The Office of the Data Commissioner has penalised Trident Insurance Company for non-compliance with data protection regulations.

The data protection watchdog, in a letter, directed the insurer to pay Sh1.8 million as a fine for failing to implement critical data protection measures as per the law. The penalty is to be paid within 30 days from the date of the notice (yesterday).

“This Penalty Notice is issued upon Trident Insurance Company Limited (hereinafter as “the Company”) as a result of its neglect and/or default to fully comply with the Enforcement Notice dated 11th March 2024,” read the letter by Data Commissioner Immaculate Kassait in part.

“We note that the Company did not demonstrate the implementation of the measures that needed to be taken by it to remedy or eliminate the situation as envisaged in the Enforcement Notice.”

Kassait highlighted the company’s failure to incorporate a notification mechanism to inform data subjects on matters affecting them, as envisaged under Section 29 of the Data Protection Act.

This, according to the regulator, meant that affected individuals were not adequately informed of their data rights or any potential violations.

Moreover, Trident Insurance is also blamed for not implementing the necessary technical and organisational measures to ensure that only personal data required for specific purposes were collected and processed, a requirement clearly outlined in the Enforcement Notice.

This failure could have exposed the company to potential misuse of personal data, increasing the risk of privacy breaches. Likewise, the insurer lacked an internal complaints mechanism.

Kassait went on to say that the underwriter did not demonstrate how it had established and operationalised internal procedures for resolving data protection complaints.

According to the Data Protection Act, data subjects should be able to exercise their rights and raise complaints, which should be addressed internally in the first instance.

The absence of such mechanisms undermines data subjects’ ability to seek redress when their personal data is mishandled.

In addition, Trident Insurance failed to provide proof that its staff had been trained on data protection, the office added.

The Act requires that all staff managing personal data, especially sensitive personal data, should undergo training to ensure compliance with the law.

The firm is also believed to have been operating without a data controller or processor permit, another mandatory requirement under the Act.