Banks should protect the data of customers and their next of kin

Hibo Hussein contributed to this post. This article was originally published at page 11 of Business Daily Africa Newspaper of December 11, 2018

This week, banks have approached the High Court to declare unconstitutional some clauses in the Finance Act 2018 that requires them to record details of customers’ next of kin and to keep updated next of kin registers of their customers. The clause makes it an offence for lenders to fail to keep this register.


The banks are relying on two arguments. Firstly, that introduction of these provisions was not subjected to public participation. Secondly, that the law violates Article 31 (C) of the Constitution that protects individuals from being compelled to reveal private information.We note that despite good intentions of coming up with the law, the drafting of this section is flawed. The Finance Act 2018 in attempting to address very important issues of consumer rights, however is far reaching and breaches the rights of privacy of another citizen.

Kenyans should be able to choose whether to provide and to have a right to correct any inaccurate data about them. This burden should not lie with the lender as it is upto Kenyans to choose to provide their data. As general practice, lenders collect personal data from their clients; from names, date of birth, passport/ID numbers, physical addresses, email addresses, signatures to photographic data.

By law, banks are bound by the common law principles of confidentiality as well as statutory requirements relating to non-disclosure of information on the other hand individuals have rights to know why information is being collected from them, for what use and for how long. Data subjects have a right of access to their personal information and a right to demand correction if such information is inaccurate or complete. Despite, well intended; the introduction of next of kin register is a concern for all Kenyans.

This creates an opportunity to discuss the lending industry and whether they protect the data of their customers. Despite clients giving all their information there is little understanding of their privacy rights. The processing of the next of kin data should only be allowed for legitimate purposes of the data subject.

A potential legitimate interests would be when the lender would need to contact the next of kin incase the bank customer pass away. However, the next of kins have certain data protection rights which the Finance Act 2018 should cater for in its drafting.

Firstly, as it relates to next of kin; the responsibility should be on the bank customer to inform their next of kin whenever they are selected as a next of kin since the lenders will be processing their personal data.

Secondly, the nominated next of kin has a right to provide consent and to withdraw their consent, in instances where they had agreed to be nominated and later change their minds; they can later revoke the permissions granted to the companies.

Thirdly, the nominated next of kin have a right to limit the way the lender uses their data and only allow for storage of the personal data but no other purpose such as marketing products to them. Fourthly, both the customers and their next of kin should be able to complain a competent authority that is impartial and independent and seek remedy whenever their data has been misused. In conclusion, the Finance Act 2018 should be amended to take care of the rights of the customer and their next of kin.

Hibo Hussein contributed to this post. This article was originally published at page 11 of Business Daily Africa Newspaper of December 11, 2018

By Ephraim Percy Kenyanito

Ephraim is a trained lawyer and an Associate of the Chartered Institute of Arbitrators with over eight years in the International Trade, Technology, Media and Telecommunications Law industry. Between 2014 and 2018 he served as the youngest advisor on Internet Governance to two UN Secretary Generals Ban Ki–moon and António Manuel de Oliveira Guterres. Additionally, since 2013 he has served as an Independent Expert to two ICANN Implementation Advisory Groups. Further, since 2012, Ephraim has executed international development projects with a diverse range of leading international institutions across 46 African Union member countries. Presently, Ephraim does research at the nexus of the Domain Name System and Business and Human Rights (BHR) with an international institution, ARTICLE 19. He is also a member of the GFCE Advisory Board, Digital Peace Now, European Commission GIPO advisory group among other board positions. He is also a full member of the International Association of Privacy Professionals (IAPP) and Pan African Lawyers Union (PALU). Ephraim is currently pursuing Postgraduate qualifications in Technology, Media and Telecommunications Law at Queen Mary University of London and holds an LLB (with Honours) where his thesis examined the Relationship Between Domain Names and Geographical Indications with a special focus on .wine and .vin applications.

Leave a Reply