Commentary on Grace Gatambu v AAR Healthcare Kenya Limited
Introduction
Have you ever received a marketing message without ever having subscribed to one? The Data Protection Act of Kenya provides mechanisms to address such situations. A recent case, Grace Gatambu v AAR Healthcare Kenya Limited, highlights these issues and underscores the importance of consent, especially when handling sensitive medical data.
Background
In this case, a hospital mistakenly sent a patient’s medical form—containing sensitive treatment information—to an insurance agent without her consent. The agent then used this data to market insurance products. Although the hospital admitted to the error, it attempted to shift blame to the agent and cited its email disclaimer as a defense.
The Data Commissioner found the hospital in violation of the Data Protection Act. The hospital breached the principles of lawfulness, fairness, and purpose limitation. Moreover, it failed to inform the complainant about its data protection policies and did not notify the Data Commissioner of the breach within the mandated 72-hour period.
Key Takeaways from the Decision
- Consent is paramount: No data should be shared without the explicit consent of the data subject.
- Data protection mechanisms: All data controllers must implement effective systems to safeguard all types of data, including sensitive information.
- Breach response: In the event of a data breach, data controllers are required to mitigate the breach and notify the Data Commissioner promptly.
- Email disclaimers are insufficient: Disclaimers do not absolve responsibility. Stronger data protection measures are needed.
- Sensitive data for marketing: Medical or sensitive data cannot be used for marketing purposes without consent.
Conclusion
While the Data Commissioner did not order compensation for the breach in this case, the decision serves as a clear reminder that data controllers must:
- Implement robust mechanisms to prevent data breaches.
- Provide a clear process for data subjects to exercise their rights.
- Establish a redress mechanism in case of a breach.
- Inform data subjects of their rights before collecting any data.