A DETAILED REVIEW OF ODPC COMPLAINT NO. 1212 OF 2023 IN PAULINE MUHANDA VS SAFARICOM PLC
JMK PARTNERS ADVOCATES LLP
Legal Experts with over 15 yrs collective experience.
Privacy is a fundamental human right that is essential for protecting human dignity. At its core, the right to privacy ensures that each individual has a personal space that remains untouched and secure. Privacy rights are fundamental to protect our personal information from misuse and exploitation. As we navigate the ever-evolving digital landscape, it is imperative for organizations and their employees to recognize the significance of privacy rights in preserving individual autonomy and safeguarding personal information. Organizations that collect and process personal data are required to implement security measures to prevent unauthorized access, disclosure, or loss of data. Furthermore, they must not only adhere to strict data protection principles, including transparency, purpose limitation, and data minimization but also ensure that their employees adhere to the measures.
In a Judgment delivered by the Office of the Data Protection Commissioner in ODPC COMPLAINT No. 1212 of 2023 IN PAULINE MUHANDA V SAFARICOM PLC, an employee was found personally culpable for disclosing the complainant’s MPESA statements without authorization or a court order. In our Legal Insight, we provide a comprehensive review of the decision and its implications.
Brief facts
In summary, the Complainant discovered through an Application lodged in Court that she and her law firm had been under private investigation. These investigations led to MPESA statements of transactions conducted between 11th and 31st December, 2022, relating to herself and her law firm, being produced in court. The statements had been obtained from a Safaricom PLC employee who, in her ordinary course of work, handled MPESA statements. The statements were shared without the Complainant’s consent or the existence of any court order.
The Respondent, for its part, admitted that a personal data breach of its systems had occurred due to the actions of the employee. The Respondent stated that the employee, who was a Customer Care Agent, was acting within her ordinary course of work when interacting with MPESA statements. However, she went beyond the scope of her employment and violated the existing safeguards and policies by providing third parties with the MPESA statements of the Complainant and her firm without her consent or the production of a court order.
The main issue for determination was whether the Respondent would be held vicariously liable for its employee’s conduct. In its determination, the ODPC relied on the close connection test to decide whether the Respondent was vicariously liable for its employee’s wrongdoing. This test determines whether there is a sufficiently close connection between the work the employee was authorised to do and the wrongdoing, such that the wrongdoing could be regarded as done by the employee in the ordinary course of employment.
The ODPC noted that handling or having the opportunity to access personal data was part of her role, but unauthorized disclosure was not. The ODPC held that since Safaricom had put in place measures and policies to safeguard personal data that the employee failed to adhere to, her actions did not satisfy the close connection test since she acted outside her duties. Consequently, the ODPC held that the employee was personally responsible for the breach as per Section 72(3) of the DPA, and it recommended her prosecution under the said section and the attendant regulations.
Implication/Highlights
The ruling serves as a reminder that whereas organizations are required to set safeguards, create policies and measures, it is the responsibility of employees to adhere to these measures. As we navigate the ever-evolving digital landscape, it is crucial for both organizations and their employees to safeguard themselves by establishing and adhering to the necessary data protection policies.
Conclusion
At JMK we have an extremely skilled team in audit and compliance. We ensure that our clients are properly registered as data processors and/or data collectors and that they have measures and policies in place to safeguard against any breaches. We eliminate any reservations a business may have regarding its data protection obligations through advisories and training sessions in real time.
Authored By: Newton Kariuki (Senior Associate Advocate)
For more information contact: [email protected]