
Privacy Policies: Key Lessons for Employers from Harrison Kisaka versus Faulu Microfinance Bank Limited

By Jane Ombiro, CIPP/E, Data Protection Associate, South-End Tech Limited

The Office of the Data Protection Commissioner found Faulu Microfinance Bank liable for violating Harrison Kisaka’s right to access his data. Faulu had failed to make the data available to Kisaka upon his request. Kisaka had emerged as the top candidate in a job recruitment process and had been informed of the same. However, before Faulu could conclude the recruitment process and issue an employment offer to Kisaka, it required Kisaka to undergo a background check. Kisaka received and duly executed a consent form to that effect. After the background check was conducted, Kisaka was informed that Faulu would not be proceeding with the offer of employment. Displeased by the outcome, Kisaka sought access to the data that had been used against him; however, Faulu denied him a copy of the personal data, claiming that it was private information. Kisaka then lodged a complaint with the Office of the Data Protection Commissioner, alleging a breach of his right to access his personal data and to be informed about its usage under section 26 of the Data Protection Act, 2019.

Section 26 of the Data Protection Act, 2019 grants data subjects the right to access their data in the custody of a controller or processor upon request. The right of access is directly linked to the principle of lawfulness, fairness and transparency. The Data Protection Regulations, 2021 require data controllers to comply with a data subject’s request within 7 days of the data subject making the request.

Responding to access requests within the stipulated timeline may be administratively cumbersome for some controllers and processors, depending on the size of the organization, the number of data subjects, the number of requests made, and the number and categories of personal data that the controllers and processors handle. Controllers and processors are therefore advised to put in place adequate controls that aid compliance. Internal privacy policies and procedures are among the controls data controllers and processors should implement. Data protection policies are important because they inform employees how to handle personal data.

Whether to have one policy that cuts across the entire organization or separate policies for the various departments is a factor to consider. A single policy for the entire organization is ideal for organizations whose operations are consistent across the board. Multiple policies, on the other hand, are ideal for organizations with distinct departments that handle personal data in different ways; in that case the policies must be department specific.

Policies must be reviewed on a regular basis, and employees must be adequately trained on the policies to ensure maximum compliance.

To conclude, controllers and processors should have privacy policies in place for compliance with the Data Protection Act and to avoid run-ins with the Office of the Data Protection Commissioner, as was the case with Faulu Microfinance Bank.
