Addressing the data protection policy problem

According to Bennett,⁴²⁴ two principal and common elements gave birth to, and shaped information privacy protection policy in the post-industrial societies such as US, Germany, UK, Sweden etcetera. These elements are bureaucracy and information technology; these have created changes in the ways that public and private organisations collect and use personal information. It is these changes that prompted fears about ―the implications for the personal privacy of citizens…‖ thereby giving birth to data protection/information privacy policies in those countries.⁴²⁵

In the countries where they are available, data protection policies and legislation arose as a consequence of technological development. The question arises therefore, whether the spread of ICTs in Nigeria is wide enough to create a critical mass sufficient to constitute technological development and thus elicit a data protection policy response from the government. The answer is clearly that Nigeria is still at the

423 Telecommunications Networks Interconnection Regulations 2003 available online at the NCC website .

424 Bennett Regulating Privacy.

425 Ibid at 2-3.

130 nascent stage of technological development. Nevertheless, the government‘s response to data protection issues so far has been an articulation of policy objectives in key policy documents but no commensurate legislative and/or regulatory response. For example, the National Telecommunications Policy declares that:

Government shall continue to closely monitor the emerging applications of the Internet in areas such as banking, telephony as well as e-commerce and enact appropriate legislation and incentives that will encourage their use to promote rapid socio-economic development.⁴²⁶

The government is mindful of the benefits derivable from harnessing the potentials of ICTs in pursuit of the goal of socio-economic development. A Presidential Committee on Capacity Building for Outsourcing estimated in 2005 that Nigeria can earn about eight billion dollars annually from off-shore out-sourcing of ICT based services rendered to foreign based multinationals.⁴²⁷ The chairman of the committee is reported to have said that Nigeria was on the verge of embracing the out-sourcing⁴²⁸ initiative in order to earn foreign exchange from non-oil resource.⁴²⁹ What the chairman did not mention is that, in order for the out-sourcing dream to become a reality, several factors have to be in place.⁴³⁰ The outsourcing of business

426 National Telecommunications Policy Chp 7.1 (iii).

427 Ezigbo 17th Oct 2005 Thisday.

428 Outsourcing is the management and/or day-to-day execution of an entire business function by a third party service provider. It is carried out by company A, contracting with another company B or person to do a particular function. According to the 2004 Economic Report of the President:

One facet of increased services trade is the increased use of offshore outsourcing in which a company relocates labor-intensive service industry functions to another country.

For example, a U.S. firm might use a call center in India to handle customer service related questions. The principal novelty of outsourcing services is the means by which foreign purchases are delivered. Whereas imported goods might arrive by ship, outsourced services are often delivered using telephone lines or the Internet. The basic economic forces behind the transactions are the same, however. When a good or service is produced more cheaply abroad, it makes more sense to import it than to make or provide it domestically.

See Council of Economic Advisers Economic Report of the President 229 [online]. See also Mankiw and Swagel The Politics and Economics of Offshore Outsourcing 7 [online].

429 See n 427.

430 According to Van Der Linden and Hengeveld, the core factors that must be present in a country seeking to attract outsourced work are:

 Knowledge

131 services offshore is now an established practice and the requirement for a transparent legal and regulatory regime is a top priority for the big companies and financial institutions that outsource some of their business processes offshore. The risks arising from non-compliance with privacy laws is a key factor in a company‘s assessment of whether to outsource services or not. Recurring reports in the media about breaches of data security and identity thefts around the world have focused attention on the need for stringent privacy protection measures.⁴³¹ The reports have triggered a backlash of legislative interventions to secure data protection particularly in the US.⁴³² Companies in the US and EU are now under increasing pressure from legislations that insist on them guaranteeing the privacy of their customers' financial and medical data.⁴³³

 Investment into the local economy by large international companies

 Creation or expansion of a potential niche

 The political stability of a country

 Collaboration between the government, higher educational institutions and industry

See Van Der Linden and Hengeveld Critical Success Factors for Obtaining Outsourcing Projects 1-4 [online]. See also Pai and Basu Offshore Outsourcing [online].

431 See Privacy Rights Clearinghouse Chronology of Data Breaches [online]. The Privacy Rights Clearinghouse website contains links to other sources of information on data security breaches. Also, a widely publicised sale of customer IDs by an Indian call-centre staff in April of 2005 generated extensive discussions on the merits of outsourcing, prompting many enterprises to re-evaluate their assessments about the adequacy of data privacy and security laws in countries like India. See 23 June 2005 Daily Mail online.

432 In 2005 alone, several Bills were introduced in the American Senate and House of Representatives to mitigate identity theft, ensure privacy, provide notice of security breaches, require reasonable security policies and procedures to protect computerized data containing personal information and protect individual rights with respect to personally identifiable information. Other Bills introduced seek to establish procedures for the protection of consumers from misuse of, and unauthorized access to sensitive personal information contained in private information files maintained by commercial entities engaged in, or affecting, interstate commerce. The Bills are:

S 1789 Personal Data Privacy and Security Act, introduced 29/9/2005

HR 4127 IH Data Accountability and Trust Act (DATA), introduced 25/10/2005 S 500 Information Protection and Security Act, introduced 3/3/2005

HR1069 Notification of Risk to Personal Data Act, introduced 3/3/2005 S 1336 Consumer Identity Protection and Security Act introduced 29/6/2005 HR 3501 Consumer Access Rights Defense Act (CARD) introduced 28/7/2005

HR 3374 Consumer Notification and Financial Data Protection Act introduced 7/21/2005 HR 3997 Financial Data Protection Act of 2005 introduced 6/10/2005

See The Library of Congress (Thomas) Bills, Resolutions [online].

433 For example, the Federal Information Security Management Act (or Gramm-Leach-Bliley Act) of 1999 requires financial services companies in the US to create privacy policies that govern how information can

132 With the global outsourcing industry projected to continue its impressive growth, it is easy to see why the Nigerian government and the private sector are eager to participate in the global industry.⁴³⁴ However, the requirement for a transparent legal and regulatory environment will pose a very serious obstacle to the realisation of this dream of capturing a good portion of the outsourcing market. This is because the risks arising from the handling of information touch three key areas of concern to the information economy:

 Privacy

 Intellectual property rights

 Infrastructure security

The protection of these core interests of ICT users (whether for personal or business purposes) should be of utmost concern to the government and regulatory authorities.

The Nigerian regulatory regime has not adequately addressed these risks.⁴³⁵ Two of the key objectives of the NTP are:

 To guarantee the privacy, integrity, accuracy, confidentiality, security, availability, and quality of personal information.

 To promote electronic trade, business and commerce.⁴³⁶

To achieve these objectives, as well as other similar objectives, the NITDA is expected to sponsor and promote the enactment of relevant IT laws that guarantee freedom of access to information and establish rights in respect of information. Furthermore, it should promote laws for the protection of online transactions, privacy and

be shared within and between institutions. Also, the Health Insurance Portability and Accountability Act of 1996 (or HIPAA), governs how US health-care institutions handle sensitive patient information.

434 A study by the Federal Deposit Insurance Corporation (FDIC) of the US in 2004 on outsourcing (also known as offshoring) in the financial services sector observed that:

―In spite of different estimates of growth levels, most believe that offshoring will continue to increase for the foreseeable future……the Tower Group estimates that the share of offshored global financial services IT spending has steadily increased, from 50 percent in 1996 to 56 percent in 2003. While difficult to project with certainty, there are strong indications that offshoring will continue to grow into the future.‖

See FDIC Offshore Outsourcing [online].

435 See par 5.4 above.

436 National Policy on Information Technology chp 2.2 3.

133 intellectual property rights.⁴³⁷ Specifically, the NITDA is expected to sponsor and promote the enactment of a Data Protection Act for ―safeguarding privacy of National computerised records and electronic documents.‖⁴³⁸ To date, the NITDA has not submitted any draft Bill for an Act to protect personal data to the National Assembly.

For its part, the strategic thrust of the NCC for the period 2004-2006, for example, was ―Attaining Efficiency in the Telecoms Industry‖.⁴³⁹ During this period, the emphasis of the Commission was on network expansion, technology advancement, convergence and management of competition. There was no corresponding emphasis on data protection and information security.⁴⁴⁰ The Communications Act, 2003 does not have specific provisions that protect personal data. However, it requires the NCC to make interconnection regulations that address the protection of intellectual property rights and commercial information.⁴⁴¹ In 2003, the NCC published interconnection regulations under which it may impose conditions in interconnection agreements to ensure:

The protection of data, to the extent necessary to ensure compliance with relevant legal and regulatory provisions on the protection of data, including protection of personal data, the confidentiality of information processed, transmitted or stored and the protection of privacy.⁴⁴²

The above provision notwithstanding, there is no law on the protection of data (including personal data), or on the confidentiality of information processed, transmitted or stored. Furthermore, the Consumer Affairs Bureau⁴⁴³ established by the NCC to protect the consumer, has drawn up a weak Bill of Rights which makes no

437 Id at 33.

438 Id at 41.

439 Ndukwe NCC Policy and Strategic Thrust - 2005 and Beyond (2004) 6 [online].

440 Id at 13-15.

441 See s 99 Communications Act, 2003.

442 See n 423, Part IV Regulation 13.4 (b).

443 The Bureau was established in 2001 ―to inform, educate and protect all the consumers of telecommunications services in Nigeria.‖ See Consumer Affairs Bureau (Nigeria) webiste [online].

134 mention of data protection.⁴⁴⁴ The availability of personal information profiles resulting from the use of information and communication technologies is of considerable interest not only to the individual to whom the information points, but also to law enforcement, national security, public safety organisations and the commercial sector.⁴⁴⁵ Those nations, and indeed individuals who seek to participate in the global network economy, must agree to abide by the norms and rules that order activities in these globally networked economic and communication systems in order to minimise conflicts and maximise benefits. Information privacy and data protection have become frontline international trade issues thanks to the European Union‘s Directive on data protection.⁴⁴⁶

While most of the technologically advanced countries, and indeed some not so technologically advanced ones, have improved their laws on the transmission and protection of data, Nigeria is yet to enact such laws even in the face of clear policy expressions to do so. Any talk therefore about achieving the kind of success which India and lately South Africa have achieved in the area of call centre outsourcing, will remain a mere wishful thinking. Without enacting the appropriate data protection laws, it will be very difficult to persuade any sizeable corporation in Europe and the US to outsource the handling of its data to Nigerians.

It is therefore necessary to build trust in the telecommunication system by ensuring that a proper balance is maintained between, on the one hand, the need for personal information privacy and, on the other, the need for lawful access to information by law enforcement/state security agents and ordinary commercial interests. Building trust in the system requires the protection and enforcement of privacy rights of the people who use the system. What constitutes privacy, its origins, the threats to it and its relevance to the Information Society is examined in the next chapter.

444 Ibid.

445 Gow Privacy and Ubiquitous Network Societies 1 [online].

446 See Singleton Privacy as a Trade Issue 2 [online]. The South African Law Reform Commission (SALRC) identifies international trade as a primary motivation in seeking the enactment of data protection laws that fit the EU standard. See South African Law Reform Commission (SALRC) Privacy and Data Protection (Discussion Paper 109) vi.

135

CHAPTER 4