AN INVESTIGATION OF CLIENT INFORMATION PRIVACY MANAGEMENT: THE CASE OF COMMERCIAL BANKS IN
KENYA
ARBOGASTI ODERO A Management Research Project Submitted in Partial Fulfilment of the Requirements for the Award of Master of Business Administration (MBA) Degree, School of Business, University of Nairobi
November 2010
i
DECLARATION
I declare that this thesis is my original work and has never been submitted to any other
University or institution of higher learning for examination. The thesis is as a result of my own
individual effort and where other people’s ideas and work have been cited, they are duly
acknowledged.
Signature _______________________ Date _______________________
Arbogasti Odero
D61/P/8279/03
This research project has been submitted for examination with my approval as the University
Supervisor.
ii
DEDICATION
This work is dedicated to my beloved wife Constance Tengo for her role in urging me on in this
endless journey of acquiring knowledge and inculcating in me the passion and desire for success.
I also dedicate this work to my Dad Joseph and Mum Maria. Thank you for the words of
encouragement and prayers.
Finally my dedication goes to my supervisor Dr. Nixon Muganda and my moderator Mrs. Kate
Litondo who have seen me through this thesis and for ensuring that high standards are
maintained throughout the research work.
iii
ACKNOWLEDGEMENT
Many people have contributed to the fulfilment of this research project, either directly or
indirectly. I want to thank my supervisor Dr. Nixon Muganda and my moderator Mrs. Kate
Litondo who helped make this research project a success through so many ways. I want to thank
my colleagues at Federation of Kenya Employers who offered words of encouragement and
assistance in proof reading and in many other various ways. To my family members, I would like
to say thank you for constantly encouraging me to move on and not to quit especially during this
last phase of the research project which has not been easy. Finally, I thank the management of
various banks for their understanding and allowing me to distribute the questionnaires and
providing me with adequate response. To the bank customers who took time to fill in the
questionnaires thereby providing me with a basis to conclude this research project, you are
acknowledged. Without the feedback from the questionnaires, this research project would not
have been possible.
iv
TABLE OF CONTENTS
DECLARATION................................................................................................. i DEDICATION..................................................................................................... ii ACKNOWLEDGEMENT.................................................................................... iii TABLE OF CONTENT........................................................................................ iv ABSTRACT........................................................................................................... vii
CHAPTER ONE: INTRODUCTION…………………………… ................. 1
1.1 Background of the study………………………………………................... 1
1.2 Commercial Banks in Kenya…………………………………..................... 2
1.3 Statement of the problem………………………………………...................... 3
1.4 Research Objectives………………………………………….......................... 5
1.5 Significance of the study………………………………………................ 6
CHAPTER TWO: LITERATURE REVIEW……………………............. 7
2.1 Introduction.................................................................................................. 7
2.2 The concept of privacy…………………………………………............... 7
2.2.1 The right to be let alone............................................................. 7
2.2.2 Limited access to self.................................................................... 8
2.2.3 Privacy as secrecy...................................................................... 8
2.2.4 Control of personal information.................................................. 8
2.2.5 Personality.................................................................................. 9
2.2.6 Privacy as intimacy................................................................... 9
2.2.7 Privacy as a cluster concept..................................................... 10
2.3 Ethical decision making and privacy…………………………................. 10
2.4 Ethical Behaviour in an organization...................................................... 12
2.5 Computer ethics………………………………………………............... 13
2.5.1 Definition................................................................................... 14
2.5.2 Computer Ethics and Technology.............................................. 15
2.6 Theoretical Framework………………………………………................ 17
v
CHAPTER THREE: RESEARCH METHODOLOGY………................ 19
3.1 Research design……………………………………………................... 19
3.2 The population………………………………………………................. 19
3.3 Sample and sampling procedure……………………………................... 19
3.4 Data collection………………………………………………................ 19
3.5 Data analysis…………………………………………………................ 20
CHAPTER FOUR: DATA ANALYSIS AND PRESENTATION.............. 21
4.1 Introduction................................................................................................. 21
4.2 Respondents General Information.............................................................. 21
4.2.1 Gender........................................................................................... 21
4.2.2 Age Bracket.................................................................................... 22
4.2.3 How Long has had an Account with Respondent Bank .................... 22
4.2.4 Have a debit/Credit Card............................................................... 23
4.2.5 Position.......................................................................................... 24
4.2.6 Ownership of Banks....................................................................... 24
4.2.7 How long been in Operation...................................................... 25
4.2.8 Number of Branches................................................................. 26
4.2.9 Customer Base............................................................................ 26
4.2.10 Market Segment....................................................................... 27
4.3 Ethical Decisions by Banks in Managing Client Information Privacy........ 27
4.3.1 Extent Employees Understand the Mission of Organization........... 27
4.3.2 How Client Information is Stored................................................... 28
4.3.3 Purpose of Collection of Client Information.............................. 28
4.3.4 Client Information Used for what it was not Intended.............. 29
4.3.5 Erosion of Privacy Rights Attributed to Computer Ethics.............. 30
4.3.6 Have Computer Ethic to Guide on Handling of Records............... 30
4.3.7 Made Attempts to Protect Client Personnal data...................... 31
4.3.8 Measures Taken to Protect Client Information Privacy.............. 32
4.4 Impact of Client Information Management on Bank and Client Relationship 33
4.4.1 Asked to Give Personal Information............................................. 33
4.4.2 Cared to Know the Necessity of the Information....................... 33
vi
4.4.3 Record Treated as Confidential..................................................... 34
4.4.4 Banks Handle Personal Information with Confidentiality ......... 34
4.4.5 Information about Self Resembling Information Given to Bank 35
4.4.6 Felt Right to Privacy was Breached............................................... 36
CHAPTER FIVE: DISCUSION, CONCLUSION & RECOMMENDATION 38
5.1 Introduction.................................................................................................... 38
5.2 Summary......................................................................................................... 38
5.3 Discusion.......................................................................................................... 38
5.4 Conclusion ....................................................................................................... 40
5.5 Recommendations........................................................................................... 41
5.6 Suggestions for Future Research.............................................................. 41
5.7 Limitations of the Study............................................................................... 41
REFERENCES………………………………………………….............. 43
APPENDICES…………………………………………………….............. 46
Appendix 1: Letter of Introduction………………………………………….. 46
Appendix 2: Questionnaire………………………………………………….. 47
2.1 Questionnaire for Bank Employees.............................................. 47
2.2 Questionnaire for Bank Clients................................................ 50
Appendix 3: List of commercial banks in Kenya……………….................. 52
vii
viii
ABSTRACT
The aim of the study was to investigate the client information privacy management by
commercial banks in Kenya. The objectives of the study were to establish the ethical decisions
made by the management of the commercial banks in Kenya in management of client
information privacy and to determine the impact on the relationship of the banks and the client
with regard to how the banks managed the client’s information privacy. To achieve these, the
study adopted a descriptive survey in which all the commercial banks were studied. Data was
collected by use of questionnaires which were in two categories, one for bank employees
(management) and another for the bank customers. Data analysis was done using descriptive
statistics such as percentages and frequency distributions.
The study established that client information was stored in data bases, files and backups. The
information was mainly collected for records purposes. The study established that client
information was sometimes used for what it was not intended. It was evident respondent banks
had computer ethics to guide in handling of records and banks had made attempts to protect
client personal data through monitoring use of email by employees, educating the users on the
need to observe organizational ethics, making sure that users performed their duties diligently
and professionally, and ensuring that users maintained competency in their fields. Despite
assuring customers of confidentiality, the customer privacy was still breached. The study
established that these did not affect their relationship with the bank.
The study therefore concluded that the bank employees behaved immorally after making
immoral judgement and chose to breach client right to privacy and behaving unethically using
computer technology to mismanage the client information and using it for what it was not
intended for without the consent of the client. The study recommends that organizations develop
strong computer ethics which will instil ethical behaviour among the employees. The study
further recommends that only those who directly depend on the information to carry out their
duties be given access to the client information. Otherwise any person who does not need the
information be barred from accessing such information.
CHAPTER ONE
INTRODUCTION
1.1 Background of the Study
The advent of information age has increased the importance of data protection to a great deal
where the governments and international organizations around the world have been forced to
adopt privacy legislations (Holvast, Madsen and Roth, 2001). In South Africa for instance the
government mandated the law commission to introduce privacy and data protections Act which
would lead to investigation of privacy and data protection (Mokgoro 2000). The risk to privacy
infringement has been necessitated by the world economic systems’ transformation from a
dominantly mass- production model to a mass customization model which has been seen to be
creating an enormous demand for detailed data on consumer behaviour. If goods and services are
to be customized it appears to be necessary for organization to have access to detailed consumer
information. Increasing fragmentation of mass audiences has also created a demand on data
about the actual and potential users of specialized media channels (Aggre and Rotenberg 1998).
Many people today perceive there is a threat to their individual privacy owing to the increased
power of information processing technology used to collect a great deal of information about
them. Whether this information is accurate, relevant, complete or incomplete, it is stored,
analysed, interpreted, compared and exchanged at high speed, and often the individual has no
knowledge or control over the information. While an organization may claim that they offer tight
security and confidentiality controls over the data, these measures are often instituted mainly for
the benefit of the organization and may provide little protection to the individual who is subject
to the data (Collier, 1995:41). The advent of internet, technology has enabled governments and
commercial entities to collect, use and disclose vast amounts of personal information with or
without the consent of people. This has made consumers become increasingly concerned about
the degree to which retailers, manufacturers and marketers monitor their every action (Graeff and
Harmon, 2002). The information is used for commercial gain by many organizations, for
instance direct and targeted marketing, cross-selling of information and e-mail spam.
1
The primary source of consumer concern revolves around personal, or individual-specific, data.
Individual-specific information includes data such as names, addresses, demographic
characteristics, lifestyle interests, shopping preferences, and purchase histories of identifiable
individuals (Nowak and Phelps 1995). Many people have found themselves asking questions like
where did you get that information about me, or my business? How did you come to know about
me? How come you know me so well yet we have never met? The private information that is
nowadays stored in electronic files, can be sold to advertisers, placed on the Internet for public
viewing, hacked into by malicious hackers or even browsed by curious employees (Graeff and
Harmon, 2002). The latter is particularly hard to prevent, since traditional access control is of
little use where people are supposed to have access to private information about others to do their
work, but should not be allowed access to the same information when motivated by curiosity.
Technology has enabled firms to explore vastly improved and exciting new applications such as
data warehousing, data mining, target marketing, and self-service. Service firms have
increasingly moved towards one-to-one marketing and service delivery to millions of customers
on the internet, enabling them to deliver cost-effective customized service delivery processes and
loyalty programs (Graeff and Harmon, 2002). However, shifting marketing and customer service
to the internet also poses great challenges including the emergence of serious privacy concerns
and resulting negative consumer responses. This threat to consumer privacy posed by the internet
requires urgent attention as it may undermine a firm’s marketing performance in the long run
(Gauzente and Ranchhod, 2001).
1.2 Commercial Banks in Kenya
A bank can be defined as a company, which carries on, or purposes to carry on banking business
(Kenyan Banking Act, Cap 488). A bank is thus an institution that deals largely with money. It
collects deposits from savers and pays interest to the depositors and on the other hand uses the
savers deposits to grant loans to borrowers who in turn pay interest and fees. Banking in Kenya
started with British colonialist and few Indian traders towards the end of the 1900 Century.
According to Wagacha and Ngugi (1999), the first bank to start in Kenya was the National Bank
of India now called the Kenya Commercial Bank in 1896, followed by the standard bank in
1910. The banking sector has been changing steadily since 1960’s in a number of areas such as
2
asset base, target customers, marketing strategies, competitive strategies, information technology
and their role in the economy. Up to the 1980’s, regulation in the financial services was mainly
of restriction on both the range of products that a bank could offer and the nature and volume of
contracts in the geographical area in which the services could be offered. The banking sector was
liberalized in 1995.
Liberalization of banking in Kenya in 1995 brought about most of the changes, which have
impacted on the banking business both positively and negatively. One major positive change is
the lifting of foreign exchange control. The most biting change is the increased intensity of
competition (Oloo, 2007). As a result, organizations are made to change their ways of doing
business so often and almost constantly in some environments. According to the Central Bank of
Kenya (2009), there were 46 commercial Banks in Kenya as at 31st December 2009. According
to the 2007 banking survey, three players, Barclays Bank, Standard Chartered and Kenya
Commercial Bank have maintained their dominance in the Kenya’s banking sector, controlling
between 40% and 50% of the sector throughout the past ten years. But other players are coming
up and staking their claim to the cake, most notably among them are CFC Bank whose market
share has grown from 1.68% in 1997 to 5.28% in 2006 in terms of total asset. Others that have
realized significant market growth include CBA (2.83% to 4.9%), I&M Bank (1.59% to 2.92%).
Corporative Bank, Citibank, NIC Bank, Stanbic Bank, bank of Baroda, Prime Bank and Imperial
Bank among others have all grown their market share. Worth noting also is Equity Bank which
entered the market as a commercial bank in 2004 with a market share of 1.17% but now claims
to 2.63% as at the end of 2006 (Oloo, 2007).
1.3 Statement of the problem
The concept of information privacy has shifted in the space of general from civil and political
rights to a consumer rights issue underpinned by data protection (Aggre & Rotenberg, 1998).
The ease of access to a person’s file has brought up major disadvantage of the large databases
and data banking abilities a threat to the right to privacy. There is evidence to suggest that
consumer’s world-wide recognize a problem of lack of information privacy and control over
personal information, once such information has been divulged to various organizations. For a
certain price, anyone today can obtain intimate details about any individual’s life. A 1990 Harris
3
Poll, commissioned by Equifax, a major credit bureau, found that 79 per cent of those surveyed
were concerned about threats to their personal privacy. Of the individuals surveyed, one-half felt
that technology had got out of control, and two-thirds said that the government could not be
trusted (Aggre and Rotenberg, 1998).
The concern for privacy is not a recent issue. The initial legal opinion on the right to privacy
dates back to the nineteenth century (Warren and Brandeis 1890). Today’s technology provides
multiple opportunities for extensive data gathering and invasion of privacy. Many retail stores
have introduced loyalty schemes and store cards, collecting timely information about consumers’
choice and preferences. Basic database portrait of an individual’s purchase behaviour are today
kept by business organizations for marketing purposes. Advanced software applications such as
“cookies” or web-surfing programs allow the collection of data even without the knowledge of
the customer. The privacy concerns are also exacerbated by the unethical behaviour of some
firms who sell their marketing databases to third parties without asking for the consent of the
client and without caring about the law on client’s information privacy (Graeff and Harmon,
2002). Information that was perceived to have been given to the commercial banks with a
promise to treat it with confidentiality has been found with the credit companies. According to
the laws of Kenya, Banking Act, Cap 488, section 31(2) states that no person shall disclose or
publish any information which comes into his possession as a result of the performance of his
duties or responsibilities. Despite this law, client personal information has continued to be leaked
out by commercial banks. This has always left their clients wondering, what happened to the
information they divulged to the bank.
Most international studies indicate that information privacy is an important concern to many
customers. The findings of a study by Nowak, Phelps (1992) indicate that privacy is important
and is affected by type of practice and information. Other studies have focused on privacy in an
online environment. For instance study by Udo (2001) indicate that privacy and security
concerns are the number one reason that web users are not purchasing over the web. Harris
(2001) also conducted a series of three surveys on consumer privacy attitudes and behaviours.
Their findings are relatively consistent across all the three surveys, indicating that consumers are
willing to provide both online and offline organizations with basic information but are more
4
protective of personal information and less comfortable sharing information. A local empirical
study shows that there are limited studies that have been carried out in Kenya. Onduso (2001)
did a study on the ethical issues in the use of information technology among commercial banks
in Kenya. While the above research outcomes provide valuable insights on information privacy,
they only provide partial insight on client information privacy. These studies failed to highlight
client information privacy management. A knowledge gap therefore existed on how financial
institutions manage client information with privacy and confidentiality as ethics require. It was
this knowledge gap that the study sought to bridge by answering the following research
questions:
1. What are the ethical decisions made by commercial banks in Kenya in managing client
information privacy?
2. Have the decisions made by the bank management with regard the client information
privacy affected the relationship of the bank with its clients?
1.4 Research Objectives
The main objective of the study was to investigate the ethical decision making in managing
client information privacy by commercial banks in Kenya. The specific objectives of the study
were to:
1. Establish the ethical decisions made by the management of the commercial banks in
Kenya in management of client information privacy.
2. Determine the impact on the relationship of the banks and the client with regard to how
the banks managed the clients information privacy
1.5 Significance of the study
It is anticipated that the study will be of benefit to the following group of people;
Government – The government will benefit from the study in that it will facilitate the
formulation of laws that will protect the rights of its citizens.
Policy makers - The study will be of benefit to the policy makers on the need to make laws
aimed at protecting the privacy of the public who give their personal information in confidence.
5
Academicians – The study will contribute to the existing body of knowledge in the area of
management of personal information by commercial banks. It will also inspire future researchers
to carry out further research in the same or related field.
Banking Industry- The study will help the bankers to develop right attitude in understanding
and implementing the ethical decision making and privacy policies that will enhance client- bank
relationship and confidence in the bankers.
6
CHAPTER TWO
LITERATURE REVIEW
2.1 Introduction
In this chapter, literature related to the area of study is reviewed under the following sub-
headings; concept of privacy, ethical decision making and privacy, ethical behaviour in an
organization, computer ethics and theoretical framework.
2.2 The Concept of Privacy
Privacy has been defined in many ways over the last century (DeCew, 1997). Warren and
Brandeis following Judge Thomas Cooley called it “the right to be let alone” (Cooley, 1880).
Freund (1971) has defined privacy in terms of an extension of personality or personhood. Alan
Westin and others cited in Gavison (1983) have described privacy in terms of information
control. Eisenstadt v. Baird (1972) insisted that privacy consists of a form of autonomy over
personal matters. Parent (1983, p. 269) argued that “privacy is the condition of not having
undocumented personal knowledge about one possessed by others” while Inness (1992, p. 140)
defined privacy as “the state of possessing control over a realm of intimate decisions, which
include decisions about intimate access, intimate information, and intimate actions.”
More recently, DeCew (1997, p. 62) has proposed that the “realm of the private to be whatever is
not, according to a reasonable person in normal circumstances, the legitimate concern of others”.
This brief summary indicates the variety and breadth of the definitions that have been offered.
Different conceptions of privacy typically fall into one of six categories or combinations of the
six. Following Solove’s (2002) analysis, “1) the right to be let alone; 2) limited access to the self;
3) secrecy; 4) control of personal information; 5) personhood; 6) intimacy”; and 7) privacy as a
cluster concept.
2.2.1 The right to be let alone
In 1890 Warren and Brandeis argued that, “recent inventions and business methods call attention
for the protection of the person, and for securing to the individual the right to be let alone”
(Warren and Brandeis, 1890, p. 194). They note how technology, media interests, and big
business have “invaded the sacred precincts of private and domestic life” and ensured that “what
7
is whispered in the closet shall be proclaimed from the house-tops” (Warren and Brandeis, 1890,
p. 195). While acknowledged as starting the modern debate, the conception of privacy proposed
by Warren and Brandeis has been widely criticized as too vague (Solove, 2002). For example, on
this definition any offensive or hurtful conduct would violate a “right to be let alone” yet we may
not want to conclude that such conduct is a violation of privacy.
2.2.2 Limited access to the self
Privacy defined as “limited access to the self” has been defended by numerous authors including
Bok (1983), Allen (1988), and Gavison (1980). Bok writes, “privacy is the condition of being
protected from unwanted access by others, either physical access, personal information, or
attention” (Bok, 1983, p. 10). The worry here is that if no protection is available, it would be odd
to conclude that privacy interests were not relevant. Gaviston offers a different account of
limited access. On her view limited access consists of “secrecy, anonymity, and solitude”
(Gavison, 1980, p. 433). Solove (2002, p. 1105) notes that although Gaviston contends that ‘the
collection, storage, and computerization of information’ falls within her conception, these
activities often do not reveal secrets, destroy anonymity, or thwart solitude.” If so, such
conceptions of privacy would be too narrow.
2.2.3 Privacy as secrecy
Judge Richard Posner (1998) has defined privacy as the “right to conceal discreditable facts
about oneself” a right to secrecy. Solove, (2002) seems to concur writing that the realm in which
an actor can legitimately act without disclosure and accountability to others. DeCew and others
have criticized this conception of privacy noting “secret information is often not private (for
example, secret military plans) and private matters are not always secret (for example, one’s
debts)” (DeCew, 1997, p. 48). Moreover it seems that privacy-as-secrecy accounts cannot
accommodate what has come to be called “decisional privacy” for example, the right between
consenting adults to use contraceptive devices in private places.
2.2.4 Control of personal information
Control over personal information has also been offered as a definition of privacy.
8
According to Alan Westin (1968) privacy is the claim of individuals, groups, or institutions to
determine for themselves when, how, and to what extent information about them is
communicated to others (Westin, 1968). Fried cited in Solove (2002) claims that privacy is not
simply an absence of information about us in the minds of others; rather it is the control we have
over information about ourselves. Critics have attacked this conception on grounds that it, like
the secrecy view, cannot account for “decisional privacy.” It also fails to acknowledge a physical
aspect to privacy – control over access to locations and bodies (Schoeman, 1984; O’Brien, 1979;
Inness, 1992; Parent, 1983; Thomson, 1975; Solove, 2002). Moreover, expanding the definition
to include control over bodies and locations leads to the following worry offered by DeCew. If a police officer pushes one out of the way of an ambulance, one has lost control of what is done to one, but we would not say that privacy has been invaded. Not just any touching is a privacy intrusion (DeCew, 1997, p. 53).
2.2.5 Personality
Benn (1971) defended a personality-based conception of privacy. According to this view privacy
protects personhood and autonomous action. Benn (1971) writes: Respect for someone as a person, as a chooser, implies respect for him as one engaged on a kind of self-creative enterprise, which could be disrupted, distorted, or frustrated even by so limited an intrusion as watching (Benn, 1971, p. 26).
Critics of this view have countered noting that, rather than defining privacy, personality-based
conceptions of privacy simply indicate why privacy is important or valuable – privacy protects
personal development and autonomous choice (Solove, 2002).
2.2.6 Privacy as intimacy
Several authors have defended the view that privacy is a form of intimacy (Fried, 1968; Gerety,
1977). According to Rosen (2000) the intimate relationships on which true knowledge of another person
depends need space as well as time: sanctuaries from the gaze of the crowd in which slow mutual self-disclosure are
possible. Privacy is the state of the agent having control over decisions concerning matters that
draw their meaning and value from the agent’s love, caring, or liking. These decisions cover
choices on the agent’s part about access to herself, the dissemination of information about
herself, and her actions (Inness, 1992, p. 91). In critique Solove (2002), citing DeCew and
Farber, notes that financial information may be private but not intimate. Moreover, it is possible
to have private relationships without intimacy and to perform private acts that are not intimate.
9
2.2.7 Privacy as a cluster concept
Finally, many view privacy as a cluster concept that contains several of the dimensions noted
above. DeCew (1997) has proposed that privacy is a concept ranging over information, access,
and expressions. Moore (2003) has defended a “control over access” view arguing that privacy is
a culturally and species relative right to a level of control over access to bodies, locations, and
information. Solove (2002) has offered a contextualized dependent approach for defining privacy
– for example, in the context of information we may focus on certain dimensions of privacy that
will not be as important in different contexts like spatial control. Following on from those fixed
and incomplete concepts of privacy, some theories of privacy protection are developed. The four
main theories – non-intrusion theory, seclusion theory, control theory and limitation theory –
define privacy risks narrowly, and try to diminish the damage from them. However, it is not
possible to control all risks in today’s information society and no form of protection can cover all
kinds of risks (Tavani, 1999). The major flaw in the current definition of privacy is that it
assumes that people are vulnerable without considering the situational context, and as a result
privacy risks are always deemed to be dangerous.
Any study of the nature of privacy, privacy risks and privacy protection using the adversarial
paradigm has to cope with new instances of privacy infringement. As Moor (1997) puts it, the
privacy concept has been developed chronologically. In the current computer age, privacy has
become very “informationally enriched”. There is a need for an updated approach to studying
privacy. Moor identifies the problems and considers firstly “nature privacy and normative
privacy” which challenges the assumption that people are vulnerable and provides a useful
distinction between privacy right and privacy condition, and between a loss of privacy and an
invasion of privacy. Second, he offers an alternative solution for privacy protection -
control/restricted access theory. In this centrist position “different people may be given different
levels of access for different kinds of information at different times” (Moor, 1997).
2.3 Ethical Decision Making and Privacy
Privacy is a current ethical issue when discussing computer ethics and it is necessary to take into
account when using computer technology. The history of privacy stretches far back and the
approach to privacy has changed throughout the times. Because of modern technology used
10
today, computers have raised new privacy problems, due to communication and storage of
personal information. Clarke (1999a) provides a well-referenced definition of information
privacy as being a combination of personal communication privacy and personal data privacy.
His formal definition of information privacy is: “. . . the interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves” (Clarke, 1999a).
The Common Criteria (2004) provides a more formal requirement based definition for providing
‘user protection against discovery and misuse of identity by other users’. It is clear from the
definition that it is information systems requirements focused, with emphasis on identity
protection. Identity protection is a major component of information privacy but by no means
represents the complete embodiment of its full meaning. Each organization creates its own
culture. The organizational culture is based on an overall subjective employee’s perception of the
organization through key characteristics that the organization values (Schein, 1990; O’Reilly et
al., 1991). These characteristics are individual initiative, risk tolerance, direction, integration,
management support, control, identity, reward system, conflict tolerance, and communication
patterns (Robbins, 1989). A review of current literature identifies significant contributions that
have been made to the understanding of organizational culture per se (Schein, 1990; O’Reilly et
al., 1991).
Elements of an organizational culture are symbols and slogans, stories, rites and ceremonies,
values, norms and beliefs (Petrovic-Lazarevic, 2000). Since the organizational ethics relate to
guiding beliefs, standards, or ideals about whether certain acts are good or bad in the business of
an organization, they are also dependent on organizational culture. All employees, however, do
not necessarily agree upon organizational ethics. Moreover, if organizational ethics involve value
judgements, they can have a legal form. For businesses that make use of computers and the
Internet, the ethics reflect the ethical values of managers, information specialists, and users. That
is, they reflect the ethical values of top managers, which in this case would include the chief
executive officer (CEO) and chief information officer (CIO). In other words, top managers
impose an ethical culture by establishing an ethics credo and ethics program and by tailoring
codes of ethics to their own companies. They are responsible for the organizational culture. This
applies particularly to the CIO, who, being in charge of IT applications in the organization,
11
contributes to creating corporate core values. It is these ethics that will guide the users. With the
increased rate of loss of privacy one is left to wonder whether there exist any ethics in
organizations as unethical practices have led to fast eroding right of privacy of client information
which is largely attributed to the advancement in technology.
2.4 Ethical Behaviour in an Organization
Unethical behaviours include all actions that result in unfairness to others, whether those
behaviours are legal or not. Concern is increasing today for ethics in organizational operations.
Much of this concern stems from disclosures of unethical actions that led to savings and loan,
banking, insurance, real estate, and other failures. The line between ethical and unethical actions
is far from being distinct. In today’s complex business world, persons who wish to be ethical
may not know exactly what actions will have ethical results and what actions will not. A highly
competitive situation prevents most organizations from being conservative in defining ethical
behaviour. If one company’s definition of ethical behaviour is more conservative than a
competitor’s definition, the company with the more conservative definition soon may be forced
out of business (Wells and Spinks 1996).
To a very large extent, values decide what is and is not ethical. Since all persons do not hold the
same values, honest beliefs about ethical behaviour may be different from one person to another.
Communication provides the greatest opportunities for potential unethical behaviours. All
unethical activities do not revolve around communication, but many do. Organizational
communication must be ethical if high morale and productivity among employees are to be
achieved. Communication with other organizations must be ethical if good business relationships
are to develop for the benefit of all (Wells and Spinks 1996). Communication with customers
and clients must be ethical if businesses are to develop bodies of satisfied customers and clients
that will make long-term profits possible. Communication with the community must be ethical if
the organization is to receive the community support and goodwill essential for its survival and
to avoid expensive and reputation-damaging legal entanglements (Wells and Spinks 1996).
12
2.5 Computer Ethics
Identifying factors that contribute to unethical behaviour and developing methods of controlling
inappropriate behaviour in an organization is an area of increasing interest to both academicians
and practitioners (Rodgerson et al., 2000). Although there have been several highly publicized
recent cases of scandals, the fundamental area within business organizations that is currently
experiencing a number of ethical problems and conflicts is the area of computer technology
(Rodgerson et al., (2000). As the adoption of computer technology has increased, the repeated
incidence of unethical use of computers has also rapidly increased (Conger and Loch, 1995). The
immense amount of information available to computer users has created enormous opportunities
for the misuse of computers by members of business organizations. In addition the proliferation
of computer use by employees in all functional areas has resulted in a variety of ethical problems
for society and organizations that are unique to the use of computer technology. Issues such as
software piracy, virus development and illegal systems access that were once viewed as an
annoyance are now considered major problems for organizations (Gattiker and Kelly, 1999).
Today there is a public concern about the invasion of privacy by computer technology and
misuse of data files is at an all time high (Pierce and Henry, 2000). The computer technology
used for generating electronic information has ethical implications as do the functions of
originating, processing, storing, distributing and using the data and information. Moreover, each
function carries responsibilities for those who perform and manage them.
2.5.1 Definition of Computer Ethics
Computer ethics is an area within applied ethics, where questions related to computers raise new
types of moral dilemmas, to which it is necessary to apply the best moral judgements (Edgar
2000). The society has historically evolved from an agricultural society through an industrial, to
the present day information society where computers have changed the way people live and
make decisions. This type of society has opened doors for new ethical questions never faced by
humans before, and these questions increase in number along with the development of the
technology. Whether computer ethics is an independent field of applied ethics or if it can be
included in an already existing field, has been argued by traditional ethicists and advocates of the
uniqueness thesis (Tavani 2002). Traditional ethicists do not think that there is anything unique
about the moral problems, for example privacy, free speech, intellectual property etc, which are
13
considered by computer ethicists. These new moral problems, which are associated with
computing, can according to the traditional ethicists be analyzed by using the traditional ethical
theories and categories of morality.
According to Moore (2001) the introduction of computers and the use of information technology
has created “conceptual muddles” and a need for new policies because of the existing “policy
vacuums”, meaning that there is no fixed set of rules and there are no policies for conduct in
certain new situations. The central task of computer ethics is to fill the policy vacuums by
formulating guidelines, which are supposed to lead the actions. Moore (2001) defines computer
ethics as “the analysis of the nature and social impact of computer technology and the
corresponding formulation and justification of policies for the ethical use of such technology”.
He also states in his paper that computer ethics has no fixed set of ethical rules, instead it
considers the relationships between facts, policies and values in a constantly changing computer
technology.
In another paper written by Moore, “Reason Relativity and Responsibility in Computer Ethics”,
the term “logically malleable” is used about computers, which means that computers can be used
in many logically different activities (Moore 2003). Another term used is “informational
enrichment”, meaning that computerized settings and activities are constantly developing and
becoming informationalized. The fact that computers are logically malleable and that
computerized situations become informationally enriched, means that they will generate many
new policy vacuums and conceptual muddles or confusions in the future. This also means that
the development of computer ethics will never be brought to an end; instead computer ethics is
an ongoing process.
Moore discusses how computer ethics should comprise both reason and relativity, since he
considers that none of the two popular views called “Routine Ethics” and “Cultural Relativism”
is adequate for computer ethics (Moore 2003). The view called “Routine Ethics” means that
computer ethics is considered as any other ethical area, with no dissimilarities, while in “Culture
Relativism” the laws and customs decide what is right and wrong within the field of computer
ethics. According to Moore both these propositions are incorrect, because computer ethics needs
14
a discussion and should not be dismissed only by categorizing it into one of these two views
(Moore 2003). Instead, computer ethics consists of two parts; the first one is the analysis of
situations where computer technology has an impact. The analysis helps to obtain a clear
conception of the situation in which policies have to be formulated. The second part of computer
ethics is, according to Moore, the policy-making for using computer technology ethically. The
policy-making means that it is necessary to interpret the situation, and to be followed by an
evaluation of the policy depending on the society’s values system.
2.5.2 Computer Ethics and Technology
Computer ethics is the analysis of the nature and social impact of computer technology and the
corresponding formulation and justification of policies for the ethical use of such technology. A
typical problem in computer ethics arises because there is a policy vacuum about how computer
technology should be used. Ethical issues within computer ethics can, according to Johnson
(2000), be divided into three groups: The first group concerns the ethical issues according to the
type of technology (whether hardware or software or internet) referred to. There has been a large
increase of computers and databases, which are used for recordkeeping and the creation,
maintenance and manipulation of great amounts of personal information. The development of
computer software has raised ethical issues, regarding property rights and the accountability and
reliability of programs. Each development in the history of computers, for instance the Internet,
has raised new moral concerns.
The second group consists of the ethical issues according to the sector (whether marketing or
medical, etc) in which they occur. When discussing privacy in general it is for example
important not to forget about the different connections, which are protected by privacy, for
example the privacy protection of medical records (Johnson 2000). The third and last group
concerns the ethical issues, according to ethical concepts or theories, where the different ethical
issues can be seen from different philosophical points of view, such as privacy, virtue, duty etc.
Although there are several alignments in ethics, for example utilitarianism1, social contract
1 These theories concentrate on the moral nature and value of the actions performed by the agent. They are ‘relational’ and action-oriented theories, intrinsically social in nature.
15
theory and deontological theory2, these theories have a common goal and that is to prevent harm
and enhance the dignity, happiness, and well-being of man. With the help of ethical principles
people can achieve this goal for themselves and for other people in different situations (Johnson
2003).
To be able to understand the connection between computer technology and ethics, it is essential
to recognize the connection between the technology and a human being (Johnson 2003). It
should be pointed out that technology does not yet do anything independently of a human being,
but there are situations when the control of a human being is weakened when it comes to
technology. Especially in those situations it is important to remember the responsibility human
beings have for technology, when developing new products. It is essential to keep all the
different aspects of a product in mind, especially those affecting the well-being of other people,
like safety, reliability, privacy etc.
Information System Audit and Control Association (ISACA) have set forth a code of
professional ethics to guide the professional and personal conduct of members of the association
and/or its certification holders. Members and ISACA certification shall:
a) Support the implementation of, and encourage compliance with, appropriate standards,
procedures and controls for information systems.
b) Perform their duties with objectivity, due diligence and professional care, in accordance
with professional standards and best practices.
c) Serve in the interest of stakeholders in a lawful and honest manner, while maintaining
high standards of conduct and character, and not engage in acts discreditable to the
profession
d) Maintain a privacy confidentiality of information obtained in the course of their duties
unless disclosure is required by legal authority. Such information shall not be used for
personal benefit or released to inappropriate parties.
2 These anchor on stability of the moral value of human actions through the assessment of their consequences in terms of global and personal welfare and the individual’s sense of duty.
16
e) Maintain competency in their respective fields and agree to undertake only those
activities, which they can reasonably expect to complete with professional competence
f) Inform appropriate parties of the results of work performed; revealing all significant facts
known to them.
g) Support the professional education of stakeholders in enhancing their understanding of
information systems security and control.
2.6 Theoretical Framework
The study adopts the theory of planned behaviour (TPB) and the four-component model of
ethical decision-making by Rest et al (1986) which are being predominant and continuing to be
applied to ethical decision-making in an information technology context (Leonard et al., 2004;
Peace et al., 2003). Rest et al.’s (1986) four-component model of ethical decision-making is
based on Kohlberg’s (1969) model of cognitive moral development which states that moral
reasoning is the basis for ethical behaviour which he described in six stages. It proposes that
individuals must first recognize a moral issue before making a moral judgment, then establish
moral intent (choosing what to do), and finally engage in moral behaviour. The theory of planned
behaviour is an extension of the theory of reasoned action (Ajzen and Fishbein, 1980; Fishbein
and Ajzen, 1975) made necessary by the original model’s limitations in dealing with behaviours
over which people have incomplete volitional control. As in the original theory of reasoned
action, a central factor in the theory of planned behaviour is the individual’s intention to perform
a given behaviour. Intentions are assumed to capture the motivational factors that influence a
behaviour; they are indications of how hard people are willing to try, of how much of an effort
they are planning to exert, in order to perform the behaviour. As a general rule, the stronger the
intention to engage in behaviour, the more likely should be its performance.
The four-component model and the TPB are similar in many ways. The TPB proposes that an
individual’s intention to behave is predicted by their attitude toward the behaviour, their
perception of social norms, and their perceived ability to actually engage in the behaviour
(Ajzen, 1991). Ethics studies that apply the TPB define attitude toward behaviour almost
identically to the four-component model’s definition of moral judgment, and is generally
17
formulated in the same way as whether the questionable behaviour is acceptable/unacceptable
(Leonard et al., 2004) or ethical/unethical (Loch and Conger, 1996).
Figure 1: Four-Component Model of Ethical Decision Making
Source: Rest et al., (1986)
Make moral judgment Establish moral intent Recognize moral issue Engage in moral behaviour
The study will apply the theoretical framework in determining the attitude and the perception to
social norms with regards to clients’ privacy information management. The study will apply the
theory to determine the respondents’ intention to infringe on the clients’ privacy.
18
CHAPTER THREE
RESEARCH METHODOLOGY
3.1 Research design
This was a descriptive survey aimed at surveying the ethical decisions made by commercial
banks in Kenya in managing client information privacy. According to Cooper (1996), a
descriptive study is concerned with finding out who, what, where and how of a phenomenon
which is the concern of this study.
3.2 The Population
The population of interest in this study was all the commercial banks in Nairobi. According to
the Central Bank of Kenya report as at 31st December 2009, there were 46 commercial banks in
Kenya (see appendix 3).
3.3 Sample and Sampling Procedure
Because of the small size of the number of commercial banks, the study carried out a census
study on 45 commercial banks in Kenya excluding charterhouse bank which is under statutory
management by Central Bank of Kenya. The branches in Nairobi were targeted for the study.
The researcher then used purposive sampling to select one senior manager from either
marketing/records or equivalent department from each of the sampled banks. The researcher also
used purposive sampling to select 45 bank customers at least one from each of the banks.
Purposive sampling was suitable as the researcher only studied those elements that had a bank
account with the bank.
3.4 Data collection
Primary data was collected using questionnaires which were both closed and open ended (see
appendix 2). The questionnaires were dropped at the respective banks headquarters in Nairobi
and collected later. The questionnaires were divided into two sections. Section one consisted of
questions on general information. Section two will have questions on ethical issues with regard
to management of clients’ personal records. The questionnaires used likert scales, on the scales
of 1-5.
19
3.5 Data analysis
Descriptive statistics was used to analyze the data. Data on section one was analyzed using
frequencies and percentages. Section two was analyzed using frequencies and percentages, mean
scores and standard deviation Output of the data analysis where applicable was presented in
tables, figures and graphs.
20
CHAPTER FOUR
DATA ANALYSIS AND PRESENTATION OF FINDINGS
4.1 Introduction
In this chapter data pertaining to the ethical decisions made by the management of the
commercial banks in Kenya in the management of client information privacy and the impact on
the relationship of the banks and the client with regard to how the banks managed the clients’
information privacy is analyzed and interpreted.
A total of 90 respondents comprising of 45 senior managers each from the 45 banks in Kenya
and 45 bank customers, one from each of the banks were sampled. Every respondent was given a
questionnaire out of which 70 respondents responded by completing and returning the
questionnaire. All the 45 bank customers completed and returned their questionnaires. This gave
a response rate of 78%. The collected data was edited and coded. Data analysis of the responses
was done using frequency, percentages, mean score and standard deviation. Where applicable,
presentations were done in form of pie charts, bar graphs and tables.
4.2 Respondents General Information
The study sought to establish the names of banks studied, names of respondents (optional) the
position of respondents in the bank, the ownership of the bank, the length of time the bank has
been in operation in Kenya, the number of branches, the customer base, the market segment the
bank served, the gender of the respondents, age, the length of time the respondent has been the
bank’s customer and where the respondents had credit/debit cards. The results of the study are
presented in the sections below:
4.2.1 Gender
Respondents were asked to indicate their genders. According to the study as presented in Figure
4.1, 45 percent of the bank customer respondents were male while 55 percent were female. This
was due to the fact that during data collection there were more women found in the banking halls
than the male. This may be an indication that probably there are more women seeking banking
services than men.
21
Figure 4.1: Distr0ibution of Respondents by Gender
Source: Research Data (2010)
4.2.2 Age Bracket
The study sought to establish the ages of the respondents. According to Table 4.1, 17 (38%) bank
customer respondents were in the age bracket of 36 to 40 years while 10 (21%) were over 40
years old. The results show that 8 (18%) were aged between 25 and 30 years. This implies that
though ages 36 to 40 are the majority distribution of respondents in terms age, the distribution is
even.
Table 4.1: Distribution of Respondents by Age.
Frequency Percent
Below 25 years 3 7
25 – 30 years 8 18
31 – 35 years 7 16
36 – 40 years 17 38
Over 40 years 10 21
Total 45 100
Source: Research Data (2010)
4.2.3 Period with Bank as Account Holder
Respondents were asked to state how long they have had account with the respondent bank.
According to the results of the study presented in Figure 4.2 most of the respondents (42%)
indicated that they had had accounts with the banks for less than five years. The study results
22
further show that 24 percent of the respondents have had accounts with the banks for between 5
and 10 years. This may be attributed to the fact that the last 5 years up to the post election
violence period, there has been an economic boom which has seen many households and
businesses seeking banking services. The boom in the economy, the reforms in the banking
sector which forced the lending rates, and the increasing liquidity of the banks increased the
demand for the banking services.
Figure 4.2: Period with Bank as Account Holder
42%
24%
18%
11%5%
05
1015202530354045
Dist
ribu
tion
of
Res
pond
ents
(%)
Less than 5years
5 - 10 years 11 15 years 16 - 20 years Over 20 years
Source: Research Data (2010)
4.2.4 Have a debit/Credit Card
Rodgerson et al., (2000) states that a number of ethical problems and conflicts are in the area of
technology. To test this, the study sought to establish from the respondents how many have
credit and debit cards being the latest technology in the banking industry. The results of the study
presented in Figure 4.3, majority of the respondents (64%) did not debit or credit cards. 36
percent of the respondents have debit and credit cards.
23
Figure 4.3: Have a debit/Credit Card
No64%
Yes36%
Source: Research Data (2010)
4.2.5 Position
Respondents were asked to indicate their positions in the institutions. According to Table 4.2,
most of the respondents (5, 20%) were managers in charge of credit while the rest were general
managers, marketing managers and operations managers in the same proportions. This means
that the information received was more accurate as those who filled the questionnaires were in
charge of decision making in the institutions.
Table 4.2: Respondents Positions
Frequency Percent
Manager (Credit) 5 20
General Manager 4 16
Marketing Manager 4 16
Operations Manager 4 16
Cashier 3 12
Not indicated 5 20
Total 25 100
Source: Research Data (2010)
4.2.6 Ownership of Banks
Respondents were asked to indicate the ownership of the banks. According to the results of the
study, 48 percent of the respondents indicated that banks were predominantly local while 44
24
percent indicated that the banks were balanced between foreign and local. Only 8 percent of the
respondent according to the study were predominantly foreign
Figure 4.4: Ownership of Banks
Source: Research Data (2010)
4.2.7 Period in Operation
The study sought to establish how long the respondent banks have been in operation. The study
results in figure 4.5 show that most of the respondent banks (36%) have been in operation for
between 31 to 41 years while 25 percent have been in operation for between 10 and 20 years
Figure 4.5: Period in Operation
9%
36%
18%
25%
12%
05
10152025303540
Less than 10Years
Between 10-20Years
Between 21-30Years
Between 31-40Years
Above 40 YearsDis
trib
utio
n of
Res
pond
ents
(%)
Source: Research Data (2010)
25
4.2.8 Number of Branches
Banks with wider coverage are deemed to have collected more client personal information and
the study therefore sought to establish the number of branches the respondent banks had. The
study results in Figure 4.6 show that 32 percent of the respondent banks had more than 20
branches while 20 percent had between 5 and 10 branches.
Figure 4.6: Number of Branches
Source: Research Data (2010)
4.2.9 Customer Base
The study sought to establish the size of the banks in terms of customer base. Respondents were
therefore asked to state the customer base of their organizations. Table 4.3 show that 12 (48%) of
the respondent banks had a customer base of between 50,000 and 100,000 while 7 (28%) had a
customer base of between 10,000 and 50,000.
Table 4.3: Customer Base
Frequency Percent
Less than 10,000 3 12
Between 10,001 and 50,000 7 28
Between 50,001 - 100,000 12 48
More than 100,001 3 12
Total 25 100
Source: Research Data (2010)
26
4.2.10 Market Segment
The study sought to establish the market segment the respondent banks served. Figure 4.7 show
that 96 percent of the respondent banks served both business and individuals.
Figure 4.7: Market Segment
Both business and personal
96%
Business4%
Source: Research Data (2010)
4.3 Ethical Decisions made by Commercial Banks in Kenya in Managing
Client Information Privacy
In this section the study sought to establish the ethical decisions made by the commercial banks
in managing the client information privacy. The results of the study are presented in the
subsequent sections.
4.3.1 Extent Employees Understand the Mission of the Organization Respondents were asked to indicate the extent to which their employees understood the mission
of the organizations. Figure 4.8 show that 55 percent of the respondents indicated that to a large
extent their employees understood the mission of the organizations. 18 percent of the
respondents indicated that to a very large extent the employees understood the mission of the
organization.
27
Figure 4.8: Extent Employees Understand Mission of the Organization
Source: Research Data (2009)
4.3.2 Storage of Client Information
The study sought to establish how the client information was stored. The results indicate that
client information is stored in files which are stored in safe cabinets. Respondents also indicated
that the client private information was stored in data bases and backups.
4.3.3 Purpose of Collection of Client Information
Respondents were asked to indicate the purpose for which client personal information is
collected. The main purpose of collecting the client information was for records purposes
according to 49 percent of the respondents. Records means that the clients personal information
are collected and stored for future use by the bank for instance in case of death or any other need.
According to 21 percent of the respondents, the banking act requires that all the banks have their
client information. The banking act requires that all account holders provide their details
including foreign and local transactions to control money laundering (Nduati, 2006). The study
further established that 34 percent of the respondents indicated that the client information was
collected for the purposes of marketing.
28
Figure 4.9 Purpose of Collection of Client Information
Source: Research Data (2010)
4.3.4 Client Information Used for what it was not intended
The respondents were asked to indicate whether there were occasions when the client
information was used for what it was not intended for. From the results of study presented in
Figure 4.10, 56 percent of the respondents indicated that indeed there were occasions when client
information was used for what it was not intended. The results in the figure show that 44 percent
of the respondents indicated that their institutions have never used client personal information for
what it was not intended. Asked to explain their answer, respondents indicated that the bank
used personal details to contact them when introducing a new product in the market. This
contravenes section 31(2) of the banking act which demands that the consent of the client is first
sought before the information is used. This therefore according to the Act is not allowed hence
amounting to infringment of customer privacy.
Figure 4.10: Client Information Used for what it was not intended
Source: Research Data (2009)
29
4.3.5 Erosion of Privacy Rights Attributed to Computer Ethics
The study sought to establish the extent to which the computer ethics was attributed to the
erosion of privacy rights. According to the study, 37 percent of the respondents indicated that
computer ethics was attributed to the erosion of the privacy rights only to a moderate extent. The
study further established that 24 percent of the respondents indicated that computer ethics was
attributed to erosion of privacy rights to a large extent. (see Figure 4.11)
Figure 4. 11: Erosion of Privacy Rights Attributed to Computer Ethics
Source: Research Data (2009)
4.3.6 Have Computer Ethics to Guide on Handling of Records
Respondents were asked to indicate whether the organization had put in place computer ethics
that guided the users on record handling. The results of the study presented in Figure 4.12 show
that 89 percent of the respondents indicated that indeed their organizations had put in place
computer ethics that guided the user in handling customers’ personal data. Asked to explain their
answers, respondents indicated that every user is given rights to only access information that
he/she requires to perform his or her duties. The study further established that it is in the policy
of most of the respondent banks that no customer private information should be mishandled as
mishandling of client personal information may lead to jail.
30
Figure 4.12: Have Computer Ethics to Guide on Handling of Records
Source: Research Data (2009)
4.3.7 Attempts to Protect Client Personal data
The study sought to establish whether the organizations had made attempts to protect the data
bases containing the client personal data. Figure 4.13 show that 56 percent of the respondents
indicated that the organization had indeed made attempts to protect the data bases while 44
percent of the respondents indicated that their organizations did not make attempts to protect the
data bases containing the customers’ personal data. These findings show that though majority of
the banks adhere to section 31(2) of Banking Act which prohibits disclosure of client’s personal
information furnished to the bank by the client unless the consent in writing of that person has
first been given and have therefore put in place measures to protect client privacy.
Figure 4.13: Made Attempts to Protect Client Personnal data
Source: Research Data (2009)
31
4.3.8 Measures to Protect Client Information Privacy
Respondents were asked to indicate the extent to which they agreed with the information
regarding remedies for unethical computer behaviours with regard to client information privacy
on a five point likert scale of to no extent, small extent, moderate extent, large extent and to very
large extent. The mean score 0.1 to 1.0 was taken to represent agree to no extent while the score
1.1 to 2.0 was taken to represent agree to small extent. The score 2.1 to 3.0 was taken to
represent agree to moderate extent while score 3.1 to 4.0 was taken to represent agree to large
extent. The mean score 4.1 to 5.0 was taken to represent agree to very large extent. The results
are presented in Table 4.4.
Table 4.4: Measures to Protect Client Information Privacy
N Mean Std. Error Std. Deviation Monitoring use of emails by employees 45 3.18 0.17 1.13 Looking at laws on computer ethics and enforcing them 45 2.27 0.15 1.03 Educating the users on the need to observing organizational ethics 45 3.56 0.17 1.14 Users perform their duties diligently and professionally 45 4.11 0.11 0.75 The users serve in the interest of stakeholders in lawful and honest manner 45 2.98 0.15 0.99 Ensure that users maintain competency in their fields 45 3.73 0.15 0.99
Source: Research Data (2009)
The study results show that most of the respondents agreed at least to a large extent (mean score
3.1-5.0) with statements regarding remedies for unethical behaviours to client information
privacy. The study results presented in Table 4.4 show that respondents agreed to a large extent
with the statement that the organizations were monitoring use of emails by the employees (mean
score, 3.18). Respondents equally agreed to a large extent with statements that the organizations
were educating the users on the need to observe organizational ethics with regard to use of
computer in handling client personal data (mean score, 3.56) and that the organizations ensured
that users maintained competencies in their fields (mean score, 3.73). The study established that
respondents agreed to a very large extent with the statement that the employee performed their
duties diligently and professionally.
32
Asked to state what measures are taken by the institution on anyone found mismanaging the
client private information, respondents indicated that the institution policy, rules and regulations
are clear and such a person is sacked forthwith without any warning. The respondents indicated
that legal action is also taken on such an employee.
4.4 The Impact on the Relationship of the Bank and the Client with Regard to how Bank
Manages Client Information Privacy
In this section the study sought to determine the impact of ethical decision making on the
relationship of the bank and the client with regard to how the banks managed the client
information privacy. The findings of the study are presented in the subsequent sections.
4.4.1 Asked to Give Personal Information
Respondents were asked to indicate whether their banks had ever asked them to give personal
information. According to the results of the study all the respondents indicated that indeed their
banks had asked them to give personal information.
4.4.2 Cared to Know the Necessity of the Information
Asked to indicate whether they had bothered to know what the information was meant for, 70
percent of the respondents indicated that they did not bother to ask to know why the information
was necessary, while 30 percent indicated that they bothered to ask to know the reason for which
the information was needed. This indicates that the clients are ignorant of the law (the banking
Act) which prohibits disclosure of any information furnished by the client unless the consent in
writing of that person has first been given. The banks could therefore be taking advantage of
their ignorance to infringe on their privacy (See Figure 4.14)
33
Figure 4.14: Cared to Know the Necessity of the Information
Yes30%
No70%
Source: Research Data (2009)
Asked to indicate some of the reasons given, all the respondents indicated that they were told the
information collected was for the purposes of records.
4.4.3 Record Treated as Confidential
To establish whether the bank made commitment to safeguard the client personal information,
respondents were asked whether the bank assured them that their information would be treated
with confidentiality. Figure 4.15, 98 percent of the respondents indicated that they were indeed
assured of confidentiality.
Figure 4.15: Record Treated as Confidential
Source: Research Data (2009)
4.4.4 Banks Handle Personal Information with Confidentiality
Respondents were asked to indicate their opinion as to whether the banks had handled their
personal information with confidentiality. According to the results presented in Table 4.5, 41
34
(80%) respondents indicated that the bank did not handle their information with confidentiality.
This contravenes the client privacy even after being assured by the bank that the information will
be treated with confidentiality. The study results also show contravention of the banking Act,
Cap 488 section 31(2) which prohibits disclosure of any client information furnished unless the
consent in writing of that person has first been given. Despite the unethical behaviour by the
banks, clients continue to provide the banks with their personal information which may be
attributed to the fact that the banks monopoly of the service could be the reason for this paradox.
Table 4.5: Banks Handle Personal Information with Confidentiality
Frequency Percent
Yes 9 20
No 41 80
Total 45 100
Source: Research Data (2009)
Asked to explain the reasons for their answers, 24 percent of the respondents indicated that they
believed that the banks had leaked their information to a third party who called them to promote
their products. 33 percent of the banks said that the banks had called them to introduce new
products for example, credit and debit cards.
4.4.5 Someone given Information about Self Similar to Information Given to Bank
The study sought to establish whether respondents had had someone give them information
similar to the one they gave to the bank. According to the Figure 4.16, 74 percent of the
respondents indicated that someone had indeed given them information about themselves which
was similar to the one they gave the bank. The results show that 26 percent indicated that no one
had given information which was similar to the one they gave the bank.
35
Figure 4.16: Someone given Information about Self Similar to Information Given to Bank
Source: Research Data (2009)
Asked to indicate their reaction, most of the resppondents indicated that they were shocked and
demanded to know where the person had gotten the information. Some respondents indicated
that they understood the fact that information is today shared and even rogue employees would
do anything including selling company’s confidential information to competitors.
4.4.6 Felt Right to Privacy was Breached
Respondents were asked to indicate whether they felt the right to privacy was breached by the
bank. Figure 4.17 show that majority of the respondents (82%) indicated that they indeed felt
their right to privacy was breached by the bank while 18 percent felt there was no breach of right
to privacy. This further points to the paradox that despite the unethical behaviour by the bank to
contravene client privacy right, clients still trust the banks with their information.
Figue 4.17: Felt Right to Privacy was Breached
Source: Research Data (2009)
36
Asked to indicate whether the breach of right to privacy had affected their relationship with the
bank, 66 percent of the respondents indicated that this did not affect their relationship with the
bank while 34 percent indicated that indeed this affected their relationship with the bank.
Figure 4.18: Breach of Right to Privacy affected Relationship
Yes66%
No34%
Source: Research Data (2009)
37
CHAPTER FIVE
DISCUSION, CONCLUSION AND RECOMMENDATION
5.1 Introduction
This chapter discusses the findings of data pertaining to the ethical decisions made by the
management of the commercial banks in Kenya in management of client information privacy and
its impact on the relationship of the banks and its client. Conclusions based on the findings are
then made and thereafter recommendations for management and suggestion for future study are
presented.
5.2 Summary
Most of the respondent banks (48%) are predominantly owned by Kenyans. The study
established that most of the banks have been in operation for between 31 and 41 years. The
banks mainly serve both the businesses and personal clients. The study established that the bank
employees to a large extent breached the clients’ right to privacy despite the computer ethics put
by the bank management to protect client privacy but this did not affect the relationship between
banks and its clients.
5.3 Discussion
5.3.1 Ethical Decisions made by Commercial Banks in Kenya in Managing Client Information
Privacy
The study sought to establish the ethical decisions made by commercial banks in Kenya with
regard to client information privacy. According to the study, majority (55%) of the bank
employees understood the mission of the organizations. The study established that according to
the respondents, the client personal information was stored in data bases in computers and in
files which were then stored in safe cabinets. The study further established that some client
information was stored in back-ups. The respondents indicated that the information was collected
for records (49%) and marketing (34%) purposes. It was also a requirement by the Banking Act
that banks have customer information for security purposes. But it was evident from the study
results as was depicted by 56 percent of the respondents that the client information was not used
for what it was intended for. This according to Bok (1983) was a breach of privacy as he defines
38
privacy as a condition of being protected from unwanted access by others which may be in the
form of physical access, or even personal information without approval. The study revealed that
only 44 percent of the client information collected was used for what it was intended. Some of
the respondent banks used the information to market their new products such as debit and credit
cards to their customers, which was not the main reason as to why the information was sought.
Weak computer ethics was blamed for the erosion of right to privacy in the financial institutions
as was indicated by majority of the respondents. Computer ethics was a major challenge to
respondent banks despite the fact that 89 percent of the respondent banks indicated to have
computer ethics to guide the handling of records, such as protecting client personal data,
monitoring the use of email by the employees (mean score 3.18), educating employees on the
need to observe organizational ethics (mean score 3.56) and ensuring that the employees
maintained competencies in their fields (mean score 3.73). These findings of the study agree with
Rodgerson et al (2000) that business organizations are experiencing a number of ethical
problems and conflicts in the area of computer technology baecause of increased adoption,
hence increased incidences of unethical use of computers. The results of the study further agree
with the views of Conger and Loch (1995) that the proliferation of computer use by employees in
all functional areas has resulted in a variety of ethical problems for society and organizations that
are unique to computer technology. The study results only confirm Pierce and Henry (2000)
findings that the invasion of privacy by computer technology and misuse of data files are at an
all time high.
5.3.2 Impact on the Relationship of the Bank and the Client with Regards to how Bank
Manages Client Information
The study sought to establish the impact of client information handling by the bank on their
relationship with the client. According to the study, all the respondents (bank customers)
indicated that the banks had sought their personal information of which 30 percent sought to
know why such information was necessary. Respondents were told that the main purpose for the
collection of such information was for records purposes. The banks assured the respondents of
confidentiality, but according to 82 percent of the respondents, this was never so as their
personal information they believe was used by the bank, used or leaked to a third party. 24
39
percent of the respondents believed that their information was leaked to the third party while 33
percent indicated that the bank called them to inform them of the new products such as debit and
credit cards they were offering.
According to 74 percent of the respondents someone not an employee of the bank had called
them giving personal description as the ones they had given to the bank. Respondents indicated
that they were shocked at how their personal information could be accessed by anyone. Due to
this 82 percent of the respondents indicated that they felt their right to privacy was breached by
the bank employees who had promised confidentiality. But this according to the results of the
study did not affect the relationship of the clients with their banks as was indicated by majority
of the respondents.
The results of the study clearly show that the bank employees were not guided by the Kohlberg’s
(1969) theory of cognitive moral development which states that moral behaviour starts by moral
reasoning. In the absence of moral reasoning it becomes obvious that the bank employees
behaved immorally after making immoral judgement and chose to breach client right to privacy
and behaving unethically using computer technology to mismanage the client information and
using it for what it was not intended for without the consent of the client.
5.4 Conclusion
The banks collect client personal information for three main reasons namely, for records,
marketing and requirement by the law (the Banking Act) that they gather such information as
client details for security purposes. The study established that the banks had put in place
measures to ensure that the employees do not mismanage client private information thereby
complying with the Banking Act which prohibits disclosure of client personal information
without concent. Despite the efforts to store the client information in safe place for
confidentiallity such as data bases and backups the bank employees have continued to
mismanagement client personal information with impunity. It was further evident that, despite
the fact that the banks have put in place measures such as computer ethics and strong monitoring
of the employee action in the computers and the internet to safeguard the client information, the
measures seem not to be effective enough as the employees have continued to infrege on the
40
clients’ privacy unabated. The study established that despite the cruel disciplinary action on
anyone found to mismanage client personal information, it was still not possible put an end to
unethical decision making by bank employees to client information, thereby contravening the
banking Act. This Conger and Loch (1995) attributes to immense amount of information
available to computer users. The employees have disregarded moral ethics and engaged in
unethical decision making which has breached client right to privacy. Though this supprised the
clients it did not have any effect on their relationship which the bank as they continued to trust
the banks with their personal information.
5.5 Recommendations
The study established that the bank employees engaged in unethical decision making in handling
client private information. The study therefore recommends that organizations develop strong
computer ethics which will instil ethical behaviour among the employees.
The study established that despite the fact that banks had measures to take care of the client
privacy, employees still infringed on client privacy. The study recommends that banks put in
place policies that will allow only those who directly depend on the information to carry out their
duties be given access to the client information. Otherwise any person who does not need the
information should be barred from accessing such information.
5.6 Suggestions for Further Research
This study was only done in the commercial banks in Kenya while there are other organizations
which collect client private information for instance hospitals etc. the study therefore
recommends that similar studies be carried out in other organizations with an aim of establishing
client information privacy management.
5.7 Limitations of the Study
Some respondents did not give all the required information and hence they may have deprived
the study of the necessary information. Time was limited for this study as the researcher was not
able to collect all the information especially from the bank employees who needed more time to
complete the questioinnaire due to their busy work schedule. The study used descriptive statistics
41
and therefore only gave what was being done and not what could be done and as a result
conclusions that extend beyond the data cannot be supported by the study.
42
REFERENCES
Ajzen, I. (1991). “The theory of planned behaviour”, Organizational Behaviour and Human
Decision Processes, Vol. 50 No. 2, pp. 179-211.
Allen, A.L. (1988). Uneasy Access: Privacy for Women in a Free Society, Rowman & Littlefield,
Totowa, NJ.
Benn, S.I. (1971). “Privacy, freedom, and respect for persons”, in Pennock, R. and Chapman, J.
(Eds), Privacy Nomos XIII, Atherton, New York, NY.
Central Bank of Kenya (2009). The Laws of Kenya: The Banking Act, Chapter 488. Central Bank of Kenya.
Central Bank of Kenya (2009), Bank Supervision Annual Report 2009
http://www.centralbank.go.ke/downloads/bsd/annualreports/bsd2009.pdf
Clarke, R. (1999). “Internet privacy concerns confirm the case for intervention”, Communication
of the ACM, Vol. 42, No. 1, pp. 60-7.
Cooley, T. (1880). A Treatise on the Law of Torts, Callaghan and Co, Chicago, IL.
Cooper, D. J., (1996). Internal Marketing: Your companies’ next stage of growth, New York, the
Harsworth press Inc.
Freund, P.A. (1971). “Privacy: one concept or many?”, in Pennock, R. and Chapman, J. (Eds),
Privacy Nomos XIII, Atherton, New York, NY.
Gavison, R. (1980). “Privacy and the limits of law”, Yale Law Journal, Vol. 89. No. 2, pp. 111-
117
Gavison, R. (1983). “Information control: availability and control”, in Benn, S. and Gaus, G.
(Eds), Public and Private in Social Life, St Martin’s Press, New York, NY.
43
Graeff, T.R. and Harmon, S. (2002). “Collecting and using personal data: consumers’ awareness
and concerns”, The Journal of Consumer Marketing, Vol. 19 No. 4/5, pp. 302-18.
Gittiker, U.E. and Kelley, H. (1999). “Morality and Computers: Attitudes and Differences in
Moral Judgements”, Information Systems Research, Vol. 10. No. 3. pp. 233-54
Inness, J. (1992). Privacy, Intimacy, and Isolation, Oxford University Press, New York, NY.
Jennings, M. (2002). “Ethics in cyberspace”, BizEd, January-February, pp. 18-23.
Johnson, J. (1998). “Netiquette training: whose responsibility?”, CPSR Newsletter, Vol. 16 No.
3, pp. 14-18.
Leonard, L.N.K., Cronan, T.P. and Kreie, J. (2004). “What are influences of ethical behaviour
intentions - planned behavior, reasoned action, perceived importance, or individual
characteristics?” Information & Management, Vol. 42 No. 1, pp. 143-58.
Moore, A.D. (2001). Intellectual Property and Information Control: Philosophic Foundations
and Contemporary Issues, Transaction Publishing, New Brunswick, NJ.
Moore, A.D. (2003). “Privacy: its meaning and value”, American Philosophical Quarterly, Vol.
40. No. 3. pp. 125-129
Moore, A.D. (Ed.) (2005). Information Ethics: Privacy, Property, and Power, University of
Washington Press, Seattle, WA.
Moor, J.H. (1997). What is computer ethics? Metaphilosophy 16/4.
http://www.ccsr.cse.dmu.ac.uk/staff/Srog/teaching/moor.htm
O’Brien, D.M. (1979). Privacy, Law, and Public Policy, Praeger, New York, NY.
44
Onduso, T. S. (2001). A Survey of Ethical Issues in the use of Information Technological among
Commercial Banks in Kenya. Unpublished MBA Project of University of Nairobi, Kenya.
O’Reilly, C.A. III, Chatman, J. and Caldwell, D.F. (1991). “People and organizational culture: a
profile comparison approach to assessing person-organization fit”, Academy of Management
Journal, Vol. 34 No. 3, pp. 487-516.
Phelps, J. Nowak, G. and Ferrell E. (2000). Privacy Concerns and Consumer Willingness to
Provide Personal Information. Journal of Public Policy and Marketing, Vol 19. No. 1. pp. 27-41.
Posner, R.A. (1998). Economic Analysis of Law, Little, Brown, Boston, MA.
Rodgerson, S. Weckert, J. and Simpson, C. (2000). An Ethical Review of Information Systems
Development” Information Technology and People, Vol. 13, No. 4. pp 121-36
Solove, D.J. (2002). “Conceptualizing privacy”, California Law Review, Vol. 90. No.1. pp. 62-
69
Tavani, H. T. (2002). The uniqueness debate in computer ethics: What exactly is at issue, and
why does it matter? Ethics and Information Technology 4, 2002
Thomson, J.J. (1975). “The right to privacy”, Philosophy and Public Affairs, Vol. 4. No. 1, pp.
117-127
Wagacha, M. and Ngugi, R. (1999). Macroeconomics programmes, Kenya’s strategic policies
for the 21st century, Institute of Policy Analysis and research (IPAR) 1999.
Warren, S. and Brandeis, L.D. (1890). “The right to privacy”, Harvard Law Review, Vol. 4 No.
5, pp. 193-220.
45
APPENDICES
APPENDIX 1: LETTER OF INTRODUCTION
Dear Respondent
REF: REQUEST FOR RESEARCH DATA
I am a Master of Business Administration (M.B.A.) student at the University of Nairobi. I am
required to submit as part of my course work assessment a research project report on “an
investigation of ethical decision making in managing client information privacy, the case of
commercial banks in Kenya”. To achieve this, your organization is one of those selected for
the study. I kindly request you to fill the attached questionnaire to generate data required for this
study. This information will be used purely for academic purpose and your name will not be
mentioned in the report. Findings of the study, shall upon request, be availed to you.
Your assistance and cooperation will be highly appreciated.
Thank you in advance.
Arbogasti Odero.
M.B.A. Student- Researcher
University of Nairobi
46
APPENDIX 2: QUESTIONNAIRES
2.1 QUESTIONNAIRE FOR BANK EMPLOYEES
SECTION ONE: GENERAL INFORMATION
1. Name of bank_____________________________________________________
2. Name of interviewee (optional)______________________________________
3. Please state your position in the Bank__________________________________
4. Please indicate the ownership of the bank using the categories below (please tick one)
a) Predominantly local (51% or more) [ ]
b) Predominantly foreign (51% or more) [ ]
c) Balanced between foreign and local (50/50) [ ]
5. Using the categories below please indicate how long your bank has been in operation in
Kenya.
Less than 10 Years [ ]
Between 10-20 Years [ ]
Between 21-30 Years [ ]
Between 31-40 Years [ ]
Above 40 Years [ ]
6. Using the categories below, please indicate the number of branches you have in Kenya
Less than 5 [ ]
Between 5-10 [ ]
Between 11-20 [ ]
Above 20 [ ]
7. Please indicate your customer base by ticking any of the categories below.
Less than 10,000 [ ]
Between 10,001 and 50,000 [ ]
Between 50,001 - 100,000 [ ]
More than 100,001 [ ]
8. Which market segment does your bank serve? Please tick as is appropriate.
47
Business [ ]
Personal [ ]
Both Business and Personal [ ]
SECTION TWO: ETHICAL ISSUES IN MANAGEMENT OF CLIENTS PRIVATE
INFORMATION.
9. Organizational ethics is about the understanding the mission and the objective of the
organization as the aim of any organization forms its culture. To what extent do the
employees understand the mission of the organization? Tick the appropriate box below. No extent Small extent Moderate extent Large extent Very large extent
10. How is the client private information stored in your organization?
________________________________________________________________________
___________________________________________________________
11. Who has the right to access the client private information? _________________
12. What is the main purpose for collection of this information?
i) ____________________________________________
ii) _____________________________________________
iii) _____________________________________________
13. Are there occasions when the client private information has been used for what it was
not intended? Yes [ ] No [ ]
14. Explain your answer in 13 __________________________________________
_________________________________________________________________________
_____________________________________________________
15. Is there a code of ethics on how client information privacy is handled in your
organization? Yes [ ] No [ ]
16. Explain why ______________________________________________
______________________________________________________________________
48
17. Computer ethics is largely attributed to the erosion of privacy rights, to what extent do
you agree with the statement?
No extent Small extent Moderate extent Large extent Very large extent
18. Does the organization have in place any computer ethics that guide the users,
especially those in the records handling personal data?
Yes [ ] No [ ]
19. If yes, explain_____________________________________________________
_______________________________________________________________
20. Has the organization made attempts to protect the data bases containing the personal
data? Yes [ ] No [ ]
21. How has this been possible? _________________________________________
________________________________________________________________________
______________________________________________________________
22. To what extent do you agree with the following information as remedies for unethical
computer behaviours with regard to client information privacy?
No
extent
Small
extent
Moderate
extent
Large
extent
Very large
extent
Monitoring use of emails by employees
Looking at laws on computer ethics and enforcing
them
Educating the users on the need to observing
organizational ethics
Users perform their duties diligently and professionally
The users serve in the interest of stakeholders in lawful
and honest manner
Ensure that users maintain competency in their fields
49
23. What measures are taken by the institution on anyone found to have mismanaged the client
private information? _____________________________
2.2 QUESTIONNAIRE FOR CLIENTS SECTION ONE: GENERAL INFORMATION
1. Name of respondent (optional)
2. Gender Male [ ] Female [ ]
3. Age bracket Below 25 years 26-30 years 31-35 years 36-40 years Over 40 years
3. Which bank do you have an account with?_______________________________
4. For how long have you been their client?
Less than 5 years 6-10 years 11-15 years 16-20 years Over 20 years
5. Do you have a credit/debit card? Yes [ ] No
SECTION TWO: RELATIONSHIP OF THE BANK AND CLIENTS WITH REGARDS
TO HOW THE BANKS MANAGED CLIENT INFORMATION PRIVACY
6. Has your bank ever asked you to give your personal information?
Yes [ ] No [ ]
7. Did you bother to know what the information was meant for?
Yes [ ] No [ ]
8. What were some of the information?
i) ____________________________________________
ii) _____________________________________________
iii) _____________________________________________
50
9. Were you assured that the information will be treated as confidential?
Yes [ ] No [ ]
10. Do you think the bank has handled your personal information with confidentiality? Yes
[ ] No [ ]
11. If no explain____________________________________________________
________________________________________________________________________
___________________________________________________
12. Has anyone ever given you information about yourself that resembles the ones you gave
the bank? Yes [ ] No [ ]
If yes what was your reaction? ________________________________________
________________________________________________________________________
________________________________________________________________________
_____________________________________________________
13. Did you feel your right to privacy was breached by the bank?
Yes [ ] No [ ]
14. Has this affected your relationship with the bank? Yes [ ] No [ ]
In your opinion, what measures should be taken to curb such misbehaviour by the bank
employees?_________________________________________________
________________________________________________________________________
________________________________________________________________________
______________________________________________________
51
APPENDIX 3: COMMERCIAL BANKS IN KENYA AS AT 31ST DECEMBER
2009
1. African Banking Corporation Ltd. 2. Bank of Africa (K) Ltd. 3. Bank of Baroda (K) Ltd. 4. Bank of India 5. Barclays Bank of Kenya Ltd. 6. CFC Stanbic Bank Ltd 7. Charterhouse Bank Ltd.** 8. Chase Bank (K) Ltd. 9. Citibank N.A. Kenya 10. City Finance Bank Ltd. 11. Commercial Bank of Africa Ltd. 12. Consolidated Bank of Kenya Ltd. 13. Co-operative Bank of Kenya Ltd. 14. Credit Bank Ltd. 15. Development Bank of Kenya Ltd. 16. Diamond Trust Bank Kenya Ltd. 17. Dubai Bank Kenya Ltd 18. Eco bank Ltd. 19. Equatorial Commercial Bank Ltd. 20. Equity Bank Ltd. 21. Family Bank Ltd. 22. Fidelity Commercial Bank Ltd. 23. Fina Bank Ltd. 24. First Community Bank Ltd 25. Giro Commercial Bank Ltd. 26. Gulf African Bank Ltd. 27. Guardian Bank Ltd. 28. Habib Bank A.G. Zurich 29. Habib Bank Ltd. 30. Housing Finance Ltd. 31. Imperial Bank Ltd. 32. Investment & Mortgages Bank Ltd. 33. Kenya Commercial Bank Ltd. 34. K-Rep Bank Ltd. 35. Middle East Bank (K) Ltd. 36. National Bank of Kenya Ltd. 37. NIC Bank Ltd. 38. Oriental Commercial Bank Ltd. 39. Paramount Universal Bank Ltd. 40. Prime Bank Ltd. 41. Southern Credit Banking Corporation Ltd. 42. Standard Chartered Bank (K) Ltd. 43. Savings & Loan Kenya Ltd.
52
53
44. Trans-National Bank Ltd. 45. UBA Kenya Bank Ltd 46. Victoria Commercial Bank Ltd
** Charterhouse Bank Ltd which is under statutory management by CBK was not included in the study