BY SAM ALFAN .
The Data Commissioner has recommended prosecution of a Safaricom employee who shared an advocate’s M-Pesa statement with a private investigator.
The office of the Data Commissioner said Dorcas Mwaniki who worked for Safaricom as a customer care agent, be prosecuted under section 72(3) of Data Protection Act and the attendant regulations.
In the determination, the Data Commissioner noted that Mwaniki was still a Safaricom employee at the time she made an authorized disclosure of personal information to a third party.
“In this regard, this office excludes that such employee’s action deviated from the confines established by Safaricom Plc and therefore assumes personal responsibility as outlined under section 72(3),” said Data commissioner in the determination.
Lawyer Pauline Muhanda and her law firm filed the complaint before the Data Commissioner, after discovering that she and her law firm were under private investigation.
The investigations led to M-Pesa statements relating to herself and the law firm being accessed without their consent or knowledge.
She attached the said M-Pesa statements to her complaint indicating various transactions between 11th and 31st December 2022.
It was her claim that her information and those of her clients had been revealed without their consent.
“It is imperative to note that the investigations and this determination is confined to the Muhanda’s personal data, as the data subject, and not information relating to her firm or her clients,” states the determination.
Safaricom Plc had filed a preliminary objection claiming the Data Commissioner Office does not have jurisdiction to entertain the re-filed complaint.
According to telco, the ODPC acted in violation of Section 8 of the Act by soliciting the lawyer to lodge a complaint which had already been determined by the ODPC’s finding that it had no jurisdiction.
Safaricom responded to the lawyer complaint through a letter dated 7th August 2023 and stated that they have put in place technological and organisational measures to eliminate and minimize data breaches.
These include coming up with various policies regulating access to data and regular periodical training of its staff in respect of those policies and controls.
“The policies include an Acceptable Usage Policy, Disciplinary Policy and Procedure, Safaricom Data Protection Policy and Safaricom Information Security Policy,” said Safaricom in the letter.
Safaricom further stated that it has an elaborate sanction mechanism which Includes undertaking disciplinary processes or reporting an employee who is liable for data breach to the police for prosecution for deterrence purposes.
The company further stated that it has also put in place controls to ensure that only authorised persons have access to M-Pesa statements which are in- built within its IT systems including access controls, logging, monitoring controls, quarterly audits, the Safaricom VPN which employees are required to sign into before accessing the data, and two-factor authentication.
Safaricom claims that upon receipt of the complaint, the company stated that it established that an employee had acted against her terms and conditions of her contract of employment and their policies by releasing Muhanda’s data to a third party without a court order nor consent of the Complainant.
The company further stated that the employee was a customer care agent, who in her ordinary course of work had access to M-Pesa statements and had an obligation to provide them to data subjects upon their request or to other parties upon the production of a court order.
“Upon discovery of the violation, the Respondent stated that it initiated disciplinary proceedings which resulted in the dismissal of the employee,” Safaricom told Data commissioner.
Safaricom PLc further that it reported the said breach and violation to the police for prosecution under Sections 72 (4) and (5) and 73 of the Act.
The company averred that actions of the employee are not attributable to it as she acted outside the scope of her duties, and in furtherance of a fraudulent scheme which did not align with the measures they set up.
Safaricom told the Data Commissioner that the lawyer may pursue their former employee for the breach and if the complainant pursues such a course and Safaricom is ready to assist the Complainant with the necessary evidence to prosecute the claim.
