Data Privacy and Protection in the Telecommunication Sector

The Association of Telecommunications Companies of Nigeria (ATCON) is happy that the current Minister of Communications and Digital Economy, in the person of Prof Isa Ali Ibrahim Pantami, has established the Nigeria Data Protection Bureau, which presently has Dr Vincent Olatunji as its National Commissioner/Chief Executive Officer. For us at ATCON, we consider this dialogue apt and timely, and we are proud to identify with the Nigeria Data Protection Bureau. To start with, data privacy is the protection of personal data from those who should not have access to it; it is also the ability of individuals to determine who can access their personal information.

Data Privacy and Data Protection are used interchangeably. Data Protection is important since it protects the information of an organization from fraudulent activities, hacking, phishing and identity theft. Any organization that wants to work effectively needs to ensure the safety of its information by implementing a data protection plan. As Nigeria moves to the implementation of a digital economy, more information than ever before will be transmitted via the internet.

The Nigerian Communications Commission (NCC) has been working with various stakeholders to establish an internet code of service in order to promote and safeguard an open internet. It should be emphasised that the Nigeria Communications Act does not have any direct or specific provision on net neutrality of traffic management. We strongly believe that with the creation of the Nigeria Data Protection Bureau the issue of specific provision on net neutrality of traffic management would be put in place in collaboration with the Nigerian Communications Commission (NCC), National Information Technology Development Agency (NITDA) and National Information Management Commission (NIMC).

Data Retention

Under the Consumer Code of Practice Regulation, operators in the telecommunications industry are required to retain records of consumers' bills and related charges for a minimum period of 12 months. Information collected and recorded as part of the operator’s complaint handling process is also required to be retained for at least 12 months after the resolution of the complaint. The Cybercrime (Prohibition, Prevention etc) Act 2015 requires service providers to keep all traffic data and subscribers’ information for a period of 2 years. On the request of a relevant authority or any law enforcement agency, a service provider is required to preserve, hold or retain:

  • Traffic data
  • Subscribers’ information
  • Non content information and content information

It should be noted that NCC is currently seeking stakeholders’ comments on Consumer Code of Practice Regulation (as amended).

Government Interception/Retention

The Cybercrime (Prohibition, Prevention etc) Act 2015 provides that where there is reasonable ground to suspect that the content of an electronic communication is required for the purpose of a criminal investigation, a judge may, on the basis of information on oath, order a service provider to intercept, collect, record, permit or assist with the collection or recording of content data and traffic data in relation to a specified communication transmitted by means of an electronic device (a computer system, telephone, etc). Pursuant to the Nigeria Communications Act 2003, the NCC may determine whether an operator should implement the capability to allow for authorized interception of communications, and it may specify the technical requirements for doing so.

Telecom Operators’ General Data Security Obligations to Consumers

The draft guidelines on Data Protection 2013 issued by the National Information Technology Development Agency (NITDA) cover all organizations that process the personal data of Nigerian citizens inside and outside of Nigeria and prescribe minimum data protection requirements for the collection, storage, processing, management, operation and technical control in relation to such information.

The draft NITDA guidelines provide that:

  • personal data must be processed fairly and lawfully;
  • personal data must only be used in accordance with the purposes for which it was collected;
  • personal data must be adequate, relevant and not excessive;
  • personal data must be accurate and where necessary kept up to date;
  • personal data must be kept for no longer than is necessary;
  • personal data must be processed in accordance with the rights of data subjects;
  • appropriate technical and organisational measures must be established to protect the data; and
  • personal data must not be transferred outside of Nigeria unless adequate provisions are in place for its protection.

The General Consumer Code issued by the NCC as a schedule to the Consumer Code of Practice Regulations 2007 recognises and restates the internationally accepted general principles on data protection and privacy and is largely similar to the provisions of the draft NITDA guidelines. The code also provides detailed complaint submission and handling processes for the contravention of any of the provisions of the code.

The Registration of Telephone Subscribers Regulation 2011 was issued by the NCC to provide a regulatory framework for the registration of subscribers to mobile telephone services and for the establishment, control, administration and management of the central database. In compliance with the regulations, providers of mobile telephone services are required to collect, store and transmit subscriber information to the central database. In line with the provisions of the regulations, the central database is the property of the Federal Government of Nigeria and is kept at the NCC. However, the regulations allow mobile telephone service providers to retain and use subscriber information collected by them on their networks in accordance with the provisions of the General Consumer Code of Practice for Telecommunications Services, which has provisions that comply with the international standards on data protection and privacy.

Under the Cybercrime (Prohibition, Prevention etc) Act 2015 service providers are required to preserve and retain traffic data and subscriber information for a period of two years and to release this information to law enforcement agencies if requested to do so. When providing the information to law enforcement agencies the service provider must consider the privacy rights of the individual and take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved. The act also details fines and terms of imprisonment for:

  • the interception of electronic messages;
  • unlawful interception;
  • computer fraud and forgery;
  • unauthorised modification of data; and
  • systems interference.

Thank you for your attention.