How to protect Nigerians’ personal information while combating COVID-19 · Global Voices
Editor’s note: The following post was co-authored by guest writers Tomiwa Ilori and Adeboye Adegoke. Ilori is a researcher, policy analyst with the Centre for Human Rights, University of Pretoria, South Africa; Adegoke is a digital rights advocate, policy analyst and program manager with the pan-African digital rights organisation, Paradigm Initiative.
Check out Global Voices’ special coverage of the global impact of COVID-19.
On 5 April 2020, the Nigeria Governors’ Forum partnered with MTN Nigeria — a telecommunication and internet service provider in Nigeria, — to deliver a range of services to combat COVID-19. Using subscribers’ information, the goal is to conduct contact tracing, deliver palliative measures and services and other needs related to COVID-19.
The Forum is made up of Nigeria’s 36 state governors with a vision that “actively and effectively promotes inclusiveness, democratic values, good governance and sustainable development.”
This move has raised concerns over information sharing, privacy and the protection of human rights. How can Nigerian citizens minimise risk and optimise results while also complying with extant laws?
Adversity begets innovation
COVID-19 has challenged societies to find innovative solutions that are legally permissible to combat the spread of the coronavirus. Optimising government access to citizens’ information presents a range of challenges for governments, private companies and civil society groups alike.
Out of Nigeria’s teeming population of more than 200 million, over 184 million people use active mobile connections in their daily lives, as of December 2019. In terms of combating COVID-19, the potential reach is quite far in terms of preventive education and contact tracing measures.
However, these measures rely on the government’s ability to access subscribers’ central databases. The 2011 Registration of Telephone Subscribers Regulations creates a framework for registration of subscribers’ information and creates a central database for such purpose. This regulation is the legal framework for mandatory registration of mobile phone subscribers despite the several risks of misuse, function creep and insecurity associated with mandatory registration.
The Nigerian Communications Commission (NCC), the regulatory agency for the telecommunications sector in Nigeria, has powers to make subsidiary legislation including regulations to further its objectives.
Regulation 2(b) states that “the Central Database shall be domiciled within the Commission and shall provide a platform for the central processing and storage of subscribers information.”
These databases contain personal subscriber information including “biometrics and other personal information of a subscriber recorded and stored by licensees or the Independent Registration Agents.”
Information used especially to combat the spread of COVID-19 will be personal information that was not originally shared or intended for this purpose.
While the regulations allow for the use of this information through the NCC’s Consumer Code of Practice Regulations, 2007, this must include fair and lawful use and accuracy of information that respects consumers’ other rights.
Perhaps the most relevant of these regulations details how licensees — especially service providers — can ensure accountability under regulation 35(2). It states that subscribers should receive notices on the information collected and for what purpose; subscribers must be presented with choices on the collection, use and disclosure of such information; and the subscriber must have access to such information and security measures in place to protect it.
While the legal landscape in Nigeria on data protection is largely disconcerted considering how key government agencies seem to duplicate policies on data protection — both regulations discussed above seem to be directly related to access to subscribers’ information in fighting the COVID-19 pandemic.
This duplication of policies is largely due to the lack of a multistakeholder-sourced, comprehensive and primary data protection legislation in Nigeria.
The principles in the regulations mentioned above have also been highlighted by the Global System for Mobile Communications (GSMA) in their mobile privacy principles for COVID-19 in April 2020.
Establishing oversight for accountability
One of the practical ways to implement these regulations is to establish an ad-hoc multi-stakeholder committee. Despite the provisions of Regulation 5 of the Telephone Subscribers’ Regulation that the central database is the property of the Nigerian government, it is held in trust for Nigerian citizens and does not absolve the government of any likely claims on misuse in that regard should such arise.
A committee that oversees responsibility and compliance with the letter of the law within a practical time frame could help citizens protect their privacy while also combatting the novel coronavirus.
Here are some points to consider:
Representation: The committee must draw its members from diverse stakeholders in the ICT sector, including government agencies, civil society, the private sector, research and development, policymakers, etcetera. This creates the possibility of mainstreaming accountability into state policy on access to citizens’ information and combating COVID-19.
Compliance and implementation: The bulk of this committee’s responsibilities would be to comply with extant laws while also implementing others on access to subscribers’ information. Subscriber consent is critical. However, most Nigerians are not immediately available to give such consent given the present circumstances. To mitigate negative effects, it is important to design more inclusive and accessible tools like USSD codes with opt-in and opt-out options that may be used to secure subscriber’s consent. USSD, which means “unstructured supplementary service data,” is an interactive and menu-based technology supported on nearly all mobile phones. Its codes allow users the possibility of accessing confirmation and consultation services through dialing.
Also, to prepare for the possible fallout from the inability to secure consent from subscribers, the committee must ensure the publication of periodic audits on the use of subscribers’ information in major newspapers online.
Redress: This committee could create diverse mechanisms for seeking redress if and when subscribers feel aggrieved. There should be systems in place to address grievances with respect to data collection, uses and disclosures.
Proactive disclosures: An important step toward accountability is transparency and to this end, the committee must inform the public on its scope, powers and functions. It must also disclose information about data usage, security measures and available means of redress. The committee can also determine the period of time for which such data will be used.
Combating COVID-19 through all available legal means is urgent. However, such means need not be at the expense of protecting human rights — including the right to privacy.
Using the central database for COVID-19 related measures requires the best designs to mitigate against the risk of privacy breaches.
The government’s recent call for data protection legislation seems late but it is still a welcome call in light of the current COVID-19 challenges. This is an opportunity for the Nigerian ICT sector to use a multistakeholder approach to harmonise its various laws toward a more unified front for COVID-19 — and future emergencies.
While the options suggested above do not foreclose other legally permissible approaches, it shows how human rights protections are not mutually exclusive of public emergencies.