A number of agencies, institutions and entities have collected, gathered, stored and or used personal information of Nigerians over the years. The information gathered have either been statutorily compelled (registration of telephone subscribers); obtained in the process of procuring an identity document (National Identity Card/International Passport); volunteered whilst accessing a service (e-commerce transactions); in the exercise of a privilege or aright (voters card, LASRRA); or through a combination of all of the above. It is highly probable that the information so obtained by any of the above means have been stored without appropriate technical safeguards and probably used for some other objectives different from that for which it was provided without the knowledge or consent of the data provider, clearly illustrating the inadequate legal, administrative or technical protection against accidental, improper, or unauthorized access, disclosure, alteration, use or loss.
Some of the agencies and institutions that collect and store personal information in Nigeria include but are not limited to – the National Identity Management Commission (NIMC), Nigerian Communications Commission (NCC), Central Bank of Nigeria (CBN) and Financial Institutions – Bank Verification Number (BVN), The Nigerian Immigration Service (NIS), Independent National Electoral Commission(INEC), Federal Road Safety Corps (FRSC), the Lagos State Residents Registration Agency (LASRRA), Motor Vehicle Administration Agency, Nigeria Population Commission (NPC), Federal Inland Revenue Service (FIRS), State Inland Revenue Services . At one time or the other and for various reasons these agencies and institutions have collected processed and stored personal information of Nigerians.
In most instances and because the information gathering efforts are specifically targeted at the collection of information, the laws establishing these agencies, and or institutions do not make provisions for data protection or where there is any provision for such, they are grossly inadequate to guarantee against the unlawful and unauthorized access and or the misuse of such data.
Clearly the multiplicity of these data collection agencies is unnecessary, a drain and an inefficient use of already stretched government resources. This is why the Federal Government of Nigeria recently set up a harmonization programme with a fourteen (14) months target for the harmonization and integration of all databases operated by all government departments and agencies into the National Identity Database under the management of the NIMC.
This issue is further exacerbated with the advent of e-commerce transactions where personal information is provided on a daily basis. This information are stored, processed, analysed or mined by vendors and or financial institutions to determine purchasing patterns, trends, locations, e.t.c. all without certainty as to the security or safety against the corruption, compromise, unauthorized use and access by third parties or protection for the data providers.
In Nigeria, there is currently no detailed, specific or comprehensive law on data protection and privacy. In some cases there are industry, sector or agency specific attempts to address data protection issues with the sector specific laws/regulations/guidelines compelling the provision of the personal information also offering some sort of protection for the data collected. However, these provisions are often insufficient and inadequate in protecting against the potential losses or damage that may be suffered by the providers of such information in cases of compromise, unauthorized access, misuse, loss or disclosure.
A few of the provisions in Nigerian laws that have tangentially provided for data protection include-
- Section 37 of the 1999 Nigeria Constitution (as amended) which guarantees and protects the privacy of telephone conversations but appears to protect only Nigerian citizens.
- The Child’s Right Act No 26 of 2003 which provides that “every child is entitled to his privacy, family life, home, correspondence, telephone conversation and telegraphic communications”, subject to the exercise of reasonable supervision and control by parents or legal guardians.
- The Freedom of Information Act No 4 of 2011 which requires a public institution to deny any request for information that contains personal information.
- Cybercrime (Prohibition, Prevention etc) Act 2015 which provides that in providing information to law enforcement agencies, telecommunications companies are to have due regard to the privacy rights of the individual and shall take appropriate measures to safeguard the confidentiality of the data provided to law enforcement agencies.
- The General Consumer Code of Practice issued by the NCC as a schedule to the Consumer Code of Practice Regulations 2007 which recognizes and restates the internationally accepted general principles on data protection and privacy.
- The Draft Guidelines on Data Protection 2013 issued by National Information and Technology Development Agency (NITDA) which applies to data controllers in the public and private sectors and covers the processing of personal data and restates the eight internationally accepted data protection principles. The Guidelines cover all organizations that process the personal data of Nigerian citizens within and outside Nigeria and prescribe minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for such information.
- The Registration of Telephone Subscribers Regulation 2011 issued by NCC which requires providers of mobile telephone services to collect, store and transmit subscriber information to the Central Database managed by the NCC. Subscriber information retained by service providers are used in accordance with the provisions of the General Consumer Code of Practice for Telecommunications Services referred to above. The Central Database is to be administered in accordance with the latest standards issued from time to time by the International Organization for Standardization in relation to security and management of electronics and personal data and subscriber information is not to be transferred outside Nigeria without the prior written consent of the NCC.
Internationally, eight core data protection and privacy principles have evolved over the years in respect of the processing of personal information and several countries have adopted these principles in their laws. In Nigeria these internationally accepted principles and best practice for data protection have been incorporated into the NITDA Guidelines, the NCC’s General Consumer Code of Practice and the Registration of Telephone Subscribers Regulation 2011.
The principles as restated in these regulations, guidelines and code provide that processed personal data must be –
- processed fairly and lawfully;
- processed only for limited and identified purpose;
- adequate, relevant and not excessive;
- accurate and where necessary kept up to date;
- kept for no longer than is necessary;
- processed in accordance with the rights of data subjects;
- protected against improper and accidental disclosure;
- not be transferred to any third party or outside Nigeria unless adequate provisions are in place for its protection or with the prior written consent of the NCC.
The usual tools for compelling compliance in most jurisdictions are notices, fines, penalties and criminal prosecution for breaches and violations. These are the same enforcement tools adopted in Nigeria by the guidelines, regulations and codes discussed above. Persons whose rights have been violated may commence civil suits for redress. However, they would have to rely on the standard rules for establishing claims in civil proceedings as there are no statutory rights of recovery for damages or compensatory provisions in Nigeria for data protection and privacy breaches.
The need for the enactment of a specific and comprehensive legal framework for the collection, storage, protection and use of personal data in Nigeria has become increasingly important and urgent due to the risks associated with the likely improper or unauthorized access, disclosure, alteration or loss of such collected personal data both to the individual, businesses and national security interests.
Clearly tenuous protection is afforded personal information or personally identifiable data by guidelines, regulations and codes but no specific, detailed legislation. The eight (8) core principles of data protection and privacy that have developed overtime and internationally accepted should form the fundamental pillars for a substantive law on data protection and privacy law in Nigeria. Nigeria will not be re-inventing the wheel in this respect as there are well articulated, tested, detailed and comprehensive laws applicable in several countries like the United Kingdom, USA, Canada, European Union, India and South Africa.
As these data gathering agencies and institutions cut across several industries, sectors, jurisdictions and regulators in Nigeria as can be seen from our analysis above , there should be an independent statutory body to prescribe, monitor and enforce standards for the gathering, storage and retrieval of information in the custody of the various organizations both public and private. This would provide the required comfort to data providers that that their personal information will be protected and their privacy legally assured.