Minister of State for Home Leon Schreiber has gazetted draft rules that pave the way for smartphone-based Digital Identity System in South AfricaPotentially able to operate enrollment points with banks and other private sector “trusted entities” and receive automatic updates from the National Population Register.
draft amendment (PDF) According to the Identity Rules 1998, gazetted for public comment until June 6 on Monday, a digital identity credential will be created that will be delivered through a mobile application called MyMjansi – not a replacement for South Africa's existing smart ID card.
The use of the digital credential will be optional, and the rules clearly state that no one will be forced to obtain one in order to continue using a valid physical ID card.
Citizens aged 16 and over will apply at a “recognised enrollment point”, which under the draft regulations includes Home Affairs offices, South African overseas missions, ports of entry, branches or premises of recognized trusted institutions and mobile enrollment units deployed by the department.
Standard personal enrollment will include documentary verification, cross-referencing against population registers, biometric deduplication, capturing of facial biometrics and fingerprints, liveness detection, verification of mobile number and e-mail address, proof of residential address, “device binding” – linking credentials to a specific phone through cryptographic means – and an automated fraud detection assessment.
proof of identity
Once issued, the digital credential can be presented for proof of identity through near-field communication, Bluetooth, QR code or “such other secure presentation means as the Director General may prescribe”.
Its validity will be five years and can be renewed through facial biometric verification through the MyMjansi app, which will notify holders 90 days before expiry. The credential will expire if the holder has not undergone personal enrollment or personal verification at a recognized trusted entity in the last 10 years.
Reading: South Africa's digital ID gets a targeted launch date
The draft requires digital credentials to be cryptographically signed and proposes the use of “asymmetric cryptography”, including elliptic-curve methods. The biometric template will be stored in encrypted form in the population register.
Standard personal enrollment will be free at home affairs offices and at “no additional cost over and above the prescribed identity document fee” at accredited private sector enrollment points. The Director General must ensure that such nomination is available in every municipality “as soon as may be after the commencement of these regulations”.
The most consequential element of the draft is the governance around so-called trusted entities – a defined class of organizations that can enroll citizens, verify identities in real time against population registers, and in some cases receive automatic updates of personal information.
The draft rules define a trusted entity as a person or organization under a “direct and primary statutory obligation” to verify identities for purposes including anti-money laundering and counter-terrorist-financing compliance, controlling access to electronic communications networks, administering social benefits, issuing licenses and permits, administering taxes, or law enforcement.
Banks, telecommunications operators, the South African Revenue Service and the South African Police Service will all fall within the scope of the definition of relevant statutory functions, subject to validation by the Director-General.
A notable provision in the draft is Regulation 38A, which will allow the Director-General to record a “verified relationship” in the population register between a recognized trusted entity and an individual whose identity has been personally verified – and then send updated notifications to that entity “in near real time” whenever the relevant details in the register change.
In practice, this would mean that a citizen's bank or mobile operator could be informed automatically about a change in address or contact-details, without the citizen needing to inform each separately. The rules limit such information to details that have actually changed, and only in relation to the categories the entity is authorized to keep under its data sharing agreement. The Personal Information Protection Act will prevail over the rules in any conflict.
clear boundaries
The draft imposes clear limits on the access of law enforcement and security agencies. Regulation 32(4) states that nothing in the regulations authorizes the production of population register information “to any law-enforcement or security body in accordance with applicable law that allows such access, including any requirement of that law for judicial authorisation, warrant or court order”.
Trusted entities would be barred from using identity information for “data commercialization, open-ended intelligence gathering, profiling or generalized searching”, and would be required to demonstrate that each access is “necessary and proportionate” for a specific statutory function. Audit logs of access to the population register must be maintained for at least seven years.
Reading: Estonian digital ID text for South Africa
Offenses under the rules – which include enrolling under a false identity, presenting the credentials of another person, tampering with credentials, attempting to avoid vital activity detection or misusing population register data – will be punishable by a fine or imprisonment of up to two years.
The draft also requires that the system be “implemented in a way that does not unfairly exclude people who do not have appropriate mobile devices, do not have reliable Internet access or are otherwise unable to use digital services without assistance”.
“The draft rules propose the creation of a world-class digital identity system as the ultimate expression of our vision to leverage digital transformation to bring home affairs closer to home,” Schreiber said in a statement Tuesday. He said the department is working with the President to support the goal of digitalizing government services.
The new rules will come into force on a date to be determined by the Minister. Written submissions on the draft should be submitted to the Chief Director of Legal Services at Home Affairs by 6 June 2026. – © 2026 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.