The Office of the Data Protection Commissioner (ODPC) has ordered NCBA Group to pay its employee, Rose Wambui Muigai, Ksh. 250,000 in compensation for the illegal disclosure of her personal data.
Wambui lodged a complaint with the ODPC against NCBA Group, alleging that the bank released her personal data to third parties who were former employees, without a lawful basis. The ODPC launched an investigation, which found that the violation occurred between May 2023 and June 2024, after the third parties had ceased working for the bank.
“The Complainant alleges that the Respondent disclosed her personal data to third parties, who were the Respondent’s former employees, without a lawful basis,” read part of the ODPC statement.
However, the bank has failed to address the critical question of how the former employees accessed the complainant’s personal data without valid credentials or access logs.
The Office determined that the bank failed to fulfill its obligations under Sections 25(a), 41, and 43 of the Data Protection Act, 2019, which require data controllers to process personal data in accordance with the right to privacy, implement appropriate technical and organizational measures, and report personal data breaches to the Commissioner.
Consequently, the Office ordered the bank to compensate the complainant KES 250,000 for the unlawful and unauthorized disclosure of her personal data and issued an enforcement notice against the bank.
The determination highlights the importance of robust data protection measures and the consequences of failing to safeguard personal data, even from former employees.