I entered a modern building in Westlands that was full of security protocols, and one of the requirements to enter the building was that your biometrics were registered and a photo was taken of you. It did not offer an opt-out system of instead leaving your identification card, as most places would do. Biometric data falls under what is defined as personal data under the Data Protection Act. Biometrics have slowly become a common method used by financial institutions to process data, mainly because they are viewed as the future of security.
The biometrics are stored in the form of a code, which ultimately enhances the protection of the data. Needless to say, a breach of biometric data poses great risks that are not easily reversible. This is because data that identifies an individual can never be changed, and thus the consequences of a breach of this data should not be taken lightly.
Section 44 of the Data Protection Act provides restrictions on when sensitive personal data may be processed. The data subject thus ought to give his prior, free, informed and unequivocal consent to the collection and processing of such data. Consent alone is thus not sufficient to justify the collection of the data. The data should also be stored only for the required duration. Biometric data should thus only be processed when it is necessary to do so.
Whether Kenyan entities pass the necessity and proportionality test is contentious and highly doubtful. I would think that it is not legally justifiable for my school library to require learners’ fingerprints to access the library. Entities that already collect biometric information should carry out a compliance check to find out whether it is necessary for them to have such systems. In conclusion, it is important to protect the right to privacy of data subjects, and thus the necessity and proportionality test must be fulfilled.