In the past weeks, there has been a flurry of reports about the commercialization of personal data by some websites in Nigeria. Five of the websites alleged to be involved in this illegal practice have been flagged by the National Identity Management Commission (NIMC) including Anyverify.com, a site accused by digital rights advocacy organization Paradigm Initiative of selling sensitive data, including those of some well-known Nigerian government officials, for an amount as low as 100 Naira (US$0.062).

In the face of these reports, the NIMC has come out strongly to absolve itself of any possible blame. Through a number of press statements and interviews, the digital identity authority says it has not issued any licenses to any of these data-harvesting websites to collect, verify or manage personal data.

While some concerned Nigerians have rightly or wrongly accused the NIMC of being lax in its data management approach which has given room for these websites to sell personal data, the government agency insists the national identity registry under its custody has not been breached or violated and that it is implementing firm security measures.

In a recent interview with Arise News, the head of corporate communications at NIMC, Kayode Adegoke, denied allegations that personal data of Nigerians was being sold on a website for N100. Kayode said Paradigm Initiative was peddling a “false narrative” about the situation, insisting that the NIMC data repository has never at any point been compromised.

The ID authority says while further investigations are ongoing, it is also working with the relevant security and law enforcement institutions to make sure that all those involved in data theft are prosecuted in line with the regulations in force.

But while these efforts to protect personal data in Nigeria, as explained by the NIMC, continue, a Paradigm Initiative senior official and a Nigerian digital rights and data protection lawyer say the ID authority has a mammoth hurdle to surmount if it must prevent future occurrences of data leaks.

Khadijah El-Usman, senior programme officer for Anglophone West Africa at Paradigm Initiative, tells Biometric Update in an interview that in the face of this situation, there is a lot more that the government agencies responsible for identity management can do to better deal with these incidents of data harvesting and commercialization.

“Is the government doing enough? The answer is no. When it comes to the national identity number (NIN), the people with the sole responsibility to handle this are the National Identity Management Commission (NIMC). They called on Nigerians to come out en masse to register biometric information, promising that this was going to make life somehow easier,” says El-Usman who’s also a Barrister-at-law and digital rights advocate.

“Nigerians have come out to register for the NIN in trust, and the role of the NIMC at this point is to secure this data and make sure that they reduce any and every form of vulnerability that might come up on Nigerians. They have failed to do so.”

El-Usman says that while it will be great to advise Nigerians to do better when it comes to the security of their data, “there is not much anybody can do when the source is faulty.”

Because these data incidents are becoming rampant, the Paradigm Initiative official holds that there is need for stricter controls on websites that provide KYC services for individuals.

“Such a website needs to be able to verify that you are from a company, that you are using it for a certain purpose. They need to verify that the information you are collecting from someone else has been consented to by the person,” she says.

“For instance, if it is to open a bank account, you should be able to show that the customer has signed a particular form that allows you to verify their information, for verification sake only. This website AnyVerify allows anybody to verify anyone else’s information just for money. That makes people vulnerable.”

Data protection, digital ID and the digital economy

To El-Usman, data protection is at the very foundation of not only a trusted digital identity system, but also vital for a strong digital economy. To demonstrate the danger of the recent data leaks, she uses an analogy of a passport holder who normally has to show their passport details to authorities only when it is necessary at a port of entry.

“But imagine a situation where your international passport was put on a billboard in a car park. It’s possible that anyone around that car park could collect and use your personal information for whatever they want. Maybe, they look at your photo and say, this person looks like a rich man and then they use the address on there to rob or target you,”

“Or maybe, in seeing your date of birth on that passport, they are able to guess your password and then make sure that you are hacked. This brings me to this point.”

“For online trade (which adds up to the growth of the digital economy) to flourish, people must have a sense of digital security and this comes with the assurance that their personal data is safe and secure,” she posits.

“If people do not feel secure, then it stops them from transacting businesses online, and this includes major businesses as well. From the social media companies to oil companies, everybody is operating online. If we do not feel like we can have safe and secure transactions all the time and that our information cannot be kept safe and secure, then this is likely to drive away investors or the big guns in the economy.”

She adds: “We cannot possibly get better as a nation when it comes to technology in all its sense if we cannot start from the basics of data protection. And 95 percent of data breaches come from a human factor. If you leave just the machines then everything else is secure. So, this is something we have to do by ourselves to ensure that everything is secure.”

Other than data protection, El-Usman says legal identity has now become an issue of human rights, just like digital identity is becoming indispensable.

“Everybody must have an identity. We cannot live in a world where some people literally do not have access to any social services because they do not have an identity. Yes, to have an identity is a right, and to have an identity in the digital space is a right that people can have as well.”

“When we deny people these rights, we are essentially leaving people in the dark and if people do not feel like their data is protected, if it doesn’t come out in a controlled environment with their consent, and collecting as little data as possible, then it puts the digital economy and everything it stands for at great risk.”

Data governance future in Africa is not all bleak

Despite the problems with data management in Nigeria and elsewhere around Africa, El-Usman believes data governance is evolving and the future appears bright.

“I think that a lot of countries in Africa are truly beginning to see the importance of data governance. You would find that more and more countries in Africa are not just establishing data protection laws, but also establishing data protection authorities that are independent from government in order for them to undertake their duties.”

“We have data protection authorities in counties like Ghana, who have had their own data protection law since 2012. We have also seen data protection authorities in countries like Kenya who just celebrated five years of the existence of their data protection law. And there’s more awareness by African countries when it comes to data protection.”

As individual countries are making efforts to improve data governance by designing the appropriate frameworks and legislations, so are efforts also being made by regional bodies, she mentions.

“We’ve also seen that the regional bodies are leading when it comes to these efforts. ECOWAS has issued their own data protection directive, and you can find the directive with the AU as well. So, we’ve seen that there is direction, there is political will and this is a situation that is definitely going to get better over the years.”

“While there are still a lot of countries that do not have data protection laws or authorities, it’s also still evolving and getting better. So, my prediction is that we’ll definitely get to a point where every single country in Africa has one.”

NIMC must take responsibility

Sharing his thoughts on the data breach developments, Nigerian digital rights lawyer and data protection advocate, Solomon Okedara, tells Biometric Update in emailed comments he is not surprised with the recent reports because “we have lived with violation of citizens’ rights for as long as our nation has been in existence.”

Notwithstanding, he advises institutions, like the MIMC in this case, to always stand up to their responsibilities when “unfortunate developments” arise.

“I would have been pleasantly surprised if the NIMC had taken responsibility for the breach. The truth here is that most public institutions in this country do not take responsibilities for their failures and negligence, and this attitude stems from lack of understanding of what responsibility is all about,” says Okedara.

“Taking responsibility for your failure or negligence does not mean you are a failure as an institution. If anything, it engenders trust and trust is at the core of building a sustainable national identity system.”

To buttress his point, Okedara alludes to a previous case brought against the NIMC by Paradigm Initiative when the use of a USSD code released by the ID authority was allowing access to other citizens’ National Identification Number (NIN).

“Even though the matter was considered academic as the Nigeria Data Protection Regulation became issued during the pendency of the suit, the court urged NIMC to do more in the area of security to protect the privacy of citizens’ personal data. The court further stressed that it is not enough to have lofty policies, but there must be laws and parameters to ensure adequate implementation of the policies,” says Okedara.

For data breaches to be curbed, the advocate believes, among other things, that data controllers must conduct themselves in a responsible and legally-binding manner as outlined in the extant provisions of the Nigeria Personal Data Protection Act 2023 enacted in June last year, and must be cognizant of the fact that they occupy a very sensitive role.

“Some crimes were only possible because those criminals had unauthorized access to personal data of their victims, ranging from mobile phone numbers, email addresses, house addresses or even their Bank Verification Number (BVN) or the National Identity Number,” he notes.

He also mentions the need to have in place privacy-enhancing technologies commensurate to the size and sensitivity of personal data they process, and conduct regular Data Protection Impact Assessment (DPIA) drives for their data-processing activities which will show vulnerabilities in their system and guide them on how to mitigate or manage risks related to personal data.

“It is important for the regulator also to be firm in instances of breach, particularly when it involves public data controllers. The issue is that when the regulator takes firm stance against a public data controller, the private data controllers will wake up and smell the coffee,” Okedara proposes.

“However, if the only thing the public will get from the regulator when an allegation of breach of privacy and right to personal data is made against a public data controller, is an announcement of commencement of investigation and nothing more (as it has always been), the regulator will not be taken seriously and the rights guaranteed in our laws will not be worth more than the value of their ink.”

Article Topics

Africa  |  biometrics  |  data protection  |  digital ID  |  identity management  |  National Identity Management Commission (NIMC)  |  National Identity Number (NIN)  |  Nigeria  |  Paradigm Initiative