“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” – Section 37 of the Nigerian constitution.
Nigeria’s constitutional promise of data protection is far from being fulfilled.
This is especially true for transactions involving the transfer of personal data from individuals to governments and businesses. Despite the increasingly important role that data plays as the currency of the country’s emerging digital economy, Nigeria does not have a Data Privacy or Data Protection law.
Even though Nigeria lacks a robust data management infrastructure, several government agencies and sector regulators collect citizens’ private data with little respect for their rights. Not only is the same data collected by different agencies, citizens have little control over what is collected, how it is used and have no clear course of action should their data be abused.
The Nigerian Communications Commission, Independent National Electoral Commission, Nigerian Immigration Service, Central Bank of Nigeria, National Identity Management Commission, Federal Road Safety Corps, and other bodies routinely collect or oversee the collection of biometric and other data in their respective silos.
Unfortunately, the conversation around the need to harmonize such sensitive data remains just that — a conversation. Various legislative proposals that could protect people’s data are making little progress, exposing citizens to the real risk of data disasters.
Sensitive data including email addresses and phone numbers are frequently advertised for sale online. In one recent case, information of registered voters appeared online following a data breach. In an equally worrying example, sensitive health data processed by a bank on behalf of a hospital was made available online. In another case, laptops were sold still holding subscriber information that was captured during the SIM card registration process. In all of these breaches, the lack of a clear data protection law meant that those responsible for handling the data were not held accountable.
However, there is hope for better data control and protection in Nigeria. Various government agencies recently resumed discussions on duplicate data collection, control and use. In addition, a Data Protection Bill passed by the House of
Representatives is now being considered by the Senate. The Digital Rights and Freedom Bill, that has made good progress in the House of Representatives, also has a section on data and information privacy. Clearly, the problem we face is not lack of proposals but lack of follow-through.
The National Identity Management Commission, responsible for the management of citizen data, must work with other agencies and stakeholders to secure the appropriate legislative environment that Nigeria needs for personal data protection and privacy. Citizens, who are new to the concept of data ownership, need to be made aware of their rights — including the proposals that could soon become the law of the land.
Until a robust, enforceable law is in place, Nigerian citizens will continue to be denied the protections that their constitution grants them.