President Muhammadu Buhari is expected to sign the Nigeria Data Protection Bill 2022 into law before the end of his tenure, the nation’s data privacy watchdog chief has told Technology Times.
Dr. Vincent Olatunji, National Commissioner and CEO of Nigeria Data Protection Bureau (NDPB) says that the imminent data protection law will further empower the privacy watchdog to adequately protect and safeguard the private data of over 200 million Nigerians.
The National Commissioner dropped the hint while reacting to the Federal Government’s recent directive that all Federal institutions should comply with the provisions of data privacy regulations in the country.
Mr. Boss Mustapha, Secretary to the Government of the Federation, had in a circular dated November 7, 2022, with Ref No. SGF/OP/l/S.3/Xll/186 instructed all Government Ministries, Departments, and Agencies (MDAs) to comply with the provisions of the Nigeria Data Protection Regulation (NDPR), the nation’s data privacy and protection rules.
In the exclusive interview with Technology Times (published below) the Nigerian privacy watchdog agency’s CEO says the SGF’s circular will be a big boost for NDPB’s efforts to improve compliance by Federal Government institutions where “we discovered that the level of compliance in the public sector was just 4%.”
Download The Nigeria Data Protection Bill, 2022
Technology Times: Dr. Olatunji, To your Bureau, what’s the significance of the circular from the SGF to all MDAs regarding immediate compliance with some of the key provisions of the NDPR? We saw where you were quoted as saying that it is historic. Can you further expatiate on this?
Dr. Olatunji: Yes. It is historic and a welcome development in the sense that people say charity begins at home, which is government. A full fledge implementation agency, that is the NDPB, has been set up to ensure implementation. And in the public sector, there is no compliance or there is a very low level of compliance. I think it would be sending the wrong signal to the entire nation and the international community.
It is part of what we have been pushing for that compliance in the public sector should be taken seriously for all government MDAs, and even the vendors, and contractors working for the government.
On annual basis, we carry out our implementation evaluation. And the last one we did last year, we discovered that the level of compliance in the public sector was just 4%.
And you know what that means. And that was why part of what we did when the Bureau was set up was to first create awareness in the public sector. We have gone around over 50 MDAs to preach the gospel about data privacy and protection on the part of all these MDAs who are major data controllers and they have a lot of data processors working for them.
So this actually started with a visit to the Secretary to The Government of The Federation and topmost on our agenda to him was that we actually need a circular to the public service for them to comply.
And the good thing is that there’s a new guideline now for the use of IT equipment in the public sector under the guidelines issued by the Head of Service of The Federation. That guideline has also endorsed this circular issued by the SGF. So very soon we will hear from The Office of the Head of Service too also directing government offices to comply with the regulations.
And even in terms of our reputation as a nation, considering that the whole public sector in the country has been mandated to comply with the provisions, it encourages the international community to now have confidence; to have trust in whatever they do with the government. They will know that the issue of confidentiality, integrity, and availability of data are all taken seriously by the government. It is very good news. It is cheery news to us.
On annual basis, we carry out our implementation evaluation. And the last one we did last year, we discovered that the level of compliance in the public sector was just 4%.
-Dr. Vincent Olatunji, National Commissioner and CEO of Nigeria Data Protection Bureau (NDPB)
Technology Times: With the benefit of insight you’ve taken very top leadership positions before the Bureau at the topmost IT agency of the Federal Government. And every time we talk about local content in ICT, people would usually refer to the fact that there were equally several instances of executive orders regarding local content, but we didn’t see much compliance within the MDAs. How do we ensure that this latest directive does not go the way of local ICT content? Of course, you know what I’m talking about regarding buying Nigeria-made PCs and devices in Federal MDAs.
Dr. Olatunji: Thanks. The first one on non-compliance with the local content directive, I won’t say there has been no compliance to it. As you very well mentioned, I was a top executive of NITDA before the appointment and I was fully involved in a lot of initiatives embarked on by NITDA to ensure proper compliance. But what we kept hearing from people, from the organisations, is the standards of the IT products and services, which is one; and support services which is absolutely necessary for people who buy their products, who engage in their own service or the other. That was really lacking. And there are structures being put in place by NITDA to work with the service providers to ensure that they correct all these things to further compliance.
As a matter of fact, NITDA has a Compliance Committee to put in place the necessary framework and guidelines to ensure that these are actually addressed fully.
There was a time that the OEMs actually formed an association for them to be able to graduate to the level of ODM where all of them will have a plant where they can go to and do their assembly. To a large extent, that would drive down the cost of setting up a factory on their own. I am sure that work is still going on on that.
The unique thing about the issue of data protection is that it concerns everybody and the moment data subjects know their right, I am sure they will push for it. The moment data controllers and processors know their obligations to their data subjects, they will have to put in place necessary measures to ensure that this is done.
Now, one unique thing we have done with the issue of data privacy and protection is to have a PPP, which is a public-private partnership arrangement. That’s a model that is unique to us in Nigeria. It has never been done in any part of the world, whereby we licensed DPCOs: Data Protection Compliance Organisations who offer compliance to the end users as a service. We have licensed 103 of them, and we have even opened the opportunity for more to come in. We slashed the fees to 150 (150,000 Naira) because of the size of the country, and increasing awareness on the part of data subjects for controllers. So, these organisations are the ones that will be going round to MDAs.
“I was a top executive of NITDA before the appointment and I was fully involved in a lot of initiatives embarked on by NITDA to ensure proper compliance. But what we kept hearing from people, from the organisations, is the standards of the IT products and services, which is one; and support services which is absolutely necessary for people who buy their products, who engage in their own service or the other. That was really lacking.”
-Dr. Vincent Olatunji, National Commissioner and CEO of Nigeria Data Protection Bureau (NDPB).
As a matter of fact, a lot of them have gone to MDAs, but what they kept telling them is the fact that there is no directive from the Government for them to comply. So these DPCOs have gone to a lot of MDAs, and what they kept telling them is that we don’t have any authority to comply. But now that that authority has been issued, we have set up a monitoring mechanism under the Head of Service, and part of the directive, given this circular, is that all the MDAs should send their names or their DPOs: Data Protection Officers, because they are now to designate appropriate officers as Data Protection Officers who will coordinate their data processing activities, create awareness, and do the PIA to supervise that and we would build their capacity on what to do, how to do and when to do one thing or the other on data processing.
So we have the framework to put in place to ensure proper monitoring and evaluation of what is going to happen going forward, and I’m sure that from next year, you will see that happening. If you look at the circular, the deadline given to all MDAs to comply is the fifteenth of March next year. I’m sure that the number is going to increase compared to what we had last year. Although, we do not expect a complete shift, or complete compliance in the first year, and that’s why the issue of awareness comes in which is really topmost in our agenda, and that’s number one of our strategic pillars. But we have put in place measures to ensure that proper awareness is carried out. We are pretty optimistic that they are going to comply.
Technology Times: Is there anything more you might want to add that we may have left out regarding this directive?
Dr. Olatunji: I’ll just say that this task ahead is not for one person. It is not for one organisation or government alone. It is for everybody. That is why we keep saying that we are ready and willing to partner with all stakeholders who are ready to partner with us because we are talking about Nigeria and over 200 million Nigerians here whose data should be adequately protected and safeguarded and ensure that they are processed within the laws of the country guiding issues of data privacy and protection.
And by the way, our Bill is now with the Minister, who is now preparing to take it to FEC, that is the Federal Executive Council, for approval to be sent to the National Assembly. Our target is to get it passed before the tenure of this government. We are currently working with Regulation, by the time we have the Act, that is the Nigeria Data Protection Act, which gives us powers to ensure proper enforcement and gradually change the minds of our people and let them know the importance of data protection.
With all of us working together, and that’s where the media is really important and strategic to us in whatever we are doing to drive up this issue of awareness.
We are also collaborating with a lot of government organisations. About three weeks ago, we signed an MoU with the FCPC, which is the Federal Competition and Consumer Protection Commission. We have visited NOA, that is the National Orientation Agency, they have offices in 774 Local Governments in Nigeria. So in the area of advocacy, we believe we can work together.
For the health sector, we have visited the Ministry of Health, because their own data there is more peculiar because they are sensitive data and there are additional measures we need to put in place to ensure compliance.
We are working with the Lottery Commission, where over 60 million Nigerians partake on a regular basis.
So we are trying to build strategic partnerships with government agencies, the private sector, the media, and NGOs to create proper awareness to ensure that the issue of privacy is brought to the front burner in Nigeria. And if we will continue, very soon, we will be able to look back and realise that we have been able to make an impact in the country.
