Handling Employee Personal Numbers Post-Employment
It is common practice for employers to meet employees’ telephone expenses by enrolling an employee’s existing personal mobile number in a corporate account with a telecommunications provider. While this arrangement may be commercially convenient, recent determinations by the Office of the Data Protection Commissioner (ODPC) make it clear that such arrangements must comply with the Data Protection Act, 2019 and applicable telecommunications regulations.
In particular, the decisions in Sara Gathoni v Airflo Limited and Catherine Kainyu Murithi v Becton Dickson Company & Another provide important guidance on the obligations of employers and telecommunications providers both during employment and upon termination.
The key principles emerging from these decisions are outlined below.
1. Employers must disclose their intention to use an employee’s personal data prior to enrolment
Where an employer intends to enrol an employee’s personal mobile number onto a corporate billing arrangement, the purposes and scope of that processing must be clearly disclosed to the employee at or before onboarding.
In the Catherine Murithi determination, the complainant alleged that her employer requested her national identification documents during onboarding and subsequently enrolled her private number onto a corporate account without sufficient disclosure of the intended use of her personal data. The ODPC, however, found that the employer had demonstrated compliance by establishing an Employee Privacy Notice that clearly defined categories of data required and the purposes for which that data would be processed. The decision highlights the importance of transparency at the point of data collection.
2. A lawful basis is required before an employer or a telecommunications provider
The ODPC confirmed that registering a private mobile number in the name of an employer, disclosing national identity documentation to a telecommunications provider, altering tariffs, blocking a line, or effecting a transfer all constitute the processing of personal data within the meaning of the Act.
Such processing is lawful only where supported by a recognised lawful basis, including freely given and informed consent, demonstrable contractual necessity, or properly assessed legitimate interests. In the absence of such a basis, the 1 www.mutie-advocates.com transfer, registration, assumption of control, or continued administration of an employee’s personal mobile number is unlawful.
3. Employers must not unilaterally share personal data with telecommunications providers at termination
In the Catherine Murithi case, the employer shared the complainant’s name and national identification number with Safaricom in order to remove her from the corporate account following termination.
The ODPC held that by sharing her identification documentation for purposes of deregistration, the employer processed her personal data unlawfully. The determination emphasised that processing details relating to a private mobile number or SIM card, including the disclosure of identification documentation, should ordinarily be undertaken directly by the data subject as the cardholder or intended subscriber.
Employers should therefore avoid unilaterally sharing identification documents or SIM registration details during off-boarding unless supported by a clear lawful basis and proper procedural safeguards.
4. Telecommunications providers must deal directly with data subjects
The ODPC further clarified that after termination of employment, telecommunications providers must deal directly with the former employee when effecting SIM registration or line transfer. Regulation 10 of the Kenya Information and Communications (Registration of SIM Cards) Regulations requires the subscriber to provide identification documentation for registration purposes. The ODPC held that the telecommunications provider ought to have requested identification documentation directly from the complainant rather than relying on documents supplied by the employer. Failure to require personal appearance and direct consent during transfer or registration constitutes non-compliance.
5. An employer must facilitate the return of an employee’s personal line when it has been registered as a corporate line.
In the Sara Gathoni decision, the complainant’s number had originally been registered in her own name prior to employment but was later placed under the employer’s corporate account. Upon leaving employment, she requested that the number be restored to her. The employer failed to issue the necessary release documentation required by the telecommunications provider, resulting in the line being blocked and disrupting her communications and business operations.
The ODPC held that once the employment relationship ends, the employer is under a duty to cooperate in restoring the employee’s personal mobile number. Continued control of the line, failure to facilitate its release, or allowing it to remain blocked constitutes unlawful processing of personal data.
6. Former employees have a statutory right to rectification
In the Sara Gathoni case, the Office of the Data Protection Commissioner further held that where a mobile number continues to be registered in the name of a former employer after the employment relationship has ended, that record no 2 www.mutie-advocates.com longer reflects the true status of ownership and is therefore inaccurate. Section 26(d) of the Data Protection Act grants a data subject the right to require a data controller to rectify personal data that is inaccurate, misleading, or no longer up to date.
An employer that fails to take reasonable steps to correct the registration of a former employee’s mobile number is in breach of this statutory obligation and continues to process the individual’s personal data without a lawful basis.
Conclusion
These determinations reinforce a central regulatory principle: an employee’s personal mobile number forms part of their protected digital identity and remains subject to statutory safeguards before, during, and after employment.
Corporate billing arrangements do not displace data subject rights. Employers and telecommunications providers must treat the enrolment, transfer, deregistration, restoration, and rectification of personal mobile numbers as regulated processing activities requiring transparency, a valid lawful basis, and direct engagement with the data subject where appropriate.
Organisations would therefore be prudent to review their onboarding and off-boarding procedures to ensure that corporate mobile arrangements are aligned with the Data Protection Act, 2019 and applicable telecommunications regulations.
