The government has launched investigations into the operations of 40 digital lenders after numerous complaints from members of the public.
In a statement to newsrooms on Wednesday, October 5, the Office of the Data Protection Commission (ODPC) said it's conducting a preliminary documentary assessment and audit on 40 Digital Credit Providers (DCPs) over breach of personal data privacy.
According to Data Commissioner Immaculate Kassait, as of September 30, 2022, her office had received 1,030 complaints from members of the public.
The office admitted 555 of the cases including 299 (54%) which were on Digital Lenders.
Digital lenders on the spot
The lenders include Apesa, Asap Kash, Branch, Cash, Cash Sea, Collect Plus, Coopesa, Credit Ksh, Credit Moja, Deltech Capital Limited/Mykes loan, Direct Cash, Fair Cash, Flash Pesa, Lexi Cash and Hela Credit.
Others are Hikash Kenya, Ikash Connet, Instar Cash, Ipesa, Kash Loan, KashBean, KashPlus, Kashway, Kesloan, Lemon Kash, Lion Cash/Grola Tech Ltd, M-Credit, Meta Loan, Mokash and PapKash.
Poket Cash, Premier Credit Ltd, Rocket Pesa, Senti, SkyPesa, Tala, Wakanda Credit/Kashway, Zash Loan, Zenka Digital Limited and Zuri Cas are also targeted in the new crackdown.
During the audit process, the Data Commissioner said, the lenders will be required to provide her office with requisite documents by October 18, 2022 failure to which they will be deemed to have failed to cooperate with the Office which is an offence under Section 61 of the Data Protection Act.
The Data Protection (Complaints Handling and Enforcement Procedures) regulations, 2021 took effect in February 2022 paving the way for data subjects to file complaints and report data breaches to the Data Commissioner.
Most of the lenders on the list are facing accusations of using threats to recover money from loan defaulters. Some have been accused of going to the extent of accessing borrowers' phone books and sending threatening messages to relatives and friends.
At the same time, the Data Commissioner also issued an enforcement notice against Aga Khan University Hospital over an alleged breach of a patient's personal data.
The patient is said to have filed a complaint with the commission after one of the staff at the hospital contacted them 'inappropriately'.
"A complaint was raised by a patient to the Data Commissioner that after visiting the Hospital, a staff later inappropriately contacted the complainant contrary to Sections 25, 41 and 46 of the Data Protection Act, 2019. (The Act)," the statement read in part.
Kassait has since directed the hospital to put in place measures to prevent such acts in the future.
"In exercise of the Powers of the ODPC, the Data Commissioner directed the Hospital to outline specific measures it will take to mitigate or eliminate the breach/ contravention and to rectify and/or put in place structures within which the measures shall be implemented within 30 days," the Data Commissioner said.
"Pursuant to Section 58(3) of the Data Protection Act. 2019, any person who, without reasonable excuse, fails to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both," she added.
While encouraging members of the public to continue sending their complaints, Kassait expressed her commitment to protecting personal data and enforcing compliance in the event of a breach of the laws.
"This is just one among many other complaints being investigated by the office. We want to assure the public that the complaints received will be investigated and concluded accordingly. All aggrieved members of the public are encouraged to continue sending their complaints via https://www.odpc.go.ke/file-a-complaint/," she stated.