A Critical Examination of Privacy Obligations in Healthcare
In a recent decision, the Office of the Data Protection Commissioner (ODPC) in Kenya addressed a complaint involving sensitive medical data in ODPC Complaint No. 1085 of 2023. The case, Grace Gatambu v. AAR Healthcare Kenya Limited, sheds light on the critical data protection obligations healthcare providers must uphold, particularly in safeguarding patient information against unauthorized access and usage.
The complainant, Grace Gatambu, filed a grievance with the ODPC after learning that her medical information had been disclosed without her consent. Gatambu had visited AAR Healthcare’s Roysambu clinic, where she completed a medical claim form containing personal and sensitive information, including her medical diagnosis, contact details, and employer information. That information was then shared, without her authorization and apparently inadvertently on the clinic’s part, with an insurance agent, who used the details on the form to try to market insurance products to Gatambu.
Key Legal Findings and Violations
The ODPC found that AAR Healthcare violated the Data Protection Act, 2019, on multiple grounds, with the following findings:
- Breach of Privacy: By disclosing Gatambu’s sensitive medical information to a third party without her consent, AAR Healthcare contravened Article 31 of the Kenyan Constitution, which protects the right to privacy. The healthcare provider’s actions failed to respect the principles of confidentiality and data protection that are integral to the medical sector.
- Failure to Apply Data Protection Principles: Under Section 25 of the Data Protection Act, personal data must be processed lawfully, fairly, and transparently. AAR’s disclosure breached the principles of purpose limitation and data minimization, because Gatambu’s data, collected for treatment and insurance purposes, was subsequently used for marketing. The Data Protection (General) Regulations, 2021 further prohibit processing sensitive personal data, such as health data, for direct marketing, a prohibition AAR disregarded.
- Inadequate Data Protection Mechanisms: The ODPC noted AAR’s lack of appropriate technical and organizational measures, such as a robust data protection policy or data protection impact assessment (DPIA), to safeguard patient information. Furthermore, AAR failed to inform Gatambu about the data breach within the mandated 72-hour window, a clear violation of its reporting obligations.
In a definitive ruling, the ODPC issued an Enforcement Notice against AAR Healthcare, mandating compliance with the Data Protection Act’s provisions to rectify the breach. The ODPC underscored the need for medical institutions to adopt data protection by design and default, stressing that a proactive approach to data security is non-negotiable in handling sensitive health data. Healthcare providers are encouraged to implement comprehensive data protection policies, perform regular staff training, and utilize disclaimers in all communication to prevent unauthorized data dissemination.
Implications for the Medical Sector
This case serves as a critical reminder to healthcare providers of their heightened responsibility in safeguarding personal data. Sensitive health data, owing to its confidential nature, demands stringent handling and control mechanisms, including clear policies, regular staff training, and adherence to purpose limitation principles. The determination underscores the ODPC’s commitment to enforcing the highest standards in data privacy, sending a strong message to the medical sector on the importance of protecting patient information.
Final Thoughts
Healthcare institutions must embrace robust data protection frameworks that align with Kenya’s Data Protection Act, 2019, and the Constitution. This commitment not only safeguards patients’ rights but also enhances trust in healthcare services. As a healthcare provider, how prepared is your organization in meeting these privacy obligations? Now is the time to audit and strengthen your data protection practices.
