An attorney with an eye for the big picture and details, Stephen Azubuike’s legal expertise and interdisciplinary approach to problems puts him in a class of his own. A lawyer with expertise in commercial dispute resolution, technology law practice and many more, he is a partner at Infusion Lawyers and creator of the popular legal blog stephenlegal.ng where he dissects legal, national and sundry issues. Stephen Azubuike in this interview with Lillian Okenwa addressed some nagging question about the on-going national identity number registration with particular focus on data protection and remedies.
L&S: As Nigerians hastened to get registered following the Federal Government’s December 15, 2020 statement to the effect that SIM cards not registered with valid NINs on the network of telecommunications companies by December 30, 2020 would be blocked, a viral message on social media announced that those who had BVN already have NIN. The implication was that they do not need to register for NIN. But a tweet from NIMC said NIN registration must be completed despite NIN generation through BVN. What do you think about this confusion?
Answer: I consider the confusion unfortunate. This is because the confusion appears to reinforce the concern Nigerians have been expressing about the country’s failure to not only collect citizen’s data for the purpose of a reliable and secure national identity database but also the lack of integration of data collected via various channels. As I understand it, there was no time the custodian of BVN, the Nigerian Interbank Settlement System (NIBSS), created or issued NIN to Nigerians. NIN was issued by and continues to be issued by the NIMC. The BVN-generated NIN in question therefore is not a creation of NIBSS but that of NIMC. So when I read the Tweet from NIMC warning that BVN-generated NIN is invalid, the first thing that came to my mind was, is it really a BVN-generated NIN that we are talking about here or an already NIMC-generated NIN that is retrievable simply by dialling *346#? I believe it is the latter. By commanding that code on your phone, it pops up your NIN because the phone number with which you did the registration captures your NIN. How then would such NIN be declared invalid?
So, for me I think the NIMC should have been more cautious about its declaration via a tweet particularly in the second wave of Covid-19 pandemic. The NIMC cannot renounce the NIN retrieved from the BVN records or whatever in their view came from the BVN without challenging its authenticity. That is how I see it. NIMC is not saying they have record that the NIN that comes from a person’s phone number, which incidentally is also connected to the BVN, is invalid or that they have discovered some lapses in the process. They haven’t said that. Instead they just came up to say that they are not accepting BVN-generated NINs. So, if independently I generated my NIN using the USSD code provided or even through my BVN, do I go about announcing to them where I retrieved my NIN from? Thus, so far, we don’t have any report of any invalidity in the NINs that are connected to the BVN.
L&S: If NIMC had in time past captured some Nigerians and generated NINs for them, why the inconvenience of asking them to do it all over again? I’m aware that a couple of years back, people’s data were captured under a different exercise that was eventually cancelled. What then is the essence of the previous exercise? I still have a 2003 National Identity card issued during a much earlier exercise.
Answer: Apart from the obvious inefficiency in the system, NIMC’s position that BVN-generated NIN are invalid makes Nigerians wonder whether the NIMC is just out to frustrate Nigerians or there are problems the NIMC may be having with the integrity and reliability of these NINS. Sincerely, the way some of our government agencies pilot their affairs and implement their programmes and policies leave much to be desired. On the lips of an average Nigerian, you would hear that the government likes to “punish people.” That seems to be the modus operandi of the government. They seem to always come up with implementation procedures that put the masses under avoidable stress and problems. You can imagine in a period when the government is trying to get people to observe COVID-19 protocols and social distancing, and in the same breath asking them (the people) to go all out and register for their NINs.
At the same time information pops up that appears a successful synchronization had been done such that you can now track your NIN using your BVN details as it were, and government just jumps out to say it’s invalid without interrogating the process to confirm if truly this can ease off the stress in the public space. That is not encouraging. The closest thing to an explanation that the NIMC has dropped out there is that the reason why BVN-generated NINs are invalid is because they must be updated at the NIN Enrolment Centre. If NIMC wishes to have NIN-carrying Nigerians update their data, this should not warrant a declaration of the NIN already issued as invalid. Data update is a continuing process. If the NIMC puts a more efficient NIN registration and NIN-update mechanism in place, I don’t see why the country should be experiencing this challenge in the first place.
L&S: Some private companies have been recruited by government to register Nigerians for the NIN. It is believed that that will speed up the registration process but about data protection and privacy? What are the legal implications?
Answer: On the first note, the NIMC is principally responsible for data collection and protection for the fulfilment of their mandate, which primarily is to ensure that the National Identity Management process is well taken care of. So, in trying to execute that mandate, if NIMC deems it fit to recruit third parties, whether local or foreign companies to carry out that mandate, nothing stops them from doing so.
On a general note, that is not really where the problem lies, because, for instance, the NDPR (Nigeria Data Protection Regulation) captures the fact that third parties may at some point get involved with the data that a particular agency or organization may be collecting. So, there are procedures for ensuring that third-party participants in the process observe the laid down regulations. It is basically the duty of the NIMC to ensure that they (the third) parties observe those regulations.
On the question of data protection, the risks are there. That is why the NIMC as an agency of the Federal Government is not immune from the obligations of observing the regulations as contained in the NDPR (Nigerian Data Protection Regulation). Engaging anybody to help with the process only further puts them (the NIMC) on the spot to ensure that all those guidelines and regulations are not breached. The NDPR have all these in sight in making the provisions as contained therein.
L&S: Are there remedies for any infraction of the NDPR provisions?
Answer: The NDPR provides remedies for violation of the data privacy of any citizen. NIMC is the data controller here. Specifically, the NIMC shall be liable to a fine of 2% of its Annual Gross Revenue of the preceding year or payment of 10 million Naira, whichever is greater. With NIMC’s decision to recruit private companies to also get involved in collecting the personal data of Nigerians, NIMC as well as these recruited private companies must be extremely cautious. Should there be infractions, data subjects are entitled to seek redress. Recently, we saw some early lapses when the NIMC abandoned the initial issuing of manual ID cards, saying they were going all digital. Some civil rights organizations even took the NIMC to court to challenge the NIMC’s actions, arguing that there were lots of data leaks. According to the claimants, the personal data of private individuals were being leaked and that there was no adequate protection for Nigerians who may be coming on board to use the App NIMC was said to have developed. So all parties must not only respect data privacy but must also put administrative and technical measures in place to ensure data security and integrity. If we get this right once and for all, we won’t have embarrassing situations such as the case where the US questioned the security and integrity of Nigeria’s national identity database. Think about it. If NIMC itself is questioning the validity of its own NIN, who wouldn’t?