ODPC, time to press play?
Is your company compliant with the Data Protection Act, 2019? Or does it have systems to ensure that it is compliant with data protection laws? The Act which was enacted in 2019 regulates the processing of personal data and has provisions on how to protect the privacy of individuals. The Act also establishes the legal and institutional mechanism to protect personal data and to provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with the Act.
Since the appointment of the Data Protection Commissioner in November 2020 and the establishment of her Office early 2021, many complaints have been lodged. Most recent were complaints of unauthorised listing in political party registers. On the 5th of August, a Nairobi based lawyer wrote to the Office of the Data Protection Commissioner with complaints of an alleged data breach at Radisson Blue Hotel & Residence, Nairobi Arboretum.
The letter makes reference to various reports in the media on Deputy President of Kenya William Ruto being barred from traveling to Uganda. It also talks about a Turkish national by the name Harun Aydin who various media reports on August 3, 2021, indicated that was in the DP’s entourage and a person of interest within the Kenyan intelligence and/or security agencies.
The letter states that on or about August 3, 2021, blogger Robert Alai, published on his social media handles, what appears to be a list of around thirty four (34) hotel guests from Radisson to prove that in fact the said Harun Aydin had been a guest at the Radisson.
These allegations point to alleged disregard of the privacy of hotel guests in Radisson Blue. The letter also calls on the Ministry of Tourism and Wildlife to be involved as it is a serious national threat to the already ailing Tourism Industry.
The letter refers to Radisson Blu’s data controller duty of notification and communication of breach under Section 43 of the Data Protection Act, 2019 which provides that “where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, a data controller shall— (a) notify the Data Commissioner without delay, within seventy-two hours (72 hrs.) of becoming aware of such breach. Radisson Blu is yet to make any public statement in respect of this matter as of the date of the letter.
In a persuasive appeal to the Data Commissioner, Mr Karoki asks the Data Commissioner to consider the recent $886.6 million fine by the Luxembourg National Commission for Data Protection (CNPD) charged to Amazon for allegedly violating the General Data Protection Regulation(GDPR) rules. He urges the Office of the Data Commissioner to conduct a thorough and speedy investigation into the potential breach of hotel guest’s information by Radisson, notify the public of the outcomes, and hold accountable those found culpable.
The Office of the Data Protection Commissioner (ODPC) is required to oversee the implementation of the Act and that includes receiving and investigating complaints by people on infringements of the rights under the Act. The Office is also required to create awareness on privacy rights. Businesses need to put in place privacy compliance systems to ensure they are not fingered by the Data Commissioner. As for Radisson Blue allegations, PROW & Company Advocates has said that the ball is in the ODPC’s court and they should press play.