Safaricom just bagged the gold standard in privacy protection, becoming one of the first Mobile Network Operators in the region to receive the ISO 27701 Privacy Information Management System (PIMS) certification. According to Safaricom, this impressive feat comes after a meticulous review by the British Standards Institute (BSI), which awarded the certification to the telco on October 16, 2024. This is no small win — the PIMS certification is the highest a company can achieve for privacy information management, underscoring Safaricom’s dedication to protecting customer data across its popular GSM and M-PESA services. However, a section of Kenyans may not agree with this certification.
Safaricom says that this rigorous audit went deep, examining its customer support, billing systems, M-PESA operations, and data centers. The evaluation didn’t stop there; it scrutinized every corner of Safaricom’s ecosystem, from its Customer Relationship Management (CRM) system to the M-PESA apps we all have on our phones. The focus was on ensuring that Safaricom’s policies, like its Data Protection Policy, are actually implemented in a way that shields user data from any prying eyes.
Peter Ndegwa, CEO of Safaricom, gave a nod to his team for this achievement, saying, “I would like to applaud the dedicated cross-functional teams whose tireless efforts have made this achievement possible. The attainment of the PIMS certification reaffirms our ongoing commitment to continuously improve our privacy and security measures, ensuring we provide exceptional experiences for our customers while safeguarding their private information.”
Safaricom also recently upgraded its Payment Card Industry Data Security Standard (PCI DSS) certification to the latest version, v4.0, enhancing its security for card transactions on platforms like M-PESA.
However, this win for privacy protection comes at a time when Safaricom finds itself under scrutiny. A recent report by Nation Africa suggested that the company has been collaborating with police to share user location data, allegedly aiding in the tracking of suspects and activists. Safaricom has pushed back strongly on these claims, stating that it respects customer privacy and only provides data when legally required through court orders.
In a separate response to these allegations, Safaricom explained that its Call Data Records (CDRs) don’t even include real-time location tracking; the records are simply generated after calls end and are used for billing. And now, with the PIMS certification in hand, Safaricom aims to reinforce its commitment to keeping your data out of the wrong hands.
As Kenya steps up surveillance efforts — like the recent “Receipt Challenge” by the Kenya Revenue Authority (KRA) to curb tax evasion and proposals to register all phones by IMEI — privacy is a growing concern for many citizens. For now, Safaricom’s latest certification is a significant stamp of approval, but the balancing act between customer privacy and government requirements remains in the spotlight.