The Office of the Data Protection Commissioner (ODPC) has ordered three financial institutions to pay a combined Sh650,000 to a customer whose personal information was unlawfully shared and used without her consent.
In a determination issued to the parties, the regulator found that Kenya Women Microfinance Bank (KWFT), Family Bank, and Co-operative Bank illegally processed and circulated the private loan details of Ms Mwikali Nzyoka, including her identity card number, phone number, workplace information and loan status.
According to the ODPC, KWFT was responsible for the initial leak after the lender shared Ms Nzyoka’s loan information while marketing customer loans. Co-operative Bank later admitted that it obtained her details through what it termed “market intelligence,” while Family Bank was found to have engaged an agent who contacted her using unlawfully acquired data.
The regulator noted that all three banks contacted Ms Nzyoka without her approval and failed to inform her of the processing of her personal data, contrary to the Data Protection Act, 2019.
Following the findings, the ODPC directed KWFT to pay Sh250,000, while Family Bank and Co-operative Bank will each pay Sh200,000 as compensation for infringing on her rights.
The ruling is among the clearest signals yet of the government’s intention to tighten oversight on data handling practices in the banking sector, where customer information is frequently shared during loan marketing and recovery efforts.
The case is also expected to serve as a precedent as Kenyans increasingly challenge the misuse of their personal data by lenders, digital credit providers and commercial agents.
