
New ODPC ruling: Companies in Kenya must now obtain your explicit consent before using your image in any advertisements. Stay informed with CR Advocates LLP

NEW ODPC RULING – COMPANIES MUST OBTAIN CONSENT FROM YOU TO USE YOUR IMAGE FOR ADVERTISEMENTS

Introduction

In a landmark decision that has set a precedent for the protection of personal data in Kenya, the ODPC has ruled that the use of an individual’s image for commercial advertisements without their explicit consent is a violation of data privacy rights. The ruling, delivered on 21st September 2024 in the case of Grace Gatumbu vs AAR Healthcare Kenya Ltd, ODPC Complaint No. 1085 of 2023, reinforces the importance of consent as a fundamental pillar under Kenya’s Data Protection Act, 2019. This determination serves as a critical reminder to companies and organizations that the unauthorized use of personal data – whether in the form of images, likenesses, or other identifiers – can attract serious legal consequences and reputational damage.

Background of the ODPC Complaint No. 1085 of 2023 Case

The complaint revolves around the alleged disclosure of the complainant’s sensitive medical information, contained within a medical form, to a third party without her consent. The said information pertained to her treatment at the Respondent’s clinic and was subsequently used for marketing insurance products to her.

According to the complainant, in January 2022, she was approached by an insurance agent attempting to sell insurance policies. Upon inquiring how the agent had obtained her contact details, it was revealed that they were acquired from her medical records, which the Respondent had inadvertently shared with the agent. The agent disclosed that she had been expecting her client’s results from the Respondent, but mistakenly received the complainant’s records instead.

The complainant noted that while the Respondent issued a verbal apology, due to the gravity of the breach, she requested a written acknowledgment, a formal apology, and an assurance that such an incident would not recur for her or any other patient. When the Respondent failed to provide this response, it prompted her to escalate the matter and lodge a complaint with the ODPC.

The Complainant filled out the complaint form and provided a copy of her medical form from her insurer. The medical form contained sensitive data such as her medical diagnosis, which revealed her medical conditions. It also contained personal data such as date of birth, name, mobile number, name of employer, and her signature.

The Respondent indicated that the Complainant duly filled and executed a Medical Insurance form for Madison General Insurance Kenya Limited and was aware that the Respondent would use the form to claim payments. It further averred that it received a complaint that indicated that the medical form was posted to the wrong insurance and the recipient contacted the Complainant seeking to sell her medical insurance policy.

Issues for determination by ODPC

The ODPC was called upon to determine:

  1. What are the applied principles of Data Protection in processing the Complainant’s personal data?
  2. Whether there was any violation of the Complainant’s rights as a data subject.

Issue 1 – What are the applied principles of Data Protection in processing the Complainant’s personal data?

In determining this, the ODPC highlighted the following:

  • That health data under the Data Protection Act is defined as the state of physical or mental health of the data subject and includes records regarding the past, present, or future state of health, data collected in the course of registration for, or provision of specific health services.
  • That sensitive personal data is defined as data revealing a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, and family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.
  • That section 44 of the Act provides that no category of sensitive personal data shall be processed unless in accordance with Section 25 of the Act, which sets out the principles of data protection.

The ODPC noted that the Complainant visited the Respondent’s clinic and provided her personal data in order to be treated and to have her medical insurance claim processed. She did not in any way consent to the sharing of her personal data with a third party. It noted that the further processing of the Complainant’s personal data by sharing it with a third party was unlawful and went against the principle of lawfulness and fairness.

It was further noted that the Complainant’s personal data was used for purposes other than those for which it was originally collected. It was also noted that Regulation 15 (1) of the Data Protection (General) Regulations, 2021, prohibits the use of sensitive personal data for direct marketing.

The ODPC also noted that under section 29 of the Act, data controllers and data processors are obligated to notify data subjects of their rights specified in the Act, provide them with information about the purpose of data collection, disclose any third parties who may receive the data and the safeguards adopted, describe the technical and organizational security measures, and outline the consequences if data subjects fail to provide all or part of the requested data.

Issue 2 – Whether there was any violation of the complainant’s right as a data subject.

It was noted that the Complainant’s case is founded on Article 31(c) of the Constitution of Kenya, which provides for the right to privacy, and further on section 26 of the Act, which provides for the rights of a data subject.

It was noted that not informing the Complainant of the use to which her personal data was to be put, at the point of collection of the personal data, violated her right to be informed. This is because the Respondent collected the personal data of the Complainant, including sensitive personal data contained in a medical form, and did not inform her that her data was going to be shared with an insurance agent.

The ODPC moreover noted that the processing of sensitive personal data for direct marketing purposes is prohibited by the Data Protection (General) Regulations, 2021, and that the Respondent had a duty to inform the insurance agent to stop using the Complainant’s data to market her products.

Members of the public are encouraged to stay vigilant and actively ensure that their personal data is handled with care. If you are required to provide sensitive information, ask how your data will be used and who will have access to it. Consent should always be sought and provided in a clear and documented manner. If you suspect a breach of your data rights, you have the right to seek redress through the ODPC. Protect your privacy—your data, your rights.

Take control of your Data – Your Privacy, your Right.

Always know where your data goes and ensure that consent is given. Companies must uphold this responsibility, and individuals should never hesitate to demand transparency. Stay informed, stay protected!

“Please note that the information provided in this newsletter is for general informational purposes only and does not constitute legal advice or a legal opinion. For a formal legal opinion tailored to your specific situation, please contact us through the details provided on our website.”