Ekweremadu: How the NDPR is violated by the court’s decision to divulge donor biodata

There are signs that the Federal High Court in Abuja may have broken the Nigeria Data Protection Regulation when it instructed some banks, the National Identity Management Commission, and the Nigeria Immigration Service to give the detained former Senate President Ike Ekweremadu and his wife Beatrice access to David Ukpo’s biodata.

Ekweremadu and his wife were detained in the UK on June 24 as a result of an alleged kidney harvesting dispute for which Ukpo was at the center. The Federal Government demanded a probe into the breach of his data privacy after the donor’s passport surfaced online.

Justice Inyang Ekwo approved the requests of Adegboyega Awomolo (SAN), the counsel of the Ekweremadus, for Ukpo’s biodata to be disclosed to the couple in order to aid their defense in the UK trial, despite the fact that the data breach was still ongoing. The judge declared, “I make an order granting the prayers.”

The Nigeria Data Protection Regulation 2019, which was put in place in accordance with the Act creating the National Information Technology Development Agency, was breached to what extent? A source at the NIMC expressed concern.

The agency was required under the NITDA Act of 2007 to “create regulations for electronic governance and supervise the usage of electronic data interchange,” among other things.

No data may be taken without the subject’s awareness, and the subject must give consent freely and without compulsion, according to Section 2.3 of the regulation on “Procuring Consent.”

Section 2.3 reads, “(1) No data shall be obtained except the specific purpose of collection is made known to the Data Subject; (2) Data Controller is under obligation to ensure that consent of a Data Subject has been obtained without fraud, coercion or undue influence; accordingly: (a) where processing is based on consent, the Controller shall be able to demonstrate that the Data Subject has consented to processing of his or her Personal Data and the legal capacity to give consent; (e) where data may be transferred to a third party for any reason whatsoever.”

The request was made in the private capacity of the Ekweremadus, and no provision in the NIMC Act, Regulations, or NDPR permits such transmission of personal information, according to the NIMC source, who also said that the commission was saddened by the decision because there was no proof of the data subject’s consent.

The source suggested that the commission was only served with court documents on June 27 and 30, 2022, and that the court had been asked to issue a mandamus order compelling NIMC to release a citizen’s NIN data without the citizen’s consent, which was against the NDPR.

The source added, “The applicants are not law enforcement agencies and cannot, therefore, assert to the court that the information will be used to prevent crime. Therefore, they do not have the capacity to act for law enforcement agencies. The proper process is to apply to relevant law enforcement agencies and to join HAGF (Honourable Attorney General of the Federation) in the process.”