Vicarious liability of employers vs employee responsibility in regard to personal data breaches.

Summary of the Final Determination of the ODPC in Complaint No. 1212 of 2023: Pauline Muhanda t/a Mudeshi Muhanda and Co. Advocates v Safaricom PLC

Facts in issue

The Complainant is an Advocate of the High Court of Kenya who discovered, through an Application lodged in Court, that she and her law firm had been under private investigation. These investigations led to MPESA statements of transactions conducted between 11th and 31st December, 2022, relating to herself and her law firm, being produced in court. These statements had been obtained from a Safaricom PLC employee who, in her ordinary course of work, handled MPESA statements and had an obligation to provide them to data subjects upon their request or upon production of a court order. However, in this matter, neither the Complainant’s consent nor a court order had been obtained before the statements were handed over to opposing Counsel. As a result, both her information and her client’s had been revealed without their consent, thereby allegedly violating their right to privacy. The Complainant filed a complaint with the ODPC under Sections 8(f) and 56 of the DPA as well as Regulation 14 of the Data Protection (Complaints, Handling and Enforcement) Regulations, 2021.

Proceedings before the ODPC

The Respondent raised a Preliminary Objection, claiming that the ODPC was functus officio and did not have jurisdiction to hear the complaint; that the Complaint was res judicata and the Respondent therefore ought not to be vexed over the same matter twice; and that the ODPC had acted in violation of Section 8 of the DPA by soliciting the Complainant to re-lodge a complaint over which the ODPC had stated it had no jurisdiction.

The ODPC identified three issues for determination:

  1. Whether the ODPC has jurisdiction to hear this matter
  2. Whether the Respondent was vicariously liable for the employee’s conduct
  3. Whether the Respondent fulfilled its obligations as per the provisions of the Act.

With regard to the first issue, the ODPC clarified that it had notified the Respondent about the claim within 21 days as required by law; however, because the parties attempted to first use ADR to resolve the matter, the 90-day statutory timeline had passed. Nevertheless, the ODPC determined that it was not functus officio, as Section 8(K) and Section 9 of the DPA give the office power to perform its functions as necessary for the promotion of the DPA. The ODPC noted that no final determination had previously been rendered on the same complaint, with the same parties and issues, by itself, which was the body of competent jurisdiction. The matter, therefore, did not reach the threshold of res judicata, and the ODPC had jurisdiction to hear and determine the complaint.

With regard to the issue of vicarious liability, the ODPC noted that the Respondent did not dispute that a personal data breach of its systems had occurred due to the actions of the employee. However, the Respondent insisted that the employee had violated the company’s Acceptable Usage Policy, with which she was obligated to comply. The Respondent maintained that the employee, who was a Customer Care Agent, was acting within her ordinary course of work when interacting with MPESA statements, but that she went beyond the scope of her employment and violated the existing safeguards and policies by providing third parties with the MPESA statements of the Complainant and her firm without her consent or the production of a court order. The Respondent further insisted that in dealing with the matter, it had conducted investigations, taken disciplinary measures and reported the matter to the police as per its legal obligation.

In its determination, the ODPC noted that vicarious liability arises when a tortious act is done by an employee within the scope of employment or during the course of such employment. It also noted that the DPA does not prevent the imposition of vicarious liability on a data processor or controller in instances where the direct breach rests with their employee acting in the course of their employment. The ODPC therefore relied on the close connection test in deciding whether the Respondent in this case was vicariously liable for its employee’s wrongdoing. This test asks whether there is a sufficiently close connection between the work the employee was authorised to do and the wrongdoing carried out, such that the wrongdoing could be regarded as done by the employee in the ordinary course of employment.

The ODPC then applied the close connection test to the actions of the employee in this matter. The Customer Care Agent’s actions of extracting the MPESA statements fall within the “field of activities” of her role; however, the Respondent had put in place safeguards that ought to have been adhered to in executing that role, and she did not adhere to them. Therefore, the existence of a close link between her duties and the actions she chose to take in disclosing the Complainant’s personal information, when done without following the set procedure (i.e., obtaining consent or acting on a court order), does not satisfy the close connection test.

Similarly, in evaluating the culpability of the employee in this matter, the ODPC noted that she acted ultra vires when she assumed the role of Data Controller and accepted an unauthorised application by a third party without following the set rules of authorisation. She therefore failed to follow the rules set by the Respondent in regard to sharing data with third parties. Consequently, the ODPC found that, although her employment at the Respondent gave her the opportunity to commit a wrongful act, this was not sufficient to impose vicarious liability on the Respondent.

With regard to the final issue, the ODPC emphasised that, being the Data Controller, the Respondent is obligated under Section 41 of the DPA to implement appropriate safeguards and technical and organisational structures that give effect to the data protection principles. Data Controllers are required to integrate necessary safeguards that ensure that, by default, only personal data that is necessary for each specific purpose is processed, because the controller has a greater obligation to protect the data under its control. However, in this case, the Respondent had an employee who unlawfully disclosed the Complainant’s personal data and thereby acted outside the scope of her mandate, an act for which the controller ultimately bore no responsibility. The employee who acted outside of her mandate and deviated from the confines set by the Respondent is, therefore, personally responsible for the breach as per Section 72(3) of the DPA, and as such the ODPC recommended that she be prosecuted under the said section and the attendant regulations.

This determination by the ODPC provides an overview of the responsibilities of employers/data controllers and employees/data processors in regard to data breaches. Whereas employers are required to set safeguards and create policies and organisational structures, it is the responsibility of employees to follow those structures. Failure to do so may result in the employee having to take on personal responsibility for the data breach, to their detriment. It is therefore extremely important for both organisations and their employees to protect themselves by setting and/or following the requisite data protection policies in place.

Date: October 13, 2023 By: Anne Gathirwa.

For more insights pertaining to this matter, you can reach the writer at annegathirwalaw@gmail.com. You can also contact us at MMS Advocates, Lower Duplex Apartments, LOWER HILL ROAD, or email us at info@mmsadvocates.co.ke