General data protection principles require that data collected must:
- be obtained and processed fairly,
- have been obtained for specified or explicit and legitimate purposes,
- not be further processed in a manner incompatible with that purpose or those purposes,
- be retained subject to appropriate security measures against unauthorized access, and
- be processed in accordance with the rights of data subjects.
The telcos and the National Communication Authority are capturing our biometrics again for the purpose of the SIM registration when the Ghana card which already has our biometrics is being used as the only form of identification. Is there something wrong with the earlier capture? Are we as data subjects at risk? Has it been compromised hence the need to re-capture?
The capture does not seem relevant and is an infringement of our right to privacy as data subjects. We need to be convinced how it is in the interest of the public and why this is being done but it seems our rights are being infringed upon because telecommunication has become a way of life and we seem to have no choice.
This is like a lady who badly needs a job to take care of her ailing mother and the Human Resource manager is demanding sex. What choice does she really have? If we do not get our biometrics captured again our phones will be cut off. What choice do we really have?
The re-capture of course would have been relevant, necessary and not excessive if other non-biometric identification cards are allowed.
DATA PROTECTION ACT, 2012 (ACT 843)
Section 22 of Act 843 allows the Telcos as data controllers to collect personal data for a purpose which is specific, explicitly defined and lawful and is related to their functions or activity, but the Telcos, under sections 20 and 23 of Act 843, must make us the citizens aware of the purpose and give us the right to object to or stop such processing.
Section 19 of Act 843 requires that personal data is only processed if the purpose for which it is to be processed, is necessary, relevant and not excessive. The Ghana card which is the only identification document to be used already has our biometrics, now is this necessary? Is this not excessive?
The object of the Data Protection Commission (DPC) in Act 843 is to:
- protect the privacy of the individual and personal data by regulating the processing of personal information, and
- provide the process to obtain, hold, use or disclose personal information.
COMMERCIALISATION OF PERSONAL DATA
The factors of production in the traditional economy, as we have been taught in economics, are land, labour, capital and entrepreneurship. In the digital economy the factors, for me, are information, skill, capital and entrepreneurship. This makes personal data a very valuable asset for wealth creation and hence it must be protected.
Who is selling or giving our data to the political parties and marketing companies to send us unsolicited messages which is in itself illegal without our consent and an invasion of our privacy? Who is selling our data to the banks for their verification of transactions? An online identity verification system, GVIVE, that is being used by the banks is owned by a private limited company called Bsystems Ltd. Bsystems has collaborated with the Electoral Commission, Passport Office, Driver and Vehicle Licensing Authority, and Social Security and National Insurance Trust to bring the Biometric Voter ID, Biometric Passport online, Driver License and Biometric SSNIT ID online.
It might seem harmless and cool and yes, it is to combat fraud, but why is a private company having access to and making money out of our personal data? Were we data subjects informed of such use when our details were being taken for those particular intended purposes? Were we allowed to opt-in or opt-out as the case may be for consent? Do we as data subjects have the right to records on who has made searches on us and for what purpose? Should we be sent alerts on any access made on our records and for what purpose to monitor unauthorized access as a right? In case of a breach of the use or misuse of our personal data, do we have any remedies?
It is better for the government to own any such identity verification system as part of the digitalization agenda so we would know who has been given access and the fees will then be paid to the government instead of private individuals. This will give more confidence to us data subjects as to the protection of the data, making it easy for us to invoke our rights when necessary.
DANGERS OF BIOMETRIC DATABASES
Biometric data is basically any data that can be used to uniquely identify a specific person. This makes it highly sensitive special category data that must be processed appropriately to protect the safety of Ghanaians. It is not ordinary personal data, hence it is classified as “sensitive data”. This requires a greater level of protection, and merely having a legal basis to process biometric data is not in itself sufficient.
Everybody is collecting biometrics and we seem to be helpless because we need the services. For example, if you refuse to get your biometric captured by the Telco, you cannot get your SIM registered. What do you do?
Our biometrics are being captured again by the Telcos and we are at the mercy of the information security systems that they have put in place. The truth is, I have so many questions which require answers from the Government, but below are a few of them. Is every Telco going to hold its own biometric database? Is it being captured offline to be later merged into one centralized national database? Do we know how dangerous it is to merge a wrong biometric to a name? Where is the server and backup located? Is it offshore, especially with the foreign-owned Telcos, hence subject to trans-border dataflow legal issues?
The reason we should be worried is the unintended uses of biometric databases called “function creep”. Function creep is where a technology is introduced to do one popular cool thing (function) but later used to do other things which may be unpopular un-cool things (functions), meaning the original function has “crept” into another unrelated function.
These could be both planned and unplanned. Once a biometric database is set up, there can be uses for it without boundaries, especially when there is a breach, hence its capture should be very limited to only when it is absolutely necessary.
The General Data Protection Regulation (GDPR), which regulates data protection and privacy in the EU, for example, prohibits the processing of biometric data for the purpose of uniquely identifying natural persons, with very limited exemptions of an express consent or a compelling public interest.
The GDPR, for example, has introduced a new requirement that data controllers must conduct a Data Privacy Impact Assessment (DPIA) when processing is likely to result in a high risk to the rights and freedoms of Data Subjects.
The UK in response had to pass a Protection of Freedoms Act 2012 with a section that specifically deals with biometrics and the appointment of a Biometric Commissioner. This Commissioner is independent of government and his duty amongst others is to have an independent oversight to review national security determinations of the use of biometrics.
The point is Government can collect biometrics when in the public interest, but because it is sensitive data, there should be an independent check and review of the use, retention and destruction of biometrics by even the government.
The Dutch Data Protection Authority (DDPA) once imposed one of its highest fines on an organization that used biometric data of its employees for attendance and time registration. SIM card registration with the Ghana card, which already has our biometrics captured, cannot in any way be a compelling public interest for a recapture of our biometrics. We need to be protected by the Data Protection Commission as an independent body.
Having multiple biometric databases in itself creates data integrity issues, where a change in a data element such as an address in one database may not necessarily lead to a change in all other databases if they are not being synchronized. This puts all of us at risk with respect to false positives when a criminal investigation has to be conducted.
The data subjects should be able to sue the data controllers for breaches of their digital persona, where their biometrics have been wrongly linked to a different name and they are being accused of having committed a crime. The trauma, waste of time and damage to reputation cannot be quantified.
The Ghana card, which already has our biometrics and personal data, is being used as the only means of identification. This makes collecting biometrics for a SIM registration superfluous and not necessary for the intended purpose, and the data protection principles as in Act 843 do not sanction it.
All it takes is to link the SIM card to the Ghana card and the already captured biometric should be available for whatever fraud protection we want. The Telcos are not going to investigate cybercrime by themselves using the biometric database they are setting up but through the law enforcement agencies.
The law enforcement agencies can, subject to the appropriate legal requirements, have access to our biometric database that has already been collected under the Ghana card. All that is needed is the link of our Ghana card number to our registered SIM cards for purposes of reporting a crime.
What is the compelling national interest for another biometric to be taken? The Data Protection Commission, if independent, should please let us know its position on this. This will help prevent situations like the lady looking for a job to take care of her critically ill mother who, at the mercy of the HR manager, had no choice but to just give in.
This is my word of caution and I hope it will not lead to a situation where one day those who have the power to stop the recapture either acquiesced or refused to stop it and it is being used against their right of privacy. Remember Esther 7:10 “So they hanged Haman on the gallows that he had prepared for Mordecai. Then was the king’s wrath pacified.”
The author holds an EMBA (IT Management), an LLB and an LLM (IT & Telecommunication) (visit: Kofianokye.blogspot.com)