NCBA Bank ordered to pay Sh250,000 for mishandling customer’s data

The Office of the Data Protection Commissioner (ODPC) has ordered NCBA Bank to pay a customer Sh250,000 for mishandling his personal data. This is a stern warning to institutions that data subjects’ rights – particularly the right to erasure – must be respected and acted upon promptly.

How it Happened

The case was filed by Brian Githaiga, who repeatedly told the bank that the email address on his account was incorrect. Despite this, NCBA failed to update or delete the wrong email address and continued to send details of sensitive account transactions to the wrong person.

What’s more disturbing is that the unintended recipient also contacted the bank to report the error and said she didn’t have an account with NCBA. Yet the bank continued to communicate with that email.

NCBA’s Defence Falls Flat

In their response, NCBA said Mr. Githaiga had supplied two email addresses when he opened the account and only later asked for one to be deleted. The bank claimed they complied with the request promptly.

But the ODPC’s investigation found otherwise. The regulator found that although Mr. Githaiga had indeed requested the deletion of the secondary email address, the instruction was not executed properly. The evidence presented by the complainant contradicted NCBA’s claims, and the ODPC concluded that the bank had breached his right to erasure under the Data Protection Act.

“The respondent is hereby found liable for violating the complainant’s right to erasure… and is ordered to pay the complainant Sh250,000,” ruled Data Commissioner Immaculate Kassait.

A Pattern of Non-Compliance in the Financial Sector

This is not an isolated case. Other financial institutions have been penalized by the ODPC for not respecting data privacy rights. Last year, Family Bank and SBM Bank were fined Sh250,000 and Sh450,000 respectively for sending unsolicited emails to non-customers and not acting on complaints.

The common thread in all these cases is the banks’ negligence or refusal to act on requests to delete or update personal data – a violation of the right to erasure, which requires compliance within 14 days of a legitimate request.

Other Sectors Also Under the Spotlight

It’s not just the financial sector. Zuku, a telco, was fined Sh500,000 for not deleting a former customer’s contact details and exposing directors to potential legal action.

The regulator has been saying it loud and clear: institutions that handle personal data must be accountable, correct or delete data when requested and have mechanisms to prevent unauthorized disclosure.

What This Means for Businesses in Kenya

This is a wake-up call for all data controllers and processors in Kenya, especially in sectors like banking, telecom, healthcare and e-commerce. Failing to respond to requests for correction or erasure of personal data is not just bad customer service; it’s a legal risk.

With increasing public awareness and regulatory scrutiny, businesses must audit their data handling practices. Those who don’t comply will face financial penalties and reputational damage that will erode customer trust.

Key Points:

  • NCBA Bank fined Sh250,000 for sending a customer’s private data to the wrong email.

  • ODPC found the bank didn’t respond to repeated requests for correction and erasure.

  • Family Bank, SBM Bank and Zuku have also been penalized for data breaches.

  • Right to erasure must be honoured within 14 days under the Data Protection Act.

  • Take data privacy seriously or face increasing regulatory and legal action.