Preamble:
I must place on record our gratitude to the Director General of this Commission Mr. Chris E. Onyemenam and the Committee on Personal Information and Data Protection Legislation set up by the National Identity Management Commission for their efforts in drafting this bill.
2. Today’s stakeholders’ workshop on the Draft Bill on Personal Information and Data Protection is long overdue considering the fact that our policies more than often, have not kept pace with the advances in technology.
3. May I draw your attention to the fact that the National Identity Management Act 2007 the enabling Act that created the Commission provide for the establishment of the National Identity Database; a secured means to access the National Identity Database so that individual can irrefutably assert his/her identity, harmonization and integration of Identity Database in Government Agencies to achieve resource optimization and shared services facilities, etc.
4. It is as a result of the above provision in the principal legislation establishing the Commission that the bill to provide for regulations governing the processing of Personal Information and Data Protection by invoking the relevant provisions of the Act which provide the Commission with powers to make regulations connected with its functions.
5. Before the Commission proposed the draft bill slated for stakeholders’ deliberation Identity theft has become one of the fastest growing global crimes. This can be attributed to a number of reasons:
• Huge margins for little effort and risk on the part of criminals
• Inadequate legislation or punishment to deter identity thieves
• Organizations not deploying appropriate security measures
• People not being aware of the value of their personal information.
It had for a while been thought that the only victims of identity theft were individuals whose personal information has been obtained illegally. Evidence has however shown that organizations, which obtain and sell personal information, have fallen prey to sophisticated criminals.
For examples:
• Customers of financial institutions have been tricked into handing their personal data through phishing scams,
• Personal information brokers have had their systems breached by identity theft criminals.
In realizing that personal information has value and that it can be used to obtain false documents which in turn could be used to commit criminal activity, data protection legislation should be enacted to identify the responsibilities of organizations that collect, transmit, store and process personal information. These legislations shall also have provisions, which provide for redress in the event that the organization breaches data protection provisions in the handling of personal information; hence the need for the support of the prompt passage of the Bill into law.
6. The purpose of the bill:
The rationale for this draft bill is a demonstration of the Government of the Federal Republic of Nigeria in its resolve towards providing assured and sustainable identity infrastructure for her citizenry which will in turn give the populace a decent robust and crime free environment to function in line with the provisions of the Commission’s Act.
The purpose of this Bill according to Section 1 is to establish rules to govern the collection, use and disclosure of Personal Information in a manner that recognizes the right of privacy of individuals with respect to their Personal Information and the need of organization to collect, use or disclose Personal Information for purposes that a reasonable person would consider appropriate in the circumstances.
By virtue of section 2(1); this Act applies to every organization in respect of Personal Information that:
(a) The organization collects, uses or discloses in the course of the organization’s commercial activities; or
(b) Is about an employee of the organization and that the organization collects uses or discloses in connection with the operation of a federal work, undertaking or business.
2(2); The Act does not apply to
(a) Any government institution
(b) Any individual in respect of Personal Information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or discloses for any other purpose; or
(c) Any organization in respect of Personal Information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, uses for any other purpose.
These two opening sections clearly capture and underscore the essence of the proposed law. That is, making and ensuring privacy of Personal Information of individuals and National Identity Database accessible to the Government MDAS and appointed Identity Verification Service Providers.
7. In general terms, the bill covers the followings:
Part 1 Sections 1-9 deals with purpose, application, compliance with obligations, etc. Part 2 sections 10-20 on contravention, application to Court, remedies, summary hearings, etc. Part 3 sections 19-20 audits to ensure compliance and report of findings and recommendations.
Part 4 Sections 21-34 confidentiality, regulations, whistle blowing, prohibition, etc. Lastly is the schedule which is on privacy principles.
8. Ladies and gentlemen, there is need for the stakeholders to critically examine during their panel discussion session today the provisions of this Bill vis-à-vis the provisions of the Freedom of Information Act which came into operation on 1st June, 2011. There are some similarities in the two.
9. Permit me at this juncture to dwell into the definitions of Personal Information/Data Protection.
What is data protection?
Data protection involves the implementation of administrative, technical or physical measures to guard against unauthorized access to such data. It involves the protection of Personal data, which covers both facts and opinions about an individual.
Singaporean Example:
The Singapore Parliament recently passed the long-awaited Personal Information and Data Protection Bill (“PIDPA Bill”) after its third reading. The PIDPA Bill establishes a baseline data protection framework that applies to all organisatio9ns in the private sector. This implies that private sector organizations in certain highly regulated industries (e.g. banks, telecommunication service providers, healthcare institutions) will additionally have to comply with data protection requirements set out in sector-specific regulations.
The other major component of the PIDPA is the establishment of a national do-not-call (“DNC”) registry, which will hopefully provide individuals with a simple and efficient way to opt out of receiving unsolicited marketing messages. Essentially, organizations intending to make marketing calls or send marketing messages or facsimiles to a Singapore telephone number would be required to filter their list against the relevant DNC register (more on this below).
The PIDPA is expected to be gazette at the beginning of 2013, but the substantive provisions of the PDPA will only come into effect after a sunrise period of 18 months for the data protection framework, and a further period of 12 months for the implementation of the DNC registry. This transition period allows the Personal Data Protection Commission (“Commission”) time to engage in outreach efforts to build up awareness on the requirements imposed by the PDPA, and affords organizations an opportunity to “get their houses in order” for achieving compliance with the PDPA.
In recognition of the risks that can accrue to an individual, privacy laws have been enacted to act as a cushion to define what constitutes legal and illegal activity when it comes to the protection of an individual’s data when it is being transmitted over telecommunication streams.
There is a proverb which admonishes that “when the rhythm of the drum changes, the dance movement must also change accordingly.”
The western world had gone on to make laws and regulations administering collection, access and retention of personal data. Good examples in Africa are our West African neighbors, Ghana who’s Data Protection Act 2012 (No. 843) was passed in March 2012; Zambia, and Tunisia. It should also be noted that Kenya had gone ahead to develop its own Data Protection and Privacy Policy for a sustainable social and economical growth.
You would therefore agree with me that the passage of the Bill into law would improve free communications amongst citizens and foster greater confidence in the private sector while curtailing negative impacts on data collation.
10. There is no doubt also that programmes like this as well as sustained dialogue between all stakeholders should be further encouraged as we collectively engender a culture of transparency and accountability in governance.
*Excerpts from a keynote address by Mr. Mohammed Bello Adoke, SAN, CFR
Hon. Attorney-General of Federation & Minister of Justice and Minister of Justice at the stakeholders workshop on the draft bill on personal information and data protection in Abuja recently.
... Making SENSE of digital revolution!
No comments:
Post a Comment