If Your Personal Data Is Misused, Start With the Right Complaint Route

Personal information can be misused in ways that feel small at first but become serious very quickly. A hospital may keep a doctor’s name on its website after the doctor has left. A school may display a parent’s phone number in a public group without permission. An employer may circulate a national identity document beyond the staff who need it. A shop may post a customer’s photo on social media while accusing them of debt or theft. These situations may involve embarrassment, reputational harm, financial risk or fear of further misuse. In Tanzania, they may also raise personal data protection issues.

The High Court decision in Dr. Monica Peter Mungo v Shifaa Pan African Hospitals Ltd offers a practical lesson about the route a complainant should consider before going to court. The dispute involved alleged misuse of professional credentials and personal data. The Court struck out the claim because the claimant had not first exhausted the statutory remedies under the Personal Data Protection Act. For public awareness purposes, the message is not that personal data claims are unimportant. The message is that the legal route matters.

That point may appear procedural, but it can decide the fate of a case. Where the law creates a specialised complaint mechanism, a court may decline to hear a matter too early if the claimant has not first used that mechanism. The Personal Data Protection Commission is the body created to handle complaints about violations of personal data protection principles. A person who rushes to court without checking that route may lose time, money and momentum, even where the underlying grievance appears serious.

The first question is whether the complaint is truly about personal data. Personal data can include a person’s name, photo, phone number, identity details, medical information, employment history, professional credentials, address, financial details or any information that identifies or can reasonably identify them. If the problem is that such information was collected, displayed, used, shared or kept without a proper legal basis, the matter may fit within data protection law. If the main complaint is unpaid salary, breach of contract, defamation, medical negligence or dismissal from employment, another legal route may also be involved. Sometimes both routes may overlap.

A strong complaint should be clear and factual. It should identify the data that was used, the person or organisation that used it, the date or period of use, where it appeared and why the complainant believes the use was unlawful. It should also explain the harm or risk caused. For example, a doctor whose name and qualifications remain on a hospital advert after leaving employment may say that the advert misleads patients and damages professional control over their credentials. A customer whose identity document is shared in a public messaging group may point to privacy risk, fraud risk and humiliation.

Evidence is often the difference between a complaint that can be acted upon and one that remains too general. Screenshots should show dates where possible. Links should be saved. Letters, emails, employment records, consent forms, privacy notices and earlier complaints to the organisation should be kept. It is also sensible to record when the organisation was asked to remove, correct or stop using the data, and how it responded. A short written record made at the time may later be more persuasive than a long explanation given months after the event.

The decision also invites a bit of caution about mixing claims. People often experience a data problem together with other wrongs. A former employee may feel defamed, underpaid and misrepresented. A patient may feel that confidential medical information was exposed and that the treatment itself was poor. A business partner may complain about contract breach and misuse of personal documents. Those concerns may all be real, but they should not be thrown together in a way that hides the data protection issue. If personal data misuse is the main concern, it should be framed clearly under the correct complaint process.

There is a wider public lesson here. Data protection law is not only for large technology companies or complicated digital platforms. It applies to ordinary institutions that handle people’s information every day, including hospitals, schools, employers, shops, professional bodies, charities and public offices. A simple photograph, a staff profile, a patient record or a copied identity card can carry legal significance. Organisations should ask whether they have a proper basis for using the data, whether the person was informed, whether the use is necessary and whether the information is being kept longer than needed.

The key message is that your personal information is protected, but you must use the correct complaint route. If your data is misused, document the problem, complain clearly and consider approaching the Personal Data Protection Commission before filing a court case. The process may feel slower than going straight to court, but using the route created by law may protect your complaint from being rejected too early.

Source note and disclaimer. This article is based on Dr. Monica Peter Mungo v Shifaa Pan African Hospitals Ltd, Civil Case No. 23470 of 2025, [2026] TZHC 328, High Court of Tanzania, decided on 17 February 2026, and on Tanzania’s Personal Data Protection Act, 2022 and related complaint framework. It is prepared for public rights awareness and is not legal advice for a specific case.