Data Protection Commissioner Immaculate Kassait ruled that both respondents had breached the ex-employee’s right to privacy, as enshrined in the Constitution, and failed to adhere to data regulations under the Data Protection Act, which guarantees individuals the right to be informed about the use of their data.
The Office of the Data Protection Commissioner (ODPC) has ruled in favour of a former employee in a data privacy case, ordering Becton Dickinson & Company (BD East Africa) and Safaricom PLC to pay her Ksh 500,000 for unlawfully processing her data without consent. Additionally, Becton Dickinson & Company has been instructed to register as a data controller. The company is also facing further charges at the High Court of Kenya, including allegations of human rights violations, bribery, and unfair labour practices.
In November 2024, the former employee complained, alleging that BD East Africa had shared a copy of her national ID with Safaricom without her consent. The unauthorised disclosure was reportedly made to facilitate the transfer of her work-issued SIM card back to her identity after her employment had been terminated.
According to the Office of the Data Protection Commissioner (ODPC), BD East Africa violated data protection laws by failing to obtain the ex-employee’s explicit consent before transferring her mobile number and processing her data.
Safaricom, on the other hand, was found to have acted improperly by processing personal data without verifying the complainant’s authorisation.
Data Commissioner Immaculate Kassait ruled that both respondents had breached the ex-employee’s right to privacy, as enshrined in the Constitution, and had failed to adhere to data regulations under the Data Protection Act, which guarantees individuals the right to be informed about the use of their data.
- “The complainant’s ID copies should not have been shared without her direct consent. The law mandates that any personal data processing be lawful, fair, and transparent,” the ruling stated.
Additionally, the ODPC found that BD East Africa had transferred the ex-employees personal data across borders by copying South African-based employees in email correspondences without providing adequate data protection safeguards. However, since South Africa has established data protection laws, the ODPC ruled that the cross-border transfer did not constitute a violation.
The ruling also highlighted Safaricom’s failure to ensure proper procedures were followed when transferring the ex-employee’s SIM card. The Kenya Information and Communications (Registration of SIM Cards) Regulations require telecommunication companies to verify a subscriber’s identity in person before effecting such changes.
Although the ODPC does not have jurisdiction to issue constitutional declarations or permanent injunctions, the office awarded the ex-employee a total of Sh500,000 in damages, citing emotional distress and a violation of her privacy rights.
BD East Africa, having been found non-compliant with Kenyan laws that require data controllers to be registered, was ordered by the ODPC to register as a data controller. Both BD East Africa and Safaricom have 30 days to appeal the decision in the High Court of Kenya.
This ruling comes as Becton Dickinson & Company faces additional charges of human rights violations, bribery, and unfair labour practices at the High Court of Kenya.
