The Office of the Data Commissioner has fined Trident Insurance Company Kes 1.8 million for non-compliance with data protection regulations.
In a letter, the Commissioner directed the insurer to pay the penalty within 30 days from the date of the notice, September 12, 2024, for failing to implement critical data protection measures as per the law.
“This Penalty Notice is issued upon Trident Insurance Company Limited (hereinafter as “the Company”) as a result of its neglect and/or default to fully comply with the Enforcement Notice dated 11th March 2024,” read the letter by Data Commissioner Immaculate Kassait in part.
“We note that the Company did not demonstrate the implementation of the measures that needed to be taken by it to remedy or eliminate the situation as envisaged in the Enforcement Notice.”
Further, she pointed out the company’s failure to incorporate a notification mechanism to inform data subjects on matters affecting them, as envisaged under Section 29 of the Data Protection Act.
Did you read this?
According to Kassait, this meant that affected individuals were not adequately informed of their data rights or potential violations.
Trident Insurance is also blamed for not implementing the necessary technical and organisational measures to ensure that only personal data required for specific purposes were collected and processed, a requirement clearly outlined in the Enforcement Notice.
The regulator says that the failure could have exposed the company to potential misuse of personal data, increasing the risk of privacy breaches.
Likewise, the insurer lacked an internal complaints mechanism.
Additionally, she said that the underwriter did not demonstrate how it had established and operationalized internal procedures for resolving data protection complaints.
According to the Data Protection Act, data subjects should be able to exercise their rights and raise complaints, which should be addressed internally in the first instance.
The absence of such mechanisms undermines data subjects’ ability to seek redress when their data is mishandled.
Similarly, the letter indicates that Trident Insurance failed to prove that its staff had been trained on data protection.
The Act requires that all staff managing personal data, especially sensitive personal data, should undergo training to ensure compliance with the law.