ODPC warns security firms over excessive data collection

The Office of the Data Protection Commissioner (ODPC) has expressed deep concern over routine data collection practices at security desks, describing them as posing significant privacy risks. In a draft Guidance Note released on December 19, 2025, the ODPC highlights that private security firms must stop requiring visitors to provide phone numbers, home addresses, marital status, and other personal details, as these violate the Data Protection Act of 2019.

According to the regulator, the only permissible information for basic access is a visitor's name, identification number, and time of entry. Firms are urged to limit collection to what is strictly necessary and delete any data without a lawful basis.

This warning arises against a backdrop of escalating data breaches in Kenya. In October 2025, a popular health app was breached, exposing medical records of 4.8 million users. A February 2025 incident at the Business Registration Service leaked details of over two million firms. Government websites faced defacement in coordinated cyber attacks in November 2025.

The Communications Authority reported detecting more than 4.5 billion cyber threat events between April and June 2025. The ODPC emphasizes strengthened individual rights, including the ability to request access to CCTV footage or visitor logs featuring oneself. This provision applies to all firms under the Private Security Regulation Act of 2016.

Concerns also extend to data misuse, such as using visitor details for unsolicited marketing or public sharing, which breaches purpose limitation principles. The draft is open for public input before finalization, indicating a push for stricter oversight of everyday data practices.

As Kenya contends with data sovereignty, cross-border transfers, and intensifying cyber threats, the ODPC views curbing unnecessary collection at security points as a vital first defense.