I was advised by ICASA as follows:
The Authority is mandated through section 68 of the Electronic Communications Act (“the ECA”) (Act No. 36 of 2005) as amended to regulate the numbering resources. However, the ECA does not empower the Authority to regulate SIM registration.
Noting the challenges experienced in the country wherein numbers are hijacked either through SIM swap fraud or number porting, the Authority has tightened the number porting regime by prescribing a porting procedure and a port validation process in Schedule A of the Number Portability Regulations of 2018.
Additionally, the Authority resolved to amend the Numbering Plan Regulations of 2016, by inserting a provision that mandates licensees to collect subscribers’ biometric data during activation of services.
These regulatory measures are intended to empower and protect the public when activating/porting their numbers and/or services with the telecommunications service providers. Nevertheless, the biometric data collection provision was deferred by the Authority for further consultation with stakeholders on the technical and functional specifications associated with the implementation of the biometric provisions.
The Authority has been consulting with the Department of Justice and Constitutional Development (“DOJ & CD”) on the review of Chapter 7 of RICA which places an obligation on telecommunications service providers, who are licenced by the Authority to register all SIM cards by verifying customer information. It also mandates telecommunications service providers to retain customer data, and to respond to lawful interception requests. Further, the Authority is addressing concerns that it does not have access to the RICA database which is managed by the DoJ & CD to monitor compliance.
The Authority is also in consultation with institutions that have successfully implemented the biometric verification system – South African Banking Risk Information Centre, the State Information Technology Agency and the Department of Home Affairs - to seek guidance regarding the development of a functional biometric system.
Furthermore, clarity is being sought from the Information Regulator regarding the application of the Protection of Personal Information Act (Act No. 4 of 2013) (“POPIA”) on the appropriate safeguards to protect personal information of the data subjects. This is to ensure that the Authority’s Numbering Regulations are not in conflict with the provisions of POPIA.
Thank you