@Mwendwa Kivuva Let us not conflate issues. ALWAYS treat mobile banking (and banking in general) quite separate from other services offered by MNOs. A practical problem- @James Mbugua was right on data minimization (I would add necessity as well) disqualifying the current directive by CA. If you speak of harmonization of regulations, you can no longer rely on minimization and necessity because a need (banking) has been created. While all these things begin with a SIM Card registration, MPESA requires a further positive step of registration. At that point, we can safely speak of harmonization and requiring more information to prevent financial crimes etc. Different products, different markets. 

Are we sure CA is the source of the photos directive? (Kindly share the directive if you have access to it). The Regulations only allow this information to be collected during SIM Card registration- 

5 (1) A person who intends to register a SIM-card shall provide the following particulars to the telecommunications operator or agent—

(a)

full names;

(b)

identity card, service card, passport or alien card number;

(c)

date of birth;

(d)

gender;

(e)

physical address;

(f)

postal address, where available;

(g)

any other registered subscriber number associated with the subscriber;

(h)

an original and a copy of the national identity card, service card, passport or alien card;

(i)

an original and a copy of the birth certificate, in respect of registration of minors;

(j)

subscriber number in respect to existing subscribers;

(k)

an original and true copy of the certificate of registration, where relevant;

(l)

a letter duly sealed by the chief executive officer or the person responsible for the day to day management of the statutory body.


(while your ID would normally have a photo- it is vastly different from a digital photo which can become part of a biometric register). 


I cannot insist on this enough, a SIM Card registration is not the same thing as MPESA (or other mobile money platform registration). The requirements for SIM Card registration have to remain as basal as possible. 


On Wed, Mar 16, 2022 at 9:33 PM Mwendwa Kivuva via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Since SIM card data is used by a large section of the population for mobile banking (Safaricom has 30 million mobile money customers) - and banking regulations require a photo ID, should the regulation be harmonised for all mobile money customers to provide their photo ID?

KICTANet had a Thought Leadership Forum with the ODPC, and the question of DPIA came up. I can't remember the response. The recording of the forum is available here https://youtu.be/Rmdvoc8Valo 

On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <kictanet@lists.kictanet.or.ke> wrote:
Listers,

I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA  requires Data Minimisation where personal data collected should be:
 
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019

This means that data that the controller does not really need to achieve a specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data.

I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive.

Regards,

James G. Mbugua
Data Privacy Consultant & Tech Policy Blogger



_______________________________________________
KICTANet mailing list
KICTANet@lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com


KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
_______________________________________________
KICTANet mailing list
KICTANet@lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.com


KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.


--
Mercy Mutemi, Advocate.