In Kenya’s fast-growing digital economy, personal data has become the invisible currency of everyday life. Every phone call, mobile money transaction, or social media interaction generates a trail of personal information much of it stored, shared, and repurposed by individuals, companies and institutions. This explosion of data collection has brought convenience, but it has also introduced new vulnerabilities that directly threaten individual safety, dignity, and privacy. The question we must now confront is simple yet profound: what data is enough?
The principle of data minimisation requires collection and sharing only of the personal information necessary for a specific, lawful, and clearly defined purpose is one of the most fundamental safeguards in data protection law. Yet, it remains one of the least observed in practice across Kenya. From online registration forms that demand unnecessary details to financial platforms that reveal personal identifiers in every transaction, the culture of over-collection and over-sharing has become deeply ingrained. The consequences are no longer theoretical. They are tangible, personal, and dangerous.
The failure to apply data minimisation has exposed Kenyans, especially women and vulnerable groups, to heightened safety risks. Gender-based violence is increasingly facilitated by the misuse or careless handling of personal data. Perpetrators have exploited leaked contact details, photographs, and addresses to stalk or harass victims. Similarly, the practice of “doxing” or “kusalimia”, publishing someone’s private information online has become a weapon of intimidation. A phone number displayed on a business page or a leaked transaction receipt can quickly spiral into harassment or extortion. Moreover, the flood of unsolicited advertising messages that many Kenyans receive daily is a by-product of unrestrained data collection, where contact lists (whether electronic or the ever-present jotter at security gates) are illegally accessed, bought and sold by unscrupulous data handlers with little accountability. These examples show that excessive data collection is not merely a technical or regulatory issue, it is a human safety concern.
Every text message, call, or mobile money transfer generates metadata location, time, duration, device type that can easily be repurposed for surveillance or profiling if not tightly controlled. Content Service Providers, Internet Service Providers, and generally all data handlers must ensure that they collect only what is strictly required for service delivery, billing, and fraud detection. They should avoid using subscriber data for unrelated commercial purposes, especially targeted advertising, without explicit consent.
While some banks and fintech firms mask credit card numbers, account and other details not considered necessary in verifying a transaction, mobile money service providers have not adequately observed the principle of data minimisation. Both the providers and the relevant regulators need to give greater attention to ensuring that only the data necessary for service delivery is collected and processed.
In most cases, what truly matters in confirming a financial transaction is the transaction code, not the names, phone numbers, or email addresses of the parties involved. Minimisation in the financial sector would mean that these personal identifiers are either masked or tokenised whenever possible. The goal should be to preserve the utility and traceability of transactions while reducing the exposure of personally identifiable information that could be exploited for fraud or identity theft.
The responsibility for promoting and enforcing data minimisation does not rest on companies alone. Kenya already has a capable ecosystem of regulatory institutions that, if well coordinated, can embed minimisation as a national standard of practice. The Office of the Data Protection Commissioner (ODPC) is the guardian of privacy under the Data Protection Act. It must continue to emphasise the principle of data minimisation which requires data handlers to collect only data that is “adequate, relevant and limited to what is necessary.” ODPC can go further by issuing practical guidance for specific sectors clarifying, for instance, what “necessary” means in mobile money transactions, telecom registration or digital lending.
The Communications Authority of Kenya, as the regulator of the telecommunications sector, plays an equally important role. It can strengthen licensing conditions to ensure that mobile operators and internet service providers adopt data minimisation as part of their compliance frameworks. Meanwhile, the Central Bank of Kenya (CBK) responsible for regulating banks, digital lenders, and payment service providers can promote privacy-preserving financial systems. CBK can encourage the use of pseudonymisation and tokenisation so that sensitive identifiers such as a payer’s name are replaced by transaction references in digital payment systems.
While institutional and regulatory reforms are crucial, the role of the individual the data subject cannot be understated. The law gives every Kenyan the right of access, correction, and objection to the processing of their personal data. Individuals can take control by questioning why certain data is being requested before providing it, refusing to share information that seems excessive, and deleting accounts that are no longer in use. They can also be more discerning about which digital platforms they engage with, prioritising those that ask for less data or demonstrate transparent privacy practices.
In financial transactions, individuals should also be aware of what truly matters for validation. The transaction code, a unique identifier confirming completion is what carries legal and operational significance. Sharing one’s name, phone number, or email address with every transaction only multiplies exposure to risk. Systems that rely on coded references, rather than direct identifiers, should be the preferred standard. This approach not only protects privacy but also builds trust in digital financial systems.
The belief that collecting more data automatically leads to better service is a misconception that has outlived its usefulness. The accumulation of unnecessary personal information creates more liabilities from regulatory penalties to reputational damage following a data breach. The real value of data lies not in its quantity but in its relevance, quality, and security. Organisations must therefore adopt a disciplined, purpose-driven approach to data handling: clearly defining why they collect information, applying a necessity test before each collection, limiting retention to only what is required, restricting access to authorised personnel and sharing what is necessary and lawful.
Ultimately, data minimisation is a matter of collective responsibility. Regulators must strengthen oversight and harmonise enforcement; companies must embed privacy by design in their systems; and citizens must reclaim agency over their data. In doing so, Kenya can move towards a safer, more trustworthy digital future.