St Luke Orthopaedic and Trauma Hospital Eldoret has been ordered to pay a complainant Ksh 525,000 as compensation for illegal sharing of her data with a third party.
The Office of the Data Protection Commissioner (ODPC) determined that the hospital unlawfully disclosed the Complainant’s sensitive health data to a third party without obtaining her explicit and informed consent.
According to the complainant, Merceline Akoth Odeyo, the hospital mishandled her sensitive personal data by failing to maintain its accuracy and currency, and by disclosing medical records of an unrelated individual as though they were hers.
St Luke Orthopaedic and Trauma Hospital Eldoret is said to have issued the patient, on two separate occasions, medical results belonging to a third party who shared a similar first name but a different surname.
To clarify the matter, the hospital contacted the third-party lab conducting the test, which the patient had not consented to.
According to Data Commissioner Immaculate Kassait, the acts by the hospital violated the principle of transparency under Section 25 of the Data Protection Act and the Complainant’s right to be informed under Section 29.
In its ruling, the ODPC said the hospital's admission of the administrative error demonstrates a failure to implement adequate technical and organizational measures to secure the Complainant’s personal data, violating Section 41 of the Act.
The hospital has now been ordered to pay the said amount as compensation. The parties now have 30 days to appeal the determination to the High Court of Kenya.