Data Commissioner fines school Sh500,000 for sharing student’s personal data without consent
The Commission found that the school breached the minor's personal data when the school shared the information with a travel agency and the US Embassy.
The Office of the Data Protection Commission (ODPC) has ordered a top school to pay a fine of Sh500,00 for sharing a student's personal data without the parent's consent.
The Commission found that the school breached the minor's personal data when the school shared the information with a travel agency and the US Embassy.
More To Read
- Man loses CCTV privacy case over failure to follow legal procedures
- High Court grants four-month delay on IMEI registration directive after privacy concerns
- Banks resist KRA’s push for system integration over personal data privacy concerns
- Human rights groups slam telcos over alleged data sharing with security agencies
- Kenya Medical Council issues new certification rule for health facilities from 2025
- Safaricom under fire as Senators demand answers on alleged data breaches
"The Respondent is hereby found liable for unlawful processing of the minor's personal data and is hereby ordered to pay the complainant (minor's parent) Sh500,000 as compensation," ordered the Data Commissioner.
ODPC faulted the school for issuing a letter to a third party containing personal information of the child without prior consent from the minor's parent.
The commissioner said the sharing of the information was an unlawful processing of the minor's personal data.
"Personal data belonging to minors requires special protection due to their vulnerability and should always advance the rights and best interests of the child," noted the Data Commissioner.
The suit was filed by the minor's parent against the school for sharing the child's personal information with the travel agency and the US Embassy consulate without their consent.
The parent told the data commissioner said the letter contained personal information of the child, yet the school did not obtain prior consent.
The said letter was issued to 16 parents as they sought a visa to travel to the United States of America.
The parents were given an invitation letter from the World Scholars Cup Debate Competition bearing all the student's information, an introduction letter from the school listing the qualifying scholars.
The minor's parent stated that the child's information, contained in the letter, was displayed to all 16 parents and presented to the US Embassy on October 18, 2024, without her consent.
She further stated that the breach has caused her emotional distress, as the release of personal information about her child to a third-party individual can lead to identity theft or fraud.
In its defence, the school said that the processing of the children's data was necessitated by an invitation letter from the World Scholars Cup dated September 26, 2024.
They said the letter contained the names of participating students and chaperones, requesting that they be granted visas for entry into the United States to attend an academic competition hosted by Yale University.
The school further stated that as part of its educational mission to foster students' growth and provide meaningful opportunities, it sought to facilitate the trip. This included issuing a consent form to the relevant parents, which was accessible only by the school trips team and distributed via Google Forms.
Top Stories Today
