
How data privacy laws are changing banking services in Africa

In an era where data breaches and privacy violations are becoming increasingly commonplace, the importance of stringent data protection measures in the banking sector cannot be overstated.
Man standing in front of a machine [Image Credit: Liliana Drew]

A recent case involving the United Bank of Africa (UBA) highlights the significant consequences of neglecting data privacy, underscoring the need for robust data protection practices.

UBA was ordered to pay a customer ₦8,000,000 ($5,080) for gross violation of her right to data privacy, serving as a stark reminder of the vulnerabilities present in the banking sector.

A Lagos court found that UBA had failed to adequately protect Miss Folashade Molehin's personal data when a domiciliary account was created in her name and without her consent, leading to significant distress and financial loss.

After a complaint was filed with Paradigm Initiative's (PIN) digital rights reporting platform Ripoti, the case was prosecuted and decided in June.

This incident is not isolated; it reflects a broader issue that necessitates immediate attention and action within the banking industry.

Kenya's legal framework for data protection

Kenya's data protection landscape is governed by the Data Protection Act, 2019, with enforcement by the Office of the Data Protection Commissioner (ODPC).

This Act is designed to protect personal data and ensure that entities handling such data do so responsibly and transparently.

According to the Act, personal data is defined as "any information relating to an identified or identifiable natural person." This includes, but is not limited to:

  1. Identity details (e.g., name, identification number, passport number)
  2. Contact information (e.g., address, phone number, email)
  3. Financial data (e.g., bank account details, credit information)
  4. Sensitive personal data (e.g., health information, biometric data)

The Act outlines several principles for data processing, including the need for data to be processed lawfully, transparently, and for a specific, legitimate purpose.

It also mandates data controllers and processors to implement appropriate security measures to protect personal data from unauthorised access, alteration, disclosure, or destruction.

The ODPC observes that fintech companies, especially digital lenders, are the most reported entities for breaching data privacy in Kenya.

With legal penalties amounting to Sh3 million, violators often become repeat offenders.

Role of banks in data protection

Banks, as custodians of vast amounts of sensitive personal data, bear a significant responsibility in ensuring data privacy.

The financial sector is particularly vulnerable to data breaches due to the high value of financial data on the black market. Therefore, banks must implement stringent data protection measures, including:

  1. Data encryption: Ensuring that all personal data is encrypted both in transit and at rest to prevent unauthorised access.
  2. Access controls: Limiting access to personal data to authorised personnel only, and implementing robust authentication mechanisms.
  3. Regular audits: Conducting regular audits of data protection practices to identify and mitigate potential vulnerabilities.
  4. Employee training: Training employees on data protection best practices and the importance of safeguarding customer information.
  5. Incident response plans: Developing and maintaining comprehensive incident response plans to address potential data breaches swiftly and effectively.

In an increasingly digital world, where data is a critical asset, safeguarding personal information is not just a legal obligation but a moral imperative.

This content was created with the help of an AI model and verified by the writer. 
