[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019

Ciiru K lizwanjiru at gmail.com
Thu Apr 7 17:08:27 EAT 2022


Dear listers,

I am equally concerned by the overreach in this matter.
For people who are outside Kenya, the list of requirements is obnoxious.
Below are the requirements.
 - Mobile number
- Passport page containing your bio details.
- Passport page containing your visa.
- Passport page containing the exit stamp from Kenya (full page including
the dotted passport number)
- Passport page containing the entry stamp in your current country of
residence(full page including the dotted passport number)
- Scanned copy of ID(both sides)

Why do they need all this information? Who will have access to it?

Yours truly gobsmacked.
Liz

On Thu, Mar 17, 2022, 02:06 James Mbugua via KICTANet <
kictanet at lists.kictanet.or.ke> wrote:

> Listers,
>
> I am not sure if I am being paranoid but the SIM card re-registration
> order ostensibly by CA (Communications Authority) and which has mobile
> operators asking us to te-register our SIM cards by April or risk being
> deregistered, seems like regulatory overreach.
>
> CA says under the SIM Registrations regulations of 2015, MNOs are required
> to update their registers with details including ID documents and photo
> IDs. The reason given, ostensibly, is that many had their SIM details
> registered before that law came into place.
>
> Speaking of laws coming into operation, the Data Protection Act, itself
> came into effect in 2019. Significantly long after the said regulations.
>
> In seeking to protect privacy and personal data, the DPA  requires Data
> Minimisation where personal data collected should be:
>
> "adequate, relevant and limited to what is necessary in relation to the
> purposes for which they are processed (‘data minimisation’);" Sec. 25(d)
> DPA, 2019
>
> This means that data that the controller does not really need to achieve a
> specific purpose, should not be collected.
>
> Biometric information such as Passport Photos that the Operators will take
> and store,for example, are in my opinion, surplus to requirements.
>
> The identification of the subscriber can be done without collection of
> intrusive biometric data for example by using national IDs. CA explicitly
> asks that the operators verify details with the Integrated Personnel
> Registry System. so collection of biometric data to me is disproportionate
> and cannot meet the threshold of lawful basis.
>
> Being the later law, and by the Huduma Number case precedent, the data
> minimisation provisions of the DPA, 2019 in my opinion hold primacy and in
> fact impliedly, repeal or render unlawful, the requirements for photo
> taking for SIM registration in the 2015 regulations.
>
> 2. Data Protection Impact Assessment.
>
> Another question I would have for the CA, the Data Commissioner and mobile
> operators, is if, as per the precedent sent by Justice Ngaah in the Katiba
> Institute v. MoICT & others regarding the need for the conduct of a Data
> Processing Impact Assessment, has been carried out in this instance when CA
> proposes to have collected the data of more than 30 million subscribers
> including biometric data.
>
> I think this is a plain case of flouting judicial guidance viz a viz when
> DPIAs should be carried out and CA should have had this carried out first
> before issuing the said directive.
>
> Regards,
>
> James G. Mbugua
> Data Privacy Consultant & Tech Policy Blogger
> @jgmbugua <jgmbugua at gmail.com>
>
>
>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/lizwanjiru%40gmail.com
>
>
> KICTANet is a multi-stakeholder Think Tank for people and institutions
> interested and involved in ICT policy and regulation. KICTANet is a
> catalyst for reform in the Information and Communication Technology sector.
> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
> Research, and Stakeholder Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT policy
> engagement platform.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20220408/2b2fcac2/attachment.htm>


More information about the KICTANet mailing list