In Nigeria, privacy is a fundamental human right guaranteed by the Constitution. This promise of privacy, however, is still not backed by comprehensive data protection legislation — even as the government and private organisations routinely collect and process citizens’ personal data.
Our paper, presented today at a seminar on personal data protection and security hosted by the Ibadan School of Government and Public Policy (ISGPP), reviews the data collection practices, policies and regulations in place to govern the management of online and offline personal data in Nigeria. It offers policy recommendations for a new data protection framework, necessary to protect the data privacy of Nigerian citizens.
Existing regulatory frameworks that apply to data protection are drawn from the Nigerian Constitution, and specifically from the broadly phrased Section 37, which states that: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected” — as well as a hodgepodge of other industry frameworks.
These frameworks currently fall short of providing Nigerians with an adequate level of personal data protection. They do not clearly define the level of protection afforded to the personal data collected, nor do they clearly define how personal data should be handled.
At the launch of the study, Senior Policy Manager Nnenna Nwakanma said:
“Nigeria is the continent’s biggest digital economy. Its data protection policies and practices influence the whole of Africa. As the continent begins to scope its digital policies, the rest of the world is already moving forward. The EU’s Data Protection Policy, coming into effect next year, will affect how digital business is done in Europe. We must take action must now to put in place digital policies that ensure a secure web for everyone”
Key data privacy concerns
We uncovered five primary concerns around the collection and use of personal data:
- The use of personal data may be incompatible with the purpose for which it was collected.
- Individuals have no rights in relation to the collection, use, and storage of their personal information.
- Nigerians are not offered adequate opportunities to consent to, or opt out of, data collection.
- There is limited-to-no transparency in the processing of personal data and there is a lack of information available on how this personal data is used and stored, leading to greater risk of a personal data breach.
- Children are exposed to privacy risks online and often lack the legal capacity to give valid consent, and may unknowingly disclose personal information to online platforms due to the appealing nature of their visual content.
Ways to improve personal data protection
Given these findings, we recommend the National Assembly include the following elements in a data protection framework or bill.
- Use of personal data must be in accordance with the purpose for which it was collected.
- Consent of the individual must be obtained prior to collecting his/her personal data.
- Rights of the individual to seek legal remedies for misuse and/or unauthorised access to his/her personal data must be guaranteed.
The preliminary paper presented today will be followed by a full study to be published by the end of this year.