Many Kenyans want to know why they should re-register their mobile phone SIM cards. The deadline was April 15, but the Communications Authority (CA) extended it to October 15. Initially, the details required included a photograph and a signature.
Many subscribers registered their SIM cards years ago. The demand for new details was met with apprehension. Being an election year, many conspiracy theories are bandied about as to why the operators want those details.
Registration of SIM cards is a legal requirement but re-registration is not. In 2015, the Kenya Information and Communications (Registration of SIM-cards) Regulations were passed to ‘provide a process for the registration of existing and new subscribers of telecommunication services provided by telecommunication licensees’. The assumption is that once one has registered their SIM card, there is no need for re-registration unless the details provided were false or incorrect.
The 2015 regulations do not provide for a photograph and signature for the registration of a SIM card. This was clarified by CA’s Director-General. Yet, Safaricom still required subscribers to provide a signature. This calls into question its motives for demanding personal data that is not contemplated under the 2015 regulations and against clarifications made by CA.
The 2015 regulations were enacted before the Data Protection Act, 2019. Thus, all collection of personal data/information must comply with principles and guidelines set out under the Act. One of these principles is that personal data ought to be collected lawfully, fairly and transparently.
As per the Data Protection Act, an individual ought to be informed what their personal data is going to be used for. Since the additional data is not contemplated by the law, individuals have a right to object and there ought to be no repercussions when someone declines to provide a photograph or signature.
Also, the service providers ought to inspire confidence in the security of personal data. They should clearly indicate the reasons for requiring personal data, how long they will retain it, how they will keep it secure and with whom they share it. Without such information, they are going against the legal principle of transparency. It is not clear if the service providers carried out a data protection impact assessment for the collection of re-registration data and whether the assessment reports were considered and approved by the Data Protection Commissioner.
Finally, the silence by the Data Commissioner over the issues raised by subscribers is worrying. It should have provided clear directions to the service providers on how to proceed with the re-registration.
The writer is a Privacy and Data Protection Specialist.