Data Protection Breaches Highlight Regulatory Pressure on Educational Institutions in Kenya
The Office of the Data Protection Commissioner (ODPC) in Kenya has initiated enforcement actions against two educational institutions, Nova Pioneer and Friends School Keveye Girls High School, for contravening the Data Protection Act. This move underscores an increasingly stringent regulatory approach aimed at safeguarding minors’ personal data within educational settings.
Nova Pioneer, a notable private school group, has incurred a fine of KSh 0.5 million due to the unauthorized dissemination and use of student data. The institution was found to have shared sensitive information about a student—including details such as passport number, nationality, and birth date—with a safari company and the U.S. Embassy. This action occurred despite explicit parental disapproval regarding the child’s involvement in a scheduled school trip.
In a separate incident, Friends School Keveye Girls High School was implicated in recording and storing a video that documented the disciplinary action taken against a student for possessing a contraband mobile phone. The ODPC determined that the school failed to acquire necessary parental consent prior to processing this minor’s data, thereby violating privacy rights. The Commissioner, Immaculate Kassait, stated that the school did not demonstrate a lawful basis for the data sharing, resulting in unlawful processing of the student’s personal information.
The investigation revealed that the data consent form provided by the school lacked clarity, which contributed to the improper handling of the child’s data. Moreover, the recording of the disciplinary incident, intended for internal administrative use, was conducted without informed consent from the student’s guardian, infringing upon the student’s right to privacy and dignity. The ODPC emphasized the organization’s failure to adhere to principles of data minimization and transparency, noting that policies had not been updated to inform stakeholders regarding such recordings.
Additionally, the ODPC mandated Friends School Keveye Girls to pay KSh 20,000 in compensation for the damaged mobile phone. The findings reflect a firm commitment by the data regulator to enforce protections, particularly for vulnerable data subjects such as minors. Institutions in education and similar sectors should take heed of this enforcement posture: the emphasis on obtaining explicit, verifiable consent, or otherwise documenting a lawful basis, is now more critical than ever.
From a security-engineering standpoint, neither incident involved an external attacker: the data was collected and disclosed by the schools themselves, so frameworks that catalogue adversary behaviour, such as MITRE ATT&CK, do not describe what went wrong here. The failures were in data governance: no documented lawful basis for the disclosure, an unclear consent form, a recording made without notice or a defined purpose, and policies that had not been updated to cover such recordings. The practical controls are a register of what personal data is held and why, a recorded lawful basis (consent or otherwise) for each disclosure to a third party, minimization and retention limits on recordings of students, and staff training on when data about minors may be shared and with whom.
In summary, these cases are a pointed reminder to organizations, particularly in the education sector, to treat data protection compliance as a priority. As regulators grow more vigilant, the onus is on institutions to safeguard the sensitive information they hold and to meet the Act's standards of consent and lawful processing.