I&M Bank House, 5th Floor, 2nd Ngong Avenue, Upper Hill, Nairobi, Kenya

Five critical issues that users of CCTV cameras must consider in the wake of the data protection act


Closed-circuit television (CCTV) is a video surveillance technology that is used to monitor public and private spaces. The use of CCTV has become increasingly prevalent in recent years, with many businesses and governments using the technology to improve security and prevent crime. However, the use of CCTV is also controversial, with concerns about privacy and data protection.

With the new Data Protection Act (DPA), 2019 coming into effect in Kenya to regulates the collection, use, and storage of personal data, we highlight five regulatory compliance and good practice measures that a user of CCTV cameras should be minded of, in the current dispensation.

  1. The scope of application

The DPA is designed to protect individuals from the misuse of their personal data and ensure that their privacy rights are respected. Under the DPA, personal data is defined as any information that can be used to identify an individual. This includes images captured by CCTV cameras.

Both public and private organizations use CCTV cameras as well as individuals in domestic settings for security, monitoring, or other reasons. The use of CCTV cameras for purely personal or household activities is exempted from the application of the Act. Arguably, individuals that have CCTV cameras installed in their homes that capture information from public areas, or neighbouring premises might not be exempt from the Act’s application.

Organizations that use CCTV cameras on the other hand must ensure that they comply with the DPA’s requirements for the processing of personal data.

  1. Registration of CCTV users.

The distinction is made between a data controller and a data processor . A data controller is the person that authorizes and controls the processing of personal data, while a data processor acts on behalf of the data controller.

A person that installs CCTV cameras for surveillance or any other purpose will be considered a data controller.

Organizations with an annual turnover or annual revenue of 5 million and above or more than 10 employees, that use CCTV cameras, are required to register as either data controllers or data processors.

However, where CCTV cameras are used for the purpose of crime prevention and prosecution of offenders, the Data Protection (registration of data controllers and data processors) Regulations,2021, require the mandatory registration of the users, whether or not the organization meets the minimum annual turnover/revenue turnover or employee requirements set.

  1. Application of the data Protection principles

Section 25 of the DPA, highlights the principles of data protection. Organizations and individuals that use CCTV must ensure that they comply with the principles of  data protection as outlined in the Act.

These include the principles of transparency, fairness, and lawfulness. Meaning, organizations must be clear about why they are using CCTV, and they must provide individuals with information about how their personal data will be processed. They must also ensure that they have appropriate security measures in place to protect the personal data that they collect and handle.

One of the key requirements of the DPA is that organizations and individuals must have a valid reason for using CCTV cameras in line with the principle that personal data should be collected for explicit, specified and legitimate purposes.This means that they must be able to demonstrate that the use of CCTV is necessary for a specific and legitimate purpose, such as improving security or preventing crime.   The CCTV cameras shall only be used for the purpose justifying the use and no more.

The use of CCTV must be proportionate to the risk that it is intended to address, and the benefits of using CCTV must outweigh any potential negative impact on individuals’ privacy.

Users of CCTV cameras must ensure that they have proper policies that guide the erasure of the footage collected, in line with the principle that, data shall not be kept for much longer than required and that for any reason footage is transferred to another country, ensure that proper safeguards are employed prior to the transfer.

  1. Rights of Data Subjects

The DPA also gives individuals certain rights in relation to their personal data. This includes the right to be informed that their personal data is being processed, the right to access the personal data that an organization holds about them, the right to have inaccurate data corrected, and the right to object to the processing of their personal data in certain circumstances.

These rights may require users of CCTV cameras to display clearly to individuals that access area under surveillance are being recorded. Organizations and individuals that use CCTV must also be prepared to respond to requests from people who want to exercise these rights.

  1. Consequences for Non-Compliance

The DPA prescribes that a Data Commissioner can impose a maximum penalty of up to 5 million shillings or in the case of an undertaking, one percent of the previous year’s annual turnover, in case of infringement of express provisions of the Act. The infringement includes failure to register as either data controller or data processor (where registration is required), failure to regard the principles of data protection and rights of data subjects as provided by the Act.

Also there are certain offences that are created by the Act, specifically the offence of unlawful discloser of personal data by data controllers or data processors, which the Act prescribes a fine not exceeding 3 million shillings or an imprisonment term not exceeding 10 years or both, upon conviction.


In conclusion, the use of CCTV is subject to the Data Protection Act, and organizations that use CCTV must comply with the law. This means that they must have a valid reason for using CCTV, ensure that they comply with the principles of the DPA, and be prepared to respond to requests from individuals who want to exercise their rights in relation to their personal data. The use of CCTV can be an effective way to improve security and prevent crime, but it must be used in a way that respects individuals’ privacy rights.

How can we help you

Do you need help with CCTV use compliance? Barizi Data Privacy Services is a trusted, data protection service provider that allows you to outsource a range of much needed data protection and related services to ensure that your organization complies with the Data Protection Laws and Regulations, from across the globe.

Reach out to us