The Office of the Data Protection Commissioner (ODPC) has raised concerns over what it described as excessive and unlawful collection of personal data by private security firms.
The regulator warned that routine practices at security desks, such as asking for phone numbers, home addresses, and marital status, pose serious privacy risks.
In a draft guidance note issued on Friday, December 19, 2025, the ODPC clarified that only basic information—name, identification number, and time of entry—is legally permissible for building access under the Data Protection Act, 2019. Any additional data collected without lawful justification should be deleted immediately.
The warning comes amid increasing cyber incidents in the country. In 2024 and 2025, Kenya witnessed significant data breaches, including:
A breach at a popular health app exposing records of 4.8 million users (October 2025)
A leak of private details for over two million firms at the Business Registration Service (February 2025)
Coordinated cyber attacks that temporarily disabled multiple government websites (November 2025)
The ODPC emphasized that individuals have the right to access CCTV footage or visitor logs where they appear. The draft guidelines also cautioned against misuse of data for unsolicited marketing or public sharing, which violates the principle of purpose limitation.