How Mishandling Health Data Cost a Pharmacy Kshs. 700,000: Lessons from ODPC Complaint No. 0280 of 2024

Introduction
The complaint was filed by the Complainant against Malibu Pharmacy for alleged unlawful processing of her sensitive personal data. Specifically, the pharmacy had disclosed the Complainant’s medical information on the packaging of her medication without her consent, violating her right to privacy as outlined in the Data Protection Act, 2019.

Facts of the Case
The Complainant placed an order for prescription medicine with Malibu Pharmacy. The medicine was delivered to the Complainant’s residence; however, the package had her name, phone number, house location, the type of prescription, and a wrong diagnosis printed and visible on the outside. The Complainant claimed that this sensitive personal data was shared with third parties (e.g., the delivery rider) without her consent. Furthermore, the wrong diagnosis appeared not only on the package but also on the medical insurance form sent to her insurer, despite the Complainant raising concerns with the pharmacy about the accuracy of the information.

Legal Basis

  • Article 31(c) & (d) of the Constitution of Kenya: Guarantees the right to privacy, particularly the protection of personal information from unnecessary disclosure.
  • Data Protection Act, 2019: Under the Act, health data is classified as sensitive personal data, and strict protections must be in place to ensure it is processed lawfully and with the data subject’s consent.
  • Section 25 of the Data Protection Act: Outlines the principles for processing personal data, including processing with respect to privacy and in a lawful, fair, and transparent manner.
  • Section 44 of the Act: Governs the processing of sensitive personal data, particularly health data, requiring that it be processed by a healthcare provider or a person under legal professional secrecy.

Issues for Determination

1. Whether Malibu Pharmacy processed the Complainant’s health data in accordance with the law.
2. Whether the Complainant was entitled to remedies under the Data Protection Act and the regulations.

Complainant’s Arguments
The pharmacy wrongly diagnosed her condition without consulting her primary doctor and attached the erroneous diagnosis on the medication package in a manner that was visible to third parties, violating her right to privacy. The same wrong diagnosis was also included on her insurance claim form, which was sent to her insurance provider despite assurances from the pharmacy that the issue would be corrected. The Complainant feared that the visible label on the package exposed her sensitive health data to third parties, including the delivery rider, without her consent.

Respondent’s (Malibu Pharmacy’s) Arguments
The Respondent claimed that the Complainant had been a long-standing client of the pharmacy, and her personal information was used solely for processing her prescription and delivering the medication. The Respondent insisted that no third parties had accessed the Complainant’s data and that all personal data was processed internally by employees of the pharmacy for lawful purposes, such as insurance reimbursement.
The pharmacy also argued that the disclosure of the Complainant’s name, phone number, and address was necessary for delivery purposes and did not violate any data protection principles.

Findings
The ODPC found that Malibu Pharmacy violated the Complainant’s right to privacy by exposing her sensitive health data (the wrong diagnosis) on the outside of the medication package. This violated Section 25(a) of the Data Protection Act, which requires personal data to be processed in a way that respects the right to privacy. Additionally, the principle of data minimization under Section 25(d) was breached. The pharmacy should have only disclosed information necessary for delivering the medication (e.g., name and address), and the health diagnosis was unnecessary for this purpose. There was no evidence to support the Complainant’s claim that the rider or other third parties accessed her personal data beyond the pharmacy’s employees.

Conclusion and Remedies
The ODPC ruled in favor of the Complainant and found that Malibu Pharmacy had unlawfully processed her health data, particularly by exposing her medical diagnosis inappropriately. The pharmacy was ordered to pay the Complainant Kshs. 700,000 in compensation for the unlawful processing of her sensitive personal data, pursuant to Section 65(1) of the Data Protection Act. Additionally, the ODPC issued an Enforcement Notice against Malibu Pharmacy, directing it to implement data protection measures to avoid similar breaches in the future. Both parties were informed of their right to appeal the decision to the High Court within 30 days.

Key Legal Principles
1. Right to Privacy: The case highlights the importance of safeguarding personal data, especially sensitive health information, under the Data Protection Act.
2. Data Minimization: Data controllers must ensure that only necessary information is processed and disclosed, with unnecessary data not exposed during routine activities like delivery.
3. Lawful Processing of Health Data: Health data, being sensitive, should only be processed by individuals with appropriate legal responsibilities, such as healthcare providers or those under professional confidentiality obligations.

Implications
This case serves as a reminder to healthcare providers and related entities that processing sensitive personal data must be done with utmost care and in strict adherence to data protection laws. Data subjects have a right to privacy, and breaches may result in significant penalties, including compensation and enforcement actions.
Our firm, Mbuchi & Associates Advocates, assists organizations and businesses in complying with the Data Protection Act, 2019. We provide comprehensive legal guidance, tailored compliance strategies, and practical steps to ensure your data processing activities align with the law. For consultations on data protection compliance and related matters, feel free to reach out to us.

Let us help you safeguard your organization’s data and avoid the legal pitfalls associated with non-compliance. Reach us at mbuchiadvocates@gmail.com or call 0713188474 to schedule your consultation.