We are currently in the Information Age, where the submission of personal identification information is the new price to be paid for access to basic essential services.
In recent times, citizens have been made to go through the National Identity Number registration, the BVN registration, SIM card registration and a number of other compulsory registrations, all of which have a data collection phase. In the process, a passport-size photograph, all ten fingerprints, a digital signature and other sensitive personal details are recorded. All captured data is then centrally stored in a database.
The undeniable truth is that the data collected is essential, but one can only imagine the havoc waiting to happen if it falls into the wrong hands. If mismanaged, this information can quite easily be used for identity theft, ultimately with dire consequences.
Therefore, the question that agitates the mind is: 'What remedy is available, and against whom, if my data is stolen or used for other purposes detrimental to me?' There is, sadly, no general Data Protection Act in Nigeria under which adequate remedy for breach of trust relating to personal data/information can be sought. Although there are laws providing for some loose form of protection of personal information in Nigeria, these laws are grossly insufficient.
The existing provisions are minuscule and they struggle to protect a rather limited scope of information. For example, the NCC Regulations require that all network providers take reasonable steps to safeguard users' information against improper or accidental disclosure, and ensure that information is securely stored. This is just some form of 'best practices' suggestion and does not carry the heavy weight of law. Similarly, the Child's Rights Act, in Sections 112, 142 and 205, provides that no information about children at foster homes, or information that would lead to the identification of a child offender, should be published.
This stands in contrast to the position in other jurisdictions, where concerted efforts at protecting personal and sensitive data are well established. The United States, Canada, China and the United Kingdom are good examples in this regard.
The United Kingdom has a single-statute approach. It implemented the EU Data Protection Directive pursuant to the Data Protection Act 1998. This is enforced through a dedicated Information Commissioner's Office ('ICO'). The same obtains in all EU countries. Additionally, the United Kingdom is set to adopt the General Data Protection Regulation ('GDPR') from May 2018. Notable provisions in the GDPR include Article 17, which provides that a person has the right to request erasure of personal data related to them on any one of a number of grounds. Article 25 requires that privacy settings for data collected must be set at a high level from the outset of a business.
Having examined the current position of the law in Nigeria as well as in other jurisdictions, it is recommended that a general Data Protection Act be enacted. The following provisions are of great importance to the effectiveness of the proposed Act:
- The proposed Act should apply to public and private organizations which have any form of access to personal data and information (e.g. hospitals, banks, schools, etc.).
- The proposed Act should establish an independent agency which would ensure compliance with the Act.
- It must create mandatory security measures for the protection of data and information.
- It should provide that data should not be processed for commercial purposes except with the express consent of subscribers.
- The proposed Act should also allow users to request that their data be erased when they stop using a data collector's service.
- The Act should also provide for remedies and reliefs for breach of privacy or wrongful use of data.
Beyond calling for a general Data Protection Act in Nigeria, this article also recommends that substantive control over data be given to the citizens who own the data, and not to the data collectors.