Kenyan companies are breaching data protection laws to share financial and personal data belonging to millions of Kenyans. A report from a survey conducted consultancy firm Ernst and Young shows that third party companies had obtained customer data from 41 percent of the companies holding the data.
Out of this figure, 53 percent did not seek the customer’s consent before sharing their personal information.
Some companies are said to be passing their client data to industry players, while some forward personal information to the authorities for investigations.
The data is used by third parties for advertising, analysis, sending bulk SMSs and processing transactions.
This is in contravention of the data protection act that restricts the handling and sharing of data received by the government and some private companies.
Mr. Nyamu said some firms had even put the data up for sale, although it was hard to quantify the actual value.
Data is siphoned from several quarters including public registries such as census, surveys, when visiting premises, signing up for services and so much more.
Kenyans are required to routinely share their personal data including their location, ID numbers, telephone, work, email addresses, marital status, employment and all private information.
Unfortunately, this puts the individuals at risk as their identities can be stolen and used maliciously. Fraudsters can also use the information to hack into emails or bank accounts and cause even more damage.
On several occasions, a number of users have taken to social media to complain about the number of unwarranted text messages from unknown companies.
The Data protection commissioner’s office led by Immaculate Kassait aims to protect Kenyans’ data frombeing mishandled. The office invites the public to file complaints or report cases where their data was compromised.
Among the first cases the office has addressed is the recent scenario where Kenyans woke up to find their details registered to different political parties without their knowledge. The Data protection office directed that the Office of the Registrar of Political Parties take the responsibility of ensuring that the affected users were deregistered.