By Adanna Nnamani, Abuja

As more and more Nigerians are getting involved in activities in cyberspace and as the National Identity Management Commission’s database as well as other data controllers are growing, Dr. Vincent Olatunji has been saddled with the arduous task of supervising the activities of the Nigeria Data Protection Bureau (NDPB), which was recently created to safeguard the rights of citizens to data privacy, prevent manipulation of personal data, provide expert advice and awareness on data protection issues and handle complaints lodged against violations of the Nigeria Data Protection Regulation (NDPR) and the relevant national laws, among others.

Olatunji has a doctorate degree in geography and planning from the University of Lagos and an advanced diploma in computer studies. He is a Certified Public Private Partnership Specialist (IP3 Specialist) and a PECB Certified Data Protection Officer. He has worked for almost 30 years in the public sector, thereby acquiring practical proficiency and thorough understanding of government operations in Nigeria and other countries. Before his appointment as NDPB commissioner, he was the director of e-Government Development and Regulations at the National Information Technology Development Agency (NITDA).

In this interview, the commissioner spoke about the huge capacity deficit in the data privacy field, the need for a principal data privacy law, update on some of its investigations such as that of the case of Senator Ike Ekweremadu’s daughter, the level of data privacy compliance in the country, what the bureau is doing to curtail the activities of loan sharks as well as some milestones and challenges, among others.

According to Olatunji, NDPB is also mandated “to build capacity of Nigerians because there is a huge gap in this ecosystem. For this instance, in Nigeria, we have about 500,000 data controllers and data processors who need experts to work with them in terms of data protection officers, data analysts, security experts, legal experts. But when you talk of expertise in Nigeria, those of us playing in this sector are not up to 10,000. Whereas, there is a gap of about 490,000 jobs waiting and that is why we need to create awareness on the part of our citizens and build their capacity for them to be able to serve this market both here and the international community.

“And the good thing about it is that you don’t need to be an expert in any field. You can study anything and still be a professional in the data protection space.”

What Nigeria stands to lose by not having a data protection law

A lot. First is about our reputation as a country. Now we’re moving almost everything online. And the foundation to anything you do online is your digital identity. You must have an identity. You want to do transaction, you want to go on social media, you want to do sports. Anything. You have an identity. It may be your name, your telephone number, your IP address or anything. That identity that you carry speaks a lot about you and about your country. Whatever you are doing online, if you do not have a law that is protecting you, your reputation is at stake. There are some countries we regard as white-list countries. Mostly, these are countries that have their laws and supervisory legislations in place. And there are some things you need to put in place to qualify to get to that level. Now, the black-list countries are countries who do not have laws and supervisory authorities. So, why would any country want to do business with you, if you don’t belong to those white-list countries? If you do not have laws in place, nobody will want to do business with you.

Secondly, in terms of identity theft, in terms of security, when you are online, cybercrime, these are issues which are really important to any digital economy. But when you have a law in place, and you have a supervisory authority, there is guarantee. There is trust, there is confidence in whatever you are doing.

Factors responsible for delay in passing Data Privacy Act

I think the awareness was poor before, but between when we came in and now, we have created a lot of awareness. We engaged with a lot of stakeholders, the private sector and the public sector as well as other major stakeholders. The National Assembly, the ministries. The one that was struck by the National Assembly before, the major gap identified there was lack of proper awareness on the part of data stakeholders and data consumers.

Some gaps were identified as the major issues and that is why, when we started this process, we made sure that we engaged everybody. Business people, public sector directors, civil society organizations, to ensure we have a kind of holistic approach to it, whereby everybody is involved. That is why we had focus group discussions, a lot of workshops. After we held all these things, we sent it to the Attorney-General’s Office, so he has to approve before any law is passed. It has been sent to our minister, who is going to present it to the Federal Executive Council (FEC). After that, it is going to NASS. It is going there as executive bill now and when it goes there as executive bill, it is faster. So, our target is to get it passed before the end of this administration.

What Nigeria has lost to data breaches

I don’t have it now but what I can assure you is that there have been some cases of data breaches, which we have investigated. And we keep telling people that what is really important to us is compliance. Because of our reputation as a country, because of what our businesses have to gain or lose. So, we concentrate more on compliance.

We want compliance to become a culture in the country so that you don’t need to force them. You don’t need to fine them before they comply. To a large extent, I think that has really assisted us as the rate of compliance is now increasing, as compared to when we started.

Level of data privacy compliance in Nigeria and prosecutions

The compliance level in the private sector is higher than in the public sector. The last evaluation we did, it was 49 per cent in the private sector and 4 per cent in the public sector. And that is part of why we started our awareness with the public sector to encourage them to comply and that was what led to that circular. With the circular, we have been receiving a lot of compliance notices from public institutions and there is a programme we are currently handling, which is the adequacy notice from data controllers and data processors. It is to let us know what they are doing in the area of organizational measures and technical measures to ensure that they put in place measures to protect data. Then they should send the names of their data protection officers to us and we intend to train them on a regular basis to bring them up to date in the area of data protection. So, gradually it is spreading. Even in the public sector, part of the directive is that their vendors, their contractors who are in the area of data protection, must have a data compliance confirmation before they can do business with them.

Update on investigation of data breaches such as that of Sen. Ekweremadu’s daughter, David Nwamini, banks and betting companies

Some of the investigations have been concluded. Some are ongoing. Why we decided not to publish the penalty is to protect these businesses. Because, yes, we are protecting Nigerians, their data and information. We need to protect the ease of doing business too. As I said before, what is really important is to take these companies through compliance to ensure that they comply with the provisions of the law. Then, on individuals, those who are principal complainants, we have put in place ways of mediation, which is really important.

The case of Ekweremadu’s daughter and the boy involved that you mentioned, there is a court ruling on it. And if there is a court ruling, we can’t say we want to, but we are monitoring what is going on and we have even written to obtain the court ruling so that we will now determine the approach to take. But the most important thing is that we are trying to monitor what is happening. As for those who have complained to us and those we have discovered on our own, we ensure that they see compliance as a culture. Some of the cases have been closed, some are still ongoing. And you know investigations take time before they are concluded. We do not want to intimidate anyone with our powers as regulators or make unnecessary noise in the media, unless we have a stubborn data processor or data controller that is not ready to cooperate with us.

Awareness among rural dwellers

The awareness we are creating, we are taking it in phases. We started with the public sector, especially at the federal level. Now, I don’t know if you are aware that there is a circular from the office of the Secretary to the Government of the Federation that all MDAs must comply with the provisions of the NDPB. Also, there is a new guideline issued by the office of the Head of Civil Service that reiterated the fact that all MDAs must comply. This is the level of awareness we have created at the federal level. The next thing will now be states. Then the next one will be the local government. And we have visited NTA, we have visited NOA. NOA has offices all over Nigeria, whereby we can even disseminate information about data privacy and protection in local languages. So, we are trying to see how we can work with all these established public institutions and even NGOs and civil society groups to see how we can really drive this. That is the next stage we are entering next year. But for now we are focusing on the elite, mostly those who do one thing or the other online.

Procedures to report a case of data breach

You can do that through our portal. We respond immediately, and you can even write physical letters to us. Or you can make telephone calls or reach us via our social media handles. And if any report gets to us, we take it up immediately and commence investigations.

What are you doing about loan sharks?

It has been a major challenge in the sense that these loan sharks, they take advantage of some vulnerable people in the country, these are the low-income earners or those who do not even have any income, offer them loans of N25,000, N20,000 and when they default they have access to your phone contacts and they start sending messages. They have caused a lot of havoc. Some people have even committed suicide. Some have developed high blood pressure. When we noticed it, we tried to arrest them. We actually investigated Soko Loans, but the thing is, most of these loan sharks are operated by faceless people. You can’t pin them down to a specific address, you cannot get their personnel. But in March this year, we started working with some other regulators like the Federal Consumer Protection Commission, the EFCC, the ICPC, the CBN, and other regulators to look at various issues surrounding what these loan sharks are doing and we now identified two major areas. One, the regulatory part. Who regulates what they do? How did they get licensed? Who monitors what they do? In the aspect of technology, what technology do they deploy for them to have access to contacts in your phone? We discovered that some of these things, the consent of the debtor must have been obtained in one way or the other but those people are not even aware that when you click you have accepted all of those conditions. But it is like taking advantage of them. So, there was a sting operation on Soko Loans, who is like the lead in this thing in Lagos. Some of their officials were arrested. One funny thing is that these guys employ thousands of Nigerians. When you get to some of their offices, the number of Nigerians that you see, how do you say you want to shut them down and they are employing people? So, we are trying to weigh our options to see how we can address the issue.

Milestones so far

Yes. We thank God that we have recorded a lot of milestones. One is the level of awareness on data privacy in Nigeria, which is better than the way it was. A year ago, you would not have seen anyone to interview on the issue of data privacy and protection. Now we are here. We have attended a lot of workshops, conferences within Nigeria and outside. Three, we now have that reputation. Another thing is the area of earnings. The wealth we have created. We have a combined earnings of over N4 billion in the ecosystem. In the area of job creation, what we have done alone has created over 4,000 jobs. And international reputation, we are now a member of Commonwealth of Data Protection Organizations. We now belong to a lot of organizations.

Challenges

Challenges are normal, even when you are starting your own business. There is the initial stage where you need to grow. That is not any different from us. For example, in the area of funding. Funding has been a major issue. But we thank God, with the intervention of the minister, NITDA and NCC have been supportive to the cause of the bureau’s act.

Another challenge is in the area of capacity of staff that we need to really drive the bureau. There is still a huge gap and we still need to get experts so that we are globally competitive. Then training, which is really key. How do we train our staff to ensure that we bring them to the level that we want? Also, the awareness. It is still an emerging sector because a lot of people don’t even know what you are talking about.