Good Morning Stephanie, is me okafor Stanley your 2017b copa mate in Oyo
state. Am working with Shell Oil Company in Rivers State branch, call me now 4
details b/cos internal recruitment  is
going on now.”

A colleague of mine who is a
serving as a youth corps member shared the message above to me and narrated how
the sender of the text message was able to provide sensitive information like
her NYSC State Code, platoon, present local government and her place of primary
assignment when she contacted him.  It
became clear to her that some very skilled person talented in the art of cyber
crime had somehow gotten access to her personal details at the NYSC database.

Other friends and colleagues have
reported similar incidences wherein some unscrupulous elements represent
themselves to have been their platoon mates and promise offers of a
mouth-watering offer upon exchange of monetary consideration. Indeed, with the
recent increase in legal education and awareness, only a few Nigerians are
likely to fall for this gimmick.

However, this does not negate the
very alarming issue that the fraudsters were able to get access to very
sensitive information (such as the full names, phone numbers, NYSC State Code,
local government and Place of Primary Assignment) of innocent corps members.
When such happens to only one person, it can be assumed that the fraudster
accidentally came across the singular file of the victim, and decided to
capitalize on this. But, where this happens on a mass scale (as it has
reportedly happened in Lagos, Oyo, and Edo states) it cannot but be assumed
that the fraudster has access to the NYSC database.

Indeed, the National Directorate
and the State Governing Board of the NYSC established by Sections 3 and 6 of
the NYSC Act are responsible for everything that has to do with the collation
and maintenance of data of both corps members and prospective corps members who
have evinced an intention to join the scheme. 
It is regrettable that both the NYSC Act and the NYSC Bye-Law are silent
on the protection of the database of corps members they maintain. 

It is even more painful that
there is no direct legislation on the protection of data/information of
Nigerians held by government/public agencies in the country. Section 37 of the
Constitution of the Federal Republic of Nigeria 1999 (as Amended) has tried its
best to secure the privacy, homes, telephone conversations and telegraphic
communications of Nigerian citizens. However, that constitutional provision is
not penal; neither does it protect the personal data and information of
Nigerian citizens.

Some sensitive sectors of the
economy have attempted to protect the personal data of Nigerians as it relates
to that sector. For example, the Nigerian Communication Commission (NCC) has
the Consumer Code of Practice Regulations 2007 and the Registration of
Telephone Subscribers Regulation 2007 which regulates data obtained by
telecommunications operators in Nigeria and imposes administrative fines
ranging from N200,000 (Two Hundred Thousand Naira) to N1,000,000 (One Million
Naira) in the event of an unauthorized disclosure of information.  These regulations are however industry
specific and relate to only the communications sector.

The National Information
Technology Development Agency came close to prescribing a detailed framework on
protection of personal data of Nigerians with its draft Guidelines which
prescribe the minimum data protection requirements for the collection, storage,
processing, management, operation, and technical controls for information. The
Guidelines attempt to regulate all organizations or persons that control,
collect, store and process personal data of Nigeria residents within and
outside Nigeria for protecting of a specific category of data commonly known as
Personal Data or Object Identifiable Information (OII).The Guidelines are to
apply to only to federal, state, and local government agencies and institutions
as well as private-sector organizations that own, use, or deploy information
systems of the Federal Republic of Nigeria.[i] The
Directorate and the State Governing Board of the NYSC therefore falls under the
purview of the Guidelines, but it remains very sad that the Guidelines which have
remained a draft since 2013 are still currently undergoing review.

It is proposed that penal
provisions be incorporated into the Guidelines which should in turn be proposed
as a Bill for the National assembly to legislate on. In other advanced climes,
unauthorized access to personal data is taken very seriously and treated as an
offence. It is time Nigeria gravitates away from mere constitutional theorems
to adopt a more pragmatic approach for the protection of sensitive personal
data of Nigerians. This will no doubt have a corresponding decrement in the
rate of cyber crime which is often times facilitated by access to such personal

Nonso Anyasi is an Associate at Charles Mekwunye
& Co. He has keen interests in intellectual property and ICT law and
practice. He is also the Vice-President of the Legal
[i] Data and
Privacy Laws in Nigeria by David Oluranti accessed via
on 17/09/2018.