant's data by sharing it with a third party. This violated the Complainant’s right to be informed of the use of his data.
• The Respondent, as a Data Controller, failed to implement appropriate technical and organisational measures necessary to integrate safeguards for data protection throughout the processing, which is a breach of Section 41 of the Act.

Regarding Pauline Kanini Muvya, the Office found that:

• Pauline accessed the Complainant's personal data contrary to the provisions of the Act.