Introduction
In the era of stringent data protection, especially in sectors handling sensitive financial data, institutions are increasingly under the microscope. The Office of the Data Protection Commissioner (ODPC) recently addressed a significant case involving Rose Wambui Muigai (the Complainant) and NCBA Bank PLC (the Respondent), focusing on unauthorized disclosure and handling of personal data. This case sets an essential precedent for data protection in Kenya’s banking sector, highlighting both regulatory obligations and the serious implications of failing to adhere to data privacy laws.
The complaint, lodged by Rose Wambui Muigai, concerned the alleged unauthorized disclosure of her personal information by former employees of NCBA Bank. Between May 2023 and May 2024, the Complainant reported receiving unsolicited calls and emails from individuals no longer employed by the Bank, who offered to assist with her motor vehicle insurance renewal. These individuals allegedly had access to her personal data, including her full name, mobile number, vehicle details, and insurance status, information she had supplied to the Bank. In June 2023, the Complainant formally raised her concerns and demanded remedial action from NCBA Bank, which responded by denying the allegations and advising her to take the matter up with the implicated individuals directly.
Legal Framework
The case was assessed under the Data Protection Act, 2019, and the Constitution of Kenya. The Act requires data controllers, such as banks, to process personal data responsibly, with particular emphasis on the integrity, confidentiality, and security of that data. The key provisions relied on were:
- Section 25(a): Ensures personal data processing respects the data subject’s privacy rights.
- Section 41: Requires organizations to implement appropriate technical and organizational safeguards.
- Section 43: Requires a data controller to notify the ODPC of a personal data breach within 72 hours of becoming aware of it, and to inform the affected data subject where the breach presents a real risk of harm.
The complaint procedure followed the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, with NCBA Bank obligated to address the ODPC’s queries and propose mitigation measures.
Investigation and Findings
The ODPC’s investigation confirmed the complaint’s validity, establishing the following:
- Verification of Employment: NCBA Bank confirmed that the implicated individuals were former employees whose contracts had ended in 2021. The evidence showed, however, that they continued to access and use the Complainant's data for their own purposes well after leaving the Bank.
- System Security Gaps: The Bank's failure to revoke the former employees' access to client information on departure, and its lack of controls to detect their continued access, was a serious lapse in data protection compliance. The ODPC found that the Bank had not implemented the technical and organizational measures required by Section 41 to secure personal data against unauthorized access.
- Unreported Data Breach: The ODPC determined that NCBA did not report the breach, contrary to Section 43 of the Act, which required notification to the ODPC within 72 hours of becoming aware of it so that the affected data subject could be protected.
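The control the ODPC found missing is, in practice, an offboarding reconciliation: every account should be disabled when the employment record ends, and any access by a departed account should be caught by monitoring. The following is an added illustration written for this article, not NCBA's code or anything from the ODPC record. It reconciles a constructed HR leaver roster against a constructed identity export and constructed customer-system audit log lines (the log format, user IDs and dates are all assumptions) and produces two lists: accounts that were never disabled, and record lookups performed after the user's contract end date.

```python
"""Offboarding reconciliation: HR roster vs. enabled accounts vs. access log.

Added example for illustration only. The roster, account export and log
lines are constructed sample data in a hypothetical format; nothing here
is drawn from the Bank's systems or the ODPC's findings.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed HR roster: user id -> contract end date (None = still employed).
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2021, 6, 30),
    "bkamau": date(2021, 12, 31),
}

# Constructed identity-provider export: accounts still enabled in the
# customer system. A leaver whose account survives here is an orphan.
ENABLED_ACCOUNTS = {"jdoe", "asmith", "bkamau"}

# Constructed audit log (hypothetical format):
# <ISO 8601 UTC timestamp> user=<id> action=<verb> customer=<masked id> fields=<csv>
ACCESS_LOG = """\
2023-05-12T09:14:03Z user=jdoe action=view customer=C-****4821 fields=name,phone
2023-05-12T10:02:47Z user=asmith action=view customer=C-****4821 fields=name,phone,vehicle,policy_status
2023-06-01T16:45:10Z user=bkamau action=export customer=C-****4821 fields=name,phone,vehicle
2023-06-02T08:30:00Z user=jdoe action=view customer=C-****1199 fields=name
this line is malformed and must not crash the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"customer=(?P<customer>\S+) fields=(?P<fields>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    timestamp: datetime
    action: str
    customer: str
    fields: tuple
    days_after_exit: int


def parse_log(text):
    """Parse log lines into tuples; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["action"], m["customer"], tuple(m["fields"].split(","))))
    return events


def post_exit_access(log_text, roster):
    """Customer-record accesses performed after the user's contract ended."""
    findings = []
    for ts, user, action, customer, fields in parse_log(log_text):
        if user not in roster:
            continue  # unknown to HR: surfaced by unknown_accounts(), not here
        exit_date = roster[user]
        if exit_date is None or ts.date() <= exit_date:
            continue  # current employee, or access while still employed
        findings.append(Finding(user, ts, action, customer, fields,
                                (ts.date() - exit_date).days))
    return findings


def orphaned_accounts(enabled, roster, as_of):
    """Enabled accounts whose contract ended on or before as_of."""
    return sorted(u for u in enabled if roster.get(u) is not None and roster[u] <= as_of)


def unknown_accounts(enabled, roster):
    """Enabled accounts with no HR record at all; these need manual review."""
    return sorted(u for u in enabled if u not in roster)


if __name__ == "__main__":
    for f in post_exit_access(ACCESS_LOG, HR_ROSTER):
        print(f"{f.user} {f.action} {f.customer} {f.timestamp:%Y-%m-%d} "
              f"({f.days_after_exit} days after exit): {','.join(f.fields)}")
    print("orphaned:", orphaned_accounts(ENABLED_ACCOUNTS, HR_ROSTER, date(2023, 6, 30)))
    print("unknown:", unknown_accounts(ENABLED_ACCOUNTS, HR_ROSTER))
```

Run on the sample data, the report flags the two leaver accounts as still enabled and two lookups of the same customer record made roughly two years after those contracts ended, which is the pattern the ODPC found. The two checks are deliberately separate: disabling accounts at offboarding prevents the access, while the log comparison detects any access that slipped through and gives the evidence needed for the 72-hour notification decision under Section 43.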
Following its investigation, the ODPC made the following determinations:
- Liability: NCBA Bank was found liable for violating the Complainant’s data privacy rights under the Act.
- Monetary Compensation: The Bank was ordered to pay KES 250,000 to the Complainant as compensation for unauthorized disclosure of her personal data.
- Enforcement Notice: An enforcement notice was issued against NCBA Bank to strengthen its internal data protection measures.
Conclusion
This case underscores the need for robust data protection measures in the banking sector and shows that lapses in data privacy carry real financial and reputational consequences. In particular, access to customer data must end when employment ends, and a breach must be reported to the ODPC within the statutory 72 hours. Financial institutions must continuously review and strengthen their data security controls to meet these legal obligations. The ODPC's ruling is a clear reminder that data protection is not optional but an integral part of maintaining client trust.
Stay updated on data protection trends and rulings by subscribing to our newsletter. For professional guidance on compliance, Mbuchi & Associates Advocates is here to assist—ensuring your business meets data protection standards in this evolving legal landscape.
