
Banks, telcos staff face jail for client data leaks


Employees of Kenyan companies and government agencies who leak private customer data to third parties face stiff fines and jail terms under tough new laws that seek to shape how institutions collect, use and store personal information.

Sharing or offering for sale personal information could land those responsible for their safe storage five-year jail terms or fines of up to Sh5 million.

The Data Protection Bill 2018, fronted by ICT secretary Joe Mucheru, also proposes sweeping new rights for people to know how their data is used, and to decide whether it is shared or deleted by businesses.

“A data controller or data processor shall collect, store or use personal data for a purpose which is lawful, specific and explicitly defined,” says the proposed law.

Commercial banks, technology companies like Safaricom, Airtel and Telkom Kenya, media groups, retailers, hospitals and hotels are among those targeted due to the vast amounts of customer information they hold.

Some financial institutions are required to collect detailed customer information for anti-money laundering, tax and accounting reasons.

Expressed concern

Privacy experts around the world have in the recent past expressed concerns about how personal data is collected and used by companies.

“It is the employees of these organisations who breach the data privacy guidelines who will face the responsibility,” said Mr Mucheru yesterday evening.

Questions have been raised about what happens, for instance, when a company that has access to consumers’ financial records from their shopping habits sells such data to third parties or uses it to tailor its marketing activities.

“A data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected commits an offence,” says the proposed law.

“A person who offers to sell personal data where such personal data has been obtained in breach of subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding Sh5 million or to a term of imprisonment for a period not exceeding five years or both.”

The proposed law applies to the processing of personal data, which it defines as information “entered in a record, by or for a data controller or processor, by making use of automated or non-automated means.”

Health insurers and health care providers also face the stringent fines if they breach the privacy of patients by sharing such data with third parties.


State agencies

The proposed law, however, exempts information exchanged between State agencies.

“This Act shall not apply to the exchange of information between government departments and public sector agencies where such exchange is required on a need-to-know basis,” it says.

It proposes the creation of the Office of the Data Protection Commissioner, whose mandate will be to oversee the implementation of the Act and be responsible for its enforcement.

The office is expected to establish and maintain a register of data controllers and data processors as well as exercise control over all data processing operations.

The Bill borrows heavily from the West, where data privacy concerns have seen firms sued by consumers, incurring heavy losses.

In May this year, the European Union (EU) introduced the General Data Protection Regulation (GDPR), which saw Facebook and Google face several lawsuits from consumers who accused the companies of coercing users into sharing their personal data.


Facebook complaint

A complaint against Facebook was filed with Austrian data regulators while one against tech giant Google was filed with French regulators.

Popular networking site WhatsApp was also slapped with a suit that was lodged with German regulators, while another social site, Instagram, saw a suit filed with Belgian regulators as soon as the law took effect.

The proposed Kenyan law, like those in other jurisdictions, will require companies to obtain clear consent and justification for any personal data collected from users.

In the West, similar guidelines have pushed companies across the Internet to revise their privacy policies and collection practices.

Activists say data protection policy is critical as development in jurisprudence internationally strengthens the recognition of privacy as a fundamental human right.

With the help of digital technology, companies have increasingly been able to reach their audiences more efficiently.

But this ease has also raised concerns about data privacy and how companies use and store their customers’ data.