DTB Kenya, Uganda Units Fined Sh500,000 After Data Privacy Breach
Diamond Trust Bank Kenya and its Uganda subsidiary have been ordered to pay a combined Sh500,000 after being found in breach of Kenya’s Data Protection Act, 2019.
The decision follows a complaint by Aaditi Rajput, who for nearly three years received another customer’s financial statements while her own account notifications were disabled, causing financial strain and concerns over the safety of her personal information.
ODPC investigators found that DTB Kenya wrongly applied a “Do Not Contact” instruction without verifying account details.
Staff relied solely on a name match without cross-checking account numbers, ID numbers, or other unique identifiers, violating the principles of lawful and fair processing.
Meanwhile, DTB Uganda improperly linked Ms Rajput’s account to a third-party customer without consent, breaching key principles of data accuracy, privacy, and protection by design.
The Office of the Data Protection Commissioner (ODPC) ordered both DTB units to pay Sh250,000 each and issued an enforcement notice to DTB Uganda, requiring the bank to bring its data handling practices into compliance.
Data Commissioner Immaculate Kassait said the ruling reinforces the need for stronger accountability and customer data safeguards within Kenya’s financial sector.
Background of the Case
The complaint was filed in 2022 by Ms Rajput, a Kenyan customer of Diamond Trust Bank Kenya.
Between 2019 and 2022, she stopped receiving her own account statements and transaction alerts but simultaneously received highly sensitive statements belonging to another customer.
These statements included account balances, transaction histories, and personal identifiers, exposing confidential financial data without authorization.
Breaches Identified by ODPC
- Principle of Accuracy (Section 25) – Both DTB Kenya and Diamond Trust Bank Uganda failed to ensure personal data was accurate and up to date. Their systems incorrectly linked Ms Rajput’s account to another customer, causing her to receive sensitive financial information of a third party while her own notifications were suppressed.
- Lawful, Fair, and Transparent Processing (Section 41(1)) – DTB Kenya. The bank applied a “Do Not Contact” instruction to Ms Rajput’s account without proper verification, relying only on a name match and ignoring other identifiers. This breached fair and lawful data processing principles.
- Purpose Limitation (Section 28) – DTB Uganda. The Ugandan unit linked Ms Rajput’s Kenyan account to another customer for statement routing without her knowledge or consent.
- Data Protection by Design and by Default (Section 36) – Both DTB units lacked adequate safeguards in their IT and back-office systems to prevent mistaken identity linking across borders. Multi-factor verification before suppressing notifications or redirecting statements was missing.
- Accuracy of Cross-Border Data (Regulation 25, Data Protection General Regulations, 2021) – DTB Uganda. The bank failed to take reasonable steps to ensure data accuracy when sharing or processing it across jurisdictions, continuing to route the wrong customer’s statements for years.
- Security of Personal Data (Section 51) – Both entities exposed detailed financial information to an unauthorized third party for almost three years, failing to implement proper technical and organizational measures to prevent unauthorized disclosure.
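The name-only match that the ODPC faulted is easy to reproduce, and so is the check that would have stopped it. The following is an added illustration, not code from the article or from DTB: it uses a constructed customer directory in which two unrelated customers share a display name, a weak lookup that matches on name alone (the behaviour the ruling describes), and a strict resolver that refuses to apply a “Do Not Contact” instruction unless the name, account number and national ID all identify the same single record. All account numbers, ID values and names are made up.

```python
"""Added example (not from the article or DTB): resolving a customer record
before applying a suppression such as "Do Not Contact".

The directory is constructed so that a name-only match is ambiguous; the
strict resolver requires every supplied identifier to agree on one record.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Customer:
    account_number: str
    national_id: str
    name: str
    do_not_contact: bool = False


class AmbiguousMatch(Exception):
    """More than one record matched the supplied identifiers."""


class IdentifierMismatch(Exception):
    """The supplied identifiers do not agree on a single record."""


def make_directory() -> List[Customer]:
    """Constructed sample data: two unrelated customers share a display name."""
    return [
        Customer("0011223344", "ID-10001", "A. Rajput"),
        Customer("0099887766", "ID-20002", "A. Rajput"),
        Customer("0055667788", "ID-30003", "B. Otieno"),
    ]


def weak_lookup(directory: List[Customer], name: str) -> Optional[Customer]:
    """Name-only match, as the ruling describes: the first record with that
    name wins, so whichever namesake sorts first receives the instruction."""
    for c in directory:
        if c.name == name:
            return c
    return None


def resolve_customer(directory: List[Customer], *, name: str,
                     account_number: str, national_id: str) -> Customer:
    """Strict match: name, account number and national ID must all point at
    the same single record. A name that matches but an ID that does not is
    refused rather than silently resolved to a namesake."""
    matches = [
        c for c in directory
        if c.name == name
        and c.account_number == account_number
        and c.national_id == national_id
    ]
    if len(matches) > 1:
        raise AmbiguousMatch(f"{len(matches)} records match account {account_number}")
    if not matches:
        raise IdentifierMismatch(
            f"no single record matches name={name!r}, "
            f"account={account_number}, id={national_id}"
        )
    return matches[0]


def apply_do_not_contact(directory: List[Customer], *, name: str,
                         account_number: str, national_id: str) -> Customer:
    """Suppress notifications only after strict resolution succeeds."""
    customer = resolve_customer(directory, name=name,
                                account_number=account_number,
                                national_id=national_id)
    customer.do_not_contact = True
    return customer


def suppression_refused(directory: List[Customer], **identifiers) -> bool:
    """True when the strict path declines to apply the instruction."""
    try:
        apply_do_not_contact(directory, **identifiers)
    except (AmbiguousMatch, IdentifierMismatch):
        return True
    return False


if __name__ == "__main__":
    d = make_directory()
    # Weak path: a request meant for the second "A. Rajput" lands on the first.
    print("weak lookup picked account", weak_lookup(d, "A. Rajput").account_number)
    # Strict path: a name match with someone else's account number is refused.
    print("mismatch refused:", suppression_refused(
        d, name="A. Rajput", account_number="0011223344", national_id="ID-20002"))
    ok = apply_do_not_contact(
        d, name="A. Rajput", account_number="0099887766", national_id="ID-20002")
    print("suppressed", ok.account_number, "; first namesake untouched:",
          not d[0].do_not_contact)
```

The strict resolver fails closed: an instruction whose identifiers disagree is rejected for a human to re-verify, instead of being applied to whichever record happened to share the name. The same pattern applies to any destructive back-office change, such as redirecting statement delivery, which is the second error the ruling describes.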
This is the first instance where ODPC has imposed penalties on a Kenyan bank and its foreign subsidiary simultaneously. The DTB units have 30 days to appeal the ruling to the High Court.
Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends, and their impact on African economies.