Should You Leave Personal Details at Building Entrances? Data Commissioner Clarifies

An image of a sampled ID card (left) and the image of Data Commissioner Immaculate Kassait (right)
Kenyans.co.ke

More often than not, we find ourselves depositing our national identification cards (IDs) or giving out mobile numbers and email addresses when accessing public spaces, be it buildings or supermarkets.



We do this by revealing sensitive and crucial personal information, all in the name of security, oblivious of the lurking danger, especially in the wake of mobile phone scammers.

But is it justifiable? Data Commissioner Immaculate Kassait on Wednesday, January 25, debunked this trend, which appears to have been normalised.



“By law, you are required to deposit your ID, the concern is why are you asking for my biometrics to access a building?” she paused.

An image of Data Commissioner Immaculate Kassait during her vetting in Parliament in 2020
The Standard

“It is a lawful purpose because the owners of the building could say it's because of the private security regulations, that is why they are collecting,



“However, going beyond that purpose and storing that information for a duration of time and collecting information that is beyond like email addresses, and area of residence, they should only collect what is necessary to identify an individual,” she added.

While advocating for data safety, Kassait stated that owners of data are allowed to forward their concerns to her office when they feel that their information is misused.

"If you visit either a hospital or a supermarket, they must inform you of the basis for which they are taking your information," she directed.

Also, she revealed the guiding norms of data protection that citizens should be aware of, including the following:

1. Lawfulness, fairness and transparency; entities must inform you as to why the information is taken and what it is going to be used for.

2. Purpose limitation; informing customers or individuals of the purpose for which the data will be used. Limited in the sense that the data should only be used for the stated purpose for which it was collected.



3. Data minimisation; she stated that information is collected for a specific purpose, and that extending collection beyond that purpose could breach and even affect the security of the data subject.

4. Accuracy; getting accurate information by making sure there are systems to protect the data collected.

Equally, she advised that establishments must declare the purposes of asking for private information and that one must consent before agreeing to leave their data.

She further revealed that the commission was investigating two buildings that are alleged to have violated data privacy rights.

Kassait is the first-ever Data Commissioner in Kenya, a position she was nominated and appointed to in 2020.

Data by the Communications Authority for the period between January and March 2020 shows 34,644,531 cyber threats