Nigerians routinely supply personal data to so many government and private organisations and these personal data, some of them sensitive, are held separately on many databases belonging to these organisations. They include NIMC (National ID card), INEC (Voters card), network providers (SIM registration), FRSC (Drivers license), Bank Verification Number (BVN), hospitals, schools, insurance firms, and many more.
These data sometimes get leaked, stolen, lost or sold, and used against the owner through criminal and unauthorized actions; but the multiplicity of the data platforms makes it difficult to hold any agency responsible for the breach
At a two-day conference on Personal Data protection in Nigeria held Monday and Tuesday in Ibadan, experts and internet stakeholders dissected the issues which include:
- The need for a Data Protection law in Nigeria
- The urgent need to harmonise data collecting agencies and efforts of government agencies, in order to produce just one database.
- A call to Nigerians to be careful with the amount and kind of personal information they divulge on social media and the internet as a whole.
The conference was held at the International Institute of Tropical Agriculture (IITA). It was hosted by the Ibadan School of Government and Public Policy (ISGPP), as a member of the African Academic Network on Internet Policy, a network that includes the World Wide Web Foundation, Paradigm Initiative, data protection experts from South Africa, Kenya, Ghana, Uganda and other African countries, with support from Google.
No Personal Data Protection law in Nigeria
The first point of agreement is that even though the Nigerian Constitution guarantees privacy as a fundamental human right, there is no comprehensive data protection legislation.
Section 37 of the Constitution provides that: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”. There is also hodgepodge of other industry (or situational specific) frameworks such as the National Health Act applicable to health records, the Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations applicable to the communications sector and the BVN policy applicable within the financial services sector.
But according to Barrister Chukwuyere Izuogu, who presented a commissioned research on Data Protection, these regulatory frameworks are consistent with the data protection principle of lawful processing of personal data but most of them “do not clearly define the level of protection afforded to the personal data collected, state the data controller’s accountability obligation(s) or contain any other data protection principle as is the norm in the data protection legislation of other countries”.
Izuogu recommended that legislative, exexutive, judicial and social measures be taken to achieve the enactment of a Data Protection law, harmonisation of all data being collected by various agencies so that Nigerians would register once and for civil society organisations and concerned Nigerians to push for the data protection framework.
At a press conference on the sidelines of the conference, Mrs Tope Ogundipo, the director of programmes, Paradigm Initiative, stressed that the issue of data protection should be seen first as a human rights issue before it is seen as an economic one.
According to her, Nigerians should ask questions on how the barrage of data they provide to agencies are kept and used. She said that internet users should not leave the advocacy to CSOs but join in calling for their rights to be protected in the way and manner their personal data is taken, stored, managed and used.
African countries are dangerously duplicating and manhandling data instead of harmonising
The calls for harmonisation of data reverberated across the conference room. At the press conference, Godfred Frempong (PhD) CSIR Science and Technology and Research Institute, Ghana, regretted that the case of duplicity of data collection was not peculiar to Nigeria. He lamented that even though Ghana had a Data Protection law, so many organisations were collecting data and storing data, thereby weakening the whole essence of the law.
Barbara Imaryo, during a panel session, recalled how improper data handling, a product of lack of well thought out data protection and management framework,, led to a serious data privacy breach in her home country, Uganda. She narrated that during the last general elections, the electoral commission decided to use data collected by the National Identity Commission, to execute the elections. But while attempting to publish details needed for voting, the electoral commission ended up publishing sensitive personal data of people.
Online data, a double-edged sword
Mrs Nnenna Nwakanma, Senior Policy Manager, World Wide Web Foundation, warned that users should understand that while data is a huge asset for the modern economy, it could also hurt if not properly handled, both by the data handlers and data providers. She stated that while the fight for data protection could help with protection of personal details supplied within the country, users have very limited control over the information they supply on websites and social media sites.
She frowned at posting of very personal details on social media sites as they could be used by criminals. According to her, “the internet has a very strong memory. Whatever you post, even if deleted, cannot be retrieved”. She however pointed out that the positives of the internet far outweighs the negatives.
The next move on the road a data protected Nigeria
Dr Tunji Olaopa, Executive Vice-Chairman of ISGPP, at the press conference said that with the success recorded in the conference, the next step for the network would be to involve more critical stakeholders in further discourse and create platform for formal engagement and training of people and designing knowledge packs.
He stated that the African countries have been weak on data policy, hence the current Africa-wide initiative on the subject, to see a continental approach to the desired policy.