This legal alert summarizes the Office of the Data Protection Commissioner’s (ODPC) decision in ODPC Complaint No. 677 of 2022.
The complaint was brought under section 56(1) of the Data Protection Act, 2019 (the Act) which covers complaints to the Data Commissioner. It provides that a data subject who is aggrieved by a decision of any person under the Act may lodge a complaint with the Data Commissioner in accordance with the Act.
The respondents are former employees of a law firm (the Firm) and the complainants are its partners. The complaint was submitted on two different levels: first, on behalf of the Firm in relation to the disclosure of the Firm’s intellectual property to unauthorized parties, and second, on behalf of the Firm’s clients, who might be either natural people (meaning living human beings) or corporations.
Nature of the Complaint
The complaint involved the disclosure of personal and sensitive data to a third-party without consent of the data controller. The following claims were made:
- That the first employee allegedly sent confidential information from the Firm to her personal email as well as to the second employee while the first employee was still working for the Firm;
- That the first employee shared and disclosed personal sensitive data to a third-party (being the second employee) without consent of the data subjects and the complainants;
- That the documents shared by the first employee to the second employee are the Firm’s trade secrets and intellectual property which cannot be disclosed to an external party without authorization;
- That section 72 of the Act, which forbids data controllers and processors from disclosing personal data in any manner that is incompatible with the purpose for which the data was collected, was violated by the actions of both employees.
It was alleged that the documents shared included court documents such as pleadings and supporting documents, applications, affidavits, submissions and legal opinions. Other documents allegedly shared include bank statements, written correspondence, invoices and subscription emails.
Issues for Determination
The ODPC considered inter alia whether there was a breach of the Act and whether the complainants are entitled to any remedy under the Act.
- For the purposes of the Act, a legal person (corporate entity) is not a data subject. Section 2 of the Act defines a “data subject” as an identified or identifiable natural person who is the subject of personal data;
- There is no violation of the Act if the information in question falls under the definition of public records as stated in section 79 of the Evidence Act (Cap. 80, Laws of Kenya) and section 2 as well as the Schedule to the Public Archives and Documentation Service Act (Cap. 19, Laws of Kenya). The materials in dispute in this instance were court records that were already publicized on the Kenya Law Reports website;
- In order for the ODPC to examine the consents and determine whether the document in question contains any personal data and whether that data was disclosed, the relevant documents must be presented;
- If the affected data subject is not one of the complainants, the ODPC cannot make a determination;
- If you are acting on behalf of a data subject, you must show that you are authorized to do so.
The complaint was dismissed.
Access the decision in ODPC Complaint No. 677 of 2022: