
Sign Here, Lose Your Privacy: Rethinking Visitor Logbooks under Kenya’s Data Protection Act

Authored By: RENEE TIKOLO


Abstract 

Imagine you walk into an office block in Nairobi’s central business district: at security you are asked to sign your name, phone number, ID number, and reason for your visit in a visitor’s book. Such a routine gesture may seem harmless – yet evidence suggests that this personal information, once captured on paper, is often exposed to misuse. 

Reports from Kenyan schools, residential buildings and commercial premises show that physical visitor logs have been stolen, copied, or used by fraudsters who contact people for extortion, impersonation, or monetary demands. This article asks: Do current visitor-registration practices in Kenyan office buildings align with the requirements of the Data Protection Act (2019), and how can misuse of visitor data be mitigated? 

Through legal and policy analysis, comparison with GDPR rights (such as access and erasure), and documented misuse cases, I argue that many visitor book practices violate core legal principles – notice, consent, minimisation, security, and retention – and pose real risks of identity misuse and fraud. The article ends with concrete, low-cost recommendations (policy adjustments, signage, shorter retention periods, secure storage) to reduce risk and ensure compliance in everyday settings.

Introduction 

Picture this: you’re hurrying to an appointment in Nairobi’s bustling central business district. At the entrance of a gleaming office block, a security guard directs you to a desk and asks you to record your name, phone number, national ID number, the office you are visiting, and the time of entry in a thick, black visitor’s book. Sometimes you are even asked to leave your ID card at the gate. To most Kenyans, this ritual is routine, part of the price of accessing secure buildings. But beneath its ordinary appearance lies a troubling question: what happens to the data once it has been collected? 

This question is not merely theoretical. Over the past few years, reports in the press and on social media have revealed how visitor books and similar records are exploited. In Elgeyo-Marakwet county (in the Rift Valley region of Kenya), for example, a stolen school visitor book was used by fraudsters to contact parents and demand money, posing as school officials.1 In Nairobi, the Office of the Data Protection Commissioner (ODPC) has raised concerns over landlords, supermarkets, and office buildings that collect excessive personal details, often without informing visitors how the information will be stored or for how long.2 Fraud victims have discovered that their details – sometimes including phone numbers and ID copies – were misused to obtain mobile loans or commit impersonation in fraudulent transactions.

Kenya’s Data Protection Act, 2019 (DPA) was enacted to safeguard exactly this type of information, setting clear duties for data controllers and processors, and conferring rights on data subjects.3 Yet, visitor-book practices across the country often fail to meet the Act’s basic requirements: providing notice, collecting only what is necessary, securing the information from unauthorised access, and limiting how long it is retained. The situation is not unique to Kenya. Under the General Data Protection Regulation (GDPR) in the European Union, data subjects are given explicit rights of access and erasure that, if applied locally, would expose the weaknesses in current Kenyan practices even more starkly. 

This article therefore asks: Are manual visitor-registration practices in Kenyan office buildings compliant with the Data Protection Act, 2019, and what risks arise from their misuse? By examining the DPA alongside the GDPR, analysing documented misuse cases, and highlighting the compliance gaps, I argue that routine visitor-book practices are both legally inadequate and socially dangerous. Yet the problem is not insurmountable. Through modest changes in policy, staff training, signage, and data-retention practices, organisations can significantly reduce risks of misuse while still meeting legitimate security needs. 

1. Legal Framework on Data Protection

1.1 Constitutional Foundation 

The starting point for data protection in Kenya is the Constitution of Kenya, 2010. Article 31 guarantees every person the right to privacy, including protection from unnecessary searches, seizures, or disclosure of private affairs, as well as protection of the privacy of communications.4 This provision reflects the recognition of privacy as a fundamental human right and provides the constitutional foundation upon which the Data Protection Act, 2019, is built. Importantly, the constitutional framing signals that privacy is not merely a policy concern, but a matter of constitutional enforcement, placing duties on both state and private actors. 

1.2 Principles of Data Protection 

The Data Protection Act, 2019 (DPA) operationalizes Article 31 and provides detailed rules for the collection, storage, and processing of personal data. At the heart of the Act are the principles of data protection outlined in Section 25, which closely mirror international best practices.5 

First, all processing of personal data must be lawful, fair, and transparent. This means organizations must not only comply with legal requirements but also ensure that data subjects are clearly informed about how their data will be collected and used.6 

Second, the principle of purpose limitation requires that personal data be collected only for explicit, specified, and legitimate purposes.7 For instance, if an office building collects visitors’ identification details for security verification, that data cannot later be repurposed for marketing or shared with third parties without justification. 

Third, the principle of data minimization limits data collection to only what is necessary.8 The routine practice of asking visitors to write their full names, ID numbers, phone numbers, and reasons for visits in a physical logbook arguably raises questions under this principle, as it is unclear whether all of this information is necessary to achieve the purpose of security. 

Further principles include accuracy (ensuring data is up-to-date and corrected when erroneous),9 storage limitation (prohibiting retention beyond necessity),10 and integrity and confidentiality (requiring organizations to secure data from unauthorized access or misuse).11 Taken together, these principles form the backbone of Kenya’s data protection regime and provide benchmarks for evaluating whether common practices, such as manual visitor logbooks, comply with the law. 

1.3 Rights of Data Subjects 

Complementing these principles are the rights of individuals whose personal data is collected. The Act affirms that every data subject has the right to be informed about the use of their personal data, to access their data, to object to its processing, to request correction of false or misleading information, and to request deletion of data that is false, misleading, or unlawfully held.12 

These rights embody the idea of informational self-determination – that individuals should remain in control of their personal information. In practice, this means that if a person’s details are collected in a visitor logbook, they should have a right to know who will access that book, how long their details will be kept, and for what precise purposes they are retained. 

1.4 Consent and Lawful Processing 

The Act further places particular emphasis on consent as a lawful basis for processing data. It states that consent must be free, specific, informed, and unequivocal. Data subjects must also be given the ability to withdraw consent at any time, and the burden rests on data controllers to prove that consent was validly obtained.13 

Beyond consent, the Act recognizes other lawful bases for processing, including where processing is necessary to fulfill a contract, comply with a legal obligation, protect vital interests (such as during a medical emergency), perform a task in the public interest, or pursue legitimate interests that do not override the rights of the data subject.14 However, where consent is the basis, it cannot be coerced – for instance, requiring visitors to provide unnecessary personal information as a condition for entering a building may not meet the threshold of valid consent.

1.5 Enforcement and Oversight 

The enforcement of these provisions is entrusted to the Office of the Data Protection Commissioner (ODPC), established under the DPA. The ODPC is empowered to register data controllers and processors, monitor compliance, investigate complaints, and issue administrative penalties.15 This institutional oversight is critical, as it ensures that both public and private entities remain accountable for their handling of personal data. Without such enforcement, the strong rights and principles in the law would risk being merely aspirational. 

1.6 Comparative lens: the GDPR (EU) 

The European Union’s General Data Protection Regulation (GDPR) has become the touchstone of modern privacy law and provides a helpful benchmark for evaluating Kenya’s Data Protection Act. The GDPR systematised a set of clear subject rights and controller obligations that emphasise transparency, individual control, and strong supervisory powers, ideas that informed the drafting of many national laws, including Kenya’s DPA.

One of the most practically important provisions for ordinary people is the right of access by the data subject.16 A data subject can obtain confirmation whether their personal data is being processed and – where it is – has a right to a copy of those data together with details about the processing purposes, categories of data, recipients (or categories of recipients), expected storage period or the criteria for determining retention, and information about the right to lodge a complaint with a supervisory authority.17 This right matters in a visitor-book context because it gives any person recorded in a log the legal basis to ask a building or security firm: “Do you have my details? What did you collect? Who has seen it?” – questions that help reveal whether a controller met the DPA’s transparency and notice obligations. 

Closely related is the right to erasure, often called the “right to be forgotten.” This allows a data subject to require a controller to erase personal data without undue delay where the data are no longer necessary for the purposes for which they were collected, where consent is withdrawn and there is no other lawful ground for processing, or where the data have been unlawfully processed.18 The right is not absolute and contains exceptions (for example, where processing is necessary for compliance with a legal obligation or for public-interest archiving), but it creates a powerful corrective tool that compels controllers to remove stale or unnecessary records on request.19 In situations where visitor logs are kept indefinitely or are routinely accessible, an effective erasure right would mean a visitor could insist their entry be deleted once security purposes are served.

Beyond Articles 15 and 17, the GDPR makes explicit other rights and requirements – transparency about processing, the right to rectification, restriction of processing, portability, and robust rules on lawful bases for processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests).20 The GDPR also requires accountability on the part of controllers (documenting lawful bases, carrying out data-protection impact assessments where appropriate, and building privacy by design into systems).21 These features make the GDPR a useful comparator: where Kenya’s DPA mirrors these rights and principles, it establishes similar expectations for controllers; where Kenya’s regime is less detailed (for example, on portability or automated-decision safeguards), the GDPR still serves as a practical benchmark for best practice.

Finally, enforcement under the GDPR is notable for its scale and teeth (e.g., supervisory authorities being able to issue substantial fines and coordinate cross-border enforcement) which increases incentives for compliance in practice. Kenya’s ODPC occupies an analogous role domestically, but differences in institutional maturity and enforcement resources can affect how quickly theoretical rights translate into practical protections on the ground. For this reason, the GDPR is best read as a standard-setting instrument: its rights and remedies illustrate what “strong” data protection looks like, and they help identify where local practices (such as visitor-book regimes) fall short. 

2. Visitor-Book Practices in Kenya

Everyday visitor-management practices – pen, book, sign – sit at the intersection of two competing goals: security and access control on one hand, and protection of personal data on the other. In many Kenyan buildings, however, the practical arrangements for meeting those goals raise both legal and operational questions. Recent reporting and regulatory alerts show that the risk is not hypothetical: physical visitor records have been stolen or otherwise misused, and regulators have started to push back. 

A spot-check of Nairobi buildings by a national newspaper found that reception desks and building gates commonly keep handwritten visitor books that capture multiple identifiers – the visitor’s name, phone number, national ID number, vehicle registration and the person or company they are visiting.22 In some cases, reception staff even request to hold the visitor’s ID card at the gate. These practices are widespread across office blocks, supermarkets, residential estates and even schools, testifying to how routine the visitor-book ritual has become.23 Yet, despite their ordinariness, such books raise serious questions under the Data Protection Act (DPA) and the GDPR standards it draws from.

For instance, individuals are rarely informed about the purpose of this data collection, how long their details will be kept, or whether they can refuse to provide certain information. This gap undermines the right to be informed,24 which requires clear notice at the point of collection. Visitors who sign often have no realistic option to refuse; access to the premises is made conditional on compliance, undermining the principle of freely given consent and calling into question the lawful basis of processing.25 

The type and volume of data collected also sit uneasily with the principle of data minimisation.26 Recording full ID numbers, physical addresses and phone contacts, when name and purpose of visit would suffice for security, appears disproportionate. The requirement to surrender ID cards at entry compounds this concern, as the copying or retention of identifiers carries heightened risks of fraud and impersonation. 

These risks are not theoretical. As shared in the introduction, in Elgeyo-Marakwet county, a school visitor’s book was stolen and later exploited by criminals to impersonate school officials and defraud parents.27 Similar incidents – including theft of school records used to solicit payments or commit identity fraud – have been reported across different counties,28 underscoring how physical records are attractive to fraudsters. Such breaches highlight a failure of the security safeguards obligation in both the DPA,29 and the GDPR,30 which require controllers to protect personal data against loss, theft, and unauthorised access. 

Once collected, visitor data is usually left in open registers at reception desks, accessible to any passerby who may casually browse names and numbers. This undermines the right of access and rectification as provided for in both the DPA,31 and the GDPR:32 visitors have no mechanism to later see, verify, or correct what has been recorded about them. Similarly, because registers are rarely destroyed and often pile up indefinitely in offices or guard rooms, the right to erase (i.e., the right to be forgotten)33 is effectively impossible to exercise. Moreover, the absence of retention limits also contravenes the storage limitation principle.34

Finally, the way visitor books are managed reflects a lack of organisational responsibility. Most buildings have no designated policy for how long visitor data is retained, how it is safeguarded, or who is accountable for misuse. This runs counter to the accountability principle,35 which requires organisations not only to comply with data protection standards but also to demonstrate that compliance.

Taken together, these practices illustrate a systemic misalignment between everyday reality and the rights-based framework enshrined in Kenya’s Data Protection Act and mirrored in the GDPR. From the moment of collection to the point of disposal, visitor logbooks undermine notice, consent, minimisation, access, erasure, security, retention, and accountability. The next section will draw out these gaps in sharper relief and propose practical reforms to bring routine visitor management into compliance with both Kenyan and global data-protection norms. 

3. Recommendations

Reforming visitor-management practices in Kenya requires simple but deliberate changes. Buildings should begin by providing clear privacy notices at entry points, setting out the purpose of data collection, the lawful basis relied upon, and the period of retention. This would give effect to the right to be informed under section 29 of the DPA. Equally important is the principle of minimisation – recording a visitor’s name, purpose of visit and time of entry may be proportionate, but the routine demand for ID numbers or phone contacts is excessive and exposes individuals to unnecessary risks. 

Security and retention safeguards must also improve. Open logbooks accessible to all passers-by are inconsistent with the Act’s confidentiality and security obligations – controlled registers or digital systems that restrict visibility to authorised staff would reduce this exposure. In addition, visitor records should not be stored indefinitely, and data controllers must create clear policies for timely disposal, as contemplated under section 39, which would align practice with the law and reduce the risk of misuse.

4. Conclusion

The visitor book may appear a harmless administrative tool, yet in its current form it undermines core rights guaranteed under Kenya’s Data Protection Act and fails to meet international benchmarks such as the GDPR. The solution is not to abandon visitor management altogether, but to recalibrate it: collect less, secure better, and respect the rights of data subjects. Such reforms would not only bring practice into compliance with the law but also build public trust in the very institutions meant to provide safety and security.

Bibliography 

Statutes and Statutory Instruments 

Data Protection Act of Kenya 2019. 

EU Legislation 

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1. 

Website and Blogs 

Brian Ngugi, ‘Retailers and City landlords in the crosshairs of data watchdog’ (The Standard Newspaper, 2022) <https://www.standardmedia.co.ke/business/business/article/2001465993/retailers-and-city-landlords-in-the-crosshairs-of-data-watchdog?utm_source=chatgpt.com> accessed 21 September 2025.

Fred Kibor, ‘Police alarmed by thieves stealing visitors book in schools’ (Nation Africa, 28 June 2022) <https://nation.africa/kenya/counties/elgeyo-marakwet/police-alarmed-by-thieves-stealing-visitors-book-in-schools-3862342?utm_source=chatgpt.com> accessed 21 September 2025.

1 Fred Kibor, ‘Police alarmed by thieves stealing visitors book in schools’ (Nation Africa, 28 June 2022) <https://nation.africa/kenya/counties/elgeyo-marakwet/police-alarmed-by-thieves-stealing-visitors-book-in-schools-3862342?utm_source=chatgpt.com> accessed 21 September 2025.

2 Brian Ngugi, ‘Retailers and City landlords in the crosshairs of data watchdog’ (The Standard Newspaper, 2022) <https://www.standardmedia.co.ke/business/business/article/2001465993/retailers-and-city-landlords-in-the-crosshairs-of-data-watchdog?utm_source=chatgpt.com> accessed 21 September 2025.

3 Data Protection Act of Kenya 2019. 

4 Constitution of Kenya 2010, art 31.

5 Data Protection Act 2019, s 25. 

6 Data Protection Act 2019, s 25(b). 

7 Data Protection Act 2019, s 25(c). 

8 Data Protection Act 2019, s 25(d). 

9 Data Protection Act 2019, s 25(f).

10 Data Protection Act 2019, s 39. 

11 Data Protection Act 2019, s 41(1). 

12 Data Protection Act 2019, s 26 (a)-(e). 

13 Data Protection Act 2019, s 21 (1)-(4). 

14 Data Protection Act 2019, s 30 (1) & (2).

15 Data Protection Act 2019, s 8 & 9.

16 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, art.15. 

17 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art.15. 

18 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art.17.

19 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art.17 (2).

20 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art.16, 18, 20.

21 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art.17 (2). 

22 Brian Ngugi, ‘Retailers and City landlords in the crosshairs of data watchdog’ (The Standard Newspaper, 2022) <https://www.standardmedia.co.ke/business/business/article/2001465993/retailers-and-city-landlords-in-the-crosshairs-of-data-watchdog?utm_source=chatgpt.com> accessed 22 September 2025.

23 Brian Ngugi, ‘Retailers and City landlords in the crosshairs of data watchdog’ (The Standard Newspaper, 2022) <https://www.standardmedia.co.ke/business/business/article/2001465993/retailers-and-city-landlords-in-the-crosshairs-of-data-watchdog?utm_source=chatgpt.com> accessed 22 September 2025.

24 Data Protection Act 2019, s 29; Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art.12 & 13. 

25 Data Protection Act 2019, s 23 & 36; Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art. 7 & 21.

26 Data Protection Act 2019, s 25(c); Data Protection Act 2019, s 23 & 36; Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art. 5(1)(c). 

27 Fred Kibor, ‘Police alarmed by thieves stealing visitors book in schools’ (Nation Africa, 28 June 2022) <https://nation.africa/kenya/counties/elgeyo-marakwet/police-alarmed-by-thieves-stealing-visitors-book-in-schools-3862342?utm_source=chatgpt.com> accessed 22 September 2025.

28 Fred Kibor, ‘Police alarmed by thieves stealing visitors book in schools’ (Nation Africa, 28 June 2022) <https://nation.africa/kenya/counties/elgeyo-marakwet/police-alarmed-by-thieves-stealing-visitors-book-in-schools-3862342?utm_source=chatgpt.com> accessed 22 September 2025.

29 Data Protection Act 2019, s 25(c). 

30 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art. 32.

31 Data Protection Act 2019, s 26(1)(b)-(c). 

32 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art. 15 & 16. 

33 Data Protection Act 2019, s 26(1)(d); Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art. 17.

34 Data Protection Act 2019, s 39; Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art. 5(1)(e). 

35 Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L119/1, art. 5(2). 
