[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019

Bitange Ndemo bndemo at bitangendemo.me
Mon Mar 21 20:55:28 EAT 2022


*The role of cryptocurrencies in sub-Saharan Africa
<https://www.brookings.edu/blog/africa-in-focus/2022/03/16/the-role-of-cryptocurrencies-in-sub-saharan-africa/>*

Ndemo

On Mon, Mar 21, 2022 at 1:03 PM Mwendwa Kivuva via KICTANet <
kictanet at lists.kictanet.or.ke> wrote:

> Very rich debate this one.
>
> I think this whole debate has been necessitated by this message from
> Safaricom
>
> "Dear Customer, urgently visit an M-PESA Agent, Dealer or Safaricom Shop
> with original ID to update your SIM registration. Dial *106# for lines
> registered to you"
>
> James / Kanini, I'm not calling for all sim card owners to provide more
> data. My question was, "should the regulation be harmonised for all mobile
> money customers to provide their photo ID?" For mobile money customers, not
> SIM card owners.
>
>
> On Mon, 21 Mar 2022, 12:19 Mutindi Muema via KICTANet, <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> @Walu, if I had time to spare I would dig in, but billable work is
>> hogging my schedule right now. I can however add some direction for whoever
>> has time to delve into this - we are all looking forward to any findings:
>>
>> Further to direction by Grace, Walu & Mutemi, it seems work is needed
>> along the lines of what the law says regarding:
>>
>>    1. Requirements for SIM card registration - probably KICA both Act
>>    and Regs as well as any relevant guidelines issued by CA. Kanini Mutemi
>>    reproduced a segment of KICA earlier. Some work to get any other relevant
>>    provisions.
>>    2. @Walu it is also important that any directive for re-registration
>>    has been issued by CA - the same be reviewed. Yes CA has a mandate,
>>    content of any directions would also inform this convo.
>>    3. Requirements for mobile money registration/use are also relevant -
>>    from my understanding mobile money legal framework is the National Payment
>>    Systems Act (NPSA) & Regs and relevant guidelines under that. Cursory review
>>    of Act, I do not remember seeing requirements for photo here last time I
>>    reviewed this (which was a while back). Someone with time on their hands can go
>>    through requirements as well.
>>    4. Mobile banking regulatory framework - is different from mobile
>>    money framework. Mobile banking falls more within banking so Banking Act,
>>    prudential guidelines etc - we could actually have different requirements
>>    for registration of customers for mobile banking in law than requirements
>>    for registration of mobile money (NPSA).
>>    5. Like Walu said - there is also need to review laws relating to
>>    anti-money laundering, terrorism financing etc to see requirements under
>>    those esp those that would relate to KYC as well as the definition of
>>    institutions to which the obligations apply and if any distinction between
>>    application to business lines licensed under KICA (SIM card), NPSA
>>    (mobile money) versus licensees under Banking Act (mobile banking).
>>    6. All the findings then need to be reconciled with provisions of the
>>    Data Protection Act & Regs now in force:
>>
>> (i) from a data protection principle perspective but then also
>> (ii) from a communications to data subject perspective- as evident in
>> this thread, data subjects have questions around this and compliance is
>> definitely impacted by clarity of comms to data subjects. This second point
>> is particularly important for data protection compliance as communications
>> helps with accountability and transparency with regards to what data
>> controllers/ processors are actually doing with data subject data and why.
>>
>>
>> Kind regards,
>> Mutindi
>> Advocate & Certified Information Privacy Manager (CIPM)-
>> International Association of Privacy Professionals (IAPP)
>>
>>
>>
>> On Mon, Mar 21, 2022 at 11:44 AM Walubengo J via KICTANet <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> Interesting discourse.
>>>
>>> I didn't know CA had a directive for SIM card re-registration but that's
>>> beside the point since it's their mandate. The issue here is whether
>>> collecting photos of data subjects during registration is an overreach.
>>>
>>> From reading various comments it seems we have CA regulations, Banking
>>> regulations and Data Protection Regulations coming into play. It looks like
>>> Listers agree that the stringent Banking Regulations (e.g. KYC) may kick in
>>> for MPESA registration, but not necessarily for basic subscriber (e.g. voice)
>>> registration.
>>>
>>> The argument seems to be whether the basic subscriber (SIM card)
>>> registration for say voice services, should be accompanied with digital
>>> photos since this may violate the data minimization principles of the Data
>>> Protection Act.
>>>
>>> I am persuaded that this is a valid concern - However, I request the
>>> lawyers to expand their search further and review the security laws. Is it
>>> possible that the Security Laws (as amended over time) could have enhanced
>>> basic service (e.g. for voice) registration to include photos of the
>>> subscriber?
>>>
>>> Such that in case there is a terror attack and the terrorists use voice
>>> communication (and not necessarily mobile money), one would still want to
>>> track them down using their mug-shot?
>>>
>>> The lawyers can find out and tell us.
>>>
>>> walu
>>>
>>>
>>>
>>>
>>> On Thursday, March 17, 2022, 12:57:53 PM GMT+3, James Mbugua via
>>> KICTANet <kictanet at lists.kictanet.or.ke> wrote:
>>>
>>>
>>> Mwendwa,
>>>
>>> I agree with Mutindi we should isolate KYC issues with subscriber
>>> registration. That is the whole essence of purpose limitation. We cannot
>>> use banking regulations for subscriber registration. It is not to say that
>>> every mobile subscriber is automatically also an MPESA customer and that
>>> the information should be collected for use the day they decide to register
>>> for MPESA. In any case, it is also not to say that when they do register
>>> for mobile money, that they will not have to provide all the
>>> know-your-customer details including photographs.
>>>
>>> My point is that SIM registration must be limited in data collection to
>>> what is necessary and adequate for its stated purposes, and not more
>>> personal information than necessary.
>>>
>>> Mutindi,
>>>
>>> I will be raising it with the ODPC thanks.
>>>
>>> Regards,
>>>
>>> James G. Mbugua
>>> Data Privacy Consultant & Tech Policy Blogger
>>> @jgmbugua <jgmbugua at gmail.com>
>>>
>>> On Wed, Mar 16, 2022 at 9:31 PM Mwendwa Kivuva via KICTANet <
>>> kictanet at lists.kictanet.or.ke> wrote:
>>>
>>> Since SIM card data is used by a large section of the population for
>>> mobile banking (Safaricom has 30 million mobile money customers) - and
>>> banking regulations require a photo ID, should the regulation be harmonised
>>> for all mobile money customers to provide their photo ID?
>>>
>>> KICTANet had a Thought Leadership Forum with the ODPC, and the question
>>> of DPIA came up. I can't remember the response. The recording of the forum
>>> is available here https://youtu.be/Rmdvoc8Valo
>>>
>>> On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <
>>> kictanet at lists.kictanet.or.ke> wrote:
>>>
>>> Listers,
>>>
>>> I am not sure if I am being paranoid but the SIM card re-registration
>>> order ostensibly by CA (Communications Authority) and which has mobile
>>> operators asking us to re-register our SIM cards by April or risk being
>>> deregistered, seems like regulatory overreach.
>>>
>>> CA says under the SIM Registrations regulations of 2015, MNOs are
>>> required to update their registers with details including ID documents and
>>> photo IDs. The reason given, ostensibly, is that many had their SIM details
>>> registered before that law came into place.
>>>
>>> Speaking of laws coming into operation, the Data Protection Act, itself
>>> came into effect in 2019. Significantly long after the said regulations.
>>>
>>> In seeking to protect privacy and personal data, the DPA requires Data
>>> Minimisation where personal data collected should be:
>>>
>>> "adequate, relevant and limited to what is necessary in relation to the
>>> purposes for which they are processed (‘data minimisation’);" Sec. 25(d)
>>> DPA, 2019
>>>
>>> This means that data that the controller does not really need to achieve
>>> a specific purpose, should not be collected.
>>>
>>> Biometric information such as Passport Photos that the Operators will
>>> take and store, for example, are in my opinion, surplus to requirements.
>>>
>>> The identification of the subscriber can be done without collection of
>>> intrusive biometric data for example by using national IDs. CA explicitly
>>> asks that the operators verify details with the Integrated Personnel
>>> Registry System. So collection of biometric data to me is disproportionate
>>> and cannot meet the threshold of lawful basis.
>>>
>>> Being the later law, and by the Huduma Number case precedent, the data
>>> minimisation provisions of the DPA, 2019 in my opinion hold primacy and in
>>> fact impliedly, repeal or render unlawful, the requirements for photo
>>> taking for SIM registration in the 2015 regulations.
>>>
>>> 2. Data Protection Impact Assessment.
>>>
>>> Another question I would have for the CA, the Data Commissioner and
>>> mobile operators, is if, as per the precedent set by Justice Ngaah in the
>>> Katiba Institute v. MoICT & others regarding the need for the conduct of a
>>> Data Processing Impact Assessment, has been carried out in this instance
>>> when CA proposes to have collected the data of more than 30 million
>>> subscribers including biometric data.
>>>
>>> I think this is a plain case of flouting judicial guidance vis-à-vis
>>> when DPIAs should be carried out and CA should have had this carried out
>>> first before issuing the said directive.
>>>
>>> Regards,
>>>
>>> James G. Mbugua
>>> Data Privacy Consultant & Tech Policy Blogger
>>> @jgmbugua <jgmbugua at gmail.com>
>>>
>>>
>>>
>>> _______________________________________________
>>> KICTANet mailing list
>>> KICTANet at lists.kictanet.or.ke
>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>> Twitter: http://twitter.com/kictanet
>>> Facebook: https://www.facebook.com/KICTANet/
>>>
>>> Unsubscribe or change your options at
>>> https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com
>>>
>>>
>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>> interested and involved in ICT policy and regulation. KICTANet is a
>>> catalyst for reform in the Information and Communication Technology sector.
>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>> Research, and Stakeholder Engagement.
>>>
>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>> online that you follow in real life: respect people's times and bandwidth,
>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>> not spam, do not market your wares or qualifications.
>>>
>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>> engagement platform.
>>>