- According to the commissioner, this is the first and highest penalty an education facility has been accorded.
- They noted the institutions will learn a lesson from the punishment of not using minors' data without parents' consent.
The Office of the Data Protection Commissioner has fined an educational institution for failing to comply with the Data Protection Act.
In a statement released on Tuesday, Roma School an institution based in Uthiru, Nairobi, allegedly posted minors' photos without parental consent.
This resulted in the institution being slapped with a Sh4.5 million penalty for breaching the act.
“Roma School, an Educational Institution based in Uthiru has been fined Sh4,550,000 for posting minors' pictures without parental consent,” reads the statement.
According to the commissioner, this is the first and highest penalty an education facility has been accorded.
They noted the institutions will learn a lesson from the punishment of not using minors' data without parents' consent.
“This sends a message to schools and other facilities handling minors' data to obtain consent from parents/guardians before processing minors' data,” reads the statement.
Speaking to the school's director, he said he hasn’t received any complaint about the release of the minors’ images.
“I received the letter from the data protection office but I don’t understand what is happening because I have not received any complaint from anyone regarding the matter,” he said.
He added that he would be visiting the office of the data protection commissioner to follow up on the matter.
"I will have to go to their offices," he said.
According to the office of the data commissioner, the penalty notices have been issued pursuant to Sections 62 and 63 of the Data Protection Act, 2019 (Act) and Regulations 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.
Data Commissioner Immaculate Kassait urged entities to comply with the Data Protection Act by implementing data protection principles and safeguards.
She also called upon data controllers and Data Processors to ensure that the processing of personal data is in accordance with the provision of the Act.
“Failure to comply with the Act will result in instituting enforcement procedures,” Kassait said.