ODPC/COMP/0537/2023

1. Introduction

Parties:

  • Complainant: Lucy Kinyanjui (passenger)
  • Respondent: Easy Coach Limited (transport company)

Core Issue: Unauthorized disclosure of passenger personal data under Kenya’s Data Protection Act, 2019.

2. Background of Complaint

Incident Details:

  • Complainant boarded bus on 10th April 2023
  • Received accusatory calls from third party using her personal details (April 2023)
  • Respondent admitted details likely leaked from passenger manifest
  • Police report filed (OB number provided)

3. Key Violations Found

  1. Data Security Failure:
    • Unauthorized access to passenger manifest by third party
    • Inadequate protection of sensitive personal data (ID number, phone)
  2. Process Deficiencies:
    • Overly permissive access to passenger manifests
    • No verification of manifest access requests
  3. Privacy Infringement:
    • Disclosure led to harassment of complainant
    • Failure to prevent secondary use of collected data

4. Respondent’s Response

  • Implemented immediate corrective measures:
    • Redacted passenger manifests (names/IDs only for drivers)
    • Restricted full data access to station managers only
  • Enhanced policies:
    • Revised Data Protection and Privacy Policies
    • New Complaints Handling Procedures
  • Scheduled staff training (3rd-7th July 2023)
  • Provided evidence of existing safeguards:
    • Secure data storage systems
    • Privacy policy acceptance during booking

5. ODPC’s Determination

Legal Findings:

  • Section 25: Data protection principles violated regarding data security
  • Section 29: Duty to notify properly fulfilled (policy disclosures)
  • Section 30: Valid legal basis for initial data collection (contract performance)
  • Section 41: Initial technical/organizational measures insufficient

6. Final Ruling

  1. Respondent found partially compliant with DPA 2019
  2. Corrective measures deemed appropriate but require verification
  3. Must provide proof of staff training within 7 days
  4. Failure may result in enforcement notice

7. Significance of the Case

This ruling establishes important precedents for Kenya’s transport sector:

  • Passenger Data Security: Sets standards for handling passenger manifests in the transport industry
  • Limited Access Principle: Affirms need for strict role-based data access controls
  • Remediation Framework: Demonstrates acceptable corrective measures for data breaches
  • Policy vs Practice: Highlights importance of operationalizing data protection policies
  • Sector-Specific Guidance: Provides compliance roadmap for passenger transport operators

Determination dated 7th July 2023

Ian Olwana supports African organisations in turning data protection laws into practical, sustainable governance practices.

http://datagovernance.africa
