Data breaches and Nigerians’ right to privacy
Gaily dressed graduates of University of Ilorin were all smiles as they celebrated their achievements of bagging fresh degrees in October 2023.
For them, it was a great moment with families and friends all joining in the celebrations that signified a turning point in their lives.
That joy was, however, replaced with fear and anxiety when many of the graduates received an unexpected broadcast message from Sen. Saliu Mustapha who represents Kwara Central Senatorial District at the National Assembly.
The message, which congratulated the graduates, raised a crucial question: Where did Sen. Mustapha obtain the graduates’ data? And by whose authority?
“I received the message too and it was purely a congratulatory message. I wasn’t bothered initially, but later realised it is a breach of my data rights since I didn’t authorise the release of my school information to a third party,” Mohammed Yakubu, a graduate of Civil Engineering, fumed.
The unsolicited broadcast sparked up concerns about data privacy as it threw up a significant challenge on the fundamental rights of the Nigerian people.
The Ilorin data breach is not an isolated incident; it is just one of many such breaches in the Nigerian cyber space.
That such breaches are becoming so common raise questions about the protection of individuals’ personal information in Nigeria.
According to Surfshark, a cybersecurity firm, data breach incidences in Nigeria increased by 64 per cent in Q1 of 2023, recording 82,000 cases of data breaches in Q1 2023, up from 50,000 recorded in Q4 2022.
Experts observe that data breaches in Nigeria come in various forms, ranging from unauthorised access to personal information, to the unlawful use of individuals’ data without their consent.
These breaches, they observe, do not only violate the privacy of individuals, but also present a direct threat to their security and rights as enshrined in the Nigeria Data Protection Act 2023.
The Nigeria Data Protection Act, which came into force in June, according to data rights advocates, is designed to safeguard the privacy of individuals and regulate the processing of personal data.
The Act outlines the rights of individuals with regards to the collection, use, and sharing of their personal information, so the prevalence of data breaches highlights the urgent need for enhanced awareness and enforcement of these rights.
In the light of the data breach incident involving the unsolicited broadcast message to University of Ilorin graduates, experts in data protection and privacy have emphasised the significance of upholding individuals’ rights under the Nigeria Data Protection Act.
Dr. Ada Nwosu, a cybersecurity expert and advocate for data privacy, comments on the incident.
“The unauthorised use of individuals’ personal data, as demonstrated in the case of the unsolicited broadcast message to graduates, is a clear violation of their privacy and rights.
“It is essential for both public and private entities to adhere to the provisions of the Nigeria Data Protection Act to ensure that individuals’ personal information is adequately protected.”
Nwosu further stressed the importance of raising awareness about data protection rights among the Nigerian populace, urging government agencies, educational institutions and businesses to prioritise the implementation of robust data protection measures.
Mr Tunde Adeleke, a legal practitioner specialising in data privacy law, highlights the legal implications of data breaches and the enforcement of individuals’ rights under the Data Protection Act, which include fines and imprisonment.
“The unauthorised access to individuals’ personal data, as exemplified by the incident involving Sen. Mustapha’s unsolicited message, constitutes a breach of the Data Protection Act.
“Individuals have the right to control the use of their personal information and must be protected from unlawful access and exploitation of their data,” he stated.
Adeleke stressed the need for stringent enforcement of data protection laws and the imposition of penalties on entities found to be in breach of individuals’ privacy rights.
The legal practitioner described as critical, the role of regulatory bodies in overseeing compliance with the Data Protection Act and holding accountable, those responsible for data breaches.
Besides the unauthorised broadcast message incident, experts assert, as well, that the issue of data breach in Nigeria extends to the realm of SIM card registration.
The mandatory registration of SIM cards aimed at enhancing security and curbing criminal activities, they note, has raised concerns about the potential compromise of individuals’ privacy and personal data.
Mr Ibrahim Yusuf, a telecommunications industry analyst, sheds light on the challenges surrounding SIM card registration and data privacy.
“While SIM card registration serves the purpose of identity verification and security, the process has given rise to apprehensions regarding the protection of individuals’ personal information.
“There have been cases of unauthorised access to the database of registered SIM cards, raising questions about the effective protection of individuals’ data,” he said.
The telecom expert made a case for comprehensive measures that would ensure the security of SIM card registration data and prevent unauthorised use, or disclosure of, individuals’ personal information.
He underscored the importance of striking a balance between security considerations and the protection of individuals’ privacy rights within the framework of the Nigeria Data Protection Act.
Amidst the prevailing concerns over data breaches and privacy violations in Nigeria, experts believe public awareness and education is important so as to empower individuals to assert their rights under the Data Protection Act.
Dr. Amaka Okafor, a consumer rights activist, describes as imperative, education of the Nigerian populace about their data protection rights.
“Many individuals are unaware of their rights with regards to the collection and processing of their personal information.
“It is essential to embark on comprehensive public awareness campaigns to inform citizens about their rights under the Data Protection Act, and the steps they can take to safeguard their personal data,” she says.
Okafor also states that it is the responsibility of government agencies, educational institutions and civil society organisations to disseminate information about data protection rights so as to empower individuals to exercise greater control over their personal information.
According to her, there is a need for accessible resources and channels through which individuals can seek guidance and redress, iyn case of privacy violations or data breaches.
Like Okafor, many Nigerians believe that as the country navigates the complexities of data protection and privacy rights, policy makers, regulatory bodies, stakeholders and the public must build a robust framework that upholds fundamental rights.
They posit that the protection of personal data is not only a legal imperative, but also a fundamental aspect of ensuring trust, security and dignity for all Nigerians.
This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.
