Saturday, September 21, 2024

Data breaches pose threat to Kenyans

When a woman identified only as Mama Shirleen received a call from a stranger informing her that her daughter urgently needed sh70,000 for hospital admission following a sudden seizure, she had no time to verify the authenticity of the information.

For one, she knew her daughter had had a history of convulsions since birth, and so the information could only be genuine.

She therefore sent sh90,000 to the ‘good Samaritan’ to cater for taxi charges and the fee for her daughter’s admission.

She afterward rushed to the school where her daughter was enrolled to follow up on the matter, but to her shock and dismay, she found her child well and up in class.

Only then did it dawn on her that she had been duped by someone who had her details and those of her daughter’s health condition.

Her caller had exploited this information to the maximum, swindling her out of money she would not have lost had she been sensitised on the importance of data protection.

Patrick Kagwe, an officer from the Office of the Data Protection Commission (ODPC), says Mama Shirleen is just one among hundreds of victims falling prey to fraudsters who take advantage of loopholes in data storage to con innocent Kenyans.

Kagwe says fraudsters are taking advantage of existing gaps in how individual information is recorded in public or private places, which at times are exposed to misuse.

In the case of Mama Shirleen, the fraudster most likely got her details from a health facility where she had taken her daughter for routine clinic visits.

“Criminals are using the very details we leave behind any time we put our details on paper in places where such information can be scrutinised by all and sundry. This can be at the guard’s desk in a public office or a private facility where one is required to write down his name, contacts, and national identity number. Once such information is left there, anybody can always quickly skim through or even take a quick photo using his phone and later use the data to advance his criminal activities,” he told KNA.

In the case of Mama Shirleen, Kagwe says her vulnerability arose from the fact that she was dealing with an emergency for her child, whose medical history she was well conversant with.

There was therefore no time for her to verify the authenticity of the information, which she could have done by simply calling the school administration where her daughter was learning.

Alternatively, she could have rushed to the hospital where her daughter had reportedly been taken, to follow up on the matter, a process that could have saved her from the subsequent loss.

Kagwe says the commission is currently undertaking grassroots sensitization programmes to educate the public on the risks of exposing personal details to every Tom, Dick, and Harry and the dos and don’ts for those handling personal data.

He says the commission is planning training workshops for officials working in the security sector, the ICT department, and the media to help in cascading this information to the general public.

“Any breach of an individual’s data should be reported to us within 72 hours, failure to which the person in possession of this data becomes liable to a fine of up to Sh 3 million. Such a breach may arise from a simple photo taken without the consent of the person and later shared on social media platforms such as Facebook or Instagram. The Data Protection Act of 2019 compels persons intending to use personal information and photographs of individuals to first get written consent from them to avoid a scenario where they will have nowhere to run to in case of a complaint,” he explains.

In addition, those with grievances arising from the violation of their rights as far as private information is concerned should immediately lodge such complaints to the commission through its online portal.

The officer nevertheless says that where public interest rules are paramount, the right to privacy may sometimes take second place.

“Those working in the media industry, research firms, and security agencies are, in most cases, given the leeway to share personal information such as photos and other details if such information is for the public good. Notwithstanding, even in such instances, players must be guided by a code of conduct as stipulated by their organizations. In addition, they should not use such information to advance ulterior motives against a person or a group of people,” he adds.

And while acknowledging the herculean task involved in safeguarding a person’s private information, Kagwe says the ODPC has made significant strides in ensuring compliance with the protection of the rights of Kenyans as outlined in Article 31(c) and (d) of the Constitution.

The measures put in place include reining in errant digital lenders who used to prey on government employees (after obtaining their contacts through unauthorised means) as easy targets for quick loans with unrealistic interest rates.

“One of the problems we have managed to sort out is outlawing digital lenders from calling individuals to market their products after obtaining their details without their consent. This had been the way of life in the past, but not any longer. Any digital lender who obtains an individual’s contact information without his consent is liable for a fine of between Sh 2 million and Sh 3 million for a breach of trust,” he explains.

On September 26, 2023, ODPC fined three firms a total of sh9.4 million for infringing on personal data.

Mulla Pride Ltd., a digital credit provider that operates the KeCredit and Faircash mobile lending apps, was penalised sh2.98 million for sharing complainants’ contact information and names with third parties, where threatening messages and phone calls were used.

Casa Vera Lounge, located along Ngong Road in Nairobi, was slapped with a sh1.9 million fine for posting a client’s image on its social media platform without consent.

Finally, Roma School, a learning institution in Uthiru, in Kiambu County, was ordered to pay the regulator Sh 4.6 million for posting minors’ pictures without the parents’ consent.

By Samuel Maina
