The Office of the Data Protection Commissioner (ODPC) raised concern over what it described as widespread and unlawful data harvesting by private security firms, warning that routine practices at security desks posed serious privacy risks.
In a draft Guidance Note issued on Friday, December 19, targeting private security providers, the ODPC flagged the common requirement for visitors to disclose phone numbers, home addresses, marital status, and other personal details as unlawful under the Data Protection Act, 2019.
According to the regulator, the only information that could lawfully be collected for basic building access was a visitor’s name, identification number, and time of entry.
The ODPC stated that security firms were required to “limit the amount of personal information collected to what was required”, adding that where there was no lawful basis, such data should not only have ceased to be collected but should also have been deleted.
The warning came against the backdrop of rising data breaches in Kenya, with 2024 and 2025 recording some of the most serious cyber incidents in the country’s history.
In October 2025, a popular health app suffered a breach that exposed sensitive medical records of 4.8 million users, while a February 2025 breach at the Business Registration Service leaked private details of more than two million firms.
Government platforms were also targeted in November 2025, when several high-profile websites were defaced and temporarily taken offline in coordinated cyber attacks.
The Communications Authority reported detecting more than 4.5 billion cyber threat events between April and June 2025 alone, pointing to the growing risk of personal data misuse.
Against this backdrop, the ODPC moved to strengthen individual rights, including allowing individuals to formally request access to CCTV footage or visitor log entries in which they appeared.
The regulator noted that this right was a core provision of the Data Protection Act and applied to all private security firms operating under the Private Security Regulation Act, 2016.
The ODPC also raised concerns about misuse of collected data, citing cases where visitor details were later used for unsolicited marketing or shared publicly, actions that violated the principle of purpose limitation.
As Kenya grappled with data sovereignty, cross-border data transfers, and escalating cyber threats, the regulator said curbing unnecessary data collection at security desks was a critical first line of defence.
The draft guidelines were opened for public participation ahead of finalisation, signalling a shift toward tighter control of everyday data collection practices.