I DID NOT CONSENT! THE PLACE OF MEDICAL DATA IN THE DATA LAWS

Commentary on Grace Gatambu v AAR Healthcare Kenya Limited

Introduction

Have you ever received a marketing message without subscribing to one? The Data Protection Act of Kenya provides mechanisms to address such situations. A recent case, Grace Gatambu v AAR Healthcare Kenya Limited, highlights these issues and underscores the importance of consent, especially when handling sensitive medical data.

Background

In this case, a hospital mistakenly sent a patient’s medical form—containing sensitive treatment information—to an insurance agent without her consent. The agent then used this data to market insurance products. Although the hospital admitted to the error, it attempted to shift blame to the agent and cited its email disclaimer as a defense.

The Data Commissioner found the hospital in violation of the Data Protection Act. The hospital breached the principles of lawfulness, fairness, and purpose limitation. Moreover, it failed to inform the complainant about its data protection policies and did not notify the Data Commissioner of the breach within the mandated 72-hour period.

Key Takeaways from the Decision

Consent is paramount: No data should be shared without the explicit consent of the data subject.

Data protection mechanisms: All data controllers must implement effective systems to safeguard all types of data, including sensitive information.

Breach response: In the event of a data breach, data controllers are required to mitigate the breach and notify the Data Commissioner promptly.

Email disclaimers are insufficient: Disclaimers do not absolve responsibility. Stronger data protection measures are needed.

Sensitive data for marketing: Medical or sensitive data cannot be used for marketing purposes without consent.

Conclusion

While the Data Commissioner did not order compensation for the breach in this case, it serves as a clear reminder that data controllers must:

Implement robust mechanisms to prevent data breaches.

Provide a clear process for data subjects to exercise their rights.

Establish a redress mechanism in case of a breach.

Inform data subjects of their rights before collecting any data.

Arbitration And Mediation.

Banking And Financing.

Block Chain, Fintech & Regulations.

Capital Markets.

Commercial Due Diligence.

Real Estate.

Competition Law.

Contract Management.

Crisis Management.

Data Law.

Debt Recovery.

Tax Law.

Digital Currency And Cryptocurrency.

Employment And Labour Relations.

ESG Law.

Fintech Advisory.

Insolvency And Restructuring.

Legal Audit And Compliance.

Legal Training.

Loan And Debt Restructuring.

Medical Negligence.

Public Procurement.

I DID NOT CONSENT! THE PLACE OF MEDICAL DATA IN THE DATA LAWS.

Leave A Comment Cancel reply

related news & insights.

IS YOUR BUSINESS AT RISK OF UNFAIR PRODUCT RECLASSIFICATION BY KRA?

CONSENT AND ACCOUNTABILITY IN DATA SHARING

Embracing and Solving the Complex.

services.

get in touch.