Why SIM-card Re-registration is a Flawed Process

Every other Kenyan has been demanding answers as to why mobile phone service operators have put in place a requirement that they re-register their SIM-cards or else they get disconnected from the service. The details required for re-registration include a photograph and a signature. Many mobile phone subscribers had already registered their SIM-cards years ago. The demand for new registration details was met with a lot of apprehension. Being an election year, there are lots of conspiracy theories as to why the operators are making such demands from their subscribers.

Registration of SIM-cards is a legal requirement. Re-registration on the other hand is not specifically provided for in law. In 2015, the Kenya Information and Communications (Registration of SIM-cards) Regulations were enacted. The object of these Regulations is to ‘provide a process for the registration of existing and new subscribers of telecommunication services provided by telecommunication licensees’. As per the Regulations, to register a SIM-card, one is required to provide the following:

‘(a) full names; (b) identity card, service card, passport or alien card number; (c) date of birth; (d) gender; (e) physical address; (f) postal address, where available; (g) any other registered subscriber number associated with the subscriber; (h) an original and a copy of the national identity card, service card, passport or alien card; (i) an original and a copy of the birth certificate, in respect of registration of minors; (j) subscriber number in respect to existing subscribers; (k) a certified copy of the certificate of registration or incorporation and a copy of the national identity card or passport of at least one director, where relevant; and (l) a letter duly sealed by the chief executive officer or the person responsible for the day to day management of the statutory body.’

The assumption is that once one has duly registered their SIM-card, there is no need for re-registration unless the details provided were false or incorrect. It is important to note that the regulations do not provide for a photograph and signature as details required for registration of a SIM-card. This was a detail clarified by the Director General of the Communications Authority. Yet, Safaricom still requires its subscribers to provide a signature for re-registration. This calls into question the motives of the mobile phone service provider for demanding personal data that is not contemplated under the Regulations and against clarifications made by the Communications Authority.

The SIM-card registration Regulations were enacted before the Data Protection Act, 2019. Thus, it goes without say that since the Act is operational, all collection of personal data/information must comply with principles and guidelines set out under the Act. One of these principles is that personal data ought to be collected lawfully, fairly, and transparently. We have established that the demand for a photograph and a signature are not legal requirements. Second, why didn’t the service providers clearly inform their subscribers the reason for demanding additional personal data to enable the subscribers make an informed choice? Such information would be availed in the form of a revised privacy notice by the service provider.  As per the Data Protection Act, an individual ought to be informed what their personal data is going to be used for.

Third, since the additional personal data is not contemplated by the law, individuals have a right to exercise their data subject rights under the Data Protection Act and object to the collection of the additional data. This means that there ought to be no repercussions such as disconnection of a SIM-card for declining to provide a photograph or a signature. Fourth, since the Data Protection Act provides for a right of correction of false or misleading data, perhaps what the service providers would have done is request subscribers to verify their SIM-card registration details within a defined period. This would ensure the accuracy of data held by the service providers without the need for issuing threats of disconnection from service.

Fifth, the service providers ought to inspire confidence to the subscribers about security of their personal data. Through the revised privacy notices, the service providers ought to simply and clearly indicate to subscribers the reasons they require the personal data, how long they will retain the data, how they will keep the data secure, and with whom they share the data with. Without such information in the public domain, the service providers are going against the data protection principle of transparency.

Sixth, from a data protection practitioner’s angle, the question is whether the service providers carried out a data protection impact assessment for the collection of re-registration data and whether the assessment reports were considered and approved by the Office of the Data Protection Commissioner. The data protection impact assessment would indicate the potential risks to the collection of the personal data and strategies set out to mitigate those risks.

Finally, the radio silence by the Office of the Data Commissioner on the issues raised by subscribers is worrying. The Office ought to have provided clear directions to the service providers on how to proceed in the re-registration process. What emerges from the SIM-card reregistration demands by the service providers is an attempt to act outside the law and not paying attention to basic data protection principles.