An investigation of client information privacy management

AN INVESTIGATION OF CLIENT INFORMATION PRIVACY MANAGEMENT: THE CASE OF COMMERCIAL BANKS IN

KENYA

ARBOGASTI ODERO A Management Research Project Submitted in Partial Fulfilment of the Requirements for the Award of Master of Business Administration (MBA) Degree, School of Business, University of Nairobi

November 2010

i

DECLARATION

I declare that this thesis is my original work and has never been submitted to any other

University or institution of higher learning for examination. The thesis is as a result of my own

individual effort and where other people’s ideas and work have been cited, they are duly

acknowledged.

Signature _______________________ Date _______________________

Arbogasti Odero

D61/P/8279/03

This research project has been submitted for examination with my approval as the University

Supervisor.

ii

DEDICATION

This work is dedicated to my beloved wife Constance Tengo for her role in urging me on in this

endless journey of acquiring knowledge and inculcating in me the passion and desire for success.

I also dedicate this work to my Dad Joseph and Mum Maria. Thank you for the words of

encouragement and prayers.

Finally my dedication goes to my supervisor Dr. Nixon Muganda and my moderator Mrs. Kate

Litondo who have seen me through this thesis and for ensuring that high standards are

maintained throughout the research work.

iii

ACKNOWLEDGEMENT

Many people have contributed to the fulfilment of this research project, either directly or

indirectly. I want to thank my supervisor Dr. Nixon Muganda and my moderator Mrs. Kate

Litondo who helped make this research project a success through so many ways. I want to thank

my colleagues at Federation of Kenya Employers who offered words of encouragement and

assistance in proof reading and in many other various ways. To my family members, I would like

to say thank you for constantly encouraging me to move on and not to quit especially during this

last phase of the research project which has not been easy. Finally, I thank the management of

various banks for their understanding and allowing me to distribute the questionnaires and

providing me with adequate response. To the bank customers who took time to fill in the

questionnaires thereby providing me with a basis to conclude this research project, you are

acknowledged. Without the feedback from the questionnaires, this research project would not

have been possible.

iv

TABLE OF CONTENTS

DECLARATION................................................................................................. i DEDICATION..................................................................................................... ii ACKNOWLEDGEMENT.................................................................................... iii TABLE OF CONTENT........................................................................................ iv ABSTRACT........................................................................................................... vii

CHAPTER ONE: INTRODUCTION…………………………… ................. 1

1.1 Background of the study………………………………………................... 1

1.2 Commercial Banks in Kenya…………………………………..................... 2

1.3 Statement of the problem………………………………………...................... 3

1.4 Research Objectives………………………………………….......................... 5

1.5 Significance of the study………………………………………................ 6

CHAPTER TWO: LITERATURE REVIEW……………………............. 7

2.1 Introduction.................................................................................................. 7

2.2 The concept of privacy…………………………………………............... 7

2.2.1 The right to be let alone............................................................. 7

2.2.2 Limited access to self.................................................................... 8

2.2.3 Privacy as secrecy...................................................................... 8

2.2.4 Control of personal information.................................................. 8

2.2.5 Personality.................................................................................. 9

2.2.6 Privacy as intimacy................................................................... 9

2.2.7 Privacy as a cluster concept..................................................... 10

2.3 Ethical decision making and privacy…………………………................. 10

2.4 Ethical Behaviour in an organization...................................................... 12

2.5 Computer ethics………………………………………………............... 13

2.5.1 Definition................................................................................... 14

2.5.2 Computer Ethics and Technology.............................................. 15

2.6 Theoretical Framework………………………………………................ 17

v

CHAPTER THREE: RESEARCH METHODOLOGY………................ 19

3.1 Research design……………………………………………................... 19

3.2 The population………………………………………………................. 19

3.3 Sample and sampling procedure……………………………................... 19

3.4 Data collection………………………………………………................ 19

3.5 Data analysis…………………………………………………................ 20

CHAPTER FOUR: DATA ANALYSIS AND PRESENTATION.............. 21

4.1 Introduction................................................................................................. 21

4.2 Respondents General Information.............................................................. 21

4.2.1 Gender........................................................................................... 21

4.2.2 Age Bracket.................................................................................... 22

4.2.3 How Long has had an Account with Respondent Bank .................... 22

4.2.4 Have a debit/Credit Card............................................................... 23

4.2.5 Position.......................................................................................... 24

4.2.6 Ownership of Banks....................................................................... 24

4.2.7 How long been in Operation...................................................... 25

4.2.8 Number of Branches................................................................. 26

4.2.9 Customer Base............................................................................ 26

4.2.10 Market Segment....................................................................... 27

4.3 Ethical Decisions by Banks in Managing Client Information Privacy........ 27

4.3.1 Extent Employees Understand the Mission of Organization........... 27

4.3.2 How Client Information is Stored................................................... 28

4.3.3 Purpose of Collection of Client Information.............................. 28

4.3.4 Client Information Used for what it was not Intended.............. 29

4.3.5 Erosion of Privacy Rights Attributed to Computer Ethics.............. 30

4.3.6 Have Computer Ethic to Guide on Handling of Records............... 30

4.3.7 Made Attempts to Protect Client Personnal data...................... 31

4.3.8 Measures Taken to Protect Client Information Privacy.............. 32

4.4 Impact of Client Information Management on Bank and Client Relationship 33

4.4.1 Asked to Give Personal Information............................................. 33

4.4.2 Cared to Know the Necessity of the Information....................... 33

vi

4.4.3 Record Treated as Confidential..................................................... 34

4.4.4 Banks Handle Personal Information with Confidentiality ......... 34

4.4.5 Information about Self Resembling Information Given to Bank 35

4.4.6 Felt Right to Privacy was Breached............................................... 36

CHAPTER FIVE: DISCUSION, CONCLUSION & RECOMMENDATION 38

5.1 Introduction.................................................................................................... 38

5.2 Summary......................................................................................................... 38

5.3 Discusion.......................................................................................................... 38

5.4 Conclusion ....................................................................................................... 40

5.5 Recommendations........................................................................................... 41

5.6 Suggestions for Future Research.............................................................. 41

5.7 Limitations of the Study............................................................................... 41

REFERENCES………………………………………………….............. 43

APPENDICES…………………………………………………….............. 46

Appendix 1: Letter of Introduction………………………………………….. 46

Appendix 2: Questionnaire………………………………………………….. 47

2.1 Questionnaire for Bank Employees.............................................. 47

2.2 Questionnaire for Bank Clients................................................ 50

Appendix 3: List of commercial banks in Kenya……………….................. 52

vii

viii

ABSTRACT

The aim of the study was to investigate the client information privacy management by

commercial banks in Kenya. The objectives of the study were to establish the ethical decisions

made by the management of the commercial banks in Kenya in management of client

information privacy and to determine the impact on the relationship of the banks and the client

with regard to how the banks managed the client’s information privacy. To achieve these, the

study adopted a descriptive survey in which all the commercial banks were studied. Data was

collected by use of questionnaires which were in two categories, one for bank employees

(management) and another for the bank customers. Data analysis was done using descriptive

statistics such as percentages and frequency distributions.

The study established that client information was stored in data bases, files and backups. The

information was mainly collected for records purposes. The study established that client

information was sometimes used for what it was not intended. It was evident respondent banks

had computer ethics to guide in handling of records and banks had made attempts to protect

client personal data through monitoring use of email by employees, educating the users on the

need to observe organizational ethics, making sure that users performed their duties diligently

and professionally, and ensuring that users maintained competency in their fields. Despite

assuring customers of confidentiality, the customer privacy was still breached. The study

established that these did not affect their relationship with the bank.

The study therefore concluded that the bank employees behaved immorally after making

immoral judgement and chose to breach client right to privacy and behaving unethically using

computer technology to mismanage the client information and using it for what it was not

intended for without the consent of the client. The study recommends that organizations develop

strong computer ethics which will instil ethical behaviour among the employees. The study

further recommends that only those who directly depend on the information to carry out their

duties be given access to the client information. Otherwise any person who does not need the

information be barred from accessing such information.

CHAPTER ONE

INTRODUCTION

1.1 Background of the Study

The advent of information age has increased the importance of data protection to a great deal

where the governments and international organizations around the world have been forced to

adopt privacy legislations (Holvast, Madsen and Roth, 2001). In South Africa for instance the

government mandated the law commission to introduce privacy and data protections Act which

would lead to investigation of privacy and data protection (Mokgoro 2000). The risk to privacy

infringement has been necessitated by the world economic systems’ transformation from a

dominantly mass- production model to a mass customization model which has been seen to be

creating an enormous demand for detailed data on consumer behaviour. If goods and services are

to be customized it appears to be necessary for organization to have access to detailed consumer

information. Increasing fragmentation of mass audiences has also created a demand on data

about the actual and potential users of specialized media channels (Aggre and Rotenberg 1998).

Many people today perceive there is a threat to their individual privacy owing to the increased

power of information processing technology used to collect a great deal of information about

them. Whether this information is accurate, relevant, complete or incomplete, it is stored,

analysed, interpreted, compared and exchanged at high speed, and often the individual has no

knowledge or control over the information. While an organization may claim that they offer tight

security and confidentiality controls over the data, these measures are often instituted mainly for

the benefit of the organization and may provide little protection to the individual who is subject

to the data (Collier, 1995:41). The advent of internet, technology has enabled governments and

commercial entities to collect, use and disclose vast amounts of personal information with or

without the consent of people. This has made consumers become increasingly concerned about

the degree to which retailers, manufacturers and marketers monitor their every action (Graeff and

Harmon, 2002). The information is used for commercial gain by many organizations, for

instance direct and targeted marketing, cross-selling of information and e-mail spam.

1

The primary source of consumer concern revolves around personal, or individual-specific, data.

Individual-specific information includes data such as names, addresses, demographic

characteristics, lifestyle interests, shopping preferences, and purchase histories of identifiable

individuals (Nowak and Phelps 1995). Many people have found themselves asking questions like

where did you get that information about me, or my business? How did you come to know about

me? How come you know me so well yet we have never met? The private information that is

nowadays stored in electronic files, can be sold to advertisers, placed on the Internet for public

viewing, hacked into by malicious hackers or even browsed by curious employees (Graeff and

Harmon, 2002). The latter is particularly hard to prevent, since traditional access control is of

little use where people are supposed to have access to private information about others to do their

work, but should not be allowed access to the same information when motivated by curiosity.

Technology has enabled firms to explore vastly improved and exciting new applications such as

data warehousing, data mining, target marketing, and self-service. Service firms have

increasingly moved towards one-to-one marketing and service delivery to millions of customers

on the internet, enabling them to deliver cost-effective customized service delivery processes and

loyalty programs (Graeff and Harmon, 2002). However, shifting marketing and customer service

to the internet also poses great challenges including the emergence of serious privacy concerns

and resulting negative consumer responses. This threat to consumer privacy posed by the internet

requires urgent attention as it may undermine a firm’s marketing performance in the long run

(Gauzente and Ranchhod, 2001).

1.2 Commercial Banks in Kenya

A bank can be defined as a company, which carries on, or purposes to carry on banking business

(Kenyan Banking Act, Cap 488). A bank is thus an institution that deals largely with money. It

collects deposits from savers and pays interest to the depositors and on the other hand uses the

savers deposits to grant loans to borrowers who in turn pay interest and fees. Banking in Kenya

started with British colonialist and few Indian traders towards the end of the 1900 Century.

According to Wagacha and Ngugi (1999), the first bank to start in Kenya was the National Bank

of India now called the Kenya Commercial Bank in 1896, followed by the standard bank in

1910. The banking sector has been changing steadily since 1960’s in a number of areas such as

2

asset base, target customers, marketing strategies, competitive strategies, information technology

and their role in the economy. Up to the 1980’s, regulation in the financial services was mainly

of restriction on both the range of products that a bank could offer and the nature and volume of

contracts in the geographical area in which the services could be offered. The banking sector was

liberalized in 1995.

Liberalization of banking in Kenya in 1995 brought about most of the changes, which have

impacted on the banking business both positively and negatively. One major positive change is

the lifting of foreign exchange control. The most biting change is the increased intensity of

competition (Oloo, 2007). As a result, organizations are made to change their ways of doing

business so often and almost constantly in some environments. According to the Central Bank of

Kenya (2009), there were 46 commercial Banks in Kenya as at 31st December 2009. According

to the 2007 banking survey, three players, Barclays Bank, Standard Chartered and Kenya

Commercial Bank have maintained their dominance in the Kenya’s banking sector, controlling

between 40% and 50% of the sector throughout the past ten years. But other players are coming

up and staking their claim to the cake, most notably among them are CFC Bank whose market

share has grown from 1.68% in 1997 to 5.28% in 2006 in terms of total asset. Others that have

realized significant market growth include CBA (2.83% to 4.9%), I&M Bank (1.59% to 2.92%).

Corporative Bank, Citibank, NIC Bank, Stanbic Bank, bank of Baroda, Prime Bank and Imperial

Bank among others have all grown their market share. Worth noting also is Equity Bank which

entered the market as a commercial bank in 2004 with a market share of 1.17% but now claims

to 2.63% as at the end of 2006 (Oloo, 2007).

1.3 Statement of the problem

The concept of information privacy has shifted in the space of general from civil and political

rights to a consumer rights issue underpinned by data protection (Aggre & Rotenberg, 1998).

The ease of access to a person’s file has brought up major disadvantage of the large databases

and data banking abilities a threat to the right to privacy. There is evidence to suggest that

consumer’s world-wide recognize a problem of lack of information privacy and control over

personal information, once such information has been divulged to various organizations. For a

certain price, anyone today can obtain intimate details about any individual’s life. A 1990 Harris

3

Poll, commissioned by Equifax, a major credit bureau, found that 79 per cent of those surveyed

were concerned about threats to their personal privacy. Of the individuals surveyed, one-half felt

that technology had got out of control, and two-thirds said that the government could not be

trusted (Aggre and Rotenberg, 1998).

The concern for privacy is not a recent issue. The initial legal opinion on the right to privacy

dates back to the nineteenth century (Warren and Brandeis 1890). Today’s technology provides

multiple opportunities for extensive data gathering and invasion of privacy. Many retail stores

have introduced loyalty schemes and store cards, collecting timely information about consumers’

choice and preferences. Basic database portrait of an individual’s purchase behaviour are today

kept by business organizations for marketing purposes. Advanced software applications such as

“cookies” or web-surfing programs allow the collection of data even without the knowledge of

the customer. The privacy concerns are also exacerbated by the unethical behaviour of some

firms who sell their marketing databases to third parties without asking for the consent of the

client and without caring about the law on client’s information privacy (Graeff and Harmon,

2002). Information that was perceived to have been given to the commercial banks with a

promise to treat it with confidentiality has been found with the credit companies. According to

the laws of Kenya, Banking Act, Cap 488, section 31(2) states that no person shall disclose or

publish any information which comes into his possession as a result of the performance of his

duties or responsibilities. Despite this law, client personal information has continued to be leaked

out by commercial banks. This has always left their clients wondering, what happened to the

information they divulged to the bank.

Most international studies indicate that information privacy is an important concern to many

customers. The findings of a study by Nowak, Phelps (1992) indicate that privacy is important

and is affected by type of practice and information. Other studies have focused on privacy in an

online environment. For instance study by Udo (2001) indicate that privacy and security

concerns are the number one reason that web users are not purchasing over the web. Harris

(2001) also conducted a series of three surveys on consumer privacy attitudes and behaviours.

Their findings are relatively consistent across all the three surveys, indicating that consumers are

willing to provide both online and offline organizations with basic information but are more

4

protective of personal information and less comfortable sharing information. A local empirical

study shows that there are limited studies that have been carried out in Kenya. Onduso (2001)

did a study on the ethical issues in the use of information technology among commercial banks

in Kenya. While the above research outcomes provide valuable insights on information privacy,

they only provide partial insight on client information privacy. These studies failed to highlight

client information privacy management. A knowledge gap therefore existed on how financial

institutions manage client information with privacy and confidentiality as ethics require. It was

this knowledge gap that the study sought to bridge by answering the following research

questions:

1. What are the ethical decisions made by commercial banks in Kenya in managing client

information privacy?

2. Have the decisions made by the bank management with regard the client information

privacy affected the relationship of the bank with its clients?

1.4 Research Objectives

The main objective of the study was to investigate the ethical decision making in managing

client information privacy by commercial banks in Kenya. The specific objectives of the study

were to:

1. Establish the ethical decisions made by the management of the commercial banks in

Kenya in management of client information privacy.

2. Determine the impact on the relationship of the banks and the client with regard to how

the banks managed the clients information privacy

1.5 Significance of the study

It is anticipated that the study will be of benefit to the following group of people;

Government – The government will benefit from the study in that it will facilitate the

formulation of laws that will protect the rights of its citizens.

Policy makers - The study will be of benefit to the policy makers on the need to make laws

aimed at protecting the privacy of the public who give their personal information in confidence.

5

Academicians – The study will contribute to the existing body of knowledge in the area of

management of personal information by commercial banks. It will also inspire future researchers

to carry out further research in the same or related field.

Banking Industry- The study will help the bankers to develop right attitude in understanding

and implementing the ethical decision making and privacy policies that will enhance client- bank

relationship and confidence in the bankers.

6

CHAPTER TWO

LITERATURE REVIEW

2.1 Introduction

In this chapter, literature related to the area of study is reviewed under the following sub-

headings; concept of privacy, ethical decision making and privacy, ethical behaviour in an

organization, computer ethics and theoretical framework.

2.2 The Concept of Privacy

Privacy has been defined in many ways over the last century (DeCew, 1997). Warren and

Brandeis following Judge Thomas Cooley called it “the right to be let alone” (Cooley, 1880).

Freund (1971) has defined privacy in terms of an extension of personality or personhood. Alan

Westin and others cited in Gavison (1983) have described privacy in terms of information

control. Eisenstadt v. Baird (1972) insisted that privacy consists of a form of autonomy over

personal matters. Parent (1983, p. 269) argued that “privacy is the condition of not having

undocumented personal knowledge about one possessed by others” while Inness (1992, p. 140)

defined privacy as “the state of possessing control over a realm of intimate decisions, which

include decisions about intimate access, intimate information, and intimate actions.”

More recently, DeCew (1997, p. 62) has proposed that the “realm of the private to be whatever is

not, according to a reasonable person in normal circumstances, the legitimate concern of others”.

This brief summary indicates the variety and breadth of the definitions that have been offered.

Different conceptions of privacy typically fall into one of six categories or combinations of the

six. Following Solove’s (2002) analysis, “1) the right to be let alone; 2) limited access to the self;

3) secrecy; 4) control of personal information; 5) personhood; 6) intimacy”; and 7) privacy as a

cluster concept.

2.2.1 The right to be let alone

In 1890 Warren and Brandeis argued that, “recent inventions and business methods call attention

for the protection of the person, and for securing to the individual the right to be let alone”

(Warren and Brandeis, 1890, p. 194). They note how technology, media interests, and big

business have “invaded the sacred precincts of private and domestic life” and ensured that “what

7

is whispered in the closet shall be proclaimed from the house-tops” (Warren and Brandeis, 1890,

p. 195). While acknowledged as starting the modern debate, the conception of privacy proposed

by Warren and Brandeis has been widely criticized as too vague (Solove, 2002). For example, on

this definition any offensive or hurtful conduct would violate a “right to be let alone” yet we may

not want to conclude that such conduct is a violation of privacy.

2.2.2 Limited access to the self

Privacy defined as “limited access to the self” has been defended by numerous authors including

Bok (1983), Allen (1988), and Gavison (1980). Bok writes, “privacy is the condition of being

protected from unwanted access by others, either physical access, personal information, or

attention” (Bok, 1983, p. 10). The worry here is that if no protection is available, it would be odd

to conclude that privacy interests were not relevant. Gaviston offers a different account of

limited access. On her view limited access consists of “secrecy, anonymity, and solitude”

(Gavison, 1980, p. 433). Solove (2002, p. 1105) notes that although Gaviston contends that ‘the

collection, storage, and computerization of information’ falls within her conception, these

activities often do not reveal secrets, destroy anonymity, or thwart solitude.” If so, such

conceptions of privacy would be too narrow.

2.2.3 Privacy as secrecy

Judge Richard Posner (1998) has defined privacy as the “right to conceal discreditable facts

about oneself” a right to secrecy. Solove, (2002) seems to concur writing that the realm in which

an actor can legitimately act without disclosure and accountability to others. DeCew and others

have criticized this conception of privacy noting “secret information is often not private (for

example, secret military plans) and private matters are not always secret (for example, one’s

debts)” (DeCew, 1997, p. 48). Moreover it seems that privacy-as-secrecy accounts cannot

accommodate what has come to be called “decisional privacy” for example, the right between

consenting adults to use contraceptive devices in private places.

2.2.4 Control of personal information

Control over personal information has also been offered as a definition of privacy.

8

According to Alan Westin (1968) privacy is the claim of individuals, groups, or institutions to

determine for themselves when, how, and to what extent information about them is

communicated to others (Westin, 1968). Fried cited in Solove (2002) claims that privacy is not

simply an absence of information about us in the minds of others; rather it is the control we have

over information about ourselves. Critics have attacked this conception on grounds that it, like

the secrecy view, cannot account for “decisional privacy.” It also fails to acknowledge a physical

aspect to privacy – control over access to locations and bodies (Schoeman, 1984; O’Brien, 1979;

Inness, 1992; Parent, 1983; Thomson, 1975; Solove, 2002). Moreover, expanding the definition

to include control over bodies and locations leads to the following worry offered by DeCew. If a police officer pushes one out of the way of an ambulance, one has lost control of what is done to one, but we would not say that privacy has been invaded. Not just any touching is a privacy intrusion (DeCew, 1997, p. 53).

2.2.5 Personality

Benn (1971) defended a personality-based conception of privacy. According to this view privacy

protects personhood and autonomous action. Benn (1971) writes: Respect for someone as a person, as a chooser, implies respect for him as one engaged on a kind of self-creative enterprise, which could be disrupted, distorted, or frustrated even by so limited an intrusion as watching (Benn, 1971, p. 26).

Critics of this view have countered noting that, rather than defining privacy, personality-based

conceptions of privacy simply indicate why privacy is important or valuable – privacy protects

personal development and autonomous choice (Solove, 2002).

2.2.6 Privacy as intimacy

Several authors have defended the view that privacy is a form of intimacy (Fried, 1968; Gerety,

1977). According to Rosen (2000) the intimate relationships on which true knowledge of another person

depends need space as well as time: sanctuaries from the gaze of the crowd in which slow mutual self-disclosure are

possible. Privacy is the state of the agent having control over decisions concerning matters that

draw their meaning and value from the agent’s love, caring, or liking. These decisions cover

choices on the agent’s part about access to herself, the dissemination of information about

herself, and her actions (Inness, 1992, p. 91). In critique Solove (2002), citing DeCew and

Farber, notes that financial information may be private but not intimate. Moreover, it is possible

to have private relationships without intimacy and to perform private acts that are not intimate.

9

2.2.7 Privacy as a cluster concept

Finally, many view privacy as a cluster concept that contains several of the dimensions noted

above. DeCew (1997) has proposed that privacy is a concept ranging over information, access,

and expressions. Moore (2003) has defended a “control over access” view arguing that privacy is

a culturally and species relative right to a level of control over access to bodies, locations, and

information. Solove (2002) has offered a contextualized dependent approach for defining privacy

– for example, in the context of information we may focus on certain dimensions of privacy that

will not be as important in different contexts like spatial control. Following on from those fixed

and incomplete concepts of privacy, some theories of privacy protection are developed. The four

main theories – non-intrusion theory, seclusion theory, control theory and limitation theory –

define privacy risks narrowly, and try to diminish the damage from them. However, it is not

possible to control all risks in today’s information society and no form of protection can cover all

kinds of risks (Tavani, 1999). The major flaw in the current definition of privacy is that it

assumes that people are vulnerable without considering the situational context, and as a result

privacy risks are always deemed to be dangerous.

Any study of the nature of privacy, privacy risks and privacy protection using the adversarial

paradigm has to cope with new instances of privacy infringement. As Moor (1997) puts it, the

privacy concept has been developed chronologically. In the current computer age, privacy has

become very “informationally enriched”. There is a need for an updated approach to studying

privacy. Moor identifies the problems and considers firstly “nature privacy and normative

privacy” which challenges the assumption that people are vulnerable and provides a useful

distinction between privacy right and privacy condition, and between a loss of privacy and an

invasion of privacy. Second, he offers an alternative solution for privacy protection -

control/restricted access theory. In this centrist position “different people may be given different

levels of access for different kinds of information at different times” (Moor, 1997).

2.3 Ethical Decision Making and Privacy

Privacy is a current ethical issue when discussing computer ethics and it is necessary to take into

account when using computer technology. The history of privacy stretches far back and the

approach to privacy has changed throughout the times. Because of modern technology used

10

today, computers have raised new privacy problems, due to communication and storage of

personal information. Clarke (1999a) provides a well-referenced definition of information

privacy as being a combination of personal communication privacy and personal data privacy.

His formal definition of information privacy is: “. . . the interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves” (Clarke, 1999a).

The Common Criteria (2004) provides a more formal requirement based definition for providing

‘user protection against discovery and misuse of identity by other users’. It is clear from the

definition that it is information systems requirements focused, with emphasis on identity

protection. Identity protection is a major component of information privacy but by no means

represents the complete embodiment of its full meaning. Each organization creates its own

culture. The organizational culture is based on an overall subjective employee’s perception of the

organization through key characteristics that the organization values (Schein, 1990; O’Reilly et

al., 1991). These characteristics are individual initiative, risk tolerance, direction, integration,

management support, control, identity, reward system, conflict tolerance, and communication

patterns (Robbins, 1989). A review of current literature identifies significant contributions that

have been made to the understanding of organizational culture per se (Schein, 1990; O’Reilly et

al., 1991).

Elements of an organizational culture are symbols and slogans, stories, rites and ceremonies,

values, norms and beliefs (Petrovic-Lazarevic, 2000). Since the organizational ethics relate to

guiding beliefs, standards, or ideals about whether certain acts are good or bad in the business of

an organization, they are also dependent on organizational culture. All employees, however, do

not necessarily agree upon organizational ethics. Moreover, if organizational ethics involve value

judgements, they can have a legal form. For businesses that make use of computers and the

Internet, the ethics reflect the ethical values of managers, information specialists, and users. That

is, they reflect the ethical values of top managers, which in this case would include the chief

executive officer (CEO) and chief information officer (CIO). In other words, top managers

impose an ethical culture by establishing an ethics credo and ethics program and by tailoring

codes of ethics to their own companies. They are responsible for the organizational culture. This

applies particularly to the CIO, who, being in charge of IT applications in the organization,

11

contributes to creating corporate core values. It is these ethics that will guide the users. With the

increased rate of loss of privacy one is left to wonder whether there exist any ethics in

organizations as unethical practices have led to fast eroding right of privacy of client information

which is largely attributed to the advancement in technology.

2.4 Ethical Behaviour in an Organization

Unethical behaviours include all actions that result in unfairness to others, whether those

behaviours are legal or not. Concern is increasing today for ethics in organizational operations.

Much of this concern stems from disclosures of unethical actions that led to savings and loan,

banking, insurance, real estate, and other failures. The line between ethical and unethical actions

is far from being distinct. In today’s complex business world, persons who wish to be ethical

may not know exactly what actions will have ethical results and what actions will not. A highly

competitive situation prevents most organizations from being conservative in defining ethical

behaviour. If one company’s definition of ethical behaviour is more conservative than a

competitor’s definition, the company with the more conservative definition soon may be forced

out of business (Wells and Spinks 1996).

To a very large extent, values decide what is and is not ethical. Since all persons do not hold the

same values, honest beliefs about ethical behaviour may be different from one person to another.

Communication provides the greatest opportunities for potential unethical behaviours. All

unethical activities do not revolve around communication, but many do. Organizational

communication must be ethical if high morale and productivity among employees are to be

achieved. Communication with other organizations must be ethical if good business relationships

are to develop for the benefit of all (Wells and Spinks 1996). Communication with customers

and clients must be ethical if businesses are to develop bodies of satisfied customers and clients

that will make long-term profits possible. Communication with the community must be ethical if

the organization is to receive the community support and goodwill essential for its survival and

to avoid expensive and reputation-damaging legal entanglements (Wells and Spinks 1996).

12

2.5 Computer Ethics

Identifying factors that contribute to unethical behaviour and developing methods of controlling

inappropriate behaviour in an organization is an area of increasing interest to both academicians

and practitioners (Rodgerson et al., 2000). Although there have been several highly publicized

recent cases of scandals, the fundamental area within business organizations that is currently

experiencing a number of ethical problems and conflicts is the area of computer technology

(Rodgerson et al., (2000). As the adoption of computer technology has increased, the repeated

incidence of unethical use of computers has also rapidly increased (Conger and Loch, 1995). The

immense amount of information available to computer users has created enormous opportunities

for the misuse of computers by members of business organizations. In addition the proliferation

of computer use by employees in all functional areas has resulted in a variety of ethical problems

for society and organizations that are unique to the use of computer technology. Issues such as

software piracy, virus development and illegal systems access that were once viewed as an

annoyance are now considered major problems for organizations (Gattiker and Kelly, 1999).

Today there is a public concern about the invasion of privacy by computer technology and

misuse of data files is at an all time high (Pierce and Henry, 2000). The computer technology

used for generating electronic information has ethical implications as do the functions of

originating, processing, storing, distributing and using the data and information. Moreover, each

function carries responsibilities for those who perform and manage them.

2.5.1 Definition of Computer Ethics

Computer ethics is an area within applied ethics, where questions related to computers raise new

types of moral dilemmas, to which it is necessary to apply the best moral judgements (Edgar

2000). The society has historically evolved from an agricultural society through an industrial, to

the present day information society where computers have changed the way people live and

make decisions. This type of society has opened doors for new ethical questions never faced by

humans before, and these questions increase in number along with the development of the

technology. Whether computer ethics is an independent field of applied ethics or if it can be

included in an already existing field, has been argued by traditional ethicists and advocates of the

uniqueness thesis (Tavani 2002). Traditional ethicists do not think that there is anything unique

about the moral problems, for example privacy, free speech, intellectual property etc, which are

13

considered by computer ethicists. These new moral problems, which are associated with

computing, can according to the traditional ethicists be analyzed by using the traditional ethical

theories and categories of morality.

According to Moore (2001) the introduction of computers and the use of information technology

has created “conceptual muddles” and a need for new policies because of the existing “policy

vacuums”, meaning that there is no fixed set of rules and there are no policies for conduct in

certain new situations. The central task of computer ethics is to fill the policy vacuums by

formulating guidelines, which are supposed to lead the actions. Moore (2001) defines computer

ethics as “the analysis of the nature and social impact of computer technology and the

corresponding formulation and justification of policies for the ethical use of such technology”.

He also states in his paper that computer ethics has no fixed set of ethical rules, instead it

considers the relationships between facts, policies and values in a constantly changing computer

technology.

In another paper written by Moore, “Reason Relativity and Responsibility in Computer Ethics”,

the term “logically malleable” is used about computers, which means that computers can be used

in many logically different activities (Moore 2003). Another term used is “informational

enrichment”, meaning that computerized settings and activities are constantly developing and

becoming informationalized. The fact that computers are logically malleable and that

computerized situations become informationally enriched, means that they will generate many

new policy vacuums and conceptual muddles or confusions in the future. This also means that

the development of computer ethics will never be brought to an end; instead computer ethics is

an ongoing process.

Moore discusses how computer ethics should comprise both reason and relativity, since he

considers that none of the two popular views called “Routine Ethics” and “Cultural Relativism”

is adequate for computer ethics (Moore 2003). The view called “Routine Ethics” means that

computer ethics is considered as any other ethical area, with no dissimilarities, while in “Culture

Relativism” the laws and customs decide what is right and wrong within the field of computer

ethics. According to Moore both these propositions are incorrect, because computer ethics needs

14

a discussion and should not be dismissed only by categorizing it into one of these two views

(Moore 2003). Instead, computer ethics consists of two parts; the first one is the analysis of

situations where computer technology has an impact. The analysis helps to obtain a clear

conception of the situation in which policies have to be formulated. The second part of computer

ethics is, according to Moore, the policy-making for using computer technology ethically. The

policy-making means that it is necessary to interpret the situation, and to be followed by an

evaluation of the policy depending on the society’s values system.

2.5.2 Computer Ethics and Technology

Computer ethics is the analysis of the nature and social impact of computer technology and the

corresponding formulation and justification of policies for the ethical use of such technology. A

typical problem in computer ethics arises because there is a policy vacuum about how computer

technology should be used. Ethical issues within computer ethics can, according to Johnson

(2000), be divided into three groups: The first group concerns the ethical issues according to the

type of technology (whether hardware or software or internet) referred to. There has been a large

increase of computers and databases, which are used for recordkeeping and the creation,

maintenance and manipulation of great amounts of personal information. The development of

computer software has raised ethical issues, regarding property rights and the accountability and

reliability of programs. Each development in the history of computers, for instance the Internet,

has raised new moral concerns.

The second group consists of the ethical issues according to the sector (whether marketing or

medical, etc) in which they occur. When discussing privacy in general it is for example

important not to forget about the different connections, which are protected by privacy, for

example the privacy protection of medical records (Johnson 2000). The third and last group

concerns the ethical issues, according to ethical concepts or theories, where the different ethical

issues can be seen from different philosophical points of view, such as privacy, virtue, duty etc.

Although there are several alignments in ethics, for example utilitarianism1, social contract

1 These theories concentrate on the moral nature and value of the actions performed by the agent. They are ‘relational’ and action-oriented theories, intrinsically social in nature.

15

theory and deontological theory2, these theories have a common goal and that is to prevent harm

and enhance the dignity, happiness, and well-being of man. With the help of ethical principles

people can achieve this goal for themselves and for other people in different situations (Johnson

2003).

To be able to understand the connection between computer technology and ethics, it is essential

to recognize the connection between the technology and a human being (Johnson 2003). It

should be pointed out that technology does not yet do anything independently of a human being,

but there are situations when the control of a human being is weakened when it comes to

technology. Especially in those situations it is important to remember the responsibility human

beings have for technology, when developing new products. It is essential to keep all the

different aspects of a product in mind, especially those affecting the well-being of other people,

like safety, reliability, privacy etc.

Information System Audit and Control Association (ISACA) have set forth a code of

professional ethics to guide the professional and personal conduct of members of the association

and/or its certification holders. Members and ISACA certification shall:

a) Support the implementation of, and encourage compliance with, appropriate standards,

procedures and controls for information systems.

b) Perform their duties with objectivity, due diligence and professional care, in accordance

with professional standards and best practices.

c) Serve in the interest of stakeholders in a lawful and honest manner, while maintaining

high standards of conduct and character, and not engage in acts discreditable to the

profession

d) Maintain a privacy confidentiality of information obtained in the course of their duties

unless disclosure is required by legal authority. Such information shall not be used for

personal benefit or released to inappropriate parties.

2 These anchor on stability of the moral value of human actions through the assessment of their consequences in terms of global and personal welfare and the individual’s sense of duty.

16

e) Maintain competency in their respective fields and agree to undertake only those

activities, which they can reasonably expect to complete with professional competence

f) Inform appropriate parties of the results of work performed; revealing all significant facts

known to them.

g) Support the professional education of stakeholders in enhancing their understanding of

information systems security and control.

2.6 Theoretical Framework

The study adopts the theory of planned behaviour (TPB) and the four-component model of

ethical decision-making by Rest et al (1986) which are being predominant and continuing to be

applied to ethical decision-making in an information technology context (Leonard et al., 2004;

Peace et al., 2003). Rest et al.’s (1986) four-component model of ethical decision-making is

based on Kohlberg’s (1969) model of cognitive moral development which states that moral

reasoning is the basis for ethical behaviour which he described in six stages. It proposes that

individuals must first recognize a moral issue before making a moral judgment, then establish

moral intent (choosing what to do), and finally engage in moral behaviour. The theory of planned

behaviour is an extension of the theory of reasoned action (Ajzen and Fishbein, 1980; Fishbein

and Ajzen, 1975) made necessary by the original model’s limitations in dealing with behaviours

over which people have incomplete volitional control. As in the original theory of reasoned

action, a central factor in the theory of planned behaviour is the individual’s intention to perform

a given behaviour. Intentions are assumed to capture the motivational factors that influence a

behaviour; they are indications of how hard people are willing to try, of how much of an effort

they are planning to exert, in order to perform the behaviour. As a general rule, the stronger the

intention to engage in behaviour, the more likely should be its performance.

The four-component model and the TPB are similar in many ways. The TPB proposes that an

individual’s intention to behave is predicted by their attitude toward the behaviour, their

perception of social norms, and their perceived ability to actually engage in the behaviour

(Ajzen, 1991). Ethics studies that apply the TPB define attitude toward behaviour almost

identically to the four-component model’s definition of moral judgment, and is generally

17

formulated in the same way as whether the questionable behaviour is acceptable/unacceptable

(Leonard et al., 2004) or ethical/unethical (Loch and Conger, 1996).

Figure 1: Four-Component Model of Ethical Decision Making

Source: Rest et al., (1986)

Make moral judgment Establish moral intent Recognize moral issue Engage in moral behaviour

The study will apply the theoretical framework in determining the attitude and the perception to

social norms with regards to clients’ privacy information management. The study will apply the

theory to determine the respondents’ intention to infringe on the clients’ privacy.

18

CHAPTER THREE

RESEARCH METHODOLOGY

3.1 Research design

This was a descriptive survey aimed at surveying the ethical decisions made by commercial

banks in Kenya in managing client information privacy. According to Cooper (1996), a

descriptive study is concerned with finding out who, what, where and how of a phenomenon

which is the concern of this study.

3.2 The Population

The population of interest in this study was all the commercial banks in Nairobi. According to

the Central Bank of Kenya report as at 31st December 2009, there were 46 commercial banks in

Kenya (see appendix 3).

3.3 Sample and Sampling Procedure

Because of the small size of the number of commercial banks, the study carried out a census

study on 45 commercial banks in Kenya excluding charterhouse bank which is under statutory

management by Central Bank of Kenya. The branches in Nairobi were targeted for the study.

The researcher then used purposive sampling to select one senior manager from either

marketing/records or equivalent department from each of the sampled banks. The researcher also

used purposive sampling to select 45 bank customers at least one from each of the banks.

Purposive sampling was suitable as the researcher only studied those elements that had a bank

account with the bank.

3.4 Data collection

Primary data was collected using questionnaires which were both closed and open ended (see

appendix 2). The questionnaires were dropped at the respective banks headquarters in Nairobi

and collected later. The questionnaires were divided into two sections. Section one consisted of

questions on general information. Section two will have questions on ethical issues with regard

to management of clients’ personal records. The questionnaires used likert scales, on the scales

of 1-5.

19

3.5 Data analysis

Descriptive statistics was used to analyze the data. Data on section one was analyzed using

frequencies and percentages. Section two was analyzed using frequencies and percentages, mean

scores and standard deviation Output of the data analysis where applicable was presented in

tables, figures and graphs.

20

CHAPTER FOUR

DATA ANALYSIS AND PRESENTATION OF FINDINGS

4.1 Introduction

In this chapter data pertaining to the ethical decisions made by the management of the

commercial banks in Kenya in the management of client information privacy and the impact on

the relationship of the banks and the client with regard to how the banks managed the clients’

information privacy is analyzed and interpreted.

A total of 90 respondents comprising of 45 senior managers each from the 45 banks in Kenya

and 45 bank customers, one from each of the banks were sampled. Every respondent was given a

questionnaire out of which 70 respondents responded by completing and returning the

questionnaire. All the 45 bank customers completed and returned their questionnaires. This gave

a response rate of 78%. The collected data was edited and coded. Data analysis of the responses

was done using frequency, percentages, mean score and standard deviation. Where applicable,

presentations were done in form of pie charts, bar graphs and tables.

4.2 Respondents General Information

The study sought to establish the names of banks studied, names of respondents (optional) the

position of respondents in the bank, the ownership of the bank, the length of time the bank has

been in operation in Kenya, the number of branches, the customer base, the market segment the

bank served, the gender of the respondents, age, the length of time the respondent has been the

bank’s customer and where the respondents had credit/debit cards. The results of the study are

presented in the sections below:

4.2.1 Gender

Respondents were asked to indicate their genders. According to the study as presented in Figure

4.1, 45 percent of the bank customer respondents were male while 55 percent were female. This

was due to the fact that during data collection there were more women found in the banking halls

than the male. This may be an indication that probably there are more women seeking banking

services than men.

21

Figure 4.1: Distr0ibution of Respondents by Gender

Source: Research Data (2010)

4.2.2 Age Bracket

The study sought to establish the ages of the respondents. According to Table 4.1, 17 (38%) bank

customer respondents were in the age bracket of 36 to 40 years while 10 (21%) were over 40

years old. The results show that 8 (18%) were aged between 25 and 30 years. This implies that

though ages 36 to 40 are the majority distribution of respondents in terms age, the distribution is

even.

Table 4.1: Distribution of Respondents by Age.

Frequency Percent

Below 25 years 3 7

25 – 30 years 8 18

31 – 35 years 7 16

36 – 40 years 17 38

Over 40 years 10 21

Total 45 100


4.2.3 Period with Bank as Account Holder

Respondents were asked to state how long they have had account with the respondent bank.

According to the results of the study presented in Figure 4.2 most of the respondents (42%)

indicated that they had had accounts with the banks for less than five years. The study results

22

further show that 24 percent of the respondents have had accounts with the banks for between 5

and 10 years. This may be attributed to the fact that the last 5 years up to the post election

violence period, there has been an economic boom which has seen many households and

businesses seeking banking services. The boom in the economy, the reforms in the banking

sector which forced the lending rates, and the increasing liquidity of the banks increased the

demand for the banking services.

Figure 4.2: Period with Bank as Account Holder

42%

24%

18%

11%5%

05

1015202530354045

Dist

ribu

tion

of

Res

pond

ents

(%)

Less than 5years

5 - 10 years 11 15 years 16 - 20 years Over 20 years


4.2.4 Have a debit/Credit Card

Rodgerson et al., (2000) states that a number of ethical problems and conflicts are in the area of

technology. To test this, the study sought to establish from the respondents how many have

credit and debit cards being the latest technology in the banking industry. The results of the study

presented in Figure 4.3, majority of the respondents (64%) did not debit or credit cards. 36

percent of the respondents have debit and credit cards.

23

Figure 4.3: Have a debit/Credit Card

No64%

Yes36%


4.2.5 Position

Respondents were asked to indicate their positions in the institutions. According to Table 4.2,

most of the respondents (5, 20%) were managers in charge of credit while the rest were general

managers, marketing managers and operations managers in the same proportions. This means

that the information received was more accurate as those who filled the questionnaires were in

charge of decision making in the institutions.

Table 4.2: Respondents Positions

Frequency Percent

Manager (Credit) 5 20

General Manager 4 16

Marketing Manager 4 16

Operations Manager 4 16

Cashier 3 12

Not indicated 5 20

Total 25 100


4.2.6 Ownership of Banks

Respondents were asked to indicate the ownership of the banks. According to the results of the

study, 48 percent of the respondents indicated that banks were predominantly local while 44

24

percent indicated that the banks were balanced between foreign and local. Only 8 percent of the

respondent according to the study were predominantly foreign

Figure 4.4: Ownership of Banks


4.2.7 Period in Operation

The study sought to establish how long the respondent banks have been in operation. The study

results in figure 4.5 show that most of the respondent banks (36%) have been in operation for

between 31 to 41 years while 25 percent have been in operation for between 10 and 20 years

Figure 4.5: Period in Operation

9%

36%

18%

25%

12%

05

10152025303540

Less than 10Years

Between 10-20Years

Between 21-30Years

Between 31-40Years

Above 40 YearsDis

trib

utio

n of

Res

pond

ents

(%)


25

4.2.8 Number of Branches

Banks with wider coverage are deemed to have collected more client personal information and

the study therefore sought to establish the number of branches the respondent banks had. The

study results in Figure 4.6 show that 32 percent of the respondent banks had more than 20

branches while 20 percent had between 5 and 10 branches.

Figure 4.6: Number of Branches


4.2.9 Customer Base

The study sought to establish the size of the banks in terms of customer base. Respondents were

therefore asked to state the customer base of their organizations. Table 4.3 show that 12 (48%) of

the respondent banks had a customer base of between 50,000 and 100,000 while 7 (28%) had a

customer base of between 10,000 and 50,000.

Table 4.3: Customer Base

Frequency Percent

Less than 10,000 3 12

Between 10,001 and 50,000 7 28

Between 50,001 - 100,000 12 48

More than 100,001 3 12

Total 25 100


26

4.2.10 Market Segment

The study sought to establish the market segment the respondent banks served. Figure 4.7 show

that 96 percent of the respondent banks served both business and individuals.

Figure 4.7: Market Segment

Both business and personal

96%

Business4%


4.3 Ethical Decisions made by Commercial Banks in Kenya in Managing

Client Information Privacy

In this section the study sought to establish the ethical decisions made by the commercial banks

in managing the client information privacy. The results of the study are presented in the

subsequent sections.

4.3.1 Extent Employees Understand the Mission of the Organization Respondents were asked to indicate the extent to which their employees understood the mission

of the organizations. Figure 4.8 show that 55 percent of the respondents indicated that to a large

extent their employees understood the mission of the organizations. 18 percent of the

respondents indicated that to a very large extent the employees understood the mission of the

organization.

27

Figure 4.8: Extent Employees Understand Mission of the Organization


4.3.2 Storage of Client Information

The study sought to establish how the client information was stored. The results indicate that

client information is stored in files which are stored in safe cabinets. Respondents also indicated

that the client private information was stored in data bases and backups.

4.3.3 Purpose of Collection of Client Information

Respondents were asked to indicate the purpose for which client personal information is

collected. The main purpose of collecting the client information was for records purposes

according to 49 percent of the respondents. Records means that the clients personal information

are collected and stored for future use by the bank for instance in case of death or any other need.

According to 21 percent of the respondents, the banking act requires that all the banks have their

client information. The banking act requires that all account holders provide their details

including foreign and local transactions to control money laundering (Nduati, 2006). The study

further established that 34 percent of the respondents indicated that the client information was

collected for the purposes of marketing.

28

Figure 4.9 Purpose of Collection of Client Information


4.3.4 Client Information Used for what it was not intended

The respondents were asked to indicate whether there were occasions when the client

information was used for what it was not intended for. From the results of study presented in

Figure 4.10, 56 percent of the respondents indicated that indeed there were occasions when client

information was used for what it was not intended. The results in the figure show that 44 percent

of the respondents indicated that their institutions have never used client personal information for

what it was not intended. Asked to explain their answer, respondents indicated that the bank

used personal details to contact them when introducing a new product in the market. This

contravenes section 31(2) of the banking act which demands that the consent of the client is first

sought before the information is used. This therefore according to the Act is not allowed hence

amounting to infringment of customer privacy.

Figure 4.10: Client Information Used for what it was not intended


29

4.3.5 Erosion of Privacy Rights Attributed to Computer Ethics

The study sought to establish the extent to which the computer ethics was attributed to the

erosion of privacy rights. According to the study, 37 percent of the respondents indicated that

computer ethics was attributed to the erosion of the privacy rights only to a moderate extent. The

study further established that 24 percent of the respondents indicated that computer ethics was

attributed to erosion of privacy rights to a large extent. (see Figure 4.11)

Figure 4. 11: Erosion of Privacy Rights Attributed to Computer Ethics


4.3.6 Have Computer Ethics to Guide on Handling of Records

Respondents were asked to indicate whether the organization had put in place computer ethics

that guided the users on record handling. The results of the study presented in Figure 4.12 show

that 89 percent of the respondents indicated that indeed their organizations had put in place

computer ethics that guided the user in handling customers’ personal data. Asked to explain their

answers, respondents indicated that every user is given rights to only access information that

he/she requires to perform his or her duties. The study further established that it is in the policy

of most of the respondent banks that no customer private information should be mishandled as

mishandling of client personal information may lead to jail.

30

Figure 4.12: Have Computer Ethics to Guide on Handling of Records


4.3.7 Attempts to Protect Client Personal data

The study sought to establish whether the organizations had made attempts to protect the data

bases containing the client personal data. Figure 4.13 show that 56 percent of the respondents

indicated that the organization had indeed made attempts to protect the data bases while 44

percent of the respondents indicated that their organizations did not make attempts to protect the

data bases containing the customers’ personal data. These findings show that though majority of

the banks adhere to section 31(2) of Banking Act which prohibits disclosure of client’s personal

information furnished to the bank by the client unless the consent in writing of that person has

first been given and have therefore put in place measures to protect client privacy.

Figure 4.13: Made Attempts to Protect Client Personnal data


31

4.3.8 Measures to Protect Client Information Privacy

Respondents were asked to indicate the extent to which they agreed with the information

regarding remedies for unethical computer behaviours with regard to client information privacy

on a five point likert scale of to no extent, small extent, moderate extent, large extent and to very

large extent. The mean score 0.1 to 1.0 was taken to represent agree to no extent while the score

1.1 to 2.0 was taken to represent agree to small extent. The score 2.1 to 3.0 was taken to

represent agree to moderate extent while score 3.1 to 4.0 was taken to represent agree to large

extent. The mean score 4.1 to 5.0 was taken to represent agree to very large extent. The results

are presented in Table 4.4.

Table 4.4: Measures to Protect Client Information Privacy

N Mean Std. Error Std. Deviation Monitoring use of emails by employees 45 3.18 0.17 1.13 Looking at laws on computer ethics and enforcing them 45 2.27 0.15 1.03 Educating the users on the need to observing organizational ethics 45 3.56 0.17 1.14 Users perform their duties diligently and professionally 45 4.11 0.11 0.75 The users serve in the interest of stakeholders in lawful and honest manner 45 2.98 0.15 0.99 Ensure that users maintain competency in their fields 45 3.73 0.15 0.99


The study results show that most of the respondents agreed at least to a large extent (mean score

3.1-5.0) with statements regarding remedies for unethical behaviours to client information

privacy. The study results presented in Table 4.4 show that respondents agreed to a large extent

with the statement that the organizations were monitoring use of emails by the employees (mean

score, 3.18). Respondents equally agreed to a large extent with statements that the organizations

were educating the users on the need to observe organizational ethics with regard to use of

computer in handling client personal data (mean score, 3.56) and that the organizations ensured

that users maintained competencies in their fields (mean score, 3.73). The study established that

respondents agreed to a very large extent with the statement that the employee performed their

duties diligently and professionally.

32

Asked to state what measures are taken by the institution on anyone found mismanaging the

client private information, respondents indicated that the institution policy, rules and regulations

are clear and such a person is sacked forthwith without any warning. The respondents indicated

that legal action is also taken on such an employee.

4.4 The Impact on the Relationship of the Bank and the Client with Regard to how Bank

Manages Client Information Privacy

In this section the study sought to determine the impact of ethical decision making on the

relationship of the bank and the client with regard to how the banks managed the client

information privacy. The findings of the study are presented in the subsequent sections.

4.4.1 Asked to Give Personal Information

Respondents were asked to indicate whether their banks had ever asked them to give personal

information. According to the results of the study all the respondents indicated that indeed their

banks had asked them to give personal information.

4.4.2 Cared to Know the Necessity of the Information

Asked to indicate whether they had bothered to know what the information was meant for, 70

percent of the respondents indicated that they did not bother to ask to know why the information

was necessary, while 30 percent indicated that they bothered to ask to know the reason for which

the information was needed. This indicates that the clients are ignorant of the law (the banking

Act) which prohibits disclosure of any information furnished by the client unless the consent in

writing of that person has first been given. The banks could therefore be taking advantage of

their ignorance to infringe on their privacy (See Figure 4.14)

33

Figure 4.14: Cared to Know the Necessity of the Information

Yes30%

No70%


Asked to indicate some of the reasons given, all the respondents indicated that they were told the

information collected was for the purposes of records.

4.4.3 Record Treated as Confidential

To establish whether the bank made commitment to safeguard the client personal information,

respondents were asked whether the bank assured them that their information would be treated

with confidentiality. Figure 4.15, 98 percent of the respondents indicated that they were indeed

assured of confidentiality.

Figure 4.15: Record Treated as Confidential


4.4.4 Banks Handle Personal Information with Confidentiality

Respondents were asked to indicate their opinion as to whether the banks had handled their

personal information with confidentiality. According to the results presented in Table 4.5, 41

34

(80%) respondents indicated that the bank did not handle their information with confidentiality.

This contravenes the client privacy even after being assured by the bank that the information will

be treated with confidentiality. The study results also show contravention of the banking Act,

Cap 488 section 31(2) which prohibits disclosure of any client information furnished unless the

consent in writing of that person has first been given. Despite the unethical behaviour by the

banks, clients continue to provide the banks with their personal information which may be

attributed to the fact that the banks monopoly of the service could be the reason for this paradox.

Table 4.5: Banks Handle Personal Information with Confidentiality

Frequency Percent

Yes 9 20

No 41 80

Total 45 100


Asked to explain the reasons for their answers, 24 percent of the respondents indicated that they

believed that the banks had leaked their information to a third party who called them to promote

their products. 33 percent of the banks said that the banks had called them to introduce new

products for example, credit and debit cards.

4.4.5 Someone given Information about Self Similar to Information Given to Bank

The study sought to establish whether respondents had had someone give them information

similar to the one they gave to the bank. According to the Figure 4.16, 74 percent of the

respondents indicated that someone had indeed given them information about themselves which

was similar to the one they gave the bank. The results show that 26 percent indicated that no one

had given information which was similar to the one they gave the bank.

35

Figure 4.16: Someone given Information about Self Similar to Information Given to Bank


Asked to indicate their reaction, most of the resppondents indicated that they were shocked and

demanded to know where the person had gotten the information. Some respondents indicated

that they understood the fact that information is today shared and even rogue employees would

do anything including selling company’s confidential information to competitors.

4.4.6 Felt Right to Privacy was Breached

Respondents were asked to indicate whether they felt the right to privacy was breached by the

bank. Figure 4.17 show that majority of the respondents (82%) indicated that they indeed felt

their right to privacy was breached by the bank while 18 percent felt there was no breach of right

to privacy. This further points to the paradox that despite the unethical behaviour by the bank to

contravene client privacy right, clients still trust the banks with their information.

Figue 4.17: Felt Right to Privacy was Breached


36

Asked to indicate whether the breach of right to privacy had affected their relationship with the

bank, 66 percent of the respondents indicated that this did not affect their relationship with the

bank while 34 percent indicated that indeed this affected their relationship with the bank.

Figure 4.18: Breach of Right to Privacy affected Relationship

Yes66%

No34%


37

CHAPTER FIVE

DISCUSION, CONCLUSION AND RECOMMENDATION

5.1 Introduction

This chapter discusses the findings of data pertaining to the ethical decisions made by the

management of the commercial banks in Kenya in management of client information privacy and

its impact on the relationship of the banks and its client. Conclusions based on the findings are

then made and thereafter recommendations for management and suggestion for future study are

presented.

5.2 Summary

Most of the respondent banks (48%) are predominantly owned by Kenyans. The study

established that most of the banks have been in operation for between 31 and 41 years. The

banks mainly serve both the businesses and personal clients. The study established that the bank

employees to a large extent breached the clients’ right to privacy despite the computer ethics put

by the bank management to protect client privacy but this did not affect the relationship between

banks and its clients.

5.3 Discussion

5.3.1 Ethical Decisions made by Commercial Banks in Kenya in Managing Client Information

Privacy

The study sought to establish the ethical decisions made by commercial banks in Kenya with

regard to client information privacy. According to the study, majority (55%) of the bank

employees understood the mission of the organizations. The study established that according to

the respondents, the client personal information was stored in data bases in computers and in

files which were then stored in safe cabinets. The study further established that some client

information was stored in back-ups. The respondents indicated that the information was collected

for records (49%) and marketing (34%) purposes. It was also a requirement by the Banking Act

that banks have customer information for security purposes. But it was evident from the study

results as was depicted by 56 percent of the respondents that the client information was not used

for what it was intended for. This according to Bok (1983) was a breach of privacy as he defines

38

privacy as a condition of being protected from unwanted access by others which may be in the

form of physical access, or even personal information without approval. The study revealed that

only 44 percent of the client information collected was used for what it was intended. Some of

the respondent banks used the information to market their new products such as debit and credit

cards to their customers, which was not the main reason as to why the information was sought.

Weak computer ethics was blamed for the erosion of right to privacy in the financial institutions

as was indicated by majority of the respondents. Computer ethics was a major challenge to

respondent banks despite the fact that 89 percent of the respondent banks indicated to have

computer ethics to guide the handling of records, such as protecting client personal data,

monitoring the use of email by the employees (mean score 3.18), educating employees on the

need to observe organizational ethics (mean score 3.56) and ensuring that the employees

maintained competencies in their fields (mean score 3.73). These findings of the study agree with

Rodgerson et al (2000) that business organizations are experiencing a number of ethical

problems and conflicts in the area of computer technology baecause of increased adoption,

hence increased incidences of unethical use of computers. The results of the study further agree

with the views of Conger and Loch (1995) that the proliferation of computer use by employees in

all functional areas has resulted in a variety of ethical problems for society and organizations that

are unique to computer technology. The study results only confirm Pierce and Henry (2000)

findings that the invasion of privacy by computer technology and misuse of data files are at an

all time high.

5.3.2 Impact on the Relationship of the Bank and the Client with Regards to how Bank

Manages Client Information

The study sought to establish the impact of client information handling by the bank on their

relationship with the client. According to the study, all the respondents (bank customers)

indicated that the banks had sought their personal information of which 30 percent sought to

know why such information was necessary. Respondents were told that the main purpose for the

collection of such information was for records purposes. The banks assured the respondents of

confidentiality, but according to 82 percent of the respondents, this was never so as their

personal information they believe was used by the bank, used or leaked to a third party. 24

39

percent of the respondents believed that their information was leaked to the third party while 33

percent indicated that the bank called them to inform them of the new products such as debit and

credit cards they were offering.

According to 74 percent of the respondents someone not an employee of the bank had called

them giving personal description as the ones they had given to the bank. Respondents indicated

that they were shocked at how their personal information could be accessed by anyone. Due to

this 82 percent of the respondents indicated that they felt their right to privacy was breached by

the bank employees who had promised confidentiality. But this according to the results of the

study did not affect the relationship of the clients with their banks as was indicated by majority

of the respondents.

The results of the study clearly show that the bank employees were not guided by the Kohlberg’s

(1969) theory of cognitive moral development which states that moral behaviour starts by moral

reasoning. In the absence of moral reasoning it becomes obvious that the bank employees

behaved immorally after making immoral judgement and chose to breach client right to privacy

and behaving unethically using computer technology to mismanage the client information and

using it for what it was not intended for without the consent of the client.

5.4 Conclusion

The banks collect client personal information for three main reasons namely, for records,

marketing and requirement by the law (the Banking Act) that they gather such information as

client details for security purposes. The study established that the banks had put in place

measures to ensure that the employees do not mismanage client private information thereby

complying with the Banking Act which prohibits disclosure of client personal information

without concent. Despite the efforts to store the client information in safe place for

confidentiallity such as data bases and backups the bank employees have continued to

mismanagement client personal information with impunity. It was further evident that, despite

the fact that the banks have put in place measures such as computer ethics and strong monitoring

of the employee action in the computers and the internet to safeguard the client information, the

measures seem not to be effective enough as the employees have continued to infrege on the

40

clients’ privacy unabated. The study established that despite the cruel disciplinary action on

anyone found to mismanage client personal information, it was still not possible put an end to

unethical decision making by bank employees to client information, thereby contravening the

banking Act. This Conger and Loch (1995) attributes to immense amount of information

available to computer users. The employees have disregarded moral ethics and engaged in

unethical decision making which has breached client right to privacy. Though this supprised the

clients it did not have any effect on their relationship which the bank as they continued to trust

the banks with their personal information.

5.5 Recommendations

The study established that the bank employees engaged in unethical decision making in handling

client private information. The study therefore recommends that organizations develop strong

computer ethics which will instil ethical behaviour among the employees.

The study established that despite the fact that banks had measures to take care of the client

privacy, employees still infringed on client privacy. The study recommends that banks put in

place policies that will allow only those who directly depend on the information to carry out their

duties be given access to the client information. Otherwise any person who does not need the

information should be barred from accessing such information.

5.6 Suggestions for Further Research

This study was only done in the commercial banks in Kenya while there are other organizations

which collect client private information for instance hospitals etc. the study therefore

recommends that similar studies be carried out in other organizations with an aim of establishing

client information privacy management.

5.7 Limitations of the Study

Some respondents did not give all the required information and hence they may have deprived

the study of the necessary information. Time was limited for this study as the researcher was not

able to collect all the information especially from the bank employees who needed more time to

complete the questioinnaire due to their busy work schedule. The study used descriptive statistics

41

and therefore only gave what was being done and not what could be done and as a result

conclusions that extend beyond the data cannot be supported by the study.

42

REFERENCES

Ajzen, I. (1991). “The theory of planned behaviour”, Organizational Behaviour and Human

Decision Processes, Vol. 50 No. 2, pp. 179-211.

Allen, A.L. (1988). Uneasy Access: Privacy for Women in a Free Society, Rowman & Littlefield,

Totowa, NJ.

Benn, S.I. (1971). “Privacy, freedom, and respect for persons”, in Pennock, R. and Chapman, J.

(Eds), Privacy Nomos XIII, Atherton, New York, NY.

Central Bank of Kenya (2009). The Laws of Kenya: The Banking Act, Chapter 488. Central Bank of Kenya.

Central Bank of Kenya (2009), Bank Supervision Annual Report 2009

http://www.centralbank.go.ke/downloads/bsd/annualreports/bsd2009.pdf

Clarke, R. (1999). “Internet privacy concerns confirm the case for intervention”, Communication

of the ACM, Vol. 42, No. 1, pp. 60-7.

Cooley, T. (1880). A Treatise on the Law of Torts, Callaghan and Co, Chicago, IL.

Cooper, D. J., (1996). Internal Marketing: Your companies’ next stage of growth, New York, the

Harsworth press Inc.

Freund, P.A. (1971). “Privacy: one concept or many?”, in Pennock, R. and Chapman, J. (Eds),

Privacy Nomos XIII, Atherton, New York, NY.

Gavison, R. (1980). “Privacy and the limits of law”, Yale Law Journal, Vol. 89. No. 2, pp. 111-

117

Gavison, R. (1983). “Information control: availability and control”, in Benn, S. and Gaus, G.

(Eds), Public and Private in Social Life, St Martin’s Press, New York, NY.

43

Graeff, T.R. and Harmon, S. (2002). “Collecting and using personal data: consumers’ awareness

and concerns”, The Journal of Consumer Marketing, Vol. 19 No. 4/5, pp. 302-18.

Gittiker, U.E. and Kelley, H. (1999). “Morality and Computers: Attitudes and Differences in

Moral Judgements”, Information Systems Research, Vol. 10. No. 3. pp. 233-54

Inness, J. (1992). Privacy, Intimacy, and Isolation, Oxford University Press, New York, NY.

Jennings, M. (2002). “Ethics in cyberspace”, BizEd, January-February, pp. 18-23.

Johnson, J. (1998). “Netiquette training: whose responsibility?”, CPSR Newsletter, Vol. 16 No.

3, pp. 14-18.

Leonard, L.N.K., Cronan, T.P. and Kreie, J. (2004). “What are influences of ethical behaviour

intentions - planned behavior, reasoned action, perceived importance, or individual

characteristics?” Information & Management, Vol. 42 No. 1, pp. 143-58.

Moore, A.D. (2001). Intellectual Property and Information Control: Philosophic Foundations

and Contemporary Issues, Transaction Publishing, New Brunswick, NJ.

Moore, A.D. (2003). “Privacy: its meaning and value”, American Philosophical Quarterly, Vol.

40. No. 3. pp. 125-129

Moore, A.D. (Ed.) (2005). Information Ethics: Privacy, Property, and Power, University of

Washington Press, Seattle, WA.

Moor, J.H. (1997). What is computer ethics? Metaphilosophy 16/4.

http://www.ccsr.cse.dmu.ac.uk/staff/Srog/teaching/moor.htm

O’Brien, D.M. (1979). Privacy, Law, and Public Policy, Praeger, New York, NY.

44

http://www.ccsr.cse.dmu.ac.uk/staff/Srog/teaching/moor.htm

Onduso, T. S. (2001). A Survey of Ethical Issues in the use of Information Technological among

Commercial Banks in Kenya. Unpublished MBA Project of University of Nairobi, Kenya.

O’Reilly, C.A. III, Chatman, J. and Caldwell, D.F. (1991). “People and organizational culture: a

profile comparison approach to assessing person-organization fit”, Academy of Management

Journal, Vol. 34 No. 3, pp. 487-516.

Phelps, J. Nowak, G. and Ferrell E. (2000). Privacy Concerns and Consumer Willingness to

Provide Personal Information. Journal of Public Policy and Marketing, Vol 19. No. 1. pp. 27-41.

Posner, R.A. (1998). Economic Analysis of Law, Little, Brown, Boston, MA.

Rodgerson, S. Weckert, J. and Simpson, C. (2000). An Ethical Review of Information Systems

Development” Information Technology and People, Vol. 13, No. 4. pp 121-36

Solove, D.J. (2002). “Conceptualizing privacy”, California Law Review, Vol. 90. No.1. pp. 62-

69

Tavani, H. T. (2002). The uniqueness debate in computer ethics: What exactly is at issue, and

why does it matter? Ethics and Information Technology 4, 2002

Thomson, J.J. (1975). “The right to privacy”, Philosophy and Public Affairs, Vol. 4. No. 1, pp.

117-127

Wagacha, M. and Ngugi, R. (1999). Macroeconomics programmes, Kenya’s strategic policies

for the 21st century, Institute of Policy Analysis and research (IPAR) 1999.

Warren, S. and Brandeis, L.D. (1890). “The right to privacy”, Harvard Law Review, Vol. 4 No.

5, pp. 193-220.

45

APPENDICES

APPENDIX 1: LETTER OF INTRODUCTION

Dear Respondent

REF: REQUEST FOR RESEARCH DATA

I am a Master of Business Administration (M.B.A.) student at the University of Nairobi. I am

required to submit as part of my course work assessment a research project report on “an

investigation of ethical decision making in managing client information privacy, the case of

commercial banks in Kenya”. To achieve this, your organization is one of those selected for

the study. I kindly request you to fill the attached questionnaire to generate data required for this

study. This information will be used purely for academic purpose and your name will not be

mentioned in the report. Findings of the study, shall upon request, be availed to you.

Your assistance and cooperation will be highly appreciated.

Thank you in advance.

Arbogasti Odero.

M.B.A. Student- Researcher

University of Nairobi

46

APPENDIX 2: QUESTIONNAIRES

2.1 QUESTIONNAIRE FOR BANK EMPLOYEES

SECTION ONE: GENERAL INFORMATION

1. Name of bank_____________________________________________________

2. Name of interviewee (optional)______________________________________

3. Please state your position in the Bank__________________________________

4. Please indicate the ownership of the bank using the categories below (please tick one)

a) Predominantly local (51% or more) [ ]

b) Predominantly foreign (51% or more) [ ]

c) Balanced between foreign and local (50/50) [ ]

5. Using the categories below please indicate how long your bank has been in operation in

Kenya.

Less than 10 Years [ ]

Between 10-20 Years [ ]



Above 40 Years [ ]

6. Using the categories below, please indicate the number of branches you have in Kenya

Less than 5 [ ]

Between 5-10 [ ]

Between 11-20 [ ]

Above 20 [ ]

7. Please indicate your customer base by ticking any of the categories below.

Less than 10,000 [ ]

Between 10,001 and 50,000 [ ]

Between 50,001 - 100,000 [ ]

More than 100,001 [ ]

8. Which market segment does your bank serve? Please tick as is appropriate.

47

Business [ ]

Personal [ ]

Both Business and Personal [ ]

SECTION TWO: ETHICAL ISSUES IN MANAGEMENT OF CLIENTS PRIVATE

INFORMATION.

9. Organizational ethics is about the understanding the mission and the objective of the

organization as the aim of any organization forms its culture. To what extent do the

employees understand the mission of the organization? Tick the appropriate box below. No extent Small extent Moderate extent Large extent Very large extent

10. How is the client private information stored in your organization?

________________________________________________________________________

___________________________________________________________

11. Who has the right to access the client private information? _________________

12. What is the main purpose for collection of this information?

i) ____________________________________________

ii) _____________________________________________

iii) _____________________________________________

13. Are there occasions when the client private information has been used for what it was

not intended? Yes [ ] No [ ]

14. Explain your answer in 13 __________________________________________

_________________________________________________________________________

_____________________________________________________

15. Is there a code of ethics on how client information privacy is handled in your

organization? Yes [ ] No [ ]

16. Explain why ______________________________________________

______________________________________________________________________

48

17. Computer ethics is largely attributed to the erosion of privacy rights, to what extent do

you agree with the statement?

No extent Small extent Moderate extent Large extent Very large extent

18. Does the organization have in place any computer ethics that guide the users,

especially those in the records handling personal data?

Yes [ ] No [ ]

19. If yes, explain_____________________________________________________

_______________________________________________________________

20. Has the organization made attempts to protect the data bases containing the personal

data? Yes [ ] No [ ]

21. How has this been possible? _________________________________________

________________________________________________________________________

______________________________________________________________

22. To what extent do you agree with the following information as remedies for unethical

computer behaviours with regard to client information privacy?

No

extent

Small

extent

Moderate

extent

Large

extent

Very large

extent

Monitoring use of emails by employees

Looking at laws on computer ethics and enforcing

them

Educating the users on the need to observing

organizational ethics

Users perform their duties diligently and professionally

The users serve in the interest of stakeholders in lawful

and honest manner

Ensure that users maintain competency in their fields

49

23. What measures are taken by the institution on anyone found to have mismanaged the client

private information? _____________________________

2.2 QUESTIONNAIRE FOR CLIENTS SECTION ONE: GENERAL INFORMATION

1. Name of respondent (optional)

2. Gender Male [ ] Female [ ]

3. Age bracket Below 25 years 26-30 years 31-35 years 36-40 years Over 40 years

3. Which bank do you have an account with?_______________________________

4. For how long have you been their client?

Less than 5 years 6-10 years 11-15 years 16-20 years Over 20 years

5. Do you have a credit/debit card? Yes [ ] No

SECTION TWO: RELATIONSHIP OF THE BANK AND CLIENTS WITH REGARDS

TO HOW THE BANKS MANAGED CLIENT INFORMATION PRIVACY

6. Has your bank ever asked you to give your personal information?

Yes [ ] No [ ]

7. Did you bother to know what the information was meant for?

Yes [ ] No [ ]

8. What were some of the information?

i) ____________________________________________

ii) _____________________________________________

iii) _____________________________________________

50

9. Were you assured that the information will be treated as confidential?

Yes [ ] No [ ]

10. Do you think the bank has handled your personal information with confidentiality? Yes

[ ] No [ ]

11. If no explain____________________________________________________

________________________________________________________________________

___________________________________________________

12. Has anyone ever given you information about yourself that resembles the ones you gave

the bank? Yes [ ] No [ ]

If yes what was your reaction? ________________________________________

________________________________________________________________________

________________________________________________________________________

_____________________________________________________

13. Did you feel your right to privacy was breached by the bank?

Yes [ ] No [ ]

14. Has this affected your relationship with the bank? Yes [ ] No [ ]

In your opinion, what measures should be taken to curb such misbehaviour by the bank

employees?_________________________________________________

________________________________________________________________________

________________________________________________________________________

______________________________________________________

51

APPENDIX 3: COMMERCIAL BANKS IN KENYA AS AT 31ST DECEMBER

2009

1. African Banking Corporation Ltd. 2. Bank of Africa (K) Ltd. 3. Bank of Baroda (K) Ltd. 4. Bank of India 5. Barclays Bank of Kenya Ltd. 6. CFC Stanbic Bank Ltd 7. Charterhouse Bank Ltd.** 8. Chase Bank (K) Ltd. 9. Citibank N.A. Kenya 10. City Finance Bank Ltd. 11. Commercial Bank of Africa Ltd. 12. Consolidated Bank of Kenya Ltd. 13. Co-operative Bank of Kenya Ltd. 14. Credit Bank Ltd. 15. Development Bank of Kenya Ltd. 16. Diamond Trust Bank Kenya Ltd. 17. Dubai Bank Kenya Ltd 18. Eco bank Ltd. 19. Equatorial Commercial Bank Ltd. 20. Equity Bank Ltd. 21. Family Bank Ltd. 22. Fidelity Commercial Bank Ltd. 23. Fina Bank Ltd. 24. First Community Bank Ltd 25. Giro Commercial Bank Ltd. 26. Gulf African Bank Ltd. 27. Guardian Bank Ltd. 28. Habib Bank A.G. Zurich 29. Habib Bank Ltd. 30. Housing Finance Ltd. 31. Imperial Bank Ltd. 32. Investment & Mortgages Bank Ltd. 33. Kenya Commercial Bank Ltd. 34. K-Rep Bank Ltd. 35. Middle East Bank (K) Ltd. 36. National Bank of Kenya Ltd. 37. NIC Bank Ltd. 38. Oriental Commercial Bank Ltd. 39. Paramount Universal Bank Ltd. 40. Prime Bank Ltd. 41. Southern Credit Banking Corporation Ltd. 42. Standard Chartered Bank (K) Ltd. 43. Savings & Loan Kenya Ltd.

52

53

44. Trans-National Bank Ltd. 45. UBA Kenya Bank Ltd 46. Victoria Commercial Bank Ltd

** Charterhouse Bank Ltd which is under statutory management by CBK was not included in the study

Documents

An investigation of client information privacy management