Effect of Data Minimization on Small Businesses
Dear Listers,
https://www.businessdailyafrica.com/bd/corporate/industry/lipa-na-m-pesa-to-...
The onset of data minimization will have a great effect on small businesses which rely on APIs to record and credit recurrent payments to the accounts of their customers. An example is an estate agency which collects rent through a till number and an API credits payments to rent accounts based on the phone number. With the current masking on the number i.e. +2547xxxxx015 or the default +254700000000, the API will no longer know where to credit the rent received via till. Another example is the Naivas Supermarket Loyalty program which rewards loyalty points automatically to a customer who pays for shopping via Lipa na MPESA. Going forward, this will not be possible.
Not sure whether there is any workaround around this problem. I personally think the data minimization should apply to generated till statements and not to information shared at an API level since this affects how some systems work. Or there should be a provision where businesses commit not to share data collected through payments with third parties under any circumstances.
At the very least, data minimization should happen at the person to person level where MPESA allows me to know your three names just because I sent you money.
Please share your thoughts.
Best Regards,
--------------------------------
*Nick Ngatia*
Email <nick.ngatia@childrenyouth.org> | Facebook <http://www.facebook.com/niccoswagg1> | Twitter <http://www.twitter.com/nickngatia> | LinkedIn <https://www.linkedin.com/in/nick-ngatia-a6b06a7b?trk=nav_responsive_tab_profile_pic>
Skype: nick.ngatia | Phone: +254 (0) 711 42 2015
*"Development Towards Sustainability is far too more important to leave it to chance."*
---------------------------------
Listers,
Whilst this may conform with the Data Protection Act 2019, SAFARICOM must not be seen to cherry-pick what it can apply and what it cannot apply. Beginning of last year there was hue and cry on *KRA being given access to Mobile Money transactions so as to effect Tax Compliance* <https://www.semafor.com/article/10/25/2023/kenyan-businesses-are-dumping-m-pesa-mobile-money>. This made many businesses drop the use of Paybills and Tills. Was this effected? If YES, what moral high ground is SAFCOM standing on now?
Compliance to the ACT must be 360 degree and not aimed at a small portion of the pie, unfortunately most of the issues of "compliance" seem to be focused on the downtrodden whilst the big boys are having their cake and eating it! Wahenga hunena, "msumeno hukata mbele na nyuma" (A saw cuts in both directions).
Regards
Twahir
_______________________________________________
KICTANet mailing list -- kictanet@lists.kictanet.or.ke
To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke
Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
Mailing List Posts Online: https://posts.kictanet.or.ke/
Twitter: https://twitter.com/KICTANet/ Facebook: https://www.facebook.com/KICTANet/ Instagram: https://www.instagram.com/KICTANet/ LinkedIn: https://www.linkedin.com/company/kictanet/ YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/ WhatsApp Channel: https://whatsapp.com/channel/0029VaQsX4w6mYPIctLsGh1K
KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
PRIVACY POLICY: See https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
Thank you Nick for bringing this discussion here. I am a Software Engineer and I have implemented the M-Pesa API in several solutions to *automate payment* and it worked like a charm. This is now not going to be so flawless with the data minimization strategies being implemented by Safaricom.
In my view, data minimization should be rethought, especially in API to API data sharing, as you have rightly pointed out. It is going to *negatively impact user experience* like in the Supermarket Loyalty Program which you highlighted, in which case a customer will have to be asked once more for their phone number after they have made their payment in order to get their Loyalty Points for the purchase made. Will this lead to longer queues in the supermarket?
Another example is when you send money to someone else via your bank application or online banking via web, some banks now require you to type the name of the person you are sending the money to, which can actually be shared by the M-Pesa API, making that process more challenging.
Safaricom should consider signing *Data Protection Agreements* with such organizations to ensure that they will use the data as per their terms of service and privacy policy to ensure protection compliance.
I am looking forward to reading other possible workarounds from other listers on this challenge.
--
Best Regards,
Kelvin Kariuki
Assistant Lecturer
Multimedia University of Kenya
Faculty of Computing and Information Technology
Twitter Handle: @teacherkaris
Alt email: kkariuki@mmu.ac.ke
Mobile: +2547 29 385 557
The Lord is my Shepherd
@Kelvin, for the send money via bank use case, asking for a manual entry of the name serves other purposes besides KYC such as running AML checks for laundering checks especially for banks which tend to be more bureaucratic and name matching intended to reduce sending to wrong beneficiaries.
Teacher Karis,
As is right now, Quick Mart does ask a customer after paying via their Till Number to again give one's number for the Loyalty Points to be updated. It sure does cause some seconds delay which might not be felt during a dull day but which has a HUGE impact on time during rush-times.
I tend to agree on the aspect of signing Data Protection Agreements being a way forward to eradicate these issues.
How about having an *opt-in option where a user can 'whitelist a merchant'* and in so doing agree to have his phone number shared with a trusted organization? That option works for promotional messages and there is no reason why it can't work in this case. Any personal data that was acquired without consent is immediately invalidated if an entity's sender ID is NOT WHITELISTED by a user.
As Kelvin pointed out above, signing data protection agreements is the way to go. Safaricom should focus on fighting its own battles and leave individual merchants to handle their customers' data and to handle the risks that come with mishandling such data. You see, even choosing to pay to a till/paybill number implies a certain degree of consent to share data with a certain merchant. On the same breath, KRA is entitled to get data of their customers who chose to remit taxes through their paybill because other payment options exist. Just to be clear, data related to tax payment transactions.
My question still remains, what workaround does Safaricom offer for applications created through Daraja and whose primary identifier is the phone number? It doesn't make sense to provide a masked number and first name as first name can never be a primary identifier for any application. They would rather mask all names and leave the phone number! Do we allow the fate of all these applications to be an early retirement/death?
Teacher Karis,
As is right now, Quick Mart does ask a customer after paying via their Till Number to again give one's number for the Loyalty Points to be updated. It sure does cause some seconds delay which might not be felt during a dull day but which has a HUGE impact on time during rush-times.
I tend to agree on the aspect of signing Data Protection Agreements being a way forward to eradicate these issues.
On Tue, Jun 4, 2024 at 9:32 PM Kelvin Kariuki <kelvinkariuki89@gmail.com> wrote:
Thank you Nick for bringing this discussion here. I am a Software Engineer and I have implemented the M-Pesa API in several solutions to *automate payment* and it worked like a charm. This is now not going to be so flawless with the data minimization strategies being implemented by Safaricom.
In my view, data minimization should be rethought, especially in API to API data sharing, as you have rightly pointed out. It is going to *negatively impact user experience* like in the Supermarket Loyalty Program which you highlighted, in which case a customer will have to be asked once more for their phone number after they have made their payment in order to get their Loyalty Points for the purchase made. Will this lead to longer queues in the supermarket?
Another example is when you send money to someone else via your bank application or online banking via web, some banks now require you to type the name of the person you are sending the money to, which can actually be shared by the M-Pesa API, making that process more challenging.
Safaricom should consider signing *Data Protection Agreements* with such organizations to ensure that they will use the data as per their terms of service and privacy policy to ensure protection compliance.
I am looking forward to reading other possible workarounds from other listers on this challenge.
-- Best Regards,
Kelvin Kariuki Assistant Lecturer Multimedia University of Kenya Faculty of Computing and Information Technology Twitter Handle: @teacherkaris Alt email: kkariuki@mmu.ac.ke Mobile: +2547 29 385 557
The Lord is my Shepherd
--
*Nick Ngatia*
Email <nick.ngatia@childrenyouth.org> | Facebook <http://www.facebook.com/niccoswagg1> | Twitter <http://www.twitter.com/nickngatia> | LinkedIn <https://www.linkedin.com/in/nick-ngatia-a6b06a7b?trk=nav_responsive_tab_profile_pic>
Skype: nick.ngatia | Phone: +254 (0) 711 42 2015
*"Development Towards Sustainability is far too more important to leave it to chance."*
On 04/06/2024 17.42, Twahir Hussein Kassim via KICTANet wrote:
Teacher Karis,
As is right now, Quick Mart does ask a customer after paying via their Till Number to again give one's number for the Loyalty Points to be updated. It sure does cause some seconds delay which might not be felt during a dull day but which has a HUGE impact on time during rush-times.
Loyalty cards with bar codes or QR codes would not cause a huge delay.
I tend to agree on the aspect of signing Data Protection Agreements being a way forward to eradicate these issues.
How can one enforce compliance? What will be the resulting increase in administration costs? Will businesses be able to obtain data breach insurance to compensate those affected by data breaches?
On Tue, Jun 4, 2024 at 9:32 PM Kelvin Kariuki <kelvinkariuki89@gmail.com> wrote:
Thank you Nick for bringing this discussion here. I am a Software Engineer and I have implemented the M-Pesa API in several solutions to *automate payment* and it worked like a charm. This is now not going to be so flawless with the data minimization strategies being implemented by Safaricom.
In my view, data minimization should be rethought, especially in API to API data sharing, as you have rightly pointed out. It is going to *negatively impact user experience* like in the Supermarket Loyalty Program which you highlighted, in which case a customer will have to be asked once more for their phone number after they have made their payment in order to get their Loyalty Points for the purchase made. Will this lead to longer queues in the supermarket?
Another example is when you send money to someone else via your bank application or online banking via web, some banks now require you to type the name of the person you are sending the money to, which can actually be shared by the M-Pesa API, making that process more challenging.
Safaricom should consider signing *Data Protection Agreements* with such organizations to ensure that they will use the data as per their terms of service and privacy policy to ensure protection compliance.
I am looking forward to reading other possible workarounds from other listers on this challenge.
On Tue, Jun 4, 2024 at 2:27 PM Twahir Hussein Kassim via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Listers,
Whilst this may conform with the Data Protection Act 2019, SAFARICOM must not be seen to cherry-pick what it can apply and what it cannot apply. Beginning of last year there was hue and cry on *KRA being given access to Mobile Money transactions so as to effect Tax Compliance* <https://www.semafor.com/article/10/25/2023/kenyan-businesses-are-dumping-m-pesa-mobile-money>. This made many businesses drop the use of Paybills and Tills. Was this effected? If YES, what moral high ground is SAFCOM standing on now?
Compliance to the ACT must be 360 degree and not aimed at a small portion of the pie, unfortunately most of the issues of "compliance" seem to be focused on the downtrodden whilst the big boys are having their cake and eating it! Wahenga hunena, "msumeno hukata mbele na nyuma" (A saw cuts in both directions).
Regards Twahir
On Tue, Jun 4, 2024 at 1:11 PM N N via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
https://www.businessdailyafrica.com/bd/corporate/industry/lipa-na-m-pesa-to-hide-identity-of-subscribers-3801386
The onset of data minimization will have a great effect on small businesses which rely on APIs to record and credit recurrent payments to the accounts of their customers. An example is an estate agency which collects rent through a till number and an API credits payments to rent accounts based on the phone number. With the current masking on the number i.e. +2547xxxxx015 or the default +254700000000, the API will no longer know where to credit the rent received
One can use a hash function ( https://en.wikipedia.org/wiki/Hash_function ) to mask the telephone number. One would probably want to update the API to offer the possibility of adding a transaction reference number. Probably it would be easiest for such APIs to be openly developed, allowing easy incorporation of feedback. If only the telephone number is used, what happens when one changes telephone number or one has several telephone numbers that are used for mobile money? What happens if one uses an alternate money transfer mechanism such as bank transfer?
via till. Another example is the Naivas Supermarket Loyalty program which rewards loyalty points automatically to a customer who pays for shopping via Lipa na MPESA. Going forward, this will not be possible.
For those that want to enroll in loyalty point programs, issuing a tag with a barcode/QR code or other similar marker that can be quickly scanned and can be attached to a keychain should work and be easy to process.
Not sure whether there is any workaround around this problem. I personally think the data minimization should apply to generated till statements and not to information shared at an API level since this affects how some systems work. Or there should be a provision where businesses commit not to share data collected through payments with third parties under any circumstances.
Businesses may also be subject to data breaches even if there is a decision not to intentionally share data with third parties. Unlike banks where misuse of computer systems to transfer money is traceable, unauthorized data transfers are much more difficult to detect.
At the very least, data minimization should happen at the person to person level where MPESA allows me to know your three names just because I sent you money.
Please share your thoughts.
Best Regards, --------------------------------
*Nick Ngatia*
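The hash-function and transaction-reference ideas from the reply above, sketched as an added example (not code from the thread, Safaricom or the Daraja API). It swaps the bare hash for a keyed one (HMAC-SHA256 under a provider-held key), because a mask such as 2547xxxxx015 leaves only five hidden digits and a bare hash of the number can be matched by trying all 100,000. `PROVIDER_KEY`, `TILL`, `payer_token`, `RentLedger` and all numbers are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo values: the key, till number and phone numbers are placeholders.
PROVIDER_KEY = b"demo-key-held-by-the-payment-provider-only"
TILL = "000000"

def normalize(raw):
    """Canonical 2547XXXXXXXX form so one subscriber always hashes the same way."""
    digits = "".join(c for c in raw if c.isdigit())
    if len(digits) == 10 and digits.startswith("0"):
        digits = "254" + digits[1:]
    if len(digits) != 12 or not digits.startswith("254"):
        raise ValueError("unexpected number format")
    return digits

def payer_token(msisdn, till, key=PROVIDER_KEY):
    """Keyed per-till pseudonym: stable for one payer at one till, different at another."""
    msg = (till + "|" + normalize(msisdn)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def bare_hash(msisdn):
    """Unkeyed hash, shown only to illustrate why it does not mask a phone number."""
    return hashlib.sha256(normalize(msisdn).encode()).hexdigest()

def hidden_digits_recoverable(digest, prefix, suffix):
    """Design check: with a mask like 2547xxxxx015 only 100,000 candidates remain."""
    for n in range(100_000):
        candidate = f"{prefix}{n:05d}{suffix}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return True
    return False

class RentLedger:
    """Merchant side: stores tokens and account references, never phone numbers."""
    def __init__(self):
        self.token_to_account = {}
        self.balances = {}

    def enroll(self, account, token):
        # One account may enroll several tokens (a tenant with several numbers).
        self.token_to_account[token] = account
        self.balances.setdefault(account, 0)

    def credit(self, amount, token, reference=None):
        # An explicit account reference wins; the token is the fallback.
        account = reference if reference in self.balances else self.token_to_account.get(token)
        if account is None:
            return None  # unmatched: hold for manual reconciliation
        self.balances[account] += amount
        return account
```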
participants (5)
- Benson Muite
- GATHARIKI NGIGI
- Kelvin Kariuki
- N N
- Twahir Hussein Kassim