PAULINE MUHANDA T/A MUDESHI MUHANDA AND CO ADVOCATES vs SAFARICOM PLC

Office of the Data Protection Commissioner

Automated Summary

Key Facts

The case involves a data breach by Safaricom PLC employee Dorcas Mwaniki, who disclosed the complainant's M-Pesa statements to a third party without consent or a court order. Safaricom has policies and safeguards (access controls, logging, disciplinary procedures) in place to protect personal data. The employee was a customer care agent with authorized access to M-Pesa statements but violated protocols by sharing data unlawfully. Safaricom conducted its own investigation, dismissed the employee, and reported the breach to the police. The Office of the Data Protection Commissioner (ODPC) determined that the employee acted outside the scope of her duties, and thus Safaricom is not vicariously liable for the breach.

Issues

  • Whether the Respondent was vicariously liable for its employee's conduct under the Data Protection Act
  • Whether this Office has jurisdiction to hear and determine this complaint
  • Whether the Respondent fulfilled its obligations under the provisions of the Act

Holdings

  • The Office of the Data Protection Commissioner (ODPC) has jurisdiction to hear and determine the complaint because the previous complaint did not result in a final decision, res judicata does not apply, and the ODPC did not improperly solicit the Complainant to re-submit the complaint.
  • The Respondent is not vicariously liable for the unauthorized disclosure of the Complainant's personal data by its employee. The employee's actions were outside the scope of her duties and aligned with a fraudulent scheme, so they failed the 'sufficient connection test' established by the UK Supreme Court in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.

Remedies

  • Parties have a right to appeal this Determination to the High Court.
  • A recommendation is made for the prosecution of Dorcas Mwaniki under Section 72(3) of the Data Protection Act and the attendant Regulations.
  • The complaint stands resolved against the Respondent.

Legal Principles

  • The Office addressed res judicata principles to determine whether the complaint was statute-barred or had previously been finally decided, and concluded that no prior final determination existed to prevent re-litigation.
  • The determination applies the UK Supreme Court test for vicarious liability in data protection cases, requiring a sufficiently close connection between an employee's authorized duties and their wrongful conduct. The Office found the employee's unauthorized data disclosure not attributable to the employer as it was outside the scope of her duties.

Precedent Name

  • Christopher Kenyariri vs Salama Beach
  • WM Morrison Supermarkets plc v Various Claimants

Cited Statute

  • Data Protection Act, 2019
  • Constitution of Kenya 2010
  • Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021

Judge Name

Immaculate Kassait, MBS

Passage Text

  • This office finds that the fact that her employment at the Respondent company gave her the opportunity to commit the wrongful act was not sufficient to impose vicarious liability on the Respondent.
  • The test applied by the UK Supreme Court in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 in deciding whether an employer is vicariously liable is whether there was a sufficiently close connection between the work the employee was authorised to do and the wrongdoing carried out, so that the wrongdoing could fairly be regarded as done by the employee while acting in the ordinary course of employment.
  • The Supreme Court of the United Kingdom in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 held that the Controller was not vicariously liable for the actions of its former employee in wrongfully disclosing the payroll data of its entire workforce.