Banks must bank on privacy, data protection in digital age

The banking sector like other sectors is faced with multiple cutting-edge technologies that have created several new models of doing business. 

The blend of a centralized model and decentralized processes of banking like agent and “self-service-online’ banking keep taking shape and are apparent with the aid of emerging improved and sophisticated technologies and systems, the regulators and a legal regime have somewhat managed to keep pace.

Unlike Yaron Brooks, I will not say regulators are power lusting mediocre: regulation is not an obstacle to thriving free markets, but a vital part of them. In my opinion, it is a way of creating a leveled ground of fair play amongst all stake holders.

In the Banking world- just like it is taught in elementary stages of business, a customer is a king who must be treated as such all through.

From the history of banking, a customer enjoys several rights, creating longstanding and unshaken duties on the part of the bank.

One of the most important duties for purposes of this discussion is confidentiality. Under common law, this duty covers all customer information about themselves and accounts obtained by the bank. 

With several technologies employed by banks, this information is generated through online forms, cookies, CCTV cameras and other tools employed for monitoring customer transaction behaviors during a subsisting bank-client relationship.

The regulation of such information is now a matter of law protected by information privacy right under the constitution and the data protection and privacy rights established under the Data protection and Privacy Act, 2019.

Over and above common law principle of confidentiality, the legal regime in Uganda classifies entities such as banks dealing with personal data either as data collectors, processors or controllers depending on the circumstance, consequently this classification, confers duties including a duty to protect data subjects’ (read customers’) data and privacy rights.

The said duties are summarized under the data protection principles of; accountability, transparency, lawfulness and fairness, participation, consent, reasonable retention among others. 

The above principles are relevant because banks heavily rely on best practice like “Know Your Client”; as good practice and legal obligation under anti-money laundering legal regimes, banks collect data that sufficiently identifies and describes their clients, such data may as well be further processed for providing value added services for specific clients, based on their unique customer profile, such further data processing is required to follow consent principle.

Such other technologies like CCTV are as well profoundly used in banking halls, at ATM points, such video surveillance constitutes processing of personal data. 

Persons within the monitored area must be aware that they are being monitored by affixing appropriates signs indicating the purpose of processing and the video should not be retained longer than necessary.

Noteworthy, a bank’s survival is based on trust and public confidence and the same can be said for most of the online business models in this era where everyone is becoming more concerned about their personal data and privacy. 

Mr Timothy Amanya is an advocate and legal officer at Finance Trust bank