Most Kenyans have become accustomed to leaving their details in visitors’ books at the entrance of office buildings. The guards are strictly instructed not to admit visitors who have not written their personal details in the book.
In most cases, one is forced to leave their national ID or passport at the entrance, meaning the guards have in their custody more than your name and ID number. They now know when you were born, your home county, and a couple of other personal details that you would otherwise have wanted to keep to yourself.
Following the enactment of the Kenya Data Protection Act of 2019, many have wondered why this practice of collecting personal data by security guards or firms continues unabated. Is this practice legal? Why hasn’t the Data Protection Act or Data Commissioner come to the rescue?
We address these and other questions in this article.
It is legal
First, let’s do away with the legalese. What the private security firms and guards are doing by collecting our data is legal as per the Private Security Regulation Act of 2016, which states in section 48(1) as follows:
Section 48(1):- Power to record and temporarily withhold identification documents
At the entry of any premises or property within the jurisdiction and care of a private security service provider, a security guard or a security officer, the private security service provider, security guard or officer may request a person to identify themselves, register the time of entrance and exit of the person and retain temporarily the identification document of such person.
This means that refusing to identify oneself when requested may be illegal. Kenyans are, therefore, obliged by law to identify themselves when requested by the private security guards at the various entrances.
This brings us to the next question: what, then, is the use of the KE Data Protection Act if it cannot ‘protect’ us from intrusive private and public security operatives?
The role of the Data Protection Act
In answering this second question, we need to demystify the role of the Data Protection Act. More importantly, we must understand the underlying philosophy behind the privacy acts enacted globally.
The fundamental role of Data Protection Acts globally is never to stop the various actors from collecting personal data. Indeed, all social, business or government transactions have an element of personal data exchange, and it would be futile to impose a blanket ban on personal data exchanges.
Put more simply, neither the Data Protection Act nor the Data Commissioner is there to block private security guards from collecting personal data. Instead, the Data Protection Act and the Data Commissioner play an oversight or regulatory role over personal data collection.
But what exactly is regulatory oversight?
Again, there is the misconception that regulatory action is purely to block things from happening. In reality, blocking actions are often the last tool of choice in modern regulatory toolboxes. Current regulatory regimes are designed to promote and support socio-economic processes rather than to block them.
In the specific case of private security guards collecting our personal data, the regulator will not block the collection, nor is she expected to. Instead, regulatory oversight would ensure that security firms collecting personal data do so within the parameters outlined in the Data Protection Act.
Additionally, they need to limit data collection to the minimum required to carry out their security functions.
The regulatory role is to ensure this is happening, rather than imposing a blanket rule of “thou shall not collect personal data” under any circumstances.