
Should Private Security Firms Collect Your Personal Data?

By John Walubengo

Most Kenyans have become accustomed to leaving their details in visitors’ books at the entrance of office buildings. The guards are strictly instructed not to admit visitors who have not written their personal details in the book.

In most cases, one is forced to leave their national ID or Passport at the entrance, meaning the guards have in their custody more than your name and ID Number. They now know when you were born, your home county, and a couple of other personal data sets that you would have otherwise wanted to keep to yourself.

Following the enactment of the Kenya Data Protection Act of 2019, many have wondered why this practice of collecting personal data by security guards or firms continues unabated. Is this practice legal? Why hasn’t the Data Protection Act or Data Commissioner come to the rescue?

We address these and other questions in this article.

It is legal

First, let’s do away with the legalese. What the private security firms and guards are doing by collecting our data is legal as per the Private Security Regulation Act of 2016, which states in section 48(1) as follows:

Section 48(1):- Power to record and temporarily withhold identification documents

At the entry of any premises or property within the jurisdiction and care of a private security service provider, a security guard or a security officer, the private security service provider, security guard or officer may request a person to identify themselves, register the time of entrance and exit of the person and retain temporarily the identification document of such person.

This means that refusing to identify oneself when requested may be illegal. Kenyans are, therefore, obliged by law to identify themselves when requested by the private security guards at the various entrances.

This brings us to the next question: what, then, is the use of the KE Data Protection Act if it cannot ‘protect’ us from intrusive private and public security operatives?

The role of the Data Protection Act

In answering this second question, we need to demystify the role of the Data Protection Act. More importantly, we must understand the underlying philosophy behind the privacy acts enacted globally.

Data Protection Acts’ fundamental role globally is never to stop the various actors from collecting personal data. Indeed, all social, business or government transactions have an element of personal data exchange, and it would be futile to have a blanket outlawing of personal data exchanges.

Put more simply, neither the Data Protection Act nor the Data Commissioner is there to block private security guards from collecting personal data. Instead, the Data Protection Act and the Data Commissioner provide an oversight or regulatory role over personal data collection.

Regulatory Oversight

But what exactly is regulatory oversight?

Again, there is the misconception that regulatory action is purely to block things from happening. In reality, blocking actions are often the last tool of choice in modern regulatory toolboxes. Current regulatory regimes are designed to promote and support socio-economic processes rather than to block them.

In the specific case of private security guards collecting our personal data, the regulator will not, nor is she expected to, block the personal data collection. Instead, the regulatory oversight would ensure that security firms collecting personal data do so within the parameters outlined in the Data Protection Act.

This would mean that private security firms must, amongst other things, have a privacy policy communicating the purpose and how they collect and secure the personal data sets of visitors.

Additionally, they need to minimize the data collection to the minimum required to carry out their security functions.

The regulatory role is to ensure this is happening, rather than imposing a blanket rule of “thou shall not collect personal data” in any circumstances.

This clarifies some issues around private security guards collecting your personal data. When they ask for your personal information, do not refuse; instead, ask them to show you their Privacy Policy, and you will have begun educating them about your privacy rights.


John Walubengo is an ICT Lecturer and Consultant. @jwalu.


