DATA PROTECTION LITIGATION TRENDS IN AFRICA

Data protection litigation is on the rise across Africa as countries implement stricter privacy laws and individuals become increasingly aware of their rights. Countries like Kenya are already seeing litigation in data protection with organizations facing hefty fines for failure to comply with data protection standards. This week, we zone in on the recently decided case of Allan Chacha v. The County Assembly of Migori.

Factual Matrix

The case concerned a complaint by Mr. Chacha (the Complainant) that the County assembly (the Respondent) processed and continued to process his personal data contrary to data protection laws. The complainant had applied for the position of Speaker of the Migori County Assembly and had submitted his curriculum vitae pursuant thereto. Without the Complainant’s consent, the Respondent had published Mr. Chacha’s CV on its website, making it publicly accessible. The Complainant’s grievance was that the Assembly had exposed his personal data, such as his name, address and contact details, as well as his sensitive personal data, such as his marital status and religious beliefs without his consent and had thus violated his right to privacy. He further stated that the confidential information of the individuals he had listed as his referees, such as their names and contact information, had also been compromised.

In its defence, the Assembly argued that by applying for the position, the Complainant has subjected himself to the provisions envisaged for the election of the Speaker, particularly Standing Order 5 which required that a list of all qualified candidates as well as copies of their CVs be published and made available to the members of the Assembly. Thus, the Respondent argued, that it had a legitimate legal basis for publicizing the Complainant’s data as it was required to do so by a written law, being the County Government Act. According to the Assembly, publishing candidate information on the website was necessary to adhere to these procedural rules.

Decision of the Office of the Data Protection Commissioner

The case came before the Kenyan Office of the Data Protection Commissioner (ODPO), which held that the Standing Orders only required that the list and CVs be shared with members of the Assembly, not with the public. Thus, publishing Mr. Chacha’s CV in such a manner, without a lawful basis and without adequate safeguards, was an infringement of his privacy rights.

The ODPO found the Respondent liable and ordered it to delete all CVs published on its website within 7 days and to compensate the Complainant in the sum of KES 900 000 (the equivalent of BWP 93 000 or USD 7 000).

Key Takeaways

This ruling is significant for Kenya and other African countries implementing data protection laws, as it reinforces the importance of respecting individuals’ privacy rights and adhering to lawful data processing practices.

A key lesson for HR Professionals is to be careful in their handling of the personal data of their employees and prospective employees alike.

For Professionals in general, this case is a wake up call to be careful when listing third parties as referees in your CV. Instead of listing full names and contact details, opt for “references available upon request” in order to safeguard the personal data of third parties.

?

Article by Princess Musa Dube

If you have interest in an in-depth discussion on this subject matter or any Data Protection issues, feel free to contact us at [email protected] Tel: 3116371

Disclaimer: This article is for information purposes only and should not be taken as legal advice.