The National Information Technology Development Agency (NITDA) has commenced investigation into some banks, network operators, financial technology companies and the Nigerian Immigration Service (NIS). This could cost the affected companies 2% of their annual revenues.
What led to probe: Investigation into the companies and the Immigration was initiated because they reportedly used data belonging to Nigerians. According to NITDA, the unnamed companies violated the data privacy rights of their customers.
[READ ALSO: Opinion: Is NITDA’s grant to these startups a joke?]
It was learnt that the companies’ handling of customers’ data was not in compliance with the Nigeria Data Protection Regulation (NDPR), while the NIS breached Article 2.1(2,3) of the NDPR.
The NDPR was created to protect the data and privacy of individuals, and deter companies or agencies from abuse of data. The NDPR said,
“Anyone who is entrusted with the personal data of a data subject or who is in possession of the personal data of a data subject owes a duty of care to the said data subject.
Anyone who is entrusted with the personal data of a data subject or who is in possession of the personal data of a data subject shall be accountable for his acts and omissions in respect of data processing and in accordance with the principles contained in Subsection 1of this Section.”
While addressing the investigation, the NITDA’s Director General, Dr Isa Ibrahim said, “The management of the National Information Technology Development Agency will like to bring to the notice of the general public the on-going investigation of alleged breach of the data privacy rights of Nigerians by some data controllers.
NITDA is currently investigating some entities including banks, fintechs, telcos, etc, who are in alleged breach of the NDPR. The Nigeria Immigration Service is also under investigation for alleged violation of Article 2.1(2,3) of the NDPR.
We therefore wish to assure all Nigerians that NITDA is willing, able and ready to implement the NDPR with the ultimate aim of ensuring compliance and making businesses and government work better for every Nigerian.”
Although he didn’t disclose how the data were used by the companies and NIS, the NDPR, however, stated that data should not be obtained without the consent of the owners, or received through fraud, coercion or undue influence.
Penalty for breach: If the companies and NIS are found to have breached the data protection regulation after the investigation, they will be sanctioned. According to the NDPR Article 2:10, the following penalties will be applied, depending on crime involved.
- In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of N10 million, whichever is greater.
- In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of N2 million, whichever is greater.
[YOU SHOULD ALSO READ: Stanbic IBTC issues sober, yet optimistic message after losing N2.5 billion case]