DNA storm in Kabogo SIM registration rules

It added that it has not directed the telecoms operators to collect the data.

ICT Cabinet Secretary William Kabogo issued revised regulations on SIM card registration, which require telecoms companies to capture subscribers’ ID cards or passport details, name, postal address, and biometric data.

Read: DNA for SIM card: New CA regulations cause privacy jitters

The rules also require the operators to ensure completion of a form, which captures many entries including biometric details.

“A telecommunications operator or registration agent shall enter the registration particulars provided by a person in electronic or print form as provided in Form 1 set out in the Schedule and may require the subscriber to appear in person for registration,” say the regulations.

Section 5 b of the form requires biometric data, which the regulations describe as “personal data resulting from specific technical processing based on physical, physiological or behavioural characterisation, including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning and voice recognition.”

But the CA said that the mention of biometric in the regulations does not point to collection of the personal data.

“This definition does not mean that all this information will be collected from subscribers during SIM card registration,” the CA said in a Tuesday statement.

“As a matter of fact, the Authority has not directed our licensees to collect this data.”

The CA said the regulations were developed to protect SIM card holders from fraud and criminal activities and support secure access to digital services such as mobile money, online government services and shopping platforms.

“Operators are prohibited from sharing subscriber data without their consent or a lawful order. CA and the Office of the Data Protection Commissioner will provide strict oversight, including regular audits and issue strong penalties for abuse or misuse of customer data,” the communications watchdog said.

The revised regulations give mobile operators the power to suspend SIM cards where subscribers provide false information or repeatedly ignore registration requirements.

This includes when a child attains 18 years of age and fails to register their personal identification details within 90 days.

Operators are, however, required to give notice through notifications and advertisements in print and broadcast media before the disconnection.

The new guidelines sparked concern as they were seen to violate the data minimisation principle provided for in the Data Protection Act, which requires organisations to collect and process only the personal data that is relevant and necessary for a specific, legitimate purpose.

“Avoiding the processing of personal data altogether when this is possible for the relevant purpose; limiting the amount of personal data collected to what is necessary for the purpose; demonstrate the relevance of the data to the processing in question,” the Act states.

Analysts also question telecoms operators’ capability to handle huge volumes of such sensitive data.

→ [email protected]