[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019
Grace Mutung'u
nmutungu at gmail.com
Mon Mar 21 09:19:04 EAT 2022
@James, has there been any response to this issue yet?
Checking through the regulations, I cannot find the legal basis for
reregistration of existing subscribers or taking photos but I could be
wrong.
I have also noticed that Safaricom have ID card readers that are connected
to IPRS and I wondered if there is any data sharing between Safaricom and
IPRS other than just validating the document. This, as colleagues have
said, could probably be KYC but it is also being done during registration
for a SIM card/Mpesa.
I hope that Communications Authority and ODPC officers here can respond,
nobody seems to have clear answers on the legal basis for this data
collection.
Warmly,
Grace
On Thu, 17 Mar 2022 at 12:56, James Mbugua via KICTANet <
kictanet at lists.kictanet.or.ke> wrote:
> Mwendwa,
>
> I agree with Mutindi we should isolate KYC issues with subscriber
> registration. That is the whole essence of purpose limitation. We cannot
> use banking regulations for subscribe registration. It is not to say that
> every mobile subscriber is automatically also an MPESA customer and that
> the information should be collected for use the day they decide to register
> for MPESA. In any case, it is also not to say that when they do register
> for mobile money, that they will not have to provide all the
> know-your-customer details including photographs.
>
> My point is that SIM registration must be limited in data collection to
> what is necessary and adequate for its stated purposes, and not more
> personal information than necessary.
>
> Mutindi,
>
> I will be raising it with the ODPC thanks.
>
> Regards,
>
> James G. Mbugua
> Data Privacy Consultant & Tech Policy Blogger
> @jgmbugua <jgmbugua at gmail.com>
>
> On Wed, Mar 16, 2022 at 9:31 PM Mwendwa Kivuva via KICTANet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> Since SIM card data is used by a large section of the population for
>> mobile banking (Safaricom has 30 million mobile money customers) - and
>> banking regulations require a photo ID, should the regulation be harmonised
>> for all mobile money customers to provide their photo ID?
>>
>> KICTANet had a Thought Leadership Forum with the ODPC, and the question
>> of DPIA came up. I can't remember the response. The recording of the forum
>> is available here https://youtu.be/Rmdvoc8Valo
>>
>> On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> Listers,
>>>
>>> I am not sure if I am being paranoid but the SIM card re-registration
>>> order ostensibly by CA (Communications Authority) and which has mobile
>>> operators asking us to te-register our SIM cards by April or risk being
>>> deregistered, seems like regulatory overreach.
>>>
>>> CA says under the SIM Registrations regulations of 2015, MNOs are
>>> required to update their registers with details including ID documents and
>>> photo IDs. The reason given, ostensibly, is that many had their SIM details
>>> registered before that law came into place.
>>>
>>> Speaking of laws coming into operation, the Data Protection Act, itself
>>> came into effect in 2019. Significantly long after the said regulations.
>>>
>>> In seeking to protect privacy and personal data, the DPA requires Data
>>> Minimisation where personal data collected should be:
>>>
>>> "adequate, relevant and limited to what is necessary in relation to the
>>> purposes for which they are processed (‘data minimisation’);" Sec. 25(d)
>>> DPA, 2019
>>>
>>> This means that data that the controller does not really need to achieve
>>> a specific purpose, should not be collected.
>>>
>>> Biometric information such as Passport Photos that the Operators will
>>> take and store,for example, are in my opinion, surplus to requirements.
>>>
>>> The identification of the subscriber can be done without collection of
>>> intrusive biometric data for example by using national IDs. CA explicitly
>>> asks that the operators verify details with the Integrated Personnel
>>> Registry System. so collection of biometric data to me is disproportionate
>>> and cannot meet the threshold of lawful basis.
>>>
>>> Being the later law, and by the Huduma Number case precedent, the data
>>> minimisation provisions of the DPA, 2019 in my opinion hold primacy and in
>>> fact impliedly, repeal or render unlawful, the requirements for photo
>>> taking for SIM registration in the 2015 regulations.
>>>
>>> 2. Data Protection Impact Assessment.
>>>
>>> Another question I would have for the CA, the Data Commissioner and
>>> mobile operators, is if, as per the precedent sent by Justice Ngaah in the
>>> Katiba Institute v. MoICT & others regarding the need for the conduct of a
>>> Data Processing Impact Assessment, has been carried out in this instance
>>> when CA proposes to have collected the data of more than 30 million
>>> subscribers including biometric data.
>>>
>>> I think this is a plain case of flouting judicial guidance viz a viz
>>> when DPIAs should be carried out and CA should have had this carried out
>>> first before issuing the said directive.
>>>
>>> Regards,
>>>
>>> James G. Mbugua
>>> Data Privacy Consultant & Tech Policy Blogger
>>> @jgmbugua <jgmbugua at gmail.com>
>>>
>>>
>>>
>>> _______________________________________________
>>> KICTANet mailing list
>>> KICTANet at lists.kictanet.or.ke
>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>> Twitter: http://twitter.com/kictanet
>>> Facebook: https://www.facebook.com/KICTANet/
>>>
>>> Unsubscribe or change your options at
>>> https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com
>>>
>>>
>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>> interested and involved in ICT policy and regulation. KICTANet is a
>>> catalyst for reform in the Information and Communication Technology sector.
>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>> Research, and Stakeholder Engagement.
>>>
>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>> online that you follow in real life: respect people's times and bandwidth,
>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>> not spam, do not market your wares or qualifications.
>>>
>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>> engagement platform.
>>>
>> _______________________________________________
>> KICTANet mailing list
>> KICTANet at lists.kictanet.or.ke
>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>> Twitter: http://twitter.com/kictanet
>> Facebook: https://www.facebook.com/KICTANet/
>>
>> Unsubscribe or change your options at
>> https://lists.kictanet.or.ke/mailman/options/kictanet/jgmbugua%40gmail.com
>>
>>
>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>> interested and involved in ICT policy and regulation. KICTANet is a
>> catalyst for reform in the Information and Communication Technology sector.
>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>> Research, and Stakeholder Engagement.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people's times and bandwidth,
>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>> engagement platform.
>>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com
>
>
> KICTANet is a multi-stakeholder Think Tank for people and institutions
> interested and involved in ICT policy and regulation. KICTANet is a
> catalyst for reform in the Information and Communication Technology sector.
> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
> Research, and Stakeholder Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT policy
> engagement platform.
>
--
Grace Mutung'u
Skype: gracebomu
@Bomu
PGP ID : 807F57ACF469B0BB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20220321/f40916ff/attachment.htm>
More information about the KICTANet
mailing list