Telecommunication firms must secure customer data, Owalo tells Senate team

Telecommunications companies are required to secure the data of their customers and should not share the information without the express permission of their clients, except for law enforcement purposes, according to ICT Cabinet Secretary Eliud Owalo.

Owalo, who appeared before the Senate Information and Communication Technology Committee, said that the Communication Authority of Kenya has established the National Kenya Computer Incident Response Team, a multiagency coordination centre, for the detection, prevention, analysis, response and investigation of cyber threats.

The CS said the team supports critical information network operators and service providers, in the private and public sectors, in the management of cyber security. This is done through sharing of cyber threat advisories targeted at their network and the resolution of cyber incidents, he said.

"We also note that the enactment of the Data Protection Act, 2019 has made the handling of customer data more stringent and this is expected to further improve the security of customers' data as many firms bring themselves to full compliance with the Act. The licensed entities are required to develop measures to help secure and retrieve customer data whenever needed," said Owalo.

Many challenges

He told the committee chaired by Trans Nzoia Senator Allan Chesang that although cyber-attacks have presented many challenges, an escalation has been made through the national team, through early warning and advisory to licensees, for appropriate and timely interventions.

Owalo said licensees are also required to put in place measures to protect customer information independently.

"A licensee shall use all reasonable endeavours to ensure the privacy and confidentiality of proprietary information," said the CS.

Owalo said the communication authority is mandated to regulate tariffs, under the Kenya Information and Communication (Tariff) Regulation 2010.

"With respect to local calls, the authority has in the past received requests from some mobile network operators to review the Mobile Termination Rate (MTR), applicable for calls originating and terminating in Kenya. Subsequently, in August 2022, the authority intervened and reduced the MTR from Sh0.99 to Sh0.58 per minute," said Owalo.

He told senators that in 2022, the authority carried out a network cost study in the telecommunications sub-sector and one of the recommendations it came up with was a further reduction in the MTR, with the authority is expected to implement new rates within the next financial year.

Owalo said the telecommunications firms have interconnection agreements between local and international carriers with defined preconditions on traffic Calling Line Identity (CLI) and applicable rates, the tariffs charged are filed with the Authority for approval as per the market study and guidelines are given from time to time.

Fully liberalized

He said that under the current Unified Licensing Framework, the operation of International Gateways has been fully liberalized.

"Any applicant that meets the requirements set out for the award of a gateway licence is duly licensed under the current International traffic management regime while holders of International Gateway Licences are not compelled to interconnect with any foreign network," Owalo said.

He added: "Holders of Application Service Provider (ASPs) licences in Kenya that choose to work with traffic aggregators to terminate international traffic must seek to enter into agreements with local operators, but such agreements are considered to be under the international traffic management regime, where the local operators are not compelled to enter into and terminate such traffic."

The CS said MTR is applicable to all ASPs licensees terminating local voice traffic, thus by default, it does not apply to licensees who do not fall under this category. The licensed entities that provide international gateway services are preconditioned to ensure interconnection with local operators and to provide requisite capacity to other requesting interconnection licensees.

Owalo informed the committee that Mobile Network Operators (MNOs) licences also have a condition prohibiting them from undue discrimination or undue preference to or exercising undue discrimination against particular persons or persons of any class or description.

The CS said the licensee may be deemed to have shown such undue discrimination if it unfairly favours the provision of any communications services to another communication business it carries out so as to place at a significant competitive disadvantage a person competing with that business.

Approved standards

"The Kenya Information and Communications Act, 1998, as amended, places the responsibility of ensuring that systems deployed in the country's telecommunication and radio communication networks meet set standards and that in this regard, the authority, through its type-approval processes undertakes the necessary checks on equipment that is imported to ensure they conform to the standards adopted in Kenya," said Owalo.

He said the interconnection agreements are designed to accommodate the approved standards and that rather than the systems being developed to meet the requirements of the agreements with regard to harmful interference, Kenya subscribes to International Telecommunications Union standards on radio communications.

Owalo said the communication authority only type-approves equipment that conforms to these standards while regularly monitoring radio communication emissions to detect interference and advise the owners of equipment found to be generating harmful interference to make the necessary adjustments to eliminate the interference.

Radio communication

He said unlicensed entities that are found operating such systems are duly prosecuted. Since Kenya also subscribes to the standards set by the International Commission on Non-Ionizing Radiation Protection (ICNIRP) that ensures radio communication emissions do not exceed the set thresholds, which are considered safe for humans.

Owalo said that according to industry best practice, the handling of information exchanged between interconnecting parties is usually done under non-disclosure agreements where such information may only be required by the authority pursuant to the execution of its mandate, or by other agencies for law enforcement purposes or other lawful requirement as prescribed under other laws or statutes.