| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | No Violation |
| Started: | 12 March 2025 |
| Decided: | 9 June 2025 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Martin Gikonyo vs. Kingdom Bank Limited |
| Case No.: | 0372 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Martin Gikonyo alleged Kingdom Bank unlawfully shared his personal data, including disability status, with the National Council of People with Disability and Consolidated Bank during an employment dispute mediation attempt. The Office found no violation, determining that the shared correspondence did not strictly identify the Complainant, and thus, the complaint was dismissed.
The Complainant had been employed by the Respondent since 2013 as a Senior Audit Officer. The employment dispute involved allegations of discriminatory treatment based on his disability. The Complainant’s Advocate sent an email and letter to the National Council for Persons with Disabilities (NCPWD) seeking intervention through mediation without the Complainant’s express consent, thereby disclosing his disability status and details of the employment dispute to a third party. The Complainant contended that this inadvertent disclosure further exposed his sensitive personal data without consent.
The Complainant subsequently lodged a complaint with the Office of the Data Protection Commissioner. In response, the Respondent stated that the Complainant had raised an employment dispute involving allegations of disability-based discrimination. The Respondent explained that their engagement with the Council was due to the Complainant being a registered member and that their enquiries were strictly limited to assessing the Council’s capacity and willingness to mediate. They asserted that no sensitive personal information about the Complainant was shared.
The Respondent further stated that they had notified the Complainant of their intent to engage the Council, in the spirit of transparency, and that the Complainant participated in the correspondence. Regarding the inclusion of Consolidated Bank of Kenya Limited, the Respondent’s counsel argued that this occurred due to inadvertently copying one of the enquiry emails while corresponding with the Council, and that the act was accidental and not directly attributable to the Respondent. Ultimately, the Complainant declined to pursue mediation through the Council, which effectively ended further discussions.
The Office of the Data Protection Commissioner (ODPC) limited its scope strictly to the data protection allegations, deliberately delinking from the underlying employment grievance. The primary issue for determination was whether the Respondent had violated the Data Protection Act and its attendant regulations by sharing the correspondence.
The ODPC reviewed the contents of the email correspondences that were adduced as evidence. The determination centered on the definition of personal data and whether the information shared could strictly identify the Complainant. The Office found that:
The ODPC therefore concluded that the email correspondences did not have any personal data that could be used to strictly identify the Complainant. As such, there was no violation of the Act and its attendant regulations.