By Emmanuel Elebeke
The Lagos State Government risks losing 2 percent of its 2018 annual revenue for breaching the National Data Protection Regulation, NDPR, if found guilty in the ongoing investigation by the National Information and Technology Development Agency, NITDA.
The State may also face criminal prosecution under sections 7 and 8 of the NITDA Act, or be taken to court by aggrieved taxpayers in Lagos whose personal data were exposed by the state revenue service.
Speaking to Vanguard, the Legal Officer with the eGovernment Development and Regulation Department at NITDA, Femi Daniel, said any of the three punishments is likely to be applied in the case against the Lagos State Government for the alleged NDPR breach, as stipulated by the NITDA Act.
It will be recalled that the National Information Technology Development Agency (NITDA) said last Friday, 27th December 2019, that it was investigating the Lagos Internal Revenue Service over an alleged breach of the Nigeria Data Protection Regulation (NDPR), 2019.
In a statement signed by the Director-General of the agency on Friday, Kashifu Inuwa Abdullahi, the agency said it was reliably informed and duly ascertained that the Lagos State Internal Revenue Service (LIRS) published a web portal – https://lagos.qpay.ng/TaxPayer – where personal information of taxpayers of Lagos State was gleaned by the general public in breach of the Nigeria Data Protection Regulation (NDPR), 2019.
It therefore resolved to further investigate the alleged breach and the circumstances surrounding it, with the aim of assessing the impact of the breach, determining the responsibility and culpability of data controllers or processors connected to the breach, and preventing a future occurrence.
Mr. Daniel stated that exposing people’s personal data remains a criminal offense, saying that NITDA would leave no stone unturned in ensuring that the matter is fully investigated and the perpetrators brought to book. He insisted that ‘‘In data protection, it does not matter whether it was done by mistake because there are punishments for the violators,’’ adding that those who did not follow remedial steps will be met with severe punishments.
Following receipt of the complaint against the Lagos Internal Revenue Service, he said the department had swung into action by issuing a press statement based on the public nature of the complaint, in line with NITDA rules, and is now waiting for the response before the final decision is taken on which of the punishments to apply.
With the 7-day window given to the LIRS to respond beginning last Monday, he said that the agency now expects to hear from them early next week.
‘‘We have an enforcement process working, which the agency has been following. After we received the complaint that the Lagos Internal Revenue Service, LIRS, breached the National Data Protection Regulation, NDPR, what we did was to issue a press statement based on the public nature of the complaint.
‘‘The next thing is for us to hear from the other side. We have written them, LIRS, to give us further information on what transpired, the parties involved and the consultant that developed the portal.
‘‘We are also aware that LIRS has recruited a Data Protection organization, in line with Article 4.5 of the National Data Protection Regulation, NDPR, though there is no official communication regarding that. But it must be made clear that it does not make them expose people’s data. The important thing is that they have realised that they made a mistake and consequently pulled down the site.
‘‘We expect to hear from them early next week because we gave them 7 days starting from yesterday, Monday, December 30th, 2019. With evidence of delivery of the letter, we will be able to get an idea of how they have gone,’’ he said.
The Data Protection Organizations are licensed agents that help organizations comply with the NDPR.
For him, it does not matter whether a data breach offense was committed by mistake or not because there are punishments for the violators, noting that those who failed to follow laid-down procedures will be met with severe punishments.
‘‘Glitches of this kind do not insulate LIRS from responsibility or culpability from whatever actions, civil or criminal, that may arise from such a glitch, as personal and confidential information of data subjects was made available to the public illegally,’’ he said, noting that such glitches are in breach of the NDPR and invariably the National Information Technology Development Agency Act 2007.
He advised the public to be vigilant and to report immediately to NITDA or other law enforcement agencies if they notice that the information of any data subject on the LIRS database is further disclosed or used in any manner in violation of the NDPR.
‘‘I enjoin all parties to cooperate with NITDA as we seek to protect the personal and confidential information of Nigerian citizens from misuse and abuse,’’ he said.