Why data management protection law is needed
Despite the huge amount of data generated through the electronic systems in the ICT and Telecoms sectors (including the financial sector), an alarm has been raised over inadequate legal safeguards and framework to protect customers from unauthorized use of personal information, web attacks, identity theft, loss of information or fraudulent use of same, writes Tony Nwakaegho.
But speaking in an exclusive interview, Barrister Emmanuel Edet, Head Legal Services and Board Matter Unit, Nigerian Information Technology Development Agency, (NITDA), told The Daily Times at the NiRA Media Academy College in Lagos, that Nigeria does not have data management protection law.
Edet said, “FIRS is collecting your data, banks and telcos also collect your data. What do they even do with it? Even those gadgets they used for finger prints were sold as second hand and nobody has raised that issue.”
He said,“I believe that we have never, ever enacted data protection law because we did not realize the value of data. However, with the advent of Internet and Internet governance, data is actually the value of trade in an online environment. People can just use your data and do all kind of things because your data is a representation of your person.”
He said,“So, if somebody have, let’s say your ATM card, the machine will not know whether you are the one using it or not. As long as the person has the right data that is associated with you, he can use the data to do whatever he likes.
“I think, it is about time we enact a data privacy law and then try as much as possible to make sure that all the data that we have gathered is being regulated by whoever is the data holder and at the same time also ensure that the multiple point of collection of data is actually eliminated by creating an interoperability framework that will help in harmonizing all the data that is collected.”
According to him,“Who do you prefer to handle our data, government or private company; of course,it is the government, but when it comes to data, but do you Google more data on you than your government? Yahoo has more data on you than your government. So, why are we not trying to protect our data?”
He said,“We don’t want to protect our data because they offer us free services. But your data is what they are using to offer you services. With the introduction of artificial intelligence in the world, I can guarantee you that in the near future; you will not have anything to hide as long as you are on the Internet.”
Daily Times gathered that the European Union’s Data Protection Directive, the Directive on Privacy and Electronic Communications (2002/58/EC) and the United Kingdom’s Data Protection Act 1998, are the legislation that forms a model after which many countries of the world have fashioned their data protection laws.
The UK Data Protection Act, (which contains similar provisions as the European Union’s Data Protection Directive and the Directive on Privacy and Electronic Communications ),defines ‘Personal Data’ as, “Data that relates to a living individual who can be identified from such data, or and other information, which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
The only legislation that provides for the protection of the privacy of Nigerian citizens in general terms is the Constitution of the Federal Republic of Nigeria (as amended), and Section 37 of the Constitution provides that: “The privacy of citizens, their houses, correspondence, telephone conversations and telegraphic communication is hereby guaranteed and protected”.
There are also some industry specific legislations and/or regulations of general application that deal with some aspects of data protection. One such industry-specific regulation is the Consumer Code of Practice Regulations 2007, issued by the Nigerian Communications Commission (NCC).
The Regulations provide that all licensees (i.e. the telecoms operators) must take reasonable steps to protect customer’s information against “improper or accidental disclosure” and must ensure that such information is securely stored.
It also provides that customer’s information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.
In order to protect the data of subscribers of telephone services in Nigeria, the NCC revised and amended the SIM Card Registration Regulation 2010. The amended regulation was cited as, “Regulation of Telephone Subscribers Regulation (RTS Regulation) 2011.
It represented a wider perspective and afforded some protection of the data collected, collated, retained and managed by the telecommunication companies and independent agents in respect of their obligations to collate and retain data of subscribers under the regulations.
It will be recalled that in 2013, the National Information Technology Development Agency (NITDA) published Draft Guidelines on Data Protection (the Guidelines). The Guidelines were the first attempt in Nigeria at establishing a data protection framework of general application.
Since that publication, however, there has been no indication that the Guidelines have been fully adopted. Finding indicated that the draft guidelines are not more than it claims to be “draft guidelines” with little or nothing to show legislative authority.
Other attempts to legislate was the passage of the Electronic Transaction Bill in 2015 by the 7th National Assembly, which though contains data protection provisions of general application, falls far short of acceptable minimum standards and does not offer comprehensive data protection when compared with the United Kingdom Data Protection Act, 1998 (DPA) and the Protection of Personal Information Act (POPI’) enacted by the Republic of South Africa in 2013.
The significance of robust data protection legislation cannot be underrated, as it would bring about transparency and accountability in the way and manner the industry operators deal with individual’s sensitive data.
It will be expedient that the policy makers and industry operators identify this need and work in tandem to propose a brand new Draft Bill on Data Protection to the National Assembly that will be passed as data privacy management law.
