
Processing Personal Data under the Private Security Regulation Act, 2016

Ms Jane Ombiro, CIPP/E, Data Protection Expert, South-End Tech Limited

Date: Monday, February 26, 2024

On 3rd January 2024, Starlet Wahu was found brutally murdered in an Airbnb apartment in South B, Nairobi County. A few days later, the mutilated body of Rita Waeni was found in an apartment in Roysambu. The two murders shook the nation and sparked public outcry. In response to the public and in an attempt to curb the heinous acts, the Private Security Regulatory Authority issued a directive on 15th January, 2024 addressed to the private security sector.

The directive was to the effect that all private security service providers were to comply with section 48 of the Private Security Regulation Act, 2016. This section gives private security providers the power to record and temporarily withhold identification documents. The private security service provider may request a person to identify themselves, register the time of entrance and exit of the person, and retain temporarily the identification documents of any person before entering any premises or property within their care.

The section further stipulates that the identification document surrendered must be given back to the person at the point of exit, not be used for any other purpose save for identification and be kept in safe custody until given back to the owner. Lastly, the section mandates that the information obtained in the registration of a person must not be used for any other purposes save for the identification of the person.

Since the Private Security Regulation Act was enacted in 2016, questions have arisen on its application vis-a-vis the Data Protection Act, which came into force in 2019, three years after the commencement of the Private Security Regulation Act. These questions, however, have been addressed by section 30 (b)(ii) of the Data Protection Act. The section enables controllers and processors to process personal data if it is necessary for compliance with any legal obligation to which the controller or processor is subject.

The section, therefore, empowers private security providers to request and hold identification documents of data subjects in order to comply with their legal obligations under the Private Security Regulation Act, 2016. When section 30 (b)(ii) of the Data Protection Act and section 48 of the Private Security Regulation Act are relied on as a basis for processing personal data, a data subject's consent or lack thereof becomes immaterial to the processing activities.

Private security firms are thus advised to put in place privacy policies and procedures and train their security officers on data protection and privacy to enable them to adequately comply with the requirements of both the Data Protection Act and the Private Security Regulation Act. In addition, they should only collect the data necessary for them to identify the data subjects, put in place measures to secure the data and only use the data for the purposes stipulated in the Private Security Regulation Act.

Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs by telephone at +254115867309, +254721864169 or +254740196519, or by email at jombiro@southendtech.co.ke, dataprotection@southendtech.co.ke or info@southendtech.co.ke.
