Tala, Branch, Zenka among 40 digital lenders to miss their licences

The Office of the Data Protection Commission (ODPC) says that Tala and Branch are two of 40 Digital Credit Providers (DCPs) that may have broken the law by giving out personal information.

 

A data breach makes private, delicate, or safeguarded information accessible to unauthorized people. Additionally, files in a data breach may be accessed or distributed without authorization.

 

After concerns were made by members of the public over the protection of personal data, the 40 digital creditors are going to go through a preliminary documentary analysis.

The ODPC reports that as of September 30, 2022, it had collected 1,030 complaints and had acknowledged 555 of them, of which 555, or 54%, were related to digital credit companies.

 

Zenka Digital, Zuri Cash, Premier Credit, Credit Moja and Hela Credit, Apesa, AsapKash, Cash, Cash Sea, CollectPlus, Coopesa, Credit Kes, Credit Moja, Deltech Capital Limited, and Direct Cash are further DCPs being investigated for the data breaches.

 

FairKash, FlashPesa, Flexi Cash, Hela Credit, Hikash, iKash, Connect, InstarCash, iPesa, Kash Loan, KashBean, KashPlus, Kashway, KesLoan, Lemon Kash, LionCash, and M-Credit were also included on the list.

 

The remaining companies are: MoKash, Zuri Cash, PapCash, Pocket Cash, MetaLoan, Senti, Rocket Pesa, Zenka Digital Limited, and Premier Credit Ltd.

 

By October 18, 2022, the DCPs must deliver the necessary documentation to the Data Commissioner Office; otherwise, they risk being labeled as refusing to work with the office and kicked out of the market. 

 

The ODCP also sent an enforcement notice to Aga Khan University Hospital after it was said to have broken Kenya's data protection laws.

 

According to ODPC, a patient complained to the Data Commissioner that after visiting the hospital, a staff member contacted the complainant in an inappropriate way, which is against Sections 25, 41, and 46 of the Data Protection Act, 2019.

 

The hospital was told to list the specific steps it will take to stop or reduce the breach or violation, as well as to fix and/or set up structures within which the measures will be carried out by the Data Commissioner, using the ODPC's powers. This must be done within 30 days.

 

While the Central Bank of Kenya (CBK) is in charge of the credit providers and has strict rules against breaches of personal data, an audit of the DCPs is going on at the same time.

 

On September 19, the CBK said that it had given licenses to 10 DCPs and was still reviewing 278 applications.