[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019
Ali Hussein
ali at hussein.me.ke
Mon Mar 21 21:10:41 EAT 2022
Interesting read sir.
Regards
*Ali Hussein*
Fintech | Digital Transformation
Tel: +254 713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
<http://ke.linkedin.com/in/alihkassim>
Any information of a personal nature expressed in this email are purely
mine and do not necessarily reflect the official positions of the
organizations that I work with.
On Mon, Mar 21, 2022 at 8:56 PM Bitange Ndemo via KICTANet <
kictanet at lists.kictanet.or.ke> wrote:
> *The role of cryptocurrencies in sub-Saharan Africa
> <https://www.brookings.edu/blog/africa-in-focus/2022/03/16/the-role-of-cryptocurrencies-in-sub-saharan-africa/>*
>
> Ndemo
>
> On Mon, Mar 21, 2022 at 1:03 PM Mwendwa Kivuva via KICTANet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> Very rich debate this one.
>>
>> I think this whole debate has been necessitated by this message from
>> Safaricom
>>
>> "Dear Customer, urgently visit an M-PESA Agent, Dealer or Safaricom Shop
>> with original ID to update your SIM registration. Dial *106# for lines
>> registered to you"
>>
>> James / Kanini, I'm not calling for all sim card owners to provide more
>> data. My question was, "should the regulation be harmonised for all mobile
>> money customers to provide their photo ID?" For mobile money customers, not
>> SIM card owners.
>>
>>
>> On Mon, 21 Mar 2022, 12:19 Mutindi Muema via KICTANet, <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> @Walu, if i had time to spare i would dig in, but billable work is
>>> hogging my schedule right now. I can however add some direction for whoever
>>> has time to delve into this- we all looking forward to any findings:
>>>
>>> Further to direction by Grace, Walu & Mutemi, it seems work needed
>>> along the lines of what the law says regarding:
>>>
>>> 1. requirements for SIM card registration - probably KICA both Act
>>> and Regs as well as any relevant guidelines issued by CA. Kanini Mutemi
>>> reproduced a segment of KICA earlier. some work to get any other relevant
>>> provisions.
>>> 2. @Walu it is also important that any directive for
>>> re-registration has been issued by CA - the same be reviewed. Yes CA has a
>>> mandate , content of any directions would also inform thai convo.
>>> 3. Requirements for mobile money registration/use are also relevant-
>>> from my understanding mobile money legal framework is the National Payment
>>> Systems ACt (NPSA)& Regs and relevant guidelines under that. Cursory review
>>> of Act, I do not remember seeing requirements for photo here last time I
>>> reviewed this (which a while back) someone with time on their hands can go
>>> through requirements as well.
>>> 4. Mobile banking regulatory framework- is different from mobile
>>> money framework. Mobile banking falls more within banking so Banking Act,
>>> prudential guidelines etc - we could actually have different requirements
>>> for registration of customers for mobile banking in law than requirements
>>> for registration of mobile money (NPSA)
>>> 5. Like Walu said - there is also need to review laws relating to
>>> ani-money laundering , terrorism fianncing etc to see requirements under
>>> those esp those that would relate to KYC as well as the deffinition of
>>> insitutions to which the obligations apply and if any distinction between
>>> application to businesses lines licensed under KICA (Sim card), NPSA
>>> (mobile money)versus licensees under Banking Act (mobile banking).
>>> 6. All the findings then need to be reconciled with provisions of
>>> the Data Protection Act & Regs now in force :
>>>
>>> (i) from a data protection principle perspective but then also
>>> (ii) from a communications to data subject perspective- as evident in
>>> this thread, data subjects have questions around this and compliance is
>>> definitely impacted by clarity of comms to data subjects. This second point
>>> is particularly important for data protection compliance as communications
>>> helps with accountability and transparency with regards to what data
>>> controllers/ processors are actually doing with data subject data and why.
>>>
>>>
>>> Kind regards,
>>> Mutindi
>>> Advocate & Certified Information Privacy Manager (CIPM)-
>>> International Association of Privacy Professionals (IAPP)
>>>
>>>
>>>
>>> On Mon, Mar 21, 2022 at 11:44 AM Walubengo J via KICTANet <
>>> kictanet at lists.kictanet.or.ke> wrote:
>>>
>>>> Interesting discourse.
>>>>
>>>> I didnt know CA had a directive for SIM card re-registration but that's
>>>> besides the point since its their mandate. The issues here is whether
>>>> collecting photos of data subjects during registration is an overeach.
>>>>
>>>> From reading various comments its seems we have CA regulations, Banking
>>>> regulations and Data Protection Regulations coming into play. It looks like
>>>> Listers agree that the stringent Banking Regulations (e.g KYC) may kick in
>>>> for MPESA registration, but not necessarily for basic subscriber (eg voice)
>>>> registration.
>>>>
>>>> The argument seems to be whether the basic subscriber (SIM card)
>>>> registration for say voice services, should be accompanied with digital
>>>> photos since this may violate the data minimization principles of the Data
>>>> Protection Act.
>>>>
>>>> I am persuaded that this is a valid concern - However, I request the
>>>> lawyers to expand their search further and review the security laws. Is it
>>>> possible that the Security Laws (as amended over time) could have enhanced
>>>> basic service (eg for voice) registration to include photos of the
>>>> subscriber?
>>>>
>>>> Such that in case there is a terror attack and the terrorists use voice
>>>> communication (and not necessarily mobile money), one would still want to
>>>> track them down using their mug-shot?
>>>>
>>>> the lawyers can find out and tell us.
>>>>
>>>> walu
>>>>
>>>>
>>>>
>>>>
>>>> On Thursday, March 17, 2022, 12:57:53 PM GMT+3, James Mbugua via
>>>> KICTANet <kictanet at lists.kictanet.or.ke> wrote:
>>>>
>>>>
>>>> Mwendwa,
>>>>
>>>> I agree with Mutindi we should isolate KYC issues with subscriber
>>>> registration. That is the whole essence of purpose limitation. We cannot
>>>> use banking regulations for subscribe registration. It is not to say that
>>>> every mobile subscriber is automatically also an MPESA customer and that
>>>> the information should be collected for use the day they decide to register
>>>> for MPESA. In any case, it is also not to say that when they do register
>>>> for mobile money, that they will not have to provide all the
>>>> know-your-customer details including photographs.
>>>>
>>>> My point is that SIM registration must be limited in data collection to
>>>> what is necessary and adequate for its stated purposes, and not more
>>>> personal information than necessary.
>>>>
>>>> Mutindi,
>>>>
>>>> I will be raising it with the ODPC thanks.
>>>>
>>>> Regards,
>>>>
>>>> James G. Mbugua
>>>> Data Privacy Consultant & Tech Policy Blogger
>>>> @jgmbugua <jgmbugua at gmail.com>
>>>>
>>>> On Wed, Mar 16, 2022 at 9:31 PM Mwendwa Kivuva via KICTANet <
>>>> kictanet at lists.kictanet.or.ke> wrote:
>>>>
>>>> Since SIM card data is used by a large section of the population for
>>>> mobile banking (Safaricom has 30 million mobile money customers) - and
>>>> banking regulations require a photo ID, should the regulation be harmonised
>>>> for all mobile money customers to provide their photo ID?
>>>>
>>>> KICTANet had a Thought Leadership Forum with the ODPC, and the question
>>>> of DPIA came up. I can't remember the response. The recording of the forum
>>>> is available here https://youtu.be/Rmdvoc8Valo
>>>>
>>>> On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <
>>>> kictanet at lists.kictanet.or.ke> wrote:
>>>>
>>>> Listers,
>>>>
>>>> I am not sure if I am being paranoid but the SIM card re-registration
>>>> order ostensibly by CA (Communications Authority) and which has mobile
>>>> operators asking us to te-register our SIM cards by April or risk being
>>>> deregistered, seems like regulatory overreach.
>>>>
>>>> CA says under the SIM Registrations regulations of 2015, MNOs are
>>>> required to update their registers with details including ID documents and
>>>> photo IDs. The reason given, ostensibly, is that many had their SIM details
>>>> registered before that law came into place.
>>>>
>>>> Speaking of laws coming into operation, the Data Protection Act, itself
>>>> came into effect in 2019. Significantly long after the said regulations.
>>>>
>>>> In seeking to protect privacy and personal data, the DPA requires Data
>>>> Minimisation where personal data collected should be:
>>>>
>>>> "adequate, relevant and limited to what is necessary in relation to
>>>> the purposes for which they are processed (‘data minimisation’);" Sec.
>>>> 25(d) DPA, 2019
>>>>
>>>> This means that data that the controller does not really need to
>>>> achieve a specific purpose, should not be collected.
>>>>
>>>> Biometric information such as Passport Photos that the Operators will
>>>> take and store,for example, are in my opinion, surplus to requirements.
>>>>
>>>> The identification of the subscriber can be done without collection of
>>>> intrusive biometric data for example by using national IDs. CA explicitly
>>>> asks that the operators verify details with the Integrated Personnel
>>>> Registry System. so collection of biometric data to me is disproportionate
>>>> and cannot meet the threshold of lawful basis.
>>>>
>>>> Being the later law, and by the Huduma Number case precedent, the data
>>>> minimisation provisions of the DPA, 2019 in my opinion hold primacy and in
>>>> fact impliedly, repeal or render unlawful, the requirements for photo
>>>> taking for SIM registration in the 2015 regulations.
>>>>
>>>> 2. Data Protection Impact Assessment.
>>>>
>>>> Another question I would have for the CA, the Data Commissioner and
>>>> mobile operators, is if, as per the precedent sent by Justice Ngaah in the
>>>> Katiba Institute v. MoICT & others regarding the need for the conduct of a
>>>> Data Processing Impact Assessment, has been carried out in this instance
>>>> when CA proposes to have collected the data of more than 30 million
>>>> subscribers including biometric data.
>>>>
>>>> I think this is a plain case of flouting judicial guidance viz a viz
>>>> when DPIAs should be carried out and CA should have had this carried out
>>>> first before issuing the said directive.
>>>>
>>>> Regards,
>>>>
>>>> James G. Mbugua
>>>> Data Privacy Consultant & Tech Policy Blogger
>>>> @jgmbugua <jgmbugua at gmail.com>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> KICTANet mailing list
>>>> KICTANet at lists.kictanet.or.ke
>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>> Twitter: http://twitter.com/kictanet
>>>> Facebook: https://www.facebook.com/KICTANet/
>>>>
>>>> Unsubscribe or change your options at
>>>> https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com
>>>>
>>>>
>>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>>> interested and involved in ICT policy and regulation. KICTANet is a
>>>> catalyst for reform in the Information and Communication Technology sector.
>>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>>> Research, and Stakeholder Engagement.
>>>>
>>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>>> online that you follow in real life: respect people's times and bandwidth,
>>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>>> not spam, do not market your wares or qualifications.
>>>>
>>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>>> engagement platform.
>>>>
>>>> _______________________________________________
>>>> KICTANet mailing list
>>>> KICTANet at lists.kictanet.or.ke
>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>> Twitter: http://twitter.com/kictanet
>>>> Facebook: https://www.facebook.com/KICTANet/
>>>>
>>>> Unsubscribe or change your options at
>>>> https://lists.kictanet.or.ke/mailman/options/kictanet/jgmbugua%40gmail.com
>>>>
>>>>
>>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>>> interested and involved in ICT policy and regulation. KICTANet is a
>>>> catalyst for reform in the Information and Communication Technology sector.
>>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>>> Research, and Stakeholder Engagement.
>>>>
>>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>>> online that you follow in real life: respect people's times and bandwidth,
>>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>>> not spam, do not market your wares or qualifications.
>>>>
>>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>>> engagement platform.
>>>>
>>>> _______________________________________________
>>>> KICTANet mailing list
>>>> KICTANet at lists.kictanet.or.ke
>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>> Twitter: http://twitter.com/kictanet
>>>> Facebook: https://www.facebook.com/KICTANet/
>>>>
>>>> Unsubscribe or change your options at
>>>> https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com
>>>>
>>>>
>>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>>> interested and involved in ICT policy and regulation. KICTANet is a
>>>> catalyst for reform in the Information and Communication Technology sector.
>>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>>> Research, and Stakeholder Engagement.
>>>>
>>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>>> online that you follow in real life: respect people's times and bandwidth,
>>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>>> not spam, do not market your wares or qualifications.
>>>>
>>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>>> engagement platform.
>>>> _______________________________________________
>>>> KICTANet mailing list
>>>> KICTANet at lists.kictanet.or.ke
>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>> Twitter: http://twitter.com/kictanet
>>>> Facebook: https://www.facebook.com/KICTANet/
>>>>
>>>> Unsubscribe or change your options at
>>>> https://lists.kictanet.or.ke/mailman/options/kictanet/missmutindi%40gmail.com
>>>>
>>>>
>>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>>> interested and involved in ICT policy and regulation. KICTANet is a
>>>> catalyst for reform in the Information and Communication Technology sector.
>>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>>> Research, and Stakeholder Engagement.
>>>>
>>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>>> online that you follow in real life: respect people's times and bandwidth,
>>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>>> not spam, do not market your wares or qualifications.
>>>>
>>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>>> engagement platform.
>>>>
>>> _______________________________________________
>>> KICTANet mailing list
>>> KICTANet at lists.kictanet.or.ke
>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>> Twitter: http://twitter.com/kictanet
>>> Facebook: https://www.facebook.com/KICTANet/
>>>
>>> Unsubscribe or change your options at
>>> https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com
>>>
>>>
>>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>>> interested and involved in ICT policy and regulation. KICTANet is a
>>> catalyst for reform in the Information and Communication Technology sector.
>>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>>> Research, and Stakeholder Engagement.
>>>
>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>> online that you follow in real life: respect people's times and bandwidth,
>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>> not spam, do not market your wares or qualifications.
>>>
>>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>>> engagement platform.
>>>
>> _______________________________________________
>> KICTANet mailing list
>> KICTANet at lists.kictanet.or.ke
>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>> Twitter: http://twitter.com/kictanet
>> Facebook: https://www.facebook.com/KICTANet/
>>
>> Unsubscribe or change your options at
>> https://lists.kictanet.or.ke/mailman/options/kictanet/bndemo%40bitangendemo.me
>>
>>
>> KICTANet is a multi-stakeholder Think Tank for people and institutions
>> interested and involved in ICT policy and regulation. KICTANet is a
>> catalyst for reform in the Information and Communication Technology sector.
>> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
>> Research, and Stakeholder Engagement.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people's times and bandwidth,
>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>> KICTANet - The Power of Communities, is Kenya's premier ICT policy
>> engagement platform.
>>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com
>
>
> KICTANet is a multi-stakeholder Think Tank for people and institutions
> interested and involved in ICT policy and regulation. KICTANet is a
> catalyst for reform in the Information and Communication Technology sector.
> Its work is guided by four pillars of Policy Advocacy, Capacity Building,
> Research, and Stakeholder Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT policy
> engagement platform.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20220321/87821485/attachment.htm>
More information about the KICTANet
mailing list