Evidently, from the documents submitted to this Office, the 1st Respondent did not fullfill
this obligation as they transferred and shared the Complainant’s personal details with third parties for purposes of transfer of the salvage vehicle.
– Immaculate Kassait –
Introduction
Insurance companies exercising the right of salvage will now be required to be a little more diligent in disposing of salvages. This follows a decision by the Data Commissioner in which CIC General Motor Insurance was found liable for infringement of its insured’s rights when it shared the insured’s data with a third-party purchaser of a salvage motor vehicle but without the insured’s consent.
The right of salvage allows an insurance company to acquire and sell property for which it has paid an insured in full for its loss or destruction. The sale of the salvaged property helps an insurer recover some of its costs. The insured is required to submit the ownership documents of the property to the insurer to facilitate this process.
The Dispute
ODPC Complaint No. 0359 of 2024 – Carolyne Mage – versus – CIC General Motor Insurance & National Transport Authority
The Complainant lodged a complaint before the Office of Data Protection (ODPC). She alleged that her personal data had been shared with third parties by her insurer without her consent. She had submitted the original log book, copies of her KRA PIN, and National Identity card to her insurer for purposes of processing her claim following an accident involving her motor vehicle. The motor vehicle had since been written off.
After the claim was paid, her insurer, in the exercise of its right of salvage, sold the motor vehicle to a third party and handed over the logbook to the purchaser. The purchaser in turn sought to have the motor vehicle transferred to his name through the E-citizen portal at the National Transport Safety Authority (NTSA). He contacted the Complainant requesting her to transfer the written-off car but this request was declined. Later, she received a notification on sms indicating that the motor vehicle had been successfully transferred.
The Data Commissioner found that the insurer had breached the Complainant’s rights by failing to inform her of the third parties whose personal data has been or will be transferred. To that extent, the insurer had failed to discharge its obligations as mandated under section 28 of the Data Protection Act (“the Act”). “Evidently, from the documents submitted to this Office, the 1st Respondent did not fulfill this obligation as they transferred and shared the Complainant’s personal details with third parties for purposes of transfer of the salvage vehicle,” she held in the decision delivered on 7th June 2024. For this breach, the insurer was ordered to pay the Complainant two hundred and fifty thousands of shillings (250,000/=) as compensation.
Implications to Insurance Companies
Insurance companies fall under the category of data controllers/processors. By definition, these are persons/entities who determine the purpose or means of processing of personal data, or entities which process personal data on behalf of the data controller. Such entities are obligated under section 29 of the Act to, amongst other duties, before collecting personal data, inform the person of the third parties whose personal data has been collected will be transferred to. This duty is a correlation of the rights under section 26 that the data subject has, including “the right to be informed of the use for which their personal data is to be put.”
Where a data controller/processor breaches their obligation under the Act, they are liable to compensate the person who suffers injury on account of the breach. This is in accordance with section 65 of the Act. Additionally, the Data Commissioner is empowered to issue an enforcement notice, requiring the data controller/processor in breach of the provisions of the Act, to take such steps within such period as may be specified in the notice with a view to complying with the provisions of the Act. There are criminal sanctions including a penalty of not more than five million or imprisonment for a term not exceeding two years or both, in the event of non-compliance.
This means that insurance companies must out of necessity, consider introducing ‘consent clauses’ in the “Discharge Forms” with their insured who would consent to their data being shared with third parties, for the legitimate purpose of transferring the salvages to the purchasers. That way, they would be able to comply with the requirements under the Act and avoid unnecessary claims borne out of breach of the provisions of the Act.
Considering the nature of the insurance business and the need to engage other third parties including garages and assessors, all of which are critical players in an insurance claim process, the consent clauses should not only be limited to discharge forms for salvages, but should also extent to other related matters that would involve third parties where the insured personal data would be required by those parties.
Conclusion
Five years after its enactment, the provisions of the Data Protection Act continue to be given effect through interpretation in various fora. For data processors/controllers in which category insurance companies fall under, urgent steps must be taken in relation to the operations of the Act. Focus must now shift on compliance with the requirements of the Act and this includes obtaining consent from customers who may potentially turn to be their adversaries in the event of breach of the provisions of the Act by the insurers.
Cyril Kubai – Partner (Dispute Resolution)
26 September, 2024
Comment (1)
Very relevant. Most of these insurance companies do share our data without consent sometimes for marketing purposes