An Open Letter to Mr. Olumide Akpata, the President-Elect of the Nigerian Bar Association
Dear Mr. President (Elect),
Now that the elections are over: Can the Nigerian Bar Association now take its members’ data protection seriously?
I sincerely congratulate you on your unprecedented and epoch-making election as the 30th President of our great association. Interesting times are indeed ahead of us all.
When we both shared a stage at the NBA-YLF Owerri Summit in December 2019, you disclosed your interest in data protection albeit passively but I dare (respectfully) say that, your attentiveness to such issues ought to now be revved up owing to the status of the NBA as the largest bar association in Africa.
As a privacy professional, I have a number of privacy/data protection concerns about the activities of the bar which I respectfully opine, should be addressed as a matter of national urgency and I have decided to use this medium of expression for posterity’s sake as follows:
Designation of a Data Protection Officer (DPO)
It is needless to say that the bar processes the personal data of well over 30, 000 lawyers but we do not have a DPO. Apart from the fact that the designation of a DPO is a mandatory obligation of every data controller by virtue of article 2.1(2) of the Nigeria Data Protection Regulation (NDPR) 2019, it also conforms with international standard practice. For instance, the International Bar Association (in which activities, the NBA prominently participates) has a DPO in Mr. Joe Bell as publicly published on its website.
On this issue, it is my modest belief, as advised in my previous article titled “https://www.lawyard.ng/2020/06/09/the-ecnbas-publication-of-provisional-voters-list-on-the-internet-data-protection-matters-arising/ published on June 6, 2020, for the Association to designate any of its existing officers/employees as a DPO and I hope the process must have been initiated by the incumbent administration which I believe, has ticked certain remarkable boxes in governance of the Bar.
I humbly expect that, this designation/appointment is made as soon as possible so that someone can represent the Association’s mouthpiece for its data processing activities.
Display/publication of the NBA’s Privacy Policy/Notice on its website
At about 7.15pm on Friday, July 31, 2020, I searched the NBA’s website (https://nigerianbar.org.ng/) and could not find anything like privacy policy/notice anywhere on the home page or other pages. It is scary that, a website that processes lawyers’ personal data (names, sex, education data, ethnicity, contact addresses, telephone number etc) does not have a (conspicuous) privacy policy/notice in this age of technological awareness.
Article 2.5 of the NDPR mandates every data controller to display its privacy policy on every medium through which it collects data but the NBA’s website which processes membership data including health insurance scheme (sensitive data under article 1.3(xxv) of NDPR) does not care to inform its members of the activities
surrounding the processing of their personal data.
Mr. President (elect) sir, your electioneering campaign mooted inclusivity as its mantra, hence, it is my respectful advice for you to kick start this new dispensation with respect and transparency on processing of members’ personal data as well as identification of legal basis for the continued processing of such data under article 2.2 of the NDPR.
Wanton violation of members’ privacy by unsolicited messages and telephone calls
Never in the history of the NBA had we received the volume of unsolicited emails, text messages and telephone calls like we witnessed from the camps of various candidates in the past couple of months leading to this year’s election all in the name of campaigns.
Lawyers were bombarded with all sorts of campaign messages to the point of exasperation and helplessness leaving many data protection questions unanswered:
(a) How did the candidates gain access to our personal data?
(b) Did the NBA obtain our consent in any form before sharing our personal data?
(c) Does the voluntary surrender of our personal data to the NBA amount to consent to process our data for all purposes including receipt of incessant and indiscriminate campaign messages?
(d) Has the NBA identified legal basis for processing member’s data for election campaigns?
The honest answers to the foregoing question will help us fix the problems on our hands and avoid a repeat in the future.
Data Protection Compliance Audit
Article 4.1(7) NDPR obliges every data controller in the ilk of NBA to conduct and file data protection compliance audit on or before the 15th day of March every year but I am not aware our Association has complied with this obligation since the issuance of the NDPR in January 2019.
The audit exercise is beneficial to the Bar in many respects: first, it advertises our regulatory compliance as a responsible professional body. Then, it will help us ascertain the gaps in our data protection practices (which are non-existent, truth be told) and fix them as quickly as practicable. It will ultimately guarantee our respect and protection of members’ privacy and/or data protection rights. Charity must begin from home as far as our promotion of rule of law is concerned.
A Committee on Privacy/Data Protection is long overdue
According to a report by www.researchandmarkets.com published in June 2020, titled ““Insights on the Data Protection Global Industry to 2025 – Featuring CA Technologies, Oracle & McAfee Among Others.” the Global Data Protection Market is expected to grow at a formidable rate of around 10% during the forecast period.
The American Bar Association has a Privacy and Data Security Committee which provides members with updates on new technologies, including what is available and how it can be used cost-effectively, and updates on legal issues affecting, or affected by, technology ranging from electronic discovery to evidentiary issues to courtroom techniques.
Like its American counterpart, the NBA must come alive to this reality and empower its members to take advantage of the new opportunities this emerging practice area promises by setting up a dedicated committee or sub-committee to drive members’ awareness and collaborations for growth in data protection practice.
Conclusively, it is my respectful advice that, in fulfilment of its lofty promises, the NBA under Mr. Akpata’s watch must be:
• A Bar that does not breach our data under the guise of electioneering campaigns
• A Bar that no longer exposes us to data privacy violations
• A Bar that will inform us (via privacy policies/notices) of activities surrounding processing of our personal data
• A Bar that complies with data protection laws/regulations
• A Bar that truly promotes rule of law by first respecting and protecting its members’ privacy rights (section 37 of the Constitution)
I believe you (Mr. Akpata) is a “hearer” and “doer”, hence we keep our fingers crossed while anticipating a systemic delivery of all your campaign promises.
Please accept the assurance of my best professional regards as always.
Respectfully,
Olumide Babalola
July 31, 2020
