The release of the biodata of David Ukpo to the detained former Senate President, Ike Ekweremadu, and his wife, Beatrice, by the Federal High Court in Abuja may have violated the Nigeria Data Protection Regulation.
The PUNCH reported that the court ordered the National Identity Management Commission, the Nigeria Immigration Service, and some banks to release the biodata of David.
Ukpo had been at the centre of an alleged kidney harvesting controversy for which Ekweremadu and his wife were arrested in the United Kingdom on June 24. The donor’s passport had appeared online, prompting the Federal Government to order an investigation into the breach of his data privacy.
While the data breach had yet to be resolved, Justice Inyang Ekwo in a ruling on Friday granted the prayers of the counsel to the Ekweremadus, Adegboyega Awomolo (SAN), for Ukpo’s biodata to be released to the couple to aid their defence in the trial in the UK. “I make an order granting the prayers,” the judge ruled.
Meanwhile, a source at the NIMC expressed concern over the extent to which the ruling breached the provisions of the Nigeria Data Protection Regulation 2019, put in place in accordance with the Act establishing the National Information Technology Development Agency.
The source lamented that it was wrong for the data of a subject to be released to another individual, adding that the judgement was hasty and that the commission still had a window to file its processes when the court gave its judgement.
The NITDA Act 2007 had mandated the agency to “inter alia develop regulations for electronic governance and monitor the use of electronic data interchange”.
Section 2.3 of the regulation, which speaks to ‘Procuring Consent’, stated, among other provisions, that no data shall be obtained without the subject’s knowledge and that the subject must give consent without coercion.
Section 2.3 reads, “(1) No data shall be obtained except the specific purpose of collection is made known to the Data Subject; (2) Data Controller is under obligation to ensure that consent of a Data Subject has been obtained without fraud, coercion or undue influence; accordingly: (a) where processing is based on consent, the Controller shall be able to demonstrate that the Data Subject has consented to processing of his or her Personal Data and the legal capacity to give consent; (e) where data may be transferred to a third party for any reason whatsoever.”
The NIMC source noted that the commission was saddened by the ruling because there was no evidence of consent from the data subject, the request was made in the private capacity of the Ekweremadus, and no provision in the NIMC Act, Regulations & NDPR permits such transmission of personal information.
The source hinted that the commission was only served with the court processes on June 27 and 30, 2022, and that the application before the court sought an order of mandamus to compel NIMC to disclose the NIN data of a citizen without the consent of the citizen, which was in contravention of the NDPR.
The source added, “The applicants are not law enforcement agencies and cannot, therefore, assert to the court that the information will be used to prevent crime. Therefore, they do not have the capacity to act for law enforcement agencies. The proper process is to apply to relevant law enforcement agencies and to join HAGF (Honourable Attorney General of the Federation) in the process.”