Premium

Firms are ‘selling’ your personal data without consent

Immaculate Kassait, nominee for the position of Data Commissioner, when she appeared for vetting before the Departmental Committee on Communication, Information, and Innovation, in Parliament on Wednesday, October 28, 2020 [David Njaaga, Standard]

Do you get those annoying SMS alerts showing you have subscribed to a certain service? And even when you unsubscribe you still get messages from the same or other organisation?

It means your personal information, which you disclosed to one firm, is likely to have been sold to another without your consent.

A survey report by consulting firm Ernest & Young (EY) shows six out of 10 (59 per cent) organisations in Kenya transfer personal data in their custody to third parties, sometimes for commercial gain.

It also shows your spending habits and identity are the two leading sets of data that are pricey, largely transacted at 47 per cent each.

Others include details such as phone numbers.

According to the report released Thursday, while 59 per cent of organisations transfer personal data to third (and subsequent parties), just 47 per cent seek consent from the subjects.

Reasons for sharing of the information include analytics, card processing, financial transactions, SMS alerts for customer transactions and investigations into fraud by law enforcement.

Others are service provision, vendor support, joint product offering and mobile banking.

The survey was conducted between November 2020 and February 2021 and interviewed senior executives, legal officers and those involved in risk technology.

Respondents were from sectors including banking, insurance, asset management, manufacturing, fast-moving consumer goods, and telecommunication and financial services.

Data Commissioner Immaculate Kassait said people should be wary of who they share their personal information with and why.

“For example, when you take your clothes to the laundry, you will be asked your number, where you live and you end up giving your whole biography. We should shift our minds on sharing information freely,” she said.

Ms Kassait said simple details such as residential information shared in an estate setting should require consent. “You should ask yourself; the people you are sharing information with, where do they take it?”

Kenya enacted the Data Protection Act in November 2019.

The EY survey shows that mobile or web applications (39 per cent) are the leading channels for getting consent followed by email (37 per cent). The rest (24 per cent) include SMS and physical signed forms.

Forty-five per cent of organisations, according to the survey, have ways for people to access their personal data through online portals.

Another 37 per cent access via mails and 18 per cent use other means such as physical visits.

EY Partner and Technology Consulting Leader Robert Nyamu said millennials and Generation Z lead in inquiring into the safety of their data.

“Young people want to work with organisations that handle their data responsibly,” he said. “We know this population spend most of their time online.” 

He said the Data Protection Act and the subsequent regulations will streamline the sector further.

“Data protection and privacy is not a purely compliance issue but it has been proved in other markets that it can be the competitive edge for an organisation,” Mr Nyamu said.