Data Protection Legislation for Nigeria, The Time is Now (Part 1)

Over the last decade, identity theft has become one of the fastest growing global crimes. This can be attributed to a number of reasons: •       Huge margins for …


Over the last decade, identity theft has become one of the fastest growing global crimes.

This can be attributed to a number of reasons:

•       Huge margins for little effort and risk on the part of criminals

•       Inadequate legislation or punishment to deter identity thieves

•       Organisations not deploying appropriate security measures

•       People not being aware of the value of their personal information


It had for a while been thought that the only victims of identity theft were individuals whose personal information has been obtained illegally. Evidence has however shown that organisations, which obtain and sell personal information, have fallen prey to sophisticated criminals.


For example:

•       Customers of financial institutions have been tricked into handing their personal data through phishing scams,


•       Personal information brokers have had their systems breached by identity theft criminals. This can be illustrated with Choicepoint and Lexisnexis, both of which have been hit by large scale identity theft of personal information stored on their databases


•       Internal staff have colluded with criminals to illegally sell personal information, which is then used to purchase goods without the knowledge of the individual.


•       The U.S. Attorney’s Office has prosecuted approximately ten individuals for being involved in the use of financial institution computers to obtain customer information, and using that information to commit fraud. The prosecutions have included financial institution employees, and impostors who assumed the identity of account holders to commit bank fraud and fraud on the Internet. As part of each plea agreement, the financial institution employees agreed to be statutorily barred from employment at any federally insured financial institution for ten years following the date of conviction, pursuant to 12 U.S.C. § 1829(a). According to court documents, some convictions have included:


o      Kimberley Molette Smart, 27, of Sacramento, was sentenced on December 5, 2002, to serve one year and one day in prison, and given a three-year term of supervised release, in connection with using her financial institution position to obtain customer account information from the financial institution computer, and provide it to others who caused an intended loss of approximately $121,146.63.


o      Lynn Booker, 34, of Sacramento, a former credit union employee, pled guilty to committing a check “kite” through unauthorised computer access to customer account information from a financial institution. On January 21, 2003, Booker was sentenced to a five-year term of probation and ordered to pay restitution in the amount of $25,510.97.


In realising that personal information has value and that it can be used to obtain false documents which in turn can be used to commit criminal activity, data protection legislation has been enacted to identify the responsibilities of organisations that collect, transmit, store and process personal information. These legislations also have provisions, which provide for redress in the event that the organisation breaches data protection provisions in the handling of personal information.


What is Personal Data?


A good definition can be derived from the UK Data Protection Act  which defines personal data as follows, “Data that relates to a living individual who can be identified from such data, or and other information which is in the possession of, or is likely to come into the possession of, the data controller  and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual .”

What is data protection?


Data protection involves the implementation of administrative, technical or physical measures to guard against unauthorised access to such data.

It stems from legislative requirements such as the European Convention of Human Rights, and has with the advancement in automated processing of data been influenced by new legislations such as the European Data Protection Directive  and the Directive on Privacy and Electronic Communications .

It involves the protection of personal data, which covers both facts and opinions about an individual.


An instance of data protection legislation can be illustrated with the European Convention on Human rights, which provides for the right of respect to private and family life . It further provides that there shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well being of the country, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others .


This has implications relating to information about data of individuals in respect to how it is kept, processed and transmitted, this is so especially since misuse can lead to a breach of the aforementioned right.


Why do we need Data Protection?


Advances in technology has led to easier ways of carrying out daily routines, indeed, many activities which in the past required physical presence before a purchase could be made of a product, now only need the supply of personal details. While this is convenient, and has led to faster means of conducting business, it has also led to a rise in identity theft.


It is also to be noted that with the proliferation of business activity in relation to customer information, a number of organisations have sprung up which have identified the fact that information about a person can be of value to other organisations. This has led to a number of underhanded means of collecting personal information in what appear to be promotional information leaflets. 

Victims tend to fill these leaflets in only for this information to be collated and then sold to marketing companies. It is this type of activity that has led to the call and development of data protection laws leading to stiff penalties for organisations and individuals that breach them. Indeed, under the UK 1998 Data Protection Act it is an offence for a person, knowingly or recklessly, without the consent of the data controller, to obtain personal data .

To buttress this point further an individual named Alistair Fraser, trading as Solent Credit Control , pleaded guilty to offences of unlawfully obtaining and selling personal information in breach of the Data Protection Act 1998.

Mr Fraser had obtained the personal information of certain individuals by deception from the Department for Works and Pensions. He then sold the information to third parties. He was found guilty and fined. A feature of this case is the fact that it was brought to court by the Information Commissioner, thus showing that the Commissioner is prepared to use enforcement powers to combat and discover agencies that illegally obtain and sell personal information.


In the United States organisations that violate data protection legislations relating to privacy of information are severely punished. In the case between United States of America (for the Federal Trade Commission) v. Hershey Foods Corporation: Mrs. Fields Cookies and Hershey Foods Corporation each agreed to settle Federal Trade Commission charges that their Web sites violated the Children’s Online Privacy Protection Act (COPPA) Rule by collecting personal information from children without first obtaining the proper parental consent.


Mrs. Fields are to pay civil penalties of $100,000 while Hershey will pay civil penalties of $85,000.

The separate settlements also bar the companies from violating the Rule in the future.

 The COPPA Rule applies to operators of commercial Web sites and online services directed to children under the age of 13 and to general audience Web sites and online services that knowingly collect personal information from children under 13. Amongst other things, the Rule requires that Web site operators obtain verifiable consent from a parent or guardian before they collect personal information from children.

In this article

Join the Conversation