DATA PROTECTION: THE RIGHT TO PRIVACY AND CONFIDENTIALITY* OPEYEMI AFENI Introduction There is virtually no engagement or interaction in which

there is no form of collection of basic data of some sort however minute. From an applicant for an examination to the one applying for job; or a patient in a hospital, data collection is crucial. In a lawyer-client relationship, data collection is involved. With the technological advancement, people can now apply for jobs; travelling documents, scholarships on the internet. Some even search for marriage partners via dating websites while some merely shop for articles; and all these activities, amongst others, demands imputing personal data or information for set purposes[1]. A more pivotal example of this exercise is the mandate imposed by the Nigerian Communications Commission (NCC) on the telecommunication service providers to register all the existing and new SIM on their network if the subscribers must continue to enjoy the service. The increase in the use of information and communication technology in business in recent times has been phenomenal. This ICT invention offers a modern way of paperless data processing as against the traditional ways of pen, papers and array of long files. Though this paperless way offer a faster, seamless[2], boundless, tidier, neater, less cumbersome and arguably cheaper way of gathering data, it also poses greater challenges to users more than the challenges open to the traditional mode of gathering and storage of data. Storing data on computers makes it easier for that data to be accessed and retrieved by the user but it can also make it more available to those who would misuse it[3]. There is the concern of personnel used in data processing as to their knowledge of, and divulging the data of people while on the job[4] as well as the management and monitoring of the database with a view to securing it[5] thus preserving the confidentiality of persons and their personal information. Aside the aforementioned, there is also the fear of hackers hacking[6] into their storage systems with the intent of stealing data to perpetrate fraud among other vices. As a result of this ICT phenomenon, personal data input now occur largely on the internet. Usually, each site has their own policy [7] that informs the site users of the purpose of data input and how those piece of personal information are processed, handled and administered guaranteeing essentially the security of the information. For instance, the United Nations Development Programme website has its information disclosure policy stating that such information required by the site is only for the purposes stated (e.g. job applicant to the UNDP) and that such information will not be shared with parties outside UNDP or published for general access. It is common place to find these sites including a clause exempting responsibility for the security of the information. Personal data collection is necessary in interactions. They are often required in the relationship for purposes that are determined by the scope of the relationships; and the extent of the relationship or interaction should appropriately determine the extent of personal information required. For instance, in a doctor-patient relationship, certain data considered personal might be required by the doctor from the patient that will help the doctor decide on what will be best treatment for the patient; same goes for a client who is suing for divorce, he or she might be compelled by virtue of the his or her case to disclose quite some deep personal information. On the contrary, asking a patient to fill in his credit card PIN details for medical record is not within the purview of that kind of relationship; apparently, it is in excess of the interaction between the two. It is trite that communication under these special relationships are privileged [8] and are long-settled issues of ethics and professionalism. This paper is a humble attempt on the nature of personal data being exchanged in both the traditional or manual mode and the modern or automated mode[9] with bias for the latter: the ICT driven data processing and the challenges it poses to users or subscribers to those services vis-a-

vis their right to privacy and right to confidentiality, as well as the database security obligations on the data collector and concluding with suggestions for the polity. THE CHARACTER OF PERSONAL DATA AND ITS IMPORTS Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into the possession of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual[10]. The Data Protection Act 1998 (UK) also made mention of sensitive personal data but that is not within the purview of this paper but suffice it to say that sensitive personal data bothers on sensitive issues indeed such as data covering ones physical, mental health, sexual life.[11] Personal data may simply refer to personal information of individuals such as full names, date of birth, maiden name (in case of married women), place of residence, nationality and also hobbies. According to EU Data Protection Directive (95/46/EC)[12], personal data shall mean: any information relating to an identified or identifiable natural person (Data Subject); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

It is reasonable to expect that the full name of a person including pseudonym[13] is one way by which an individual is identifiable. National Identity Card number or any of such documents are also means of identifying a person and so thus comes within the purview of a personal data. This definition has also been said to be technology neutral[14] as it does not lay emphasis on how the data is stored on paper, on an IT system, on a CCTV system etc. It goes without saying that the issue of data storage device is not much of importance as much as the protection given to it save only that technology poses its peculiar challenges. It is imperative to point out that there is yet another class of data that is referred to as non-personal information but are connected to a person accessing or using the services of the organisation giving such services. This is especially true of organisation hosting websites and allowing public access. Through the use of cookies[15], certain information are stored into the computer system unit with which the site is being accessed and by that, the site administrator is able to read this cookies whenever such user accessed the site again. This is largely regarded as anonymous information as the information represents the system unit rather than the person. It is basically for information purposes and to monitor the effectiveness of the service being offered on the site such as delivery of pages upon request whether successful or not and whether on time or not. It covers information such as the type of internet browser used, the IP address[16], date and time visited the site, the part of the site visited, the website with which you linked the website and so on. (occasionally, cookies alert pop on the site screen to alert users of its presence and giving a chance to either disable or leave it[17]) Certain reasons have been identified by various organisations requesting for personal data. In most cases, unless the required personal information are imputed, users may not be able to access the service:[18] 1. To process orders and applications by users

2. Administer market research 3. Tracking of sales data 4. To respond to queries and requests submitted by users[19] Generally, purposes will be different but ideally, every organisation requesting for personal information should clearly spell out the purposes for which the information is required and should only be exploited to the extent of that which was stated[20]. In some other instances, certain purposes may be implied as naturally following the stated ones but even at that, the implied use purposes must not be manifestly outside what has been stated. For example, it is logical that an email address with which an enquiry about a product was sent has impliedly subscribe to future updates on other products by the company. The sender should not find it strange to receive on a future date, aside the response to its inquiry, another mail informing of another product. In any case, an organisation which is keen on the ideal use of peoples personal information such as email address always provide a link at the tail end of the mail for the recipient to unsubscribe should they not be willing to receive future offers [21]. It will however be out of implied purpose usage to find emails from a sister company advertising another line of product all because the first company gave out the email address. There are many in this country who are largely disturbed by countless unsolicited SMS[22] of both genuine and bogus offers by third party companies to GSM service providers. While a subscriber on a network may have willy-nilly subscribed to its news of offers or that of company having business relationship with it[23] by buying its SIM card, it should at least have his right to privacy intact and be protected from third party companies invasion or be allowed to elect whether to continue to receive future alert of offers or not; but even where such option is given, they are hardly honoured. While it is understandable that SIM numbers can be easily formed or guessed by anyone[24], there seem to be, arguably, some level of connivance by the telecom providers with some companies using the medium for advertising their products that are not related to telecommunication. Whereas under the EU Data Protection Directive 95/46EC, a SIM comes under personal data and as such, should be so accorded (by everyone especially the service provider) that respect of privacy and confidentiality. Subscriber Identity Module (SIM) is used to identify subscribers to mobile telecommunication providers[25]. The issue is even more burgeoning with the SIM registration exercise mandated by the Nigeria Communications Commission (NCC) in which subscribers photograph and biometrics are taken. Under the EU Directive, the photographs and biometrics are also personal data and it is only reasonable because they mutually and exclusively form part of what can be used to identify a person. As opined earlier in this paper, the extent of data requested for should be determined by the scope of the relationship or interaction taking place or existing between the two parties. DATA PROCESSING Data processing is when an operation is carried out upon personal data whether or not by automatic means. The processes include collection, recording, organisation, storage, administration, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available alignment or combination, blocking, erasure and destruction of personal data.[26] Taking the recently conducted SIM Card registration exercise as a focal point, the Nigerian Communication Commission (NCC) had mandated all telecommunication operators to register SIM cards before they are purchased and the existing subscribers too under the Know your customers project. Besides personal information, operators are also required to capture biometric data. Jointly and severally, they sum up as personal data. As it was practicable, each of the operators contracted the job out to technology companies to manage the registration project on their behalf apart from the centralised arrangement by NCC that catered for all the networks. This was a multi-billion naira project that involves a lot of sub-contractors in the chain and created massive short term employment for a lot of Nigerians especially fresh graduates from the high school and higher institutions. The data process involved begins with the computer operator capturing the details and the

biometrics up to the extent of storing it on the computer unit or synching it to the back-end database directly depending on the technology employed and also include the management of the data centre. What we are yet to see now is whether there will be room for alteration or update when the occasion arise. Some of the information taken are somewhat basic and immutable but some are subject to change. For instance, a spinster who is now married or a fellow whos residence has changed. Since it is the aim of NCC to provide the best reliable data for Nigerians in so far the ultimate is to hand over to the Nigerian Identity Management (NIM), it is wise that there should be provision for people to update their record especially when there is a substantive change like name, name change advertorial in newspaper notwithstanding. It is an essential part of the right to privacy as codified under the UK Data Protection Act 1998. RIGHT TO PRIVACY AND CONFIDENTIALITY The regret in Nigeria is that we do not have a Data Protection Law per se though people placed heavy reliance on constitutional provision of section 37[27] in the absence of none. There are some other laws that one may rely on guaranteeing right to privacy and imposing responsibility on the body managing the data[28] to secure it and prevent it from being divulged to third party without permission of the data subject[29]. The right to privacy, defined, is the right to have control over the availability of information about one, or to restrict access to information about one which one does not want others to have access to without ones knowledge or consent.[30] In other words, according to O.A Yusuff[31], as an individual, I have the right to control of information about me or to restrict access to information about me which I do not want others to access without my knowledge. Confidentiality on the other hand is the right that I have to restrain somebody else who probably by reason of certain relationship between us, has some information about me from disclosing it to someone else, or otherwise, it is an obligation which such person has towards me to maintain the secrecy of information about me in his or her possession. This submission is in tandem with one of the general principles guiding the process of personal data under the EU Directive; that is, consent of the individual. For every release of information from any individual to another party, be it to a person or an organisation, there must be consent and such consent must be specific and informed not inferred or on the basis of misrepresented facts. (emphasis mine)That is to say, the individual must not be deceived or manipulated into divulging information about himself. The right to privacy comes to the fore at the point of getting information while confidentiality comes into play after the details might have been given to the data collector. He or she must be well informed as to the purposes of the information required. This is especially imperative in a semi-literate or stark illiterate environment, for they are the most vulnerable in this aspect. Because they are not so educated, sometimes, they could be manipulated into disclosing information about themselves notwithstanding that the body requesting the information is a statutory body or that the process is mandated by law.[32] If this right is jettisoned or not honoured, it is submitted that it is no less a breach of a constitutional right[33]. GENERAL PRINCIPLES GUIDING PROCESSING OF PERSONAL DATA[34] The English Data Protection Act of 1998 lays down these principles about how personal data should be handled and processed by anyone be it government agencies or private organisations and whether by manual means or ICT driven: 1. Consent of the individual must be sought. The consent must be specific and informed not inferred or on the basis of misrepresented facts. This means that personal data must not be collected by deceiving or misleading the person into providing it and the personal data can only be used lawfully[35]. A situation where someones index finger or even the big toe was taken to stand in for thumbprint because the scanner refuse to capture the thumb and also largely due to the ignorance of the person is unacceptable. That happened a lot in the SIM registration exercise from feelers obtained by this author. However, one can expect that the integrity test[36] will weed out all these anomalies and many will still have to re-do the exercise

2. 3.

4. 5. 6. 7.

if they must continue to use their lines. It is commendable that they will be notified on their lines on their final status after the integrity test and given time to remedy the error before their lines are barred should they refuse. Data maybe processed when the processing is necessary for the entering into contract with the private individual. For instance, a candidate and an examination body or an applicant for a job vacancy. Data maybe processed in order to comply with a legal obligation. For example, the directive by NCC on SIM registration. It is a legal obligation which no one can avoid. Anyone who failed to have his SIM registered by the deadline or after the integrity test will be barred and can only continue to use the line upon registration. Data maybe processed when the vital interest of the private individual is at stake. For instance, a person willing to take on a life insurance policy with an Insurance company. Data may also be processed when the process is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or a third party to whom the data are disclosed. The quantity of the information required must be adequate and relevant; no excessive information in relation to the purpose for which they are processed. This has been said to mean that information not within the ambits of the interaction should not be exploited. Personal data must be accurate and up-to-date. It follows that individuals should have access to data held about them and where appropriate have it corrected or erased. It is submitted that this is a culture that it is not so welcomed in our polity. There are institutional bodies in this country that flatly forbids one from attempting to change any information they held about them until you have passed through them and gone on to something else in life; thus, we find that some married women still transact in their maiden names. In some instance, when a wrong information has been held by a body due to no error of the concerned, attempt to have it corrected is usually met with stiff resistance either due to the lethargy of the officer concerned or to some bureaucratic bottlenecks. The author is aware of a university student who went throughout her university career under a wrong state of origin and could not get it corrected despite frantic efforts to have it changed and reflect her true identity. This is a blatant blow to the students right under an appropriate Data Protection law.

However, the right of access was denied Mr. Durant in his case against Financial Services Authority. In that case, personal data was given a narrow interpretation: the case borders on a right in the Data Protection Act of 1998 that generally lets an individual access personal information held by an organisation that relates to him. After a dispute with his bank, the bank successfully applied for an exemption from the right of access, Mr Durant complained to the Financial Services Authority. The FSA investigated, but did not reveal detailed information about its investigation to Mr Durant. So he tried to use the Act's right of access in relation to the FSA. The FSA refused, and Mr Durant embarked on a lengthy court process. Mr Durant lost his case in the Court of Appeal in November 2003. The Court ruled that merely mentioning a person in a document does not make that whole document available as "personal data" in the event of such a request. This decision was criticised by the European Commission and held that the UKs Data Protection Act is defective in implementation of the original intention of the Commission[37]. 1. Another crucial principle enunciated in the law is that data could only be retained for the time it is required. In other words, there should be time frame for the retention of data. The author is aware that the draft of a particular law specifying a minimum of five years of data retention by Internet Service Providers (ISP) was largely criticised as imposing burdens more than necessary on them. According to them, keeping of all records transactional and traffic records of all activities on their service for that long period will be expensive and thus increase their overall overhead cost. 2. Data must be protected to prevent unlawful access or alteration. This means the database administrators must do all within their reasonable means to protect the data in their care. Measures to be employed include encryption of data, setting of passwords, levels of access and even physical method to protect the data.[38] The popular exemption clause through which most bodies avoid responsibility for security of information should not be advanced

beyond the necessary. All hands must be on deck to ensure the security of personal data. SUGGESTIONS/CONCLUSION With the absence of a clear-cut data protection law embodying the afore-mentioned principles to protect data collection and storage in this country, where lies the much needed protection by the populace? With the ubiquitous presence of fraudsters and computer hackers around, there is the need for a special law to adequately tackle the challenges confronting data protection in Nigeria. We may not have had much issue with peoples data but as the society is growing more knowledgeable, it will soon begin to generate heat[39]. We must not wait till that time before we have the law. We must be proactive. The drafting of the law should involve computer security experts because this is largely the realm of storage of data these present times. During the presentation of the first draft of the Regulations by NCC on the SIM registration, safety of personal information was the major concern brought by Telecommunication Service Providers and the Association of Licensed Telecom Operators of Nigeria (ALTON)[40]. This is obvious because the NCC was to make use of third party contractor to handle the registration exercise before synchronising all the data back to NCC database who will then set on it the integrity test. The fact that they threaten to impose fine and other penalties on the third party companies who divulge unauthorised information is not enough. How safe is the information even in their custody? As opined by the National President of National Association of Telecomm Subscribers (NATCOM) there is the need to provide for a tracking system within the central base so that when any information is released, it can be traced back to the person who released it[41]. The author also submits that the data could also be encrypted[42] to allow for a barest minimum of access, and if at all accessed, a barest minimum of people who can understand the data. Sophisticated software could also be employed on computer storage systems to make hacking of database almost impossible[43]. The English Data Protection Act of 1998, in spite of its imperfections, provides a good model for Nigeria to replicate with the necessary adjustments to cater for our own peculiarities. It is an indictment on Nigeria that the Act provides that the personal data of their citizens should not be transferred to countries outside of European Economic Area (EEA) that do not have adequate data protection law or to countries with levels of data protection lower than in force in the UK.[44] It is submitted that with the necessary political will, the afore-mentioned suggestions are possible and it will help Nigeria present herself as a serious country among the comity of nations, who knows what is to strongly protect the data of its citizenry obtained under any guise.

*Opeyemi Afeni, LL.B, B.L is a counsel at Andy Igboekwe & Co, TBS, Lagos, Nigeria [1] Each website usually display their Privacy Policy or Information Disclosure Policy that explains the purpose for the requirement of personal data input before further access or service of the site are allowed.

[2] Data can be gathered and processed simultaneously from anywhere in the world and synchronised to the same database

[3] Legal, Social, Ethical and Environmental Issues when Using ICT. ( Accessed on www.friaryschool.com/documents/subjects/ict/chapter6Book.pdf on 16/09/2012; see also http://www.teach-ict.com/gcse/theory/computer_misuse_act/miniweb/index/htm. for more on Computer Misuse Act (UK)

[4] In the SIM card biometric registration exercise mandated by NCC, it was reported that NCC gave warning to all their third party contractors involved in the registration that they will face fine and other penalty if they keep or give out any unauthorised information. www.thisdaylive.com>Home>News of 4 June 2012 (Accessed on 16/09/2012)

[5] NCC will have control, administration and management of the central database and later sent it to National Identity Management (NIM). Source: http://www.nigeriannewsservice.com/index.php? option=com_k2&view=item&id=1831:telecom-providers-fault-sim-registrationproject&itemid=231&tmpl=component&print=1 (last accessed on 24/09/2012). The author humbly submits that this in itself does not solve the problem for even the statutory bodies are also manned by human beings. See The Punch Newspaper of 24/09/2012: SSS traces data leakage to personnel, begins reorganisation. There is the need for a law which provides for stiff sanctions. Other suggestions are outlined in the paper.

[6] Hacking is the unauthorised accessing of materials stored on computers as well as using computers to access data or programme stored on computer.

[7] See for instance UNDP website Information Disclosure Policy www.undp.org. See also privacy policy of Shell Nigeria, www.shell.com.ng>shellNigeriaHomepage>About

[8] See generally s.192 Evidence Act 2011; also R.19 Rules of Professional Conduct for Legal Practitioners 2007

[9] The classification is according to the author for mere clarity purposes in this paper.

[10] Data Protection Act 1998 quoted on www.devon.gov.uk/index/councildemocracy/import-ourservices/access-to-information/data_protection/personaldata.htm (last accessed on 24/09/2012)

[11] Ibid. www.devon.gov.uk./index/councildemocracy/import-our-services/access-toinformation/data_protection/personaldata.htm (Accessed on 24/09/2012)

[12] Cited in www.dataprotection.ie/viewdoc.asp?DocID=210. Office of the Data Protection Commissioner, Ireland (Accessed on 16/09/2012)

[13] Creative writers often adopt pseudonym; for instance, George Orwell, author of Animal Farm, has his real name as Eric Arthur Blair

[14] Op.cit. www.dataprotection.ie/viewdoc.asp?DocID=210. Office of the Data Protection Commissioner, Ireland

[15] Cookie is a piece of computer software which enables a website you have visited to recognise you if you visit it again. Source: Collins Cobuild Advanced Dictionary of English. (c) Harper Collins Publishers, 2009 [Berlitz Digital 2006-2010]

[16] Internet protocol

[17] An example on www.out-law.com: We use cookies to make this site as useful as possible. They are small text files we put in your browser to track usage of our site but they dont tell us who you are.

[18] This is true for online services e.g. applying on an Examination bodys website but also true for traditional mode.

[19] The author relied heavily on the Shell Nigeria website and is greatly indebted to the site.

[20] See again the Privacy Policy of Shell Nigeria Website. www.shell.com.ng>shellNigeriaHomepage>About

[21] A sample reads like this: you are receiving this mail message because you are a valued customer of... If you no longer wish to receive message from us, please click here to unsubscribe

[22] Short Messaging Service (SMS)

[23] GSM service providers often form business relation with some other service providers. Eg. With Health Service providers for daily health tips or a music company for music downloads.

[24] Fraudsters most at times frame SIM numbers of unsuspecting people

[25] See Chukwuemeka Izuogu, Data Protection Issues and the Legal implications in NCCs Directive on SIM registration. www.facebook.com/notes/international-legal-strategistsgroup/nigeria-data-protection-privacy-issues-in-nccs-directive-on-sim-card-registration (Accessed on 16/09/2012)

[26] Ibid.

[27] Constitution of the Federal Republic of Nigeria, 1999, s.37 reads: The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.

[28] S.9(1)(e) Wireless Telegraphy Act, CAP. 469 LFN 1990, CAP. W5 LFN 2004

[29] Data subject is the person whose personal data has been collected

[30] Op.cit Chukwuemeka Izuogu: Data Protection Issues and the Legal implications in NCCs Directive on SIM registration. www.facebook.com/notes/international-legal-strategistsgroup/nigeria-data-protection-privacy-issues-in-nccs-directive-on-sim-card-registration (Accessed on 16/09/2012)

[31] O.A Yusuff, The Imperative of Statutory Control of Access to IVF Services in Nigeria in Law, Politics & Development The Challenges of an Emerging Mega city: Essays in Honour of Babatunde Raji Fashola (by NBA, Ikeja Branch 2010) p.285

[32] NCC was criticised by many on the aspect of media campaign to the grass-root not enough to really explain to people the purpose of the SIM registration.

[33] S.37 Constitution of the Federal Republic of Nigeria (CFRN) 1999

[34] The author is indebted to Chukwuemeka Izuogu: Data Protection Issues and the Legal implications in NCCs Directive on SIM registration. www.facebook.com/notes/international-legalstrategists-group/nigeria-data-protection-privacy-issues-in-nccs-directive-on-sim-card-registration (Accessed on 16/09/2012)

[35] Op.cit. Legal, Social, Ethical and Environmental Issues when Using ICT. ( Accessed on

www.friaryschool.com/documents/subjects/ict/chapter6Book.pdf. on 16/09/2012)

[36] It is a phase in the SIM registration exercise by NCC to verify all the data synchronised into their database in order to ensure that the registration was proper and adequate.

[37] http://www.out-law.com/page-5820

[38] Op.cit. Legal, Social, Ethical and Environmental Issues when Using ICT. ( Accessed on www.friaryschool.com/documents/subjects/ict/chapter6Book.pdf. on 16/09/2012)

[39] News item: SSS traces data leakage to its own men The Punch Newspaper 24/09/2012; see also Nigeria Daily Post 5 September, 2012: SSS data leakage: PenComm denies responsibility. www.dailypost.com.ng>Home>Hot News

[40] Op.cit http://www.nigeriannewsservice.com/index.php? option=com_k2&view=item&id=1831:telecom-providers-fault-sim-registrationproject&itemid=231&tmpl=component&print=1 (last accessed on 24/09/2012)

[41] Ibid.

[42] Encryption is a computer jargon meaning writing in a special code so that only certain people can read it.

[43] Securities agencies in Nigeria began this fortification after suspected sympathisers of Boko Haram leaked the personal data of 60 personnel of State Security Service (SSS) and posted them online. It was a grave issue as it posed security challenges to the personnel and their families.

[44] Op.cit. Legal, Social, Ethical and Environmental Issues when Using ICT. ( Accessed on www.friaryschool.com/documents/subjects/ict/chapter6Book.pdf (Last accessed on 24/9/2012) See also http://www.teach-ict.com/gcse/theory/dpa/miniweb/index/htm. for more explanation on the Data Protection Act 1998