The Ghana SIM Card Registration: Speaking from a Professional Perspective, not Political!

I have chosen to remain silent on the SIM Card Registration matter -- until now. But the more I read, the more I witness distortion from so-called professionals who lack practical understanding of the complexities involved in managing massive data infrastructure. Let us leave politicking to the politicians -- NDC and NPP. Professionals must speak to what is technically sound and aligned with best practice. The technology space comprises distinct disciplines: Computer Science, Information Technology, Computer Engineering, Software Engineering, and others. In my professional view, those best positioned to speak on this matter are practitioners with practical experience in software development, large-scale database management, and interoperability. Anyone speaking from a purely theoretical standpoint -- or claiming expertise without hands-on experience -- risks spreading misinformation or projecting political bias. Such voices may sound logical, but they carry no technical substance. Avoid them. I watched Akosua Manu on TV3 on Saturday. She was eloquent -- as she always is. She spoke on SIM Card Registration from a political lens. I will not judge her on that basis; she did exactly what her role requires. Given her understanding of AI, she was right to say what she said. Leave her alone. And let's focus on guiding Hon Sam George to do the right thing! On the previous SIM Card Registration exercise under Hon. Ursula Owusu, I must acknowledge it was a great initiative. What Hon. Sam George now seeks to do is a step further -- building on and improving what was initially established. As industry practitioners, our role is not to align with political lines. Our duty is to speak from a place of professional and technical integrity -- to guide public discourse, equip citizens with accurate information, and enable them to make informed choices grounded in knowledge delivered by technocrats and professionals. Let us do that. Nothing more. Nothing less. 1.0: Contextual Background The question of which body -- the National Identification Authority (NIA) or the National Communications Authority (NCA) -- is best positioned to provide verification of SIM card registration using the Ghana Card is not merely an administrative choice. It is a fundamental question of data governance, institutional competence, security architecture, and legal accountability. This analysis critically examines both institutions through a technical, legal, and professional lens, identifying the critical questions that must be asked before any determination can be made. The integration of the Ghana Card into SIM card registration represents a significant shift in Ghana's digital identity ecosystem. It is part of a broader strategy to create a single source of truth for identity verification, reducing fraud, enhancing national security, and enabling digital transformation. However, the technical implementation of this integration raises profound questions about: * Data flow architecture: How does identity data move between institutions? * Verification authority: Which body holds the authoritative source of truth? * Security responsibility: Who bears accountability for breaches or misuse? * Legal liability: Where does legal responsibility lie when verification fails? 2.0: Institutional Mandate Analysis 2.1: National Identification Authority (NIA) Statutory Foundation: National Identification Authority Act, 2006 (Act 707) Core Mandate: * Create, maintain, provide, and promote the use of national identity cards * Collect and maintain the National Identity Register * Ensure accuracy, integrity, confidentiality, and security of personal data * Make data available to persons or institutions authorised by law Key Strengths: Critical Weaknesses: 2.2: National Communications Authority (NCA) Statutory Foundation: National Communications Authority Act, 2008 (Act 769) Core Mandate: * License and regulate electronic communications activities and services * Ensure quality of service and consumer protection * Manage the radio frequency spectrum * Regulate the telecommunications sector Key Strengths: Critical Weaknesses: 3.0: Technical and Professional Questions for Critical Evaluation Question 1: Where Does the Authoritative Source of Truth Reside? Technical Question: Who holds the master copy of the biometric and demographic data against which SIM registrations will be verified? Analysis: * The authoritative source of truth for Ghana Card data is the National Identity Register maintained by NIA under Act 707. * If NCA hosts or caches this data, it creates a secondary data repository -- increasing attack surface and introducing synchronisation risks. * If verification is performed via API call to NIA's systems, NIA remains the data controller, and NCA becomes a processor or intermediary. Professional Judgment: The authority that controls the authoritative source of truth must retain ultimate accountability for data integrity and security. NIA holds that authority. Question 2: Who Bears Legal Liability for Verification Errors? Legal Question: If a SIM card is registered to the wrong person due to verification failure, which institution is legally liable under Ghana's Data Protection Act, 2012 (Act 843)? Analysis: * Under Act 843, a data controller is the person who determines the purposes and means of processing personal data. * If NIA determines the verification criteria and controls the authentication system, NIA is the data controller for the verification transaction. * If NCA directs MNOs on how to conduct verification and sets the rules, NCA may be a joint controller with NIA. * Liability for inaccurate data, unauthorised access, or system failure follows data controller status. Professional Judgment: Liability must be clearly assigned by law or memorandum of understanding. NIA, as the custodian of the identity data, cannot delegate liability for misuse or inaccuracy of that data. Question 3: Who Conducts Biometric Matching? Technical Question: Which institution owns and operates the biometric matching engine? Analysis: * Biometric matching is the most technically sensitive component of identity verification. It requires: * NIA has developed this capability as its core mandate. NCA has not. Professional Judgment: Biometric matching must remain within NIA's custody and control. Introducing a second institution into the biometric verification chain creates unnecessary risk of template exposure, algorithmic manipulation, and accountability fragmentation. Question 4: Who Is the Data Controller Under Act 843? Legal Question: For the purpose of SIM verification transactions, who is the data controller under Ghana's Data Protection Act, 2012 (Act 843)? Analysis: * Act 843 defines a data controller as a person who determines the purposes for which and the manner in which personal data is processed. * During SIM verification, multiple institutions may determine different aspects of processing: Professional Judgment: Clear data controller designation is legally non-negotiable. The current ambiguity -- where multiple institutions have overlapping responsibilities without clear accountability -- creates unacceptable legal risk. NIA, as the custodian of the underlying identity data, must be designated as the data controller for verification transactions, with NCA and MNOs acting as processors or joint controllers with clearly defined boundaries. Conclusion and Recommendations: A Collaborative Framework for SIM Verification Neither the National Identification Authority (NIA) nor the National Communications Authority (NCA) can singly deliver a secure, accountable, and citizen-centric SIM verification system. This is not a binary choice between two institutions -- it is a question of deliberate, structured collaboration. Success lies in leveraging the distinct competencies of each body while establishing clear boundaries of authority, accountability, and liability. A Division of Institutional Responsibilities * Data Custodianship and Verification Service rest with NIA. As the holder of the authoritative National Identity Register, NIA is legally mandated to ensure data integrity and possesses the core biometric expertise required to operate the matching engine. Verification cannot be credible without NIA at the centre. * Regulatory Oversight and Compliance Auditing belong to NCA. With statutory authority over Mobile Network Operators, licensing powers, and a consumer protection mandate, NCA is best positioned to enforce compliance and impose sanctions where necessary. * Consumer Redress is led by NCA, given its consumer protection mandate, with escalation to NIA for data-specific issues that originate in the National Identity Register. * Security Architecture is led by NIA -- because data security follows data custody -- with NCA ensuring MNO compliance with security standards. * Data Protection Compliance must be joint. Multiple controllers are involved, which requires a formal data sharing agreement and a mandatory Data Protection Impact Assessment under Ghana's Data Protection Act, 2012 (Act 843). The Way Forward The choice is not NIA or NCA. It is NIA and NCA -- operating under a legally binding framework that assigns clear roles, enforces accountability, and prioritises the citizen at the centre of the system. Anything less will repeat the failures of the past. The NIA must retain control of the verification service, as it holds the authoritative identity data and possesses the specialised biometric competence required for secure authentication. However, NCA must retain regulatory authority over MNOs and serve as the primary consumer protection interface. The two institutions must operate under a formal collaboration framework with clearly defined roles, responsibilities, and accountability mechanisms.