Log In
Join for free

Jeff Nduko Vs One Acre Fund

ODPC/COMP/0574/2023

1. Introduction

Parties:

  • Complainant: Jeff Nduko
  • Respondent: One Acre Fund

Core Issue: Unlawful processing of personal data due to erroneous phone number entry under Kenya’s Data Protection Act, 2019.

Table of Contents

2. Background of Complaint

Complaint Details:

  • Received unwarranted loan repayment messages (April 2023)
  • Persistent communications for debt not owed
  • No prior business relationship with respondent
  • Confirmed erroneous data entry by respondent

3. Key Violations Found

  1. Data Accuracy Failure:
    • Incorrect storage of complainant’s phone number (07XXX66877 instead of client’s 07XXX66977)
    • Failure to verify number authenticity during enrollment
  2. Privacy Infringement:
    • Unauthorized processing of non-client data
    • Continued messaging after error identification
  3. Process Deficiencies:
    • Inadequate data validation mechanisms
    • Lack of immediate rectification protocol

4. Respondent’s Response

  • Acknowledged data entry error
  • Immediately ceased all communications upon notification
  • Implemented corrective measures:
    • Additional staff training on data protection
    • Phone number verification step in enrollment
    • Enhanced KYC policy implementation
  • Provided evidence of data controller registration
  • Submitted company data protection policy

5. ODPC’s Determination

Legal Basis: Violations of Data Protection Act 2019:

  • Section 25(vi): Accuracy principle violation
  • Section 25(ii): Unlawful processing of non-client data
  • Section 44: Sensitive data processing safeguards

6. Case Resolution

  • Complainant confirmed cessation of unwanted messages
  • Respondent corrected database records
  • Case marked as closed by ODPC
  • No enforcement notice issued due to prompt remediation

7. Significance of the Case

This determination establishes important precedents:

  • Data Accuracy: Reinforces strict accountability for data entry errors in financial systems
  • Remediation Standards: Sets expectations for timely correction of data processing errors
  • Non-Client Protection: Extends data protection to individuals erroneously included in databases
  • Agricultural Sector: Highlights data protection obligations for agricultural finance providers
  • Operational Compliance: Emphasizes need for functional verification systems beyond policy documents

For full determination, click 🗃️

Tags:
I O

I O

Ian Olwana supports African organisations in turning data protection laws into practical, sustainable governance practices.

http://datagovernance.africa

Leave a Reply

Your email address will not be published. Required fields are marked *