Case Summary: ODPC Complaint No. 1080 of 2024 Against Migori County Assembly
Introduction:
In ODPC Complaint No. 1080 of 2024, the Complainant, Allan Chacha, lodged a complaint against the Migori County Assembly for unlawfully disclosing his personal data. The personal data, contained in his curriculum vitae (CV), was published on the Migori County Assembly’s public website without his consent. This was done during his application for the position of Speaker of the County Assembly, allegedly violating his right to privacy.
The Complainant based his claim on Article 31 of the Constitution of Kenya, which guarantees the right to privacy, and the Data Protection Act, 2019 (DPA). Under the Act, the Office of the Data Protection Commissioner (ODPC) is responsible for ensuring compliance with data protection principles, receiving complaints, and investigating infringements of data rights.
The Complaint:
The Complainant submitted his CV to Migori County Assembly in his bid to be elected Speaker. However, without obtaining his consent, the Assembly published the CV on their website, exposing his personal and sensitive information, including his full name, identification number, phone number, religious beliefs, and marital status. Additionally, the CV contained personal information of third parties listed as referees, whose data was also made public without authorization.
Respondent’s Defense:
Migori County Assembly defended its actions by arguing that it was acting within the law. They referred to Section 9A(1) of the County Government Act, 2012, and Migori County Assembly’s Standing Order 5(5), which required the publication of candidates’ details for the Speaker’s election. The Assembly further argued that, as part of the electoral process, sharing the CVs with the Assembly members was mandatory and lawful.
Key Issues for Determination:
- Whether Migori County Assembly processed the Complainant’s personal data in accordance with the data protection principles.
- Whether the Assembly had a lawful basis for processing the Complainant’s personal data.
- Whether the Complainant was entitled to any remedies under the Data Protection Act.
Findings: The ODPC found that:
- Violation of Data Protection Principles: The Assembly published the Complainant’s CV, which contained personal and sensitive data, on a public website in violation of Sections 25(a) and (c) of the Data Protection Act. While the Assembly was required to publicize the names of qualified candidates, the publication of full CVs was only meant to be accessible to Assembly members, not the general public.
- Lack of Lawful Basis for Data Processing: The Assembly’s Standing Orders did not justify the public disclosure of the Complainant’s CV. The processing of the Complainant’s personal and sensitive data without his consent, or any other lawful basis as required under Section 30 of the Act, was deemed unlawful.
- Sensitive Personal Data: The CV contained the Complainant’s sensitive personal data (religious beliefs and marital status), the processing of which required strict compliance with Sections 44 and 45 of the Data Protection Act. The Assembly failed to justify the public disclosure of this data.
Remedies: The ODPC directed Migori County Assembly to:
- Delete the CVs published on its website within seven days.
- Compensate the Complainant with KES 900,000 for the unlawful disclosure of his personal and sensitive data.
- Issued an Enforcement Notice to ensure compliance with the Data Protection Act.
- Informed both parties of their right to appeal this decision to the High Court within 30 days.
Conclusion: This determination reinforces the obligations of public institutions to safeguard personal data, especially when processing sensitive data. It serves as a cautionary tale for data controllers, emphasizing the need for strict adherence to data protection laws and principles when handling personal information in Kenya.
For further insights on data protection cases and updates, visit our blog.