Mobile money is fast becoming the number 1 means of money remittance and payments in Africa, largely due to the inexpensive rates of setting up and using the service compared to traditional banking means. Mobile money services may also be closer to consumers than most banks, having an advantage over them.
However, as with all financial systems there is a great need for user data privacy and security. The GSMA shared 7 guidelines for mobile money data protection. These are:
Providers typically use an overarching framework to shape how data is managed. A clear governance structure and the codification of internal policies and processes are crucial elements of this. Guiding principles for data governance include:
- Appoint a specific individual or team to oversee good practice in customer data privacy, including through employee awareness programmes and training. This individual/team will undergo relevant training to adequately oversee the implementation of data protection principles in the organisation.
- Develop a strategy that clearly sets out the data protection journey, and the steps to be taken to improve the organisation’s data governance framework, including a roadmap with timelines for implementation
- Implement a risk management approach to data that involves the regular evaluation of risks, including through privacy impact assessments
User choice and control
Users should be provided with information about their personal data. Mobile money providers therefore take steps to provide users with meaningful choice and control over their personal data. Guiding principles for user choice and control include:
- Limit access, collection, sharing, disclosure and further use of personal information to what is required for legitimate business purposes, such as providing applications or services as requested by users, or as required by legal obligations.
- Ensure users can opt out of the collection or processing of their personal data, where it is not essential to the provision of mobile money services, or to meeting legal requirements.
- Provide customers with the means to access and to amend their data to ensure completeness and accuracy.
- Ensure that these options are made available to consumers in both rural and urban areas and that they account for varying levels of literacy.
A central aspect of best practice by mobile money providers is the minimisation of data. Only the minimum personal information necessary to meet legitimate business purposes and to deliver, provision, maintain or develop applications or render services should be collected and otherwise accessed and used. Personal information should not be kept for longer than is necessary to fulfill legitimate business purposes or legal obligations. Guiding principles for data minimisation include:
- Carefully consider what personal data will be needed to realise a particular purpose before proceeding with the collection of personal data.
- Document the type of personal data collected, as well as the justification for doing so, as part of information handling policies and practices.
- Minimise the number of people to whom personal data is disclosed or by whom personal data is accessed.
- Once personal information is no longer required to meet a specific legitimate business purpose or legal requirements/obligations, it should be destroyed or anonymised. Truly anonymous data may be retained indefinitely. To anonymise data, remove any information that could be used to identify a specific individual, ensuring it is not possible to re-identify the individual, and ensure that the data cannot be related to a single, unidentified individual by unique identifiers.
- Ensure the proper sanitisation of old devices so that retired hardware does not inadvertently contain personal data, in order to prevent breaches.
Openness, transparency and notice
Openness, transparency and notice are key to ensuring that users have a clear understanding of how their data used, enabling them to make informed decisions about whether to use a service. Guiding principles for openness, transparency and notice include:
- Through the use of notices, provide users with sufficient information to know how to access and correct their personal information. These notices typically account for varying literacy levels among consumers, and therefore adopt creative means of communication through the training of agents and customer call centre support.
Data and information security
Security of personal data is critical to data privacy. Mobile money providers typically implement a number of mechanisms to ensure the security of data. For mobile operators, this effort builds on deep expertise from the core GSM business and is designed to protect mobile money data from loss, or unauthorised access, destruction, use, modification or disclosure. Guiding principles for data and information security include:
- Develop, implement and regularly review a formal security policy for mobile money services, outlining the organisation’s approach to managing its information security objectives.
- Set out clearly the roles and responsibilities of information security teams, including security risk assessments, controls and mitigations. This will also include data breach response plans as well as a designated contact person for all regulatory notifications in the event of a breach.
- Design and develop secure systems, applications and networks for mobile money services in accordance with privacy requirements.
As mobile money services continue to evolve, the ecosystem is growing to include more players, such as financial ecosystem partners, or outsourced service providers for systems. The transfer of personal data between third parties is critical, as is the sharing of data within organisations, and this may occur across different national or regional legal jurisdictions. Where a provider permits access to or transfer of personal data through systems external to the organisation, as may be required for legitimate business purposes, mobile money providers must take step to ensure the data remains protected. Guiding principles for data sharing include:\
- Where personal data is transferred (either to third parties, or to other departments within the same organisation) providers set minimum default policies for sharing personal information that may pose risks to customers.
- Written agreements governing data privacy will be in place with all third parties that either process personal data or have access to personal data. These will typically include responsibilities for data privacy as well as further restrictions to personal data sharing.
Accountability applies to the measures implemented by mobile money providers which will serve to demonstrate adherence to the principles of data protection, as well as compliance with other applicable laws and regulations. Guiding principles for accountability include:
- Assign responsibility for ensuring the user’s privacy is considered and protected throughout the product lifecycle and through applicable business processes.
- Establish an organisational commitment to accountability and to the adoption of internal policies consistent with the Guidelines
- Introduce systems for ongoing internal oversight and assurance reviews.
- Introduce transparency and mechanisms for individual choice regarding the use of their personal data.
“In this context, data protection is critical to ensuring that data is not only fuelling innovation, but also that it is handled in a safe and responsible manner. To that end, mobile operators are building on the technical and compliance capabilities of the core GSM business to advance data protection in mobile money. In emerging market countries where data protection regulations are either outdated or yet to be introduced, there is also an active dialogue about how future rules can both ensure consumer protection and facilitate broad access to the digital economy.” – Juliana Maina, Advocacy and Regulatory Manager, Mobile Money – GSMA