ODPC warns security firms over excessive data collection

The Office of the Data Protection Commissioner (ODPC) has warned private security firms in Kenya against unlawfully harvesting excessive personal data from visitors. In a draft guidance note, the ODPC states that only names, identification numbers, and entry times should be collected for building access. This alert comes amid rising cyber threats and major data breaches in the country.

The Office of the Data Protection Commissioner (ODPC) has expressed deep concern over routine data collection practices at security desks, describing them as posing significant privacy risks. In a draft Guidance Note released on December 19, 2025, the ODPC highlights that private security firms must stop requiring visitors to provide phone numbers, home addresses, marital status, and other personal details, as these violate the Data Protection Act of 2019.

According to the regulator, the only permissible information for basic access is a visitor's name, identification number, and time of entry. Firms are urged to limit collection to what is strictly necessary and delete any data without a lawful basis.

This warning arises against a backdrop of escalating data breaches in Kenya. In October 2025, a popular health app was breached, exposing medical records of 4.8 million users. A February 2025 incident at the Business Registration Service leaked details of over two million firms. Government websites faced defacement in coordinated cyber attacks in November 2025.

The Communications Authority reported detecting more than 4.5 billion cyber threat events between April and June 2025. The ODPC emphasizes strengthened individual rights, including the ability to request access to CCTV footage or visitor logs featuring oneself. This provision applies to all firms under the Private Security Regulation Act of 2016.

Concerns also extend to data misuse, such as using visitor details for unsolicited marketing or public sharing, which breaches purpose limitation principles. The draft is open for public input before finalization, indicating a push for stricter oversight of everyday data practices.

As Kenya contends with data sovereignty, cross-border transfers, and intensifying cyber threats, the ODPC views curbing unnecessary collection at security points as a vital first defense.

Relaterade artiklar

Illustration of Coupang facing record data breach fine
Bild genererad av AI

Coupang fined record 624.7 billion won over data breach

Rapporterad av AI Bild genererad av AI

South Korea's data protection regulator on Thursday fined e-commerce company Coupang a record 624.7 billion won over privacy violations, including a massive data breach that affected more than 37 million users.

Commission III of the Indonesian parliament has sharply criticized Rien Wartia Trigina alias Erin for filing a counter report against her former domestic worker Herawati under the personal data protection law.

Rapporterad av AI

A report by the Génération Libre think tank links rising data breaches in France to European regulations. The CNIL is tightening controls after a record year in 2025.

Denna webbplats använder cookies

Vi använder cookies för analys för att förbättra vår webbplats. Läs vår integritetspolicy för mer information.
Avböj