Safaricom has been fined Sh250,000 for using a customer’s national identity (ID) card to register a SIM card without her permission.
In the ruling by Data Commissioner Immaculate Kassait, the telecoms operator was found at fault for transferring ownership of Catherine Murithi’s corporate phone line from her ex-employer to her personal ID, days after her employment was terminated.
Safaricom was cited for infringing on Ms Murithi’s right to be informed under Section 26(a) of the Data Protection Act, as well as for unlawful processing of the complainant’s personal data without her consent.
Ms Murithi’s former employer, a medical technology firm named Becton Dickinson (BD), has also been ordered to pay a similar amount as compensation to the complainant for sharing details of her ID with Safaricom.
“The first and second respondents (BD and Safaricom respectively) are hereby ordered to pay the complainant Sh250,000 each for the infringement of her rights under the Act (Data Protection Act) and the unlawful processing of her personal data without her consent,” wrote Ms Kassait.
According to the detailed judgement, Ms Murithi had submitted a range of personal documents including the ID to BD as part of the requirements for an employment contract signed on August 16, 2021.
Ms Murithi said that she only expected her data to be used for verification of her job application details as per human resources regulations.
Soon after joining employment, she alleged, BD informed her that to convert her post-paid personal Airtel number into a corporate line under the firm’s account, she needed to terminate Airtel SIM card services so that the same number could be registered with Safaricom under the BD account.
The number thus became Ms Murithi’s official communication channel that BD was being billed for by Safaricom during her employment tenure that lasted till September 30, 2024, when she was issued with a termination letter on a redundancy basis.
The complainant further submitted that after she had ceased being BD’s employee, the firm without consent shared her national ID copies with a Safaricom representative to facilitate the registration and transfer of the mobile number to her ID after it had been scrapped from the BD corporate account.
She also alleged that the company transferred her personal data outside Kenya without her consent, by copying two South Africa-based colleagues in an e-mail to Safaricom.
“According to Safaricom, these copies were shared by BD in a separate mail that the complainant was not party to thus enabling Safaricom to transfer the terminated BD billed number to the complainant’s identity, register the transferred BD billed number to the complainant’s identity card under the Safaricom’s prepaid tariff without her consent or participation,” says the ODPC concerning the adduced evidence.
In its response, BD said the opted approach was necessary to achieve proper offloading of the complainant from the company, adding that no harm or prejudice was caused to her rights as the mobile line was originally hers and Safaricom already had her personal data.
On its part, Safaricom maintained that it acted purely on BD’s instructions to have Murithi’s SIM details transferred back to her ID following her exit from employment.
In her determination, Ms Kassait notes that BD violated Ms Murithi’s right to be informed of the use to which her personal data was to be put, while Safaricom was found to have erred for not dealing directly with the complainant as a subscriber after it was informed of her exit from employment.
“The complainant had the right to be informed about how her personal data will be used by the second respondent (Safaricom). Instead, the second respondent opted to deal with the first respondent (BD) and request for the complainant’s ID copies from the first respondent while fully aware that the complainant was no longer in any contractual relationship with the first respondent,” Ms Kassait said.
