Sep 28, 2018

The National Youth Service Corps and Data Protection | Nonso Anyasi*

“Good Morning Stephanie, is me okafor Stanley your 2017b copa mate in Oyo state. Am working with Shell Oil Company in Rivers State branch, call me now 4 details b/cos internal recruitment is going on now.”

A colleague of mine who is serving as a youth corps member shared the message above with me and narrated how, when she contacted the sender of the text message, he was able to provide sensitive information such as her NYSC State Code, platoon, present local government and place of primary assignment. It became clear to her that some very skilled person talented in the art of cyber crime had somehow gotten access to her personal details in the NYSC database.

Other friends and colleagues have reported similar incidents in which unscrupulous elements represent themselves as former platoon mates and promise mouth-watering offers in exchange for monetary consideration. Indeed, with the recent increase in legal education and awareness, only a few Nigerians are likely to fall for this gimmick.

However, this does not negate the very alarming issue that the fraudsters were able to get access to very sensitive information (such as the full names, phone numbers, NYSC State Code, local government and Place of Primary Assignment) of innocent corps members. When such happens to only one person, it can be assumed that the fraudster accidentally came across the singular file of the victim, and decided to capitalize on this. But, where this happens on a mass scale (as it has reportedly happened in Lagos, Oyo, and Edo states) it cannot but be assumed that the fraudster has access to the NYSC database.

Indeed, the National Directorate and the State Governing Board of the NYSC established by Sections 3 and 6 of the NYSC Act are responsible for everything that has to do with the collation and maintenance of data of both corps members and prospective corps members who have evinced an intention to join the scheme.  It is regrettable that both the NYSC Act and the NYSC Bye-Law are silent on the protection of the database of corps members they maintain. 

It is even more painful that there is no direct legislation on the protection of data/information of Nigerians held by government/public agencies in the country. Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as Amended) has tried its best to secure the privacy, homes, telephone conversations and telegraphic communications of Nigerian citizens. However, that constitutional provision is not penal; neither does it protect the personal data and information of Nigerian citizens.

Some sensitive sectors of the economy have attempted to protect the personal data of Nigerians as it relates to that sector. For example, the Nigerian Communications Commission (NCC) has the Consumer Code of Practice Regulations 2007 and the Registration of Telephone Subscribers Regulation 2007, which regulate data obtained by telecommunications operators in Nigeria and impose administrative fines ranging from N200,000 (Two Hundred Thousand Naira) to N1,000,000 (One Million Naira) in the event of an unauthorized disclosure of information. These regulations are, however, industry-specific and relate only to the communications sector.

The National Information Technology Development Agency came close to prescribing a detailed framework on the protection of personal data of Nigerians with its draft Guidelines, which prescribe the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information. The Guidelines attempt to regulate all organizations or persons that control, collect, store and process personal data of Nigeria residents within and outside Nigeria, for the protection of a specific category of data commonly known as Personal Data or Object Identifiable Information (OII). The Guidelines are to apply only to federal, state, and local government agencies and institutions as well as private-sector organizations that own, use, or deploy information systems of the Federal Republic of Nigeria.[i] The Directorate and the State Governing Board of the NYSC therefore fall under the purview of the Guidelines, but it remains very sad that the Guidelines, which have remained a draft since 2013, are still currently undergoing review.

It is proposed that penal provisions be incorporated into the Guidelines, which should in turn be proposed as a Bill for the National Assembly to legislate on. In other advanced climes, unauthorized access to personal data is taken very seriously and treated as an offence. It is time Nigeria gravitated away from mere constitutional theorems to adopt a more pragmatic approach to the protection of sensitive personal data of Nigerians. This will no doubt bring a corresponding decrement in the rate of cyber crime, which is oftentimes facilitated by access to such personal data.

* Nonso Anyasi is an Associate at Charles Mekwunye & Co. He has keen interests in intellectual property and ICT law and practice. He is also the Vice-President of the Legal Watchmen.

[i] Data and Privacy Laws in Nigeria by David Oluranti accessed via on 17/09/2018.