The National Commissioner and Chief Executive Officer, Nigeria Data Protection Commission (NDPC), Dr. Vincent Olatunji, took on industry issues with the media recently. Tracy Yekaghe, IT Edge News.Africa, monitored this interaction with the privacy ombudsman.
You are now the National Data Protection Commission by an Act of Parliament. What will be your first three primary tasks in the weeks ahead?
When you have a law that has been approved, it is important to ask what would be the next steps. From all perspectives, we believe that the data protection and privacy ecosystem is still a virgin in Nigeria so there are so many things for us to do to ensure that people know more about this subject to understand what their rights are, when they are being asked one question or the other in terms of collecting their data. It’s also important that the data controllers and processors too must know the obligations to data subjects because the issue of accountability is really key and that is what we are talking about here, on the part of the data controllers approach.
So the key areas that we are going to focus on include:
- Awareness: It is not enough to just have a law and people don’t even know what you have there and for data subjects to know their rights, data controllers and processors should know their obligations to their subjects so awareness is key. We intend to cover all the subjects. Even those in the villages need to understand what we are talking about when it comes to data protection.
- Capacity Building: I am sure you must have heard severally that this is an ecosystem that will create jobs; that will make us globally competitive and it is really important to say; we want to be globally competitive to have competent professionals who will participate in building this ecosystem. These are part of what we have in the law that each data processor and controller must have a data protection officer who oversees their data protection activities. Now in Nigeria, there is a shortage of data protection officers and you are saying that over 500,000 organisations should have DPOs. How do you solve that challenge? So capacity building through the building of a pool of global publicity data professional experts is the second and we have put measures in place to ensure that it is done.
- Break down the law into implementable frameworks: Every part and section of the law would be broken down into specific activities for people to fully understand what we intend to do going forward with the law that Mr. President has graciously signed.
The CBN has mandated banks to include social media handles among the information they take as part of the Know Your Customers requirement. Is that not against the provision of the Act?
It is not proper because you need the consent of the data subjects who in this case are the banks’ customers. Did they seek their consent before issuing such an order? There is what is referred to as data minimisation which is part of the principles of data processing and data protection. Now you are asking for social media handles of the customers of these banks whereas you already have their names, international passports, driver’s licenses, home addresses already submitted to the banks and a lot of people now have their email addresses also submitted to the banks. I think all these instruments should be enough to know their customer very well. But if it has to be done, definitely there are some controls, some safeguards that must be put in place, because even the banks are at high risk where they collect such data because anybody can just make use of the data in a malicious manner without the consent of the data subjects. The instruments that they already have should be enough for banks to know their customers.
If it is for security purposes, there are provisions in the law and guidelines that you have to follow for you to be able to do that. And you need to adequately inform the data subjects.
We have written to CBN on this. The most important thing is to meaningfully engage them and let them know the challenges that may come up with this kind of regulation that has been issued.
In summary, the discussion revolves around the principles that govern the collection of additional data; the need for legitimate purposes and informed consent, and the importance of engaging with the CBN to address the challenges associated with the issued regulation.
What is the status of investigations on organisations with alleged issues of data breach?
Investigation takes a very long process because we have to be both thorough and detailed to get our facts right. I keep telling my people, the model is not about sanction but all about doing the right thing. Encouraging data controllers to do the right thing, to let them understand the level of accountability they owe data subjects because they owe them that duty of care to ensure that their data is protected.
We have investigated about seven to eight banks and concluded three. Two have paid their regulation fee. When you pay your regulation fee, we take you through compliance and monitor you for six months so that you are properly in tune with the provisions of the law and while two banks have paid, one is still making the arrangement to pay. But there are some that their investigations are still on-going like Fidelity Bank, Guaranty Trust Bank, Unity Bank including other organisations like Leadway Insurance, Babcock University and some others.
There are other digital companies we are investigating but I think that the most prominent among them, we just concluded their case and we told them the penalties for the various breaches that occurred within their platforms. The investigation is on-going for some others.
Does the NDPC not run the risk of being seen as a punitive commission?
Like I said before, it is all about compliance and not fines since the most important thing is to create a culture of compliance in the area of data protection by default. We believe that by the time all of us are aware of what our rights are as well as the implications attached, there will be a higher sense of compliance. So it is not all about fines which is why even after you have paid your regulation fee, we still monitor you for six months to ensure you have done the right thing.
But you will agree with me that a major challenge for data protection authorities across the globe is funding. Currently in Nigeria, government is not willing to spend money on new organisations. They are trying to see how they can operate a very lean staff in the public sector. So the model we adopted is for DPCOs who would pay their licencing fees and organisations filing their annual report will pay a token for their annual filing, and from that we believe that we would get some money to run the Commission.
How are you planning to achieve the target for about 500,000 data protection officers (DPOs)?
We have already discussed with our data protection compliance organisations (DPCOs) because it is not something that government alone can do. Private sector will also drive this. What we need to do is to coordinate them and have a national certification body that after being trained by different training outfits, we are going to have the curriculum which would be circulated to the training outfits after which they will now write the national certification exams. And what we are trying to do is to build a pool of globally competitive data protection experts. The law says organisations must have their registered data protection officers (DPOs), meaning they must have resident data protection officers. Thus far we have licensed 160 DPCOs. These are the organisations that will help train and monitor DPOs after writing their national exams. We are going to have a national database of all the DPOs and those who may want to engage them. We will work with the DPCOs and the national certification body for the training. Our target from what we have in our roadmap is to do 50,000 per annum on our own. Capacity building is very key and we are trying to see how we can reach that figure of 500,000.
How can services of DPCOs be accessed?
The DPCOs are licensed by us. When we started, we started with 15 to 27 to 160, despite the fact that we revoked about 19 licenses due to non-performance. We have a standard you must follow with guidelines. If your report is not up to standard or you submit what is not proper to us, we warn you; after that we can revoke your license. We are working closely with DPCOs to ensure that the services they offer to organisations in terms of compliance meet the approved standard. DPCOs offer about 17 different services to data controllers and processors. But for now the portal is closed because we wouldn’t want too many DPCOs to be in the ecosystem without really getting jobs to do. As demand increases, we will open up again for others to join.
Can the NDPC assert its true independence?
The independence of the commission is already guaranteed in the law. In whatever decision we take, we don’t need approval from anybody. But you know in our clime, if you don’t have a supervisory minister, how do you report to council?
For instance, we have a memo going to the Federal Executive Council; I don’t have a seat in council as a national commissioner so we have to go through the minister and that is why having a Minister of Communications and Digital Economy being able to supervise us in what we do in terms of policy and relevant areas is necessary. But when it comes to actual work, the independence of the commission is adequately guaranteed in law.