Tala, Branch among 40 digital lenders flagged for personal data breaches

Tala and Branch have been listed among 40 Digital Credit Providers (DCPs) over suspected personal data breaches by the Office of the Data Protection Commission (ODPC).

A data breach exposes confidential, sensitive, or protected information to unauthorized persons. Files in a data breach can also be viewed or shared without permission.

The 40 digital lenders are set to undergo a preliminary documentary assessment after complaints were raised by members of public over the processing of personal data.

By September 30, 2022, the ODPC says it had received 1,030 complaints and admitted 555 of the complaints, half of which or 54 per cent relate to digital credit providers.

Other DCPs under audit for the data breaches include Zenka Digital, Zuri Cash, Premier Credit, Credit Moja and Hela Credit, Apesa, AsapKash, Cash, Cash Sea, CollectPlus, Coopesa, Credit Kes, Credit Moja, Deltech Capital Limited, and Direct Cash.

Also listed were FairKash, FlashPesa, Flexi Cash, Hela Credit, Hikash, iKash, Connect, InstarCash, iPesa, Kash Loan, KashBean, KashPlus, Kashway, KesLoan, Lemon Kash, LionCash, M-Credit.

The rest are: Premier Credit Ltd, Rocket Pesa, Senti, SkyPesa, Zash Loan, Zenka Digital Limited, Zuri Cash, PapCash, Pocket Cash, MetaLoan, and MoKash.

The DCPs will be required to provide the Data Commissioner Office with requisite documents by October 18, 2022, failure to which they will be deemed as unwilling to cooperate with the office.

The ODCP likewise issued an enforcement notice against Aga Khan University Hospital following an alleged breach of Kenya's Data Protection Laws.

"A complaint was raised by a patient to the Data Commissioner that after visiting the Hospital, a staff later inappropriately contacted the complainant contrary to Sections 25, 41 and 46 of the Data Protection Act, 2019," said ODPC.

"In exercise of the Powers of the ODPC, the Data Commissioner directed the Hospital to outline specific measures it will take to mitigate or eliminate the breach/ contravention and to rectify and/or put in place structures within which the measures shall be implemented within 30 days."

The audit of the DCPs comes even as the credit providers fall under the regulation of the Central Bank of Kenya (CBK), which also prescribed tough rules against personal data breaches.

On September 19, the CBK indicated it had licensed 10 DCPs and was further reviewing 278 applications.