ODPC warns security firms over excessive data collection

The Office of the Data Protection Commissioner (ODPC) has warned private security firms in Kenya against unlawfully harvesting excessive personal data from visitors. In a draft guidance note, the ODPC states that only names, identification numbers, and entry times should be collected for building access. This alert comes amid rising cyber threats and major data breaches in the country.

The Office of the Data Protection Commissioner (ODPC) has expressed deep concern over routine data collection practices at security desks, describing them as posing significant privacy risks. In a draft Guidance Note released on December 19, 2025, the ODPC highlights that private security firms must stop requiring visitors to provide phone numbers, home addresses, marital status, and other personal details, as these violate the Data Protection Act of 2019.

According to the regulator, the only permissible information for basic access is a visitor's name, identification number, and time of entry. Firms are urged to limit collection to what is strictly necessary and to delete any data held without a lawful basis.

This warning arises against a backdrop of escalating data breaches in Kenya. In October 2025, a popular health app was breached, exposing medical records of 4.8 million users. A February 2025 incident at the Business Registration Service leaked details of over two million firms. Government websites faced defacement in coordinated cyber attacks in November 2025.

The Communications Authority reported detecting more than 4.5 billion cyber threat events between April and June 2025. The ODPC emphasizes strengthened individual rights, including the ability to request access to CCTV footage or visitor logs featuring oneself. This provision applies to all firms under the Private Security Regulation Act of 2016.

Concerns also extend to data misuse, such as using visitor details for unsolicited marketing or public sharing, which breaches purpose limitation principles. The draft is open for public input before finalization, indicating a push for stricter oversight of everyday data practices.

As Kenya contends with data sovereignty, cross-border transfers, and intensifying cyber threats, the ODPC views curbing unnecessary collection at security points as a vital first defense.
