[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019
Barrack Otieno
otieno.barrack at gmail.com
Thu Mar 17 10:14:37 EAT 2022
@kanini mutemi <kaninimutemi at gmail.com>
many thanks. Speaking as a layman, i provided all this details yet i had a
sim card deregistered, just wondering where my data went. Furthermore i
went to an MNO shop and i was asked to disregard the sms only for my line
to be deregistered (never mind it had airtime which was never refunded -
story for another day). I agree we seem to be mixing up too many issues or
should i say converging. It would be great to hear what CA has to say on
this matter.
Regards
On Wed, Mar 16, 2022 at 11:33 PM kanini mutemi via KICTANet <
kictanet at lists.kictanet.or.ke> wrote:
> @Mwendwa Kivuva <Lordmwesh at gmail.com> Let us not conflate issues. ALWAYS
> treat mobile banking (and banking in general) quite separate from other
> services offered by MNOs. A practical problem- @James Mbugua was right on
> data minimization (I would add necessity as well) disqualifying the current
> directive by CA. If you speak of harmonization of regulations, you can no
> longer rely on minimization and necessity because a need (banking) has been
> created. While all these things begin with a SIM Card registration, MPESA
> requires a further positive step of registration. At that point, we can
> safely speak of harmonization and requiring more information to
> prevent financial crimes etc. Different products, different markets.
>
> Are we sure CA is the source of the photos directive? (Kindly share the
> directive if you have access to it). The Regulations only allow this
> information to be collected during SIM Card registration-
>
> 5 (1) A person who intends to register a SIM-card shall provide the
> following particulars to the telecommunications operator or agent—
> (a)
>
> full names;
> (b)
>
> identity card, service card, passport or alien card number;
> (c)
>
> date of birth;
> (d)
>
> gender;
> (e)
>
> physical address;
> (f)
>
> postal address, where available;
> (g)
>
> any other registered subscriber number associated with the subscriber;
> (h)
>
> an original and a copy of the national identity card, service card,
> passport or alien card;
> (i)
>
> an original and a copy of the birth certificate, in respect of
> registration of minors;
> (j)
>
> subscriber number in respect to existing subscribers;
> (k)
>
> an original and true copy of the certificate of registration, where
> relevant;
> (l)
>
> a letter duly sealed by the chief executive officer or the person
> responsible for the day to day management of the statutory body.
>
>
> (while your ID would normally have a photo- it is vastly different from a
> digital photo which can become part of a biometric register).
>
>
> I cannot insist on this enough, a SIM Card registration is not the same
> thing as MPESA (or other mobile money platform registration). The
> requirements for SIM Card registration have to remain as basal as possible.
>
> On Wed, Mar 16, 2022 at 9:33 PM Mwendwa Kivuva via KICTANet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> Since SIM card data is used by a large section of the population for
>> mobile banking (Safaricom has 30 million mobile money customers) - and
>> banking regulations require a photo ID, should the regulation be harmonised
>> for all mobile money customers to provide their photo ID?
>>
>> KICTANet had a Thought Leadership Forum with the ODPC, and the question
>> of DPIA came up. I can't remember the response. The recording of the forum
>> is available here https://youtu.be/Rmdvoc8Valo
>>
>> On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> Listers,
>>>
>>> I am not sure if I am being paranoid but the SIM card re-registration
>>> order ostensibly by CA (Communications Authority) and which has mobile
>>> operators asking us to te-register our SIM cards by April or risk being
>>> deregistered, seems like regulatory overreach.
>>>
>>> CA says under the SIM Registrations regulations of 2015, MNOs are
>>> required to update their registers with details including ID documents and
>>> photo IDs. The reason given, ostensibly, is that many had their SIM details
>>> registered before that law came into place.
>>>
>>> Speaking of laws coming into operation, the Data Protection Act, itself
>>> came into effect in 2019. Significantly long after the said regulations.
>>>
>>> In seeking to protect privacy and personal data, the DPA requires Data
>>> Minimisation where personal data collected should be:
>>>
>>> "adequate, relevant and limited to what is necessary in relation to the
>>> purposes for which they are processed (‘data minimisation’);" Sec. 25(d)
>>> DPA, 2019
>>>
>>> This means that data that the controller does not really need to achieve
>>> a specific purpose, should not be collected.
>>>
>>> Biometric information such as Passport Photos that the Operators will
>>> take and store,for example, are in my opinion, surplus to requirements.
>>>
>>> The identification of the subscriber can be done without collection of
>>> intrusive biometric data for example by using national IDs. CA explicitly
>>> asks that the operators verify details with the Integrated Personnel
>>> Registry System. so collection of biometric data to me is disproportionate
>>> and cannot meet the threshold of lawful basis.
>>>
>>> Being the later law, and by the Huduma Number case precedent, the data
>>> minimisation provisions of the DPA, 2019 in my opinion hold primacy and in
>>> fact impliedly, repeal or render unlawful, the requirements for photo
>>> taking for SIM registration in the 2015 regulations.
>>>
>>> 2. Data Protection Impact Assessment.
>>>
>>> Another question I would have for the CA, the Data Commissioner and
>>> mobile operators, is if, as per the precedent sent by Justice Ngaah in the
>>> Katiba Institute v. MoICT & others regarding the need for the conduct of a
>>> Data Processing Impact Assessment, has been carried out in this instance
>>> when CA proposes to have collected the data of more than 30 million
>>> subscribers including biometric data.
>>>
>>> I think this is a plain case of flouting judicial guidance viz a viz
>>> when DPIAs should be carried out and CA should have had this carried out
>>> first before issuing the said directive.
>>>
>>> Regards,
>>>
>>> James G. Mbugua
>>> Data Privacy Consultant & Tech Policy Blogger
>>> @jgmbugua <jgmbugua at gmail.com>
>>>
>>>
>>>
>>> _______________________________________________
>>> KICTANet mailing list
>>> KICTANet at lists.kictanet.or.ke
>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>> Twitter: http://twitter.com/kictanet
>>> Facebook: https://www.facebook.com/KICTANet/
>>>
>>> Unsubscribe or change your options at
>>> https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com
>>>
>>>
>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>> interested and involved in ICT policy and regulation. KICTANet is a
>>> catalyst for reform in the Information and Communication Technology sector.
>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>> Research, and Stakeholder Engagement.
>>>
>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>> online that you follow in real life: respect people's times and bandwidth,
>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>> not spam, do not market your wares or qualifications.
>>>
>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>> engagement platform.
>>>
>> _______________________________________________
>> KICTANet mailing list
>> KICTANet at lists.kictanet.or.ke
>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>> Twitter: http://twitter.com/kictanet
>> Facebook: https://www.facebook.com/KICTANet/
>>
>> Unsubscribe or change your options at
>> https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.com
>>
>>
>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>> interested and involved in ICT policy and regulation. KICTANet is a
>> catalyst for reform in the Information and Communication Technology sector.
>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>> Research, and Stakeholder Engagement.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people's times and bandwidth,
>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>> engagement platform.
>>
>
>
> --
> *Mercy Mutemi, Advocate*.
>
>
>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/otieno.barrack%40gmail.com
>
>
> KICTANet is a multi-stakeholder Think Tank for people and institutions
> interested and involved in ICT policy and regulation. KICTANet is a
> catalyst for reform in the Information and Communication Technology sector.
> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
> Research, and Stakeholder Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT policy
> engagement platform.
>
--
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20220317/0e9d6aab/attachment.htm>
More information about the KICTANet
mailing list