Retailers and landlords across the country are in the crosshairs of the country's data protection watchdog as crackdowns on those misusing personal information heat up.
They risk hefty fines and jail terms if they mishandle the data of visitors to buildings and shoppers in supermarkets.
The Office of the Data Protection Commissioner (ODPC) said yesterday it is engaging with landlords and property managers as well as retailers to address the data protection concerns raised by Kenyans. This relates to information that may be obtained when individuals leave their personal data at the gates of various buildings and payment information in supermarkets.
Some supermarkets require customers to confirm their mobile phone details when making payment through mobile money, a spot-check confirmed yesterday.
Guards at several prominent office buildings in Nairobi's central business district also require visitors to provide identification details on a big black book before entry.
The books have massive personal data that could be easily gleaned, according to a spot-check by The Standard.
This information may include mobile phone number, ID number and vehicle registration number.
Visitors in some buildings are also asked to leave their IDs at the gates of the buildings for security checks.
There has been mounting concern that such personal information could expose visitors to fraud if it lands in the wrong hands.
“On the issue of property owners and building managers, The (Data Protection) Act provides for a number of lawful bases upon which entities can rely when collecting data,” the ODPC told The Standard.
One of these is carrying out a legal obligation – which includes the performance of a task required or mandated by a written law, it explained.
“The collection of personal data by private security agencies is mandated by the Private Security Regulations Act, 2016 which obligates private security organisations to collect certain personal data.
“In order to promote compliance among building owners and private security agencies, the ODPC will be conducting stakeholder sector-specific entities and is working on sector-specific guidelines,” it said.
The planned move is aimed at preventing personal information from being traded to advertisers or being leaked to fraudsters, in line with data protection legal requirements.
The data agency said retailers bear legal responsibility in the handling of clients’ data.
“Being data controllers, supermarkets are required to protect the personal information of their clients,” said the watchdog.
“We encourage data subjects whose information has been publicly disclosed by data controllers (supermarkets in this case) to file a complaint with us.”
Kenyans have reported being publicly asked for the details of their mobile telephone numbers after paying at the cash tills of various supermarkets.
“It is very disconcerting when the tellers loudly ask for my number when I have just paid via mobile money,” said Christine Njeri, a shopper.
“If someone obtains your receipt coupled with your mobile money details, because they can access them easily, you would surely be at risk of fraud.”
Data is seen as the new oil and businesses have been on the spot for mass-mining everyday data from Kenyans for profit.
Companies doing business in the country have been racing to review their data privacy policies to avoid paying a fine of up to one per cent of their annual turnover.