In Grace Gatambu v. AAR Healthcare Kenya Limited, ODPC Complaint 1085 of 2023, the Complainant alleged that AAR Healthcare Kenya Limited had violated the Data Protection Act, 2019, by disclosing her confidential medical information, which contained both sensitive health data and personal data, to a third party without her consent. The third party then used this information to market insurance products to her. The Respondent admitted to the allegations, confirming that one of its staff members had erroneously shared the Complainant’s medical information with the wrong insurance company. The Respondent contacted the Complainant, offered a verbal apology and treated the incident as an isolated case of human error.
Determination
The Office of the Data Protection Commissioner (ODPC) determined that AAR Healthcare Kenya Limited had violated the Complainant’s rights under the Data Protection Act, 2019. The Respondent failed to inform the Complainant of the intended use of her data at the point of collection and did not obtain her consent before sharing it with a third party.
Given that the Respondent had erroneously shared the Complainant’s medical information with the wrong insurance company, the ODPC emphasized that it was the Respondent’s obligation to ensure that the third party did not further process the Complainant’s data and to direct the erasure of the Complainant’s information from the third party’s records.
Additionally, the ODPC found that the Respondent failed to implement privacy by design and default, which would have safeguarded the data protection principles during its processing activities. The Respondent was found liable and issued with an Enforcement Notice.
What’s In It for Medical Health Facilities?
- Obtain Explicit Consent for Data Sharing
Medical facilities MUST obtain explicit, informed consent from data subjects before sharing their sensitive personal and health data with third parties. Consent should clearly outline how the data will be used and who it will be shared with.
- Inform Patients at the Point of Data Collection
Patients should be informed of the purpose for collecting their data, how it will be processed, and the entities with whom it may be shared. Transparency is critical to building trust and ensuring compliance with data protection laws.
- Implement Privacy by Design and Default
Medical facilities must adopt privacy safeguards from the outset of data collection and throughout all processing activities. This includes limiting access to sensitive data, using secure systems, and embedding data protection principles into workflows to minimize risks.
- Train Staff on Data Protection Compliance
Staff handling sensitive patient data must receive regular training on data protection laws, including the importance of confidentiality, proper data handling procedures, and the consequences of breaches.
- Address Errors with Adequate Remediation
In the event of a data breach, medical facilities must take swift action to mitigate harm. This includes notifying affected individuals, investigating the breach, and ensuring corrective measures are in place to prevent recurrence. A verbal apology alone is insufficient to address violations of data protection principles.
- Understand the Significance of Sensitive Data
Medical facilities handle highly sensitive health and personal data, which is subject to strict protection under data privacy laws. Mishandling such data can lead to significant legal, financial, and reputational repercussions.
AUTHOR: Joyce Mwaura