Thanks to Facebook’s Cambridge Analytica fiasco and the endless barrage of GDPR emails over the past few weeks, data protection and privacy are items on the conversation menu now. The people are curious, companies are spending tons of money and stakeholders are consuming all the information they can.
For a nation of 180+ million people, the lack of robust data management infrastructure of any kind means parallel data collection is common and individual government institution systems do not talk to each other. And that belies a common theme in Nigeria’s data landscape: a litany of information silos.
Different government bodies collect the same data over and over. Same with the banks, telcos, insurance companies and startups. Gbenga Sesan, Executive Director of Paradigm Initiative Nigeria (PIN), writing for the Web Foundation in 2017, said, “Unfortunately, the conversation around the need to harmonize such sensitive data remains just that — a conversation.”
Are there systems that protect consumer data/privacy?
There are no laws or policies specifically (and wholistically) dedicated to data and privacy protection in Nigeria. Another angle to what Gbenga was trying to say is that despite the extensive (and repetitive) data sets scattered across file cabinets, government servers and local devices, there are no protections for these massive troves of data.
Also, data protection is not part of design thinking at the government level so government websites are routinely hacked and citizen data is stolen. Isa Ali Pantami, DG of the Nigerian Information Technology Development Agency (NITDA) said recently, “A total of 585 government-owned websites were among the 2,175 Nigeria websites hacked in 2015.”
There certainly is no way for consumers to control what data is being collected on them, what is being done with that data and there is no clear path for reprieve if that data is abused either. There are also no protections against data breaches and entities that collect and/or store data are not held accountable for the use (or misuse) of these data.
What options are in place to protect consumer data?
Current data protection provisions in Nigeria at the moment are vertical in that they exist in certain sectors and only apply to portions of the data-collecting pie. One good example is the NCC’s Consumer Code of Practice Regulations 2007 which prescribes directives for how telecommunication companies handle customer data. It is however industry-specific and does not apply to startups outside of the communications industry.
Other similar guidelines are the NITDA Data Protection Guidelines 2017 (pdf) and Nigerian Communications Commission RTS Regulation 2011 (pdf).
What rights do consumers have over their data?
Section 37 of the Nigerian constitution does say, “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected,” but the reality is quite different.
Consumers really have no control over any aspect of the data value chain. Various data sets are put up for sale all the time, if you know where to look, and they can include sensitive details like email addresses and phone numbers.
Other times, these data are just mishandled. For example, in 2016 the Independent National Electoral Commission (INEC) gave out sensitive voter data to a third-party – data it is charged with protecting.
There is no telling how much data was stolen or the attendant effects of these breaches and consumers are neither informed of these breaches nor can they seek redress in a clear, defined manner.
Nigeria’s best foot forward at the moment, in terms of data protection, will be the Digital Rights and Freedom Bill (pdf) which has been passed by the house and awaiting presidential assent. If that bill gets enacted into law, it will offer a better protective shell around data handling, collection and use in Nigeria. Then we can start to look at more comprehensive coverage in the likeness of Europe’s recently activated GDPR.