Kenya’s data protection regulator has raised fresh concerns over the robustness of customer data controls in regional banking operations after fining Diamond Trust Bank (DTB) Kenya and its Uganda subsidiary a combined Sh500,000 for a cross-border data handling failure.
The Office of the Data Protection Commissioner (ODPC) found that the two DTB units breached the Data Protection Act, 2019, after a customer, Aaditi Rajput, received another person’s financial statements for nearly three years while her own account alerts were disabled. The prolonged error exposed weaknesses in internal verification and cross-border data linking between the two entities.
Investigations showed that DTB Kenya wrongly implemented a “Do Not Contact” instruction without properly confirming account details. At the same time, DTB Uganda improperly linked the customer’s account to a third party without consent, contravening key principles of accuracy, privacy and protection by design.
The ODPC ordered each bank to pay Sh250,000 in compensation and issued an enforcement notice to DTB Uganda to correct its data handling practices. Data Protection Commissioner Immaculate Kassait said the ruling highlights the growing need for stronger accountability and safeguards as digital banking and cross-border data flows increase.
The two banks have 30 days to challenge the decision at the High Court, even as the case sharpens regulatory focus on how regional lenders manage and secure customer information.

