The ODPC has found that the digital lender Azura adopted some disturbing practices in using Mr. Okoth's personal data without his consent. Investigations revealed that Azura had obtained Mr. Okoth's telephone number from a third party who had borrowed money from the lender and listed Mr. Okoth as a referee or emergency contact.
Lack of Notification and Privacy Violations
Despite obtaining his details this way, Azura failed to inform Mr. Okoth of the intended use of his data when collecting it. This lack of communication on Azura's part constitutes a serious breach of data protection laws, according to Data Commissioner Immaculate Kassait. She held: "The respondent Azura, by failing to inform the Complainant of the use to which his personal data was to be put, at the point of collection of the personal data, breached his right to be informed." In addition, the company ignored various requests by Mr. Okoth to stop contacting him.
Denials by Azura and Lack of Proof
Though Azura insisted that Mr. Okoth had personally taken a loan and defaulted, the company failed to provide evidence to support its claims. Efforts by the ODPC to verify the claims against Azura's database were obstructed. On the date agreed upon for verification, Azura said the staff member in charge of the database was not available, which Ms. Kassait described as "obstruction of the Data Commissioner contrary to Section 61 of the Act."
Consequences and Recommendations
These findings prompted the ODPC to order Azura to compensate Mr. Okoth for the breach and to recommend that legal action be taken against the directors of Azura for breaching data protection laws.
Background on Data Privacy Violations
Data privacy violations such as the one Mr. Okoth experienced have been rife in Kenya, especially before the CBK moved to clean up the list of digital credit providers (DCPs). Many DCPs were said to harass borrowers' contacts who were not involved in any loans, causing immense distress to many.
New Regulatory Measures
The CBK has responded to these challenges by setting licensing requirements for DCPs, stipulating that they provide their data protection policies and, further, their consumer redress mechanisms. So far, 58 digital lenders have been licensed by the CBK, with the most recent, this past March, being Azura. Regulation of this nature is expected to protect consumers' interests and ensure the responsible handling of personal information.