
Kenya: Understanding the basics: The crossover between data privacy and private security regulations

23 April 2024

Overview

  • In Kenya, as in many other countries around the world, there are regulations in place to safeguard the privacy of data which, at the same time, need to be balanced against the need to protect individuals and property against security and terrorist threats.
  • The primary legislation governing data privacy in Kenya is the Data Protection Act, 2019.
  • Private security services are regulated by the Private Security Regulation Act, 2016.
  • This article outlines the risks and challenges of data collection by private security firms and provides suggestions on how to mitigate them.

In recent years, data privacy and private security have become paramount concerns for individuals and businesses alike. In Kenya, as in many other countries around the world, there are regulations in place to safeguard the privacy of data which, at the same time, need to be balanced against the need to protect individuals and property against security and terrorist threats. Understanding and navigating these regulations is crucial for compliance in order to balance multiple interests.

Data privacy regulations in Kenya

The primary legislation governing data privacy in Kenya is the Data Protection Act, 2019. The Act aims to regulate the processing of personal data and establish a regulatory framework for the collection, handling, and sharing of personal information. Under the Act, data subjects have the right to know how their data is being processed, as well as the right to access and rectify their data.

One key aspect of the Data Protection Act is the requirement for data controllers and processors to implement appropriate technical and organisational measures to safeguard digital and physical personal data against unauthorised access, disclosure, alteration, or destruction. This includes measures such as encryption, access controls, and regular security assessments.

In addition to the Data Protection Act, there are additional sector-specific regulations that apply to certain industries, such as the Private Security Regulation Act, 2016, which regulates private security firms and personnel in the country.

Private security regulations in Kenya

In Kenya, private security services are regulated by the Private Security Regulation Act, 2016. This Act establishes the Private Security Regulatory Authority (PSRA), which is responsible for licensing and regulating private security firms and personnel in the country. The PSRA sets standards for training, vetting, and conduct of security personnel to ensure the safety and security of individuals and property.

Private security firms are required to comply with a set of regulations, directives and guidelines issued by the PSRA, including requirements for background checks on personnel, monitoring and reporting of security incidents, and the use of appropriate security technology and equipment. Furthermore, private security personnel stationed at property entry points are authorised to require a person to identify themselves, register the time of entry and exit in physical logbooks, and temporarily retain the identification documents of such a person. In the wake of the Data Protection Act, this has become a significant cause of concern for data subjects unsure as to the grounds for collection (Section 48 of the PSRA) and the security measures in place to look after personal data collected at such entry points.

Risks and challenges of data collection by private security firms

The collection of such visitor data by private security firms does raise concerns about privacy and data protection. All parties involved, from the data controller and data processor to the data subject, face risks such as unauthorised access to sensitive information, destruction of data, data breaches, and misuse of personal data. During the contracting process, it is vital for property managers and building owners to ensure that the appointed private security firms are able to strictly adhere to their obligations under the Data Protection Act, which should be clearly set out in any appointment letter or service contract.

Given that data collection is an integral part of the operations of security firms, as it enables them to gather information, analyse trends, and enhance their ability to provide effective security solutions, it is paramount for such organisations to mitigate the risks associated with data collection through the adoption of best practices. By implementing best practices in data collection and management, private security firms and their clients can minimise the risks and safeguard the sensitive information they handle.

Implement robust data protection measures

One of the key best practices for private security firms is to implement robust data protection measures to safeguard the information collected. For digital data, this includes encrypting sensitive data and regularly updating security protocols to preempt potential threats. For physical data, this includes ensuring that data is properly labelled, organised and carefully stored. In both cases, access to personal data must be restricted to authorised personnel.

Conduct regular data privacy impact assessments

To proactively identify and address potential privacy risks associated with data collection and compliance with the Data Protection Act, 2019, security firms should conduct regular data privacy impact assessments. By incorporating privacy impact assessments into their data collection processes, security firms can demonstrate their commitment to data protection and enhance transparency with stakeholders.

Train staff on data protection best practices

Effective data protection requires the involvement of all staff members within a security firm. To ensure that employees understand their roles and responsibilities in safeguarding data, firms should provide regular training on data protection best practices. This can include educating staff on data security protocols, raising awareness of potential data protection risks, and fostering a culture of data protection within the organisation. By investing in staff training, security firms can empower employees to uphold data protection standards and mitigate the risks associated with data collection activities.