[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019
Mwendwa Kivuva
Kivuva at transworldafrica.com
Wed Mar 16 21:15:44 EAT 2022
Since SIM card data is used by a large section of the population for mobile
banking (Safaricom has 30 million mobile money customers) - and banking
regulations require a photo ID, should the regulation be harmonised for all
mobile money customers to provide their photo ID?
KICTANet had a Thought Leadership Forum with the ODPC, and the question of
DPIA came up. I can't remember the response. The recording of the forum is
available here https://youtu.be/Rmdvoc8Valo
On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <
kictanet at lists.kictanet.or.ke> wrote:
> Listers,
>
> I am not sure if I am being paranoid but the SIM card re-registration
> order ostensibly by CA (Communications Authority) and which has mobile
> operators asking us to te-register our SIM cards by April or risk being
> deregistered, seems like regulatory overreach.
>
> CA says under the SIM Registrations regulations of 2015, MNOs are required
> to update their registers with details including ID documents and photo
> IDs. The reason given, ostensibly, is that many had their SIM details
> registered before that law came into place.
>
> Speaking of laws coming into operation, the Data Protection Act, itself
> came into effect in 2019. Significantly long after the said regulations.
>
> In seeking to protect privacy and personal data, the DPA requires Data
> Minimisation where personal data collected should be:
>
> "adequate, relevant and limited to what is necessary in relation to the
> purposes for which they are processed (‘data minimisation’);" Sec. 25(d)
> DPA, 2019
>
> This means that data that the controller does not really need to achieve a
> specific purpose, should not be collected.
>
> Biometric information such as Passport Photos that the Operators will take
> and store,for example, are in my opinion, surplus to requirements.
>
> The identification of the subscriber can be done without collection of
> intrusive biometric data for example by using national IDs. CA explicitly
> asks that the operators verify details with the Integrated Personnel
> Registry System. so collection of biometric data to me is disproportionate
> and cannot meet the threshold of lawful basis.
>
> Being the later law, and by the Huduma Number case precedent, the data
> minimisation provisions of the DPA, 2019 in my opinion hold primacy and in
> fact impliedly, repeal or render unlawful, the requirements for photo
> taking for SIM registration in the 2015 regulations.
>
> 2. Data Protection Impact Assessment.
>
> Another question I would have for the CA, the Data Commissioner and mobile
> operators, is if, as per the precedent sent by Justice Ngaah in the Katiba
> Institute v. MoICT & others regarding the need for the conduct of a Data
> Processing Impact Assessment, has been carried out in this instance when CA
> proposes to have collected the data of more than 30 million subscribers
> including biometric data.
>
> I think this is a plain case of flouting judicial guidance viz a viz when
> DPIAs should be carried out and CA should have had this carried out first
> before issuing the said directive.
>
> Regards,
>
> James G. Mbugua
> Data Privacy Consultant & Tech Policy Blogger
> @jgmbugua <jgmbugua at gmail.com>
>
>
>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com
>
>
> KICTANet is a multi-stakeholder Think Tank for people and institutions
> interested and involved in ICT policy and regulation. KICTANet is a
> catalyst for reform in the Information and Communication Technology sector.
> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
> Research, and Stakeholder Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT policy
> engagement platform.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20220316/4763b17a/attachment.htm>
More information about the KICTANet
mailing list