
November 20, 2023

Kenya | Data Protection Commissioner decision clarifies employer's vicarious liability for employee's data breach

  • The Office of the Data Protection Commissioner (ODPC) recently issued a decision pertaining to an employer's vicarious liability when an employee causes a data breach.
  • The ODPC ruled that the employer was not vicariously liable because the close-connection test was not sufficiently satisfied.
  • This decision highlights the important mandate that employers have in ensuring the integrity and protection of data.

Executive summary

The Office of the Data Protection Commissioner (ODPC) on 3 October 2023 issued a decision addressing an employer's vicarious liability when an employee causes a data breach. In this case, the Complainant, an Advocate of the High Court of Kenya, allegedly discovered that her law firm was under private investigation, in the course of which M-Pesa[1] statements relating to herself and her law firm were accessed without her consent or a court order. As a result, she contended that both her information and the law firm's information had been disclosed without their consent. It is against this background that she filed this complaint with the ODPC under Section 56 of the Data Protection Act.

At the same time, the Respondent company (referred to hereafter as Respondent or Company) did not deny that a data breach had occurred. The Respondent argued that it had not only dismissed the employee, a customer care agent who caused the data breach, after conducting disciplinary proceedings, but had also reported the breach and violation to the police for prosecution. Most importantly, the Respondent emphasized that it had measures in place to mitigate data breaches, including access controls, two-factor authentication, a virtual private network (VPN), logging and quarterly audits. Therefore, the Respondent contended that the actions of the former employee were not attributable to the Company because the former employee had acted fraudulently, outside the scope of her duties and in contravention of the measures that the Company had established.

Analysis and determination

In reaching a decision in this case, the ODPC addressed: (1) whether the Respondent was vicariously liable for its former employee's conduct and (2) whether the Respondent had fulfilled its obligations under the Data Protection Act. The ODPC noted that vicarious liability arises when an employee performs a tortious act in the course of their employment. The Act does not contain provisions that deter the imposition of vicarious liability on data controllers or data processors in instances where an employee has direct liability for a data breach.

The ODPC emphasized that a sufficiently close connection between the authorized work done by the employee and the wrong carried out was pivotal to imposing vicarious liability, because only then could the wrongdoing be considered as done in the ordinary course of employment. In the present case, the ODPC's position was that, as a customer care agent, access to and extraction of M-Pesa statements was indeed well within the employee's mandate in the ordinary course of employment. However, the Company had put in place safeguards that the employee should have adhered to in the execution of her role.

Consequently, the ODPC found that there was not a sufficiently close connection between what the employee was authorized to do and her disclosure, because she ignored the procedures that the Company had established regarding data sharing with third parties. Therefore, the ODPC found that the former employee's wrongful act was not sufficient to impose vicarious liability on the employer. Moreover, on the second issue, the ODPC found that the Respondent had complied with the requirements of the Data Protection Act to integrate and implement appropriate measures and safeguards that give effect to the data protection principles in an effective manner. Finally, the ODPC recommended the prosecution of the former employee under Section 72(3) of the Data Protection Act and its attendant regulations.

Notably, the ODPC emphasized that nothing in the Data Protection Act deters the imposition of vicarious liability on an employer. As such, the decision should not be taken to mean that vicarious liability cannot be imposed on an employer. The decision instructs employers to ensure that they maintain robust data processes and controls, including restricting access to data, to mitigate the risk of data breaches occurring.

This decision highlights the important mandate that employers have in ensuring the integrity and protection of data subject information.


For additional information with respect to this Alert, please contact the following:

Ernst & Young (Kenya), Nairobi

Published by NTD's Tax Technical Knowledge Services group; Carolyn Wright, legal editor


[1] According to Investopedia, "M-Pesa is a mobile banking service that allows users to store and transfer money through their mobile phones. M-Pesa was introduced in Kenya as an alternative way for the population of the country to have access to financial services." See "What Is M-Pesa? Definition, How the Service Works, and Example," Investopedia.




Copyright © 2024, Ernst & Young LLP.



