COVID-19: A Data Protection Perspective and A Key Decision by The UK Supreme Court

The COVID-19 pandemic raises data protection issues as most organizations begin to grapple with the data protection ramifications with regard to personal data that might relate to the pandemic e.g. travel history, proximity or contact with infected individuals, underlying health conditions or vulnerability, etc. Indeed, one of the proposed ways to check the spread of the disease is through the use of a mobile phone app that would alert one of close proximity or contact with an infected person. For such an app to work, it would undoubtedly require the availability and use of people’s personal health data which falls within the definition of “sensitive personal data” under the Data Protection Act, 2019 (DPA) and care ought to be taken before processing such data and risk running afoul of the DPA, with potential penal consequence.

Section 44 of the DPA prohibits the processing of sensitive personal data unless the same is processed in line with the data protection principles set out under section 25 of the DPA which include data collection for legitimate purposes and limited to the extent necessary. Under section 46 (1) of the DPA, processing of personal data relating to the health of an individual is restricted to healthcare providers or persons under obligation of professional secrecy under law. However, section 46 (2) (a) of the DPA, then provides that the condition under section 46 (1) is met if the processing “is necessary for reasons of public interest in the area of public health”. It is therefore arguable that organizations that possess or collect personal data may be allowed to process such data if it is deemed necessary “for reasons of public interest in the area of public health” relating to COVID-19.

That notwithstanding, organizations ought to take necessary precautions so as to abide by the data processing principles set out under section 25 of the DPA, and where in doubt, appropriate guidance may be sought from the Data Commissioner, given that the DPA is fairly new legislation in Kenya (having come into force on 25th November 2019) while the COVID-19 pandemic is itself a public health crisis of unprecedented proportions.

Speaking of compliance with data protection laws, a key decision was recently handed down by the United Kingdom’s Supreme Court regarding an employer’s vicarious liability in respect of breaches of the United Kingdom’s Data Protection Act, 2018 (the UK DPA) in the case of  WM Morrison Supermarkets plc vs Various Claimants (2020) UKSC 12. The decision was in respect of a challenge by Morrisons on the Court of Appeal’s decision by which the supermarket chain was found vicariously liable for data breaches committed by its former employee which had satisfied the “close connection test” The Court of Appeal also rejected the argument advanced by Morrisons that since vicarious liability in respect of data breaches by an employee was not expressly included in the UK DPA, an employer should not be vicariously liable for such breaches.

The UK Supreme Court considered the two issues afresh and applied the close connection test with reference to a long line of established precedent on vicarious liability. The Court considered the fact that the actions of Morrisons’ former employee had not been pursued in furtherance of his employer’s business and that he was on a “a frolic of his own”. The Court of Appeal’s application of the close connection test was found to have been faulty, as what ought to have been considered was the entire sequence of events and whether an individual was acting in his capacity as an employee and in furtherance of his employer’s objectives before arriving at a positive finding of vicarious liability.

On the issue as to whether vicarious liability is excluded under the UK DPA, the Court held that the statutory liability of a data controller under the UK DPA, including the liability for the conduct of its employee, is based on lack of reasonable care, whereas vicarious liability is not based on fault. The Court went on to state that there is nothing anomalous about the contrast between the fault-based liability of the primary wrongdoer under the UK DPA and the strict vicarious liability of his employer. In reaching this conclusion, the Court drew an analogy between the fault-based liability of an employee for negligence and the resultant strict vicarious liability of his employer with the resulting determination that the UKDPA does not exclude vicarious liability for data breaches by an employee.

While the decision was ultimately in Morrisons’ favour, the case turned largely on the application of the close connection test which was both fact dependent and context specific with regard to that particular case.

This alert is for informational purposes only and should not be taken as or construed to be legal advice. If you have any queries or need clarifications, please do not hesitate to contact John Mbaluto (, Gibran Darr ( or your usual contact at our firm, for legal advice relating to the COVID-19 pandemic and how the same might affect you.