Every day across Kenya, millions of citizens hand over pieces of their identity in the name of security. Walk into a government office in Nairobi, a mall in Nakuru, a hospital in Kisumu, or even a private residential estate in Eldoret, and you will be asked for your full name, phone number, ID number, and reason for the visit. Often scribbled into a tattered visitor book next to yesterday’s log of a hundred strangers.

We have normalised it. We do not ask questions. But it’s time we did.

When did it become okay for any building with a security desk to demand sensitive personal data without explaining how they are storing or protecting it? When did we decide that entering a space meant signing away our privacy?

A 2023 Kenyatta National Hospital incident highlighted serious patient record mishandling, prompting a nationwide discussion on data privacy, consent, and ethical conduct in public institutions. While health data is more sensitive than a name at the gate, the principle remains: data, once given, must be handled with the care it deserves.

Even more troubling is the informal nature of most data collection. In older commercial buildings in Nairobi’s central business district, handwritten logs are frequently visible and often left unattended. In certain situations, guards would request that visitors leave their IDs at the gate, a flagrant violation of the Data Protection Act (2019), which requires that personal data be acquired only with consent, stored securely, and used for a clearly stated reason.

Most Kenyans are unaware that they have the right to refuse consent concerning their personal information. Even those who know about their rights often hesitate to criticise the system. The Data Protection Act marked a significant advancement by granting individuals legal authority over their data and establishing the Office of the Data Protection Commissioner to enforce these rights. The implementation of this Act is still inadequate, especially in everyday situations that may seem low-risk but are widespread and poorly regulated.

The irony is that in our quest for security, we are creating a surveillance culture without the technology or governance to manage it. So how do we fix it?

First, we need to reframe the idea of “security”. Proper security does not come from collecting more data, it comes from collecting the correct data correctly. Instead of requesting ID numbers and phone contacts for every visitor, security desks can request minimal, non-sensitive details, e.g. name and purpose of visit. No permanent storage. No risk of misuse.

We can innovate by digitising and automating visitor logging with built-in expiry mechanisms. A mobile-based visitor system, using QR codes or digital tokens, could verify a person’s access with no need to store their data long-term. Given the success of such systems in parking payments and delivery tracking, their application to critical data protection is feasible.

Educating security guards and facility managers can also help. They are not just frontline enforcers of physical safety; they are, whether they know it or not, data handlers. A guard who demands an ID is handling a citizen’s assets should be trained to treat it with the same care a banker treats your PIN.

We need to make data collection visible and understandable. Just as we have signs warning that CCTV cameras are watching, every building, office, or gate collecting personal information should display a clear privacy notice. These notices must tell people what and why information is being collected.

An informal data gathering network affects everyone, including landlords, company owners, and school principals who deal with sensitive information regularly. The law applies in these scenarios. Ordinary Kenyans have the right to learn about data collection methods, request alternatives, and seek protection for their personal information. Kenya’s future should be based on trust, protecting the safety, dignity, and security of information while maintaining personal integrity. It is time to demand responsibility and respect for data privacy.

— The writer is an Innovations Evangelist and a PhD Candidate; machariamuhoho@gmail.com