Privacy Focus – Kenya Private Security Providers and Data Protection

Introduction:

The Private Security Regulatory Authority (PSRA) issued a mandatory directive on January 15, 2024, requiring private security providers for online accommodation, lodging, and hospitality platforms like Airbnb to record and temporarily hold identification documents of all individuals accessing the facilities. This immediate measure aims to deter the alarming rise in murder cases reported in residential and accommodation platforms.

Contents of the Directive:

Citing Section 48 of the Private Security Regulation Act, the directive empowers security officers to request identification, register entry/exit times, and temporarily retain ID documents. Private security guards must comply with the following under Section 48:

  • Request ID documents: From all individuals accessing premises under their care.
  • Record ID details: Accurately and promptly upon entry.
  • Log entry/exit times: For each individual.
  • Maintain a log: Recording vehicles, rickshaws, and motorcycles entering/departing the premises.
  • Ensure CCTV functionality: For proper operation and up-to-date recordings.
  • Display Access Control Policy: At entry/exit points.
  • Maintain an occurrence book: Of significant incidents related to resident/guest safety.

Identification documents must be:

  • Returned upon exit
  • Kept securely until return
  • Used solely for identification purposes

Data Protection Compliance Measures:

In this article, we highlight compliance measures private security companies must implement in the processing of personal data in line with the Data Protection Act. The measures include:

1. Training and Awareness

Private security service providers are encouraged to conduct regular training for their employees to create awareness and understanding of data protection policies and procedures. Furthermore, the companies are encouraged to share data protection manuals to make data protection principles easier to understand.

2. Data Protection Officers

Private security companies are advised to recruit or outsource data protection officers to guide on data protection compliance. This will ensure the companies remain compliant.


3. Retention Policies

Private security companies are advised to draft and publicize retention policies that stipulate retention durations of identification documents. Furthermore, the companies are encouraged to ensure that data retention policies provide realistic periods for pseudonymization and anonymization of data retained for an unlimited amount of time.


4. Identity Verification Tools

Private security companies are encouraged to incorporate verification tools to confirm the authenticity of the identity of customers before providing access to online accommodation, lodging and hospitality platforms such as Airbnb. This will solidify the security of residents and guests.


5. Privacy Notices

Private security companies are encouraged to embrace the inclusion of data protection policies or notices in the registration of persons and employment contracts of their security staff. Furthermore, the companies are advised to display conspicuously copies of privacy notices and security policies at points of entry and exit of premises under their care.


6. Mandatory Registration with ODPC

Private security companies are reminded of the mandatory requirement to register as data controllers or processors with the Office of the Data Protection Commissioner (ODPC). Furthermore, private security companies are advised to register with the Private Security Regulatory Authority to avoid attracting penalties for non-compliance. Operators of short-term rentals are advised to register with the Tourism Regulatory Authority in line with the Ministry of Interior directive.


7. Privacy by Design and Default

Private security companies are encouraged to embrace robust security measures to protect the confidentiality of sensitive personal data. The security measures include:

  • User authentication methods such as biometric identification, to verify and protect customer identity.
  • Shredding all confidential waste
  • Ensuring that CCTV and security cameras are in proper working condition.
  • Ensuring that CCTV recording of footage is up-to-date
  • Regular evaluation of security guards to ensure understanding of their responsibilities
  • Regular internal and external audits to assess the effectiveness of technical and organizational safeguards.

8. Swift Action on Data Breaches

Private security companies are advised to report personal data breaches to the ODPC immediately, within 72 hours. The report must outline the date and circumstances of the breach, the mitigating measures taken to control the breach, and the potential harm to affected individuals.


9. Access Control Policies

Private security companies are encouraged to incorporate robust security safeguards such as data encryption, security keys, two-factor authentication, video surveillance, and password requirements to ensure protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

In addition, security companies are encouraged to conduct periodic data security audits to identify potential vulnerabilities in their systems and processes and ensure the implementation of appropriate safeguards to mitigate risks.


10. Ticketing Systems

Private security companies are encouraged to incorporate online complaint mechanisms such as chatbots to make it easier for data subjects to lodge complaints. Further, the companies can consider incorporating an online ticketing system to address data subjects' requests and complaints.


11. Consent

Private security companies are encouraged to obtain consent before collecting or processing data of data subjects. Furthermore, the companies are advised to secure parental consent before collecting or processing data pertaining to minors. The companies can embed consent verification mechanisms such as signed consent forms, checking government-issued identification such as national IDs or passports or using electronic signatures.

Conclusion

The Private Security Industry in Kenya now faces a new landscape with the PSRA directive mandating ID collection and data handling procedures for online accommodation platforms like Airbnb. Failure to comply can lead to significant penalties, and the directive itself indicates a growing focus on data privacy and security in this sector.

Therefore, proactively embracing Data Protection Act compliance is not just about avoiding fines, but about demonstrating responsible data practices and gaining a competitive edge. By implementing the measures outlined in this document and seeking expert guidance, your security company can build trust with users, stakeholders, and regulators, positioning itself for success in the evolving regulatory environment.

Contact Us Today:

Tel: +254 115 191 744

E-Mail: [email protected]

Website: www.cybertembo.com
