It has become a familiar experience in major towns in Kenya to be requested by security guards manning major buildings to provide crucial details of oneself, usually recorded in a book or on a computer.
The requested information usually includes one’s identity card, which contains one’s unique number, a photo and one’s place and date of birth. Sometimes one might be asked for a vehicle registration number which is a unique number, and even one’s mobile phone number, which is registered in an individual’s name to enable one to be tracked down by the authorities.
All this private information it collected (and maybe your ID card retained for a while), as well as the fact that you were in a particular place at a specific time, itself something that might be a matter of personal importance.
Have you ever wondered about the right to collect this information and what safeguards exist?
This article concerns not just the collection of that data but, equally important, what happens to that data after you give it.
The right to privacy
Sharing information implicates your right to privacy. The right to privacy is a fundamental human right protected under Article 31 of the Constitution of Kenya. This provides that one has a right not to have “information relating to family or private affairs unnecessarily required or revealed”.
Please think about these words for a moment. You don’t have a right never to have such private information asked for. You only have a right not to have it unnecessarily required.
You may be aware that under Article 24 of the Constitution, most rights may be limited by law, but with important conditions. And the limitation must be “reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom”.
Whether a limitation is reasonable and justifiable depends on the purpose to be achieved, and the balance between that purpose and the extent of the limit on the right. And one relevant factor is whether there is no “less restrictive: way to achieve the purpose”. This seems another way of saying it is really necessary?
So because Article 31 implies that a necessary requirement to provide information is already not a violation of a right, maybe Article 24 adds nothing. A court faced with either Article 31 or Article 24 would be deciding effectively the same question about necessity. Why should any law be allowed to require something unnecessary in this context?
Incidentally, rights under the Constitution apply against private citizens and bodies also – so if they allow others into their premises offering services to the public on conditions like giving up their IDs, this must be “necessary.”
The law
However, there is some other law on the subject. Under the Private Security Regulation Act, 2016 private security firms guarding premises are empowered to request a person to identify themselves, register when they arrive and leave, and hold on to their identification document when they are in the building. The askaris have to give the identification back when the person leaves and can’t use it for any other reason.
Is it necessary to require people to give up this information? If so, we have already seen that no right is breached. If it is not necessary, then the only way you could be required to give the information is by law.
However, this Act does not meet Article 24’s requirements for a limitation on the right to privacy. It does not explain why the limitation is necessary (or justified). But any legislation limiting rights and passed after the 2010 Constitution must specifically state the intention to limit the right or fundamental freedom and the nature and the extent of the limitation. The Act does not do this.
Moreover, security guards are asking for more information than the law allows. The Act does not empower security guards to request phone numbers of individuals entering the building being manned.
We can imagine why the Act put these rights limitations in place. It could have been for security purposes or to provide a basis for owners to refuse to vet people wanting to enter their premises. But the point is, we are left to speculate. Article 24 makes it clear that the Act must explain why a limit on a right or fundamental freedom is imposed, not leave it to us to guess.
So we are pushed back to the Constitution - is it “necessary”?
But does one necessity apply to every building or place? Is it not reasonable, even necessary, to require fuller information of people going into certain places than others? And should the requirements vary depending on how sensitive the information is?
Another law
The Data Protection Act of 2019 reflects that Kenyans have become increasingly concerned that they must provide personal details about themselves to carry out everyday tasks. They are aware that people who acquire such information may be able to use it for identity theft – using someone’s personal details to commit a crime or steal money from their accounts – or for profit: selling the details to advertisers or others who might want to sell you something.
The DPA looks at first sight as though it is about information (data) kept in electronic form. But it does cover more than that. It regulates how personal information is used, saved, analysed and made available. All this is called “processing” the data. It addresses two types of data – ‘personal data’ and ‘sensitive personal data’.
Personal data is any information that relates to you or another person. Sensitive personal data refers to information you might want to keep secret, or that could be used unfairly, such as your health status, ethnicity, beliefs, biometric data and family information.
Not surprisingly, there are greater restrictions on the use of sensitive personal data, which is limited to protecting your interests, not for the advantage of others. The list of permitted uses for personal data is longer but generally includes business transactions, government use and agreements you make to share the data – like when using an app on your phone.
When we think about giving our personal information to enter a building, we must think about the fact that we had to share it and what is done with that information afterwards.
The role of the data protection commissioner
The DPA mandates the Office of the Data Protection Commissioner to oversee those using our data and enforce the DPA’s requirements.
To allay the fears of Kenyans, the Office of the Commissioner should ensure that private security firms collect personal data as the DPA requires. The office does say that private security firms should be registered with it. This Act requires precautions beyond those under the Private Security Regulation Act.
Firms must have a data privacy policy covering why data is collected, and measures put place to protect it. The public should be informed of this. Data must be processed in accordance with the right to privacy, data collected for explicitly specified and legitimate purposes, and collection of data should be no more than needed to enable the firms to accomplish their mandate.
In advancing their compliance mandate, the commissioner should conduct stakeholders’ sector-specific trainings, develop sector-specific guidelines for private security firms and building owners, and continue sensitising Kenyans on various aspects of the DPA.
This will aid in preventing the personal information of Kenyans from being traded for monetary gains, ensure compliance with the DPA and alleviate the fear of members of the public on private security firms collecting their personal data.
Article 31 is brief, and legislation is desirable to specify what information may be collected, how and what can be done with it. Exactly what security firms may and should collect, when and where, merits further consideration and perhaps more full and specific laws. The decisions of the courts would also help clarify the law and what is not “necessary” and, therefore, a breach of the right.
Legal researcher, Katiba Institute
