A number of agencies and institutions have collected, gathered, stored and or used personal information of Nigerians over the years. The information gathered have either been statutorily compelled (registration of telephone subscribers); obtained in the process of procuring an identity document (National Identity Card/International Passport); volunteered whilst accessing a service (e-commerce transactions/BVN); in the exercise of a privilege or a right (voters card, LASRRA); or through a combination of some or all of the above. It is highly probable that the information so obtained have been stored without appropriate technical safeguards and probably used for some other objectives different from that for which it was provided, without the knowledge or consent of the data provider, clearly illustrating the inadequate legal, administrative or technical protection against accidental, improper, or unauthorized access, disclosure, alteration, use or loss.
Some of the agencies and institutions that collect and store personal information in Nigeria include but are not limited to – the National Identity Management Commission (NIMC), Nigerian Communications Commission (NCC), Central Bank of Nigeria (CBN) and Financial Institutions – Bank Verification Number (BVN), The Nigerian Immigration Service (NIS),Independent National Electoral Commission(INEC), Federal Road Safety Corps (FRSC), the Lagos State Residents Registration Agency (LASRRA), Motor Vehicle Administration Agency, Nigeria Population Commission, Federal Inland Revenue Service and State Inland Revenue Services. Furthermore, because the information gathering efforts of these agencies are specifically targeted at the collection of information, the laws establishing them do not make provisions for data protection or where there are any such provisions; they are grossly inadequate to guarantee against the unlawful and unauthorized access and or the misuse of such data
Clearly the multiplicity of these data collection agencies is unnecessary, a drain and an inefficient use of already stretched government resources. This is why the government recently set up a harmonization programme with a fourteen months target for the harmonization and integration of all databases operated by all government departments and agencies into the National Identity Database under the management of the NIMC.
In Nigeria, there is currently no detailed, specific or comprehensive law on data protection and privacy. In some cases there are industry, sector or agency specific attempts to address data protection issues with such sector specific laws/regulations/guidelines compelling the provision of the personal information offering some sort of protection to the information provider. However, these provisions are often insufficient and inadequate in protecting against the potential losses or damage that may be suffered by the providers of such information in cases of compromise, unauthorized access, misuse, loss or disclosure.
Internationally, eight core data protection and privacy principles have evolved over the years in respect of the processing of personal information and several countries have adopted these principles in their data protection laws. In Nigeria these internationally accepted principles and best practice for data protection have been incorporated into the NITDA Guidelines, the NCC’s General Consumer Code of Practice and the Telephone Subscribers Regulation. The principles provide that personal data must be- processed fairly and lawfully; processed only for limited and identified purpose; relevant and not excessive; accurate; kept for no longer than is necessary; processed in accordance with the rights of data subjects; protected against improper and accidental disclosure; not be transferred outside Nigeria unless adequate provisions are in place for its protection or with the prior written consent of the NCC.
The usual tools for compelling compliance in most jurisdictions are notices, fines, penalties and criminal prosecution for breaches and violations. However in Nigeria, persons whose rights have been violated may commence civil suits for redress. They would however have to rely on the standard rules for establishing claims in civil proceedings as there are no statutory rights of recovery for damages or compensatory provisions in Nigeria for data protection and privacy breaches.
The need for the enactment of a specific and comprehensive legal framework for the collection, storage, protection and use of personal data in Nigeria has become increasingly important and urgent due to the risks associated with the likely improper or unauthorized access, disclosure, alteration or loss of such collected personal data both to the individual, businesses and national security interests.
Clearly tenuous protection is afforded personal information or personally identifiable data by guidelines and regulations but no specific legislation in Nigeria. The eight core principles of data protection and privacy that have developed overtime and internationally accepted should form the fundamental pillarsfor a substantive law on data protection and privacy law in Nigeria. Nigeria will not be reinventing the wheel in this respect as there are well articulated, detailed comprehensive laws applicable in several countries like the United Kingdom, USA, Canada, the European Union and South Africa.
ROTIMI AKAPO
