Sharing a customer’s financial information without consent may appear routine in loan recovery, but a determination by the Office of the Data Protection Commissioner (ODPC) shows it can expose lenders to financial penalties under Kenya’s data protection laws.
Under the Data Protection Act 2019, personal and financial data may only be processed on specific lawful bases, including consent, contractual necessity, or compliance with a legal obligation. Any disclosure outside these grounds amounts to unlawful processing.
The law treats the disclosure of personal data by transmission, dissemination, or “otherwise making available” as processing. This means sending private financial documents to third parties, even in the course of debt recovery, must strictly comply with the Act.
These principles were underscored in ODPC Complaint No. 1966 of 2024, where a borrower lodged a complaint against a lender for unlawfully disclosing his confidential financial information.
The complainant told the ODPC that he had taken a credit facility from the lender and had engaged in a telephone conversation on November 28, 2024, regarding repayment arrangements.
Despite this engagement, the lender allegedly retrieved his private financial records and forwarded them via email to ABC Bank’s customer service address, an email account accessed by multiple individuals not authorised to handle private staff data.
According to the complaint, the same information was also shared with the complainant’s colleagues and guarantor without his consent.
The data disclosed included payslips for February, March, and April 2024, six months of bank statements, a promotion letter, a copy of the complainant’s national identity card, and the guarantors’ personal details, including identification numbers, telephone contacts, occupations, and gross pay.
The lender, a renowned microfinance institution, was formally notified of the complaint and required to respond, provide contractual documents, and explain the lawful basis for sharing the data, as required under the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.
However, the lender failed to respond to the notification. As a result, the ODPC proceeded to determine the matter on the basis that the allegations remained uncontroverted.
The Data Commissioner found that the respondent had failed to establish any lawful basis under Section 30 of the Act for processing and disclosing the complainant’s personal and financial data.
Consequently, the ODPC held the lender liable and ordered it to pay the complainant Ksh 200,000 in compensation, noting that damage under the Act includes both financial loss and non-financial harm such as distress. The parties were advised of their right to appeal the determination to the High Court within 30 days.