- The NPDC said it is currently engaging with the CBN over its directive to banks to obtain social media handles of their customers as part of enhanced customer due diligence regulations, which it described as illegal.
- The commission said there are prerequisite steps to be taken and basic principles to be met when you want to collect citizens’ data, adding that any default will attract a fine.
- The National Commissioner of NPDC, Olatunji, said that asking for social media handles from bank customers is not necessary.
The Nigeria Data Protection Commission (NDPC) said the Central Bank of Nigeria (CBN)’s new directive to banks to obtain social media handles of their customers as part of enhanced Customer Due Diligence (CDD) regulations is against the law.
The commission said it is already engaging with the apex bank on the issue because there are basic principles to be met when you want to collect citizens’ data.
According to a statement issued by the commission’s Head of Media, Mr. Itunu Dosekun, on Thursday in Abuja, this was made known by the National Commissioner of NDPC, Dr Vincent Olatunji.
Prerequisite steps must be taken before data collection
Olatunji pointed out that before the establishment of the Nigerian Data Protection Act (NDPA), on June 12, indiscriminate collection of citizens’ data by Data Controller Organisations was not taken seriously.
A major highlight of this bill which was signed by President Tinubu, is its guidelines for the processing of personal data, some of which include that it must be done in a fair, lawful and transparent manner, that it is limited to the minimum necessary for the purpose it is collected and is not retained for longer than necessary.
He explained that there were prerequisite steps any Data Controller must take before collecting data from data subjects, adding that any organization that defaulted was going against the law and causing a data breach, which would attract a fine.
The NDPC boss said, “There are provisions in the law to go against any data controller be it private or government office, NGOs, hotels, because we are pro-citizens.
- “The whole idea of this law is to protect the rights, the interests of Nigerians who are data subjects.
- “We are already engaging with the CBN to let them know that what they have done is against the law because there are basic principles you must meet when you want to collect citizens’ data.
- “There is data minimisation, meaning you don’t collect data beyond the purpose for which it was intended, purpose limitation, what purpose is it for.’’
Social media handles not necessary for account holders
Olatunji said that asking for social media handles from bank customers is not necessary.
He, however, noted that if the collection of the social media handles happened under public interest, which could include monitoring some transactions, there should be proper awareness to the customers.
Olatunji added that they would be inquiring on why the CDD regulation came up and how best to resolve that in line with global best practices.
What you should know
- Recall that on June 25, 2023, the CBN issued guidelines directing deposit money banks to collect and verify social media handles as part of their know your customer (KYC) procedures.
- The apex bank in its recently gazetted legislation titled ‘Customer Due Diligence Regulations 2023’, said the objective of the regulation is to prevent financial crimes and terrorism while boosting the precision and thoroughness of customer identification.
- According to the CBN, financial institutions will be required to identify their customers, regardless of whether they are permanent or occasional clients.
- This requirement applies to both individuals and legal entities and seeks to enhance the accuracy and depth of customer identification.
- Meanwhile, President Bola Tinubu had earlier assented to the passage of the Nigeria Data Protection Bill, 2023 into law.
- The Nigeria Data Protection Bill which had been proposed by former President Muhammadu Buhari a few months back seeks to provide a legal framework for the protection of personal information and the practice of data protection in Nigeria.
- It also establishes the Nigeria Data Protection Commission headed which will be headed by a National Commissioner with the responsibility of regulating the processing of personal information.