The Office of the Data Commissioner has imposed a fine on Trident Insurance Company for failing to adhere to data protection regulations.
In a communication to the insurer, the data protection authority ordered a payment of Sh1,825,000 due to the company’s failure to implement key data protection measures required by law.
“This Penalty Notice is issued upon Trident Insurance Company Limited (hereinafter as ‘the Company’) as a result of its neglect and/or default to fully comply with the Enforcement Notice dated 11th March 2024,” stated Data Commissioner Immaculate Kassait.
“We note that the Company did not demonstrate the implementation of the measures that needed to be taken by it to remedy or eliminate the situation as envisaged in the Enforcement Notice,” she added.
One of the significant compliance lapses cited by Kassait was the insurer’s failure to establish a notification system to alert data subjects of important matters affecting their data, as required under Section 29 of the Data Protection Act.
As a result, individuals impacted by data processing were not properly informed about their data rights or any breaches thereof. Additionally, Trident Insurance did not enforce necessary technical and organizational safeguards to ensure that only data required for specific purposes was collected and processed, a critical obligation outlined in the Enforcement Notice.
This shortfall increased the risk of unauthorized use of personal data, raising concerns about potential privacy violations. The insurer was also found to be lacking an internal complaints resolution process.
The company did not provide evidence of having established or activated internal procedures to handle data protection complaints. According to the Data Protection Act, individuals should have the ability to exercise their rights and lodge complaints, which should be addressed internally before escalating.
Without these systems, data subjects are hindered from seeking resolution when their personal information is mishandled.
Furthermore, Trident Insurance failed to demonstrate that its employees had undergone data protection training, as mandated by the Act.
Staff managing personal data, particularly sensitive information, are required to receive adequate training to ensure legal compliance.
The company was also found to be non-compliant with the obligation to register as a data controller or processor, a requirement under the Act. The fine must be paid to the Office of the Data Commissioner within 30 days of receiving the notice.