November 20, 2023
Kenya | Data Protection Commissioner decision clarifies employer's vicarious liability for employee's data breach
The Office of the Data Protection Commissioner (ODPC) on 3 October 2023 issued a decision addressing an employer's vicarious liability when an employee causes a data breach. In this case, the Complainant, an Advocate of the High Court of Kenya, allegedly discovered that her law firm was under private investigation, in the course of which M-pesa1 statements relating to herself and her law firm were accessed without her consent or a court order. She therefore contended that both her own information and that of her law firm had been disclosed without consent. It is against this background that she filed this complaint with the ODPC under Section 56 of the Data Protection Act.
In response, the Respondent company (referred to hereafter as the Respondent or the Company) did not deny that a data breach had occurred. The Respondent argued that it had not only dismissed the employee, a customer care agent who caused the data breach, after conducting disciplinary proceedings, but had also reported the breach and violation to the police for prosecution. Most importantly, the Respondent emphasized that it had measures in place to mitigate against data breaches, including access controls, two-factor authentication, a virtual private network (VPN), logging and quarterly audits. The Respondent therefore contended that the actions of the former employee were not attributable to the Company because the former employee had acted fraudulently and outside the scope of her duties, in contravention of the measures that the Company had established.
Analysis and determination
In reaching a decision in this case, the ODPC addressed: (1) whether the Respondent was vicariously liable for its former employee's conduct and (2) whether the Respondent had fulfilled its obligations under the Data Protection Act. The ODPC noted that vicarious liability arises when an employee performs a tortious act in the course of their employment. The Act does not contain provisions that deter the imposition of vicarious liability on data controllers or data processors in instances where an employee is directly liable for a data breach.
The ODPC emphasized that a sufficiently close connection between the authorized work done by the employee and the wrong carried out was pivotal to imposing vicarious liability, because only then could the wrongdoing be considered as done in the ordinary course of employment. In the present case, the position of the ODPC was that, as a customer care agent, access to and extraction of M-pesa statements was indeed well within the employee's mandate in the ordinary course of employment. However, the Company had safeguards in place that the employee should have adhered to in the execution of that role.
Consequently, the ODPC found that there was not a sufficiently close connection between what the employee was authorized to do and her disclosure, because she ignored the procedures that the Company had established regarding data sharing with third parties. The ODPC therefore found that the former employee's wrongful act was not sufficient to impose vicarious liability on the employer. Moreover, on the second issue, the ODPC found that the Respondent had complied with the requirements of the Data Protection Act to integrate and implement appropriate measures and safeguards that give effect to the data protection principles in an effective manner. Finally, the ODPC recommended the prosecution of the former employee under Section 72(3) of the Data Protection Act and its attendant regulations.
Notably, the ODPC emphasized that nothing in the Data Protection Act deters the imposition of vicarious liability on an employer. As such, the decision should not be taken to mean that vicarious liability cannot be imposed on an employer. The decision instructs employers to maintain robust data processes and controls, including restricting access to data, to mitigate against data breaches occurring; it was the existence of such controls, and the employee's deliberate circumvention of them, that took her conduct outside the ordinary course of employment in this case.
This decision highlights the important mandate that employers have in ensuring the integrity and protection of data subject information.
For additional information with respect to this Alert, please contact the following:
Ernst & Young (Kenya), Nairobi
Published by NTD's Tax Technical Knowledge Services group; Carolyn Wright, legal editor
1 According to Investopedia, "M-Pesa is a mobile banking service that allows users to store and transfer money through their mobile phones. M-Pesa was introduced in Kenya as an alternative way for the population of the country to have access to financial services." See, What Is M-Pesa? Definition, How the Service Works, and Example (investopedia.com) at https://www.investopedia.com/terms/m/mpesa.asp.