Nigerian lawyers react to massive NIN, BVN data sales, blame agencies 

OpinionOasis

Data lawyers and experts have weighed in on news that over 12,000 Nigerian youths residing across the country are selling the personal information of victims including Bank Verification Numbers (BVN) and National Identification Numbers (NIN) to some fintech institutions.

Some argue that the development shows that relevant authorities are allegedly violating data protection laws by failing to disclose data breaches to the public in a timely manner while containing them.

Some also suggested the need for criminal prosecution of persons involved in unlawful data access so as to deter fraudsters.

In this exclusive interview with Nairametrics, these prominent data lawyers and experts shared their views on the laws and regulations that govern such activities, while offering recommendations.

What Nigerian Data Lawyers/Experts Are Saying 

  • In an exclusive interview with Nairametrics, Barrister Oladipupo Ige, Director of Policy and Managing Partner at the Data Privacy Lawyers Association (DPLAN), stated that Section 39 of the Nigeria Data Protection Act requires data controllers to protect and safeguard personal data in their custody from accidental or unlawful destruction, loss, misuse, alteration, unauthorized disclosure, or access.
  • He added that the law further states that, in providing these safety measures, data controllers must consider the sensitivity of the data, the possible harm a breach can cause, and the extent of processing, among other factors.

 “The law states that the controller must take measures to ensure the security of processing systems and services. See Section 39(2),” he said. 

According to him, the law also provides for data controllers’ obligations in the event of a data breach, including notifying data subjects within 72 hours and taking measures to minimize exposure.

Regarding the current development, Ige stressed, “there have been multiple data leaks from the same data controllers, i.e., NIMC and NIBSS, as they are the agencies in charge of the NIN SLIP and BVN respectively,” highlighting that it can be reasonably inferred that the agencies allegedly do not comply with legal provisions regarding data security in Section 39 because “the data in their custody has been exposed to misuse, unauthorized access, and unauthorized commercialization.”

While these unauthorized actors and their websites are public, Ige stressed that the agencies have not released any breach notifications or offered guidance to data subjects on risk mitigation.

 “This is a possible violation of the law as well,” he said, adding that data-controlling agencies need to take responsibility as there is no need to hide data breaches. 

 “Cyber hackers are good, so it is really a matter of cybersecurity and the security systems in place to safeguard data in their custody,” he added. 

  • He alleged that the presence of “multiple unlicensed actors” selling NIN and BVN data suggests something is wrong with the security or data collection systems of the responsible agencies.
  • Aloysius Gapa Paul, Esq. of AAGU Legal & Notaries, Lagos, told Nairametrics that the 1999 Constitution of Nigeria, under Section 37, guarantees the right to privacy, forming the foundation upon which the Nigeria Data Protection Act (NDPA) 2023 is built.
  • He added that while the NDPA is the country’s primary legislation governing the handling of personal data, unauthorized sale of BVNs and NINs by individuals or institutions to third parties (including fintech companies) without lawful basis or consent constitutes a clear breach of the NDPA.

“Furthermore, the NDPA imposes a duty of confidentiality and security on data controllers and processors. 

“Under Section 39 of the NDPA, data controllers and processors, such as fintech companies, are required to maintain the confidentiality, integrity, and security of the personal data they handle,” he said, adding that several liabilities are outlined in the NDPA, including criminal prosecution of defaulters and defaulting agencies. 

Regarding government agencies like NIMC and NIBSS, Paul explained that if the data in question (NINs and BVNs) were obtained via unauthorized access to the databases of the NIMC or NIBSS—whether due to insider compromise or security lapses—these institutions, as data controllers, could be held accountable under the NDPA.

He added that such liability could arise if their systems lacked adequate security controls (Section 39), they failed to implement or enforce data breach prevention measures, or they neglected to report and contain a breach (Section 40 of the NDPA).

However, if, as both institutions have claimed, the data was obtained directly from individuals who voluntarily sold their information without any system breach, then their legal liability may be limited, Paul added.

He added that nonetheless, the institutions still have a public duty to improve identity verification safeguards and raise public awareness on the risks of disclosing sensitive information, as provided for in the NDPA’s enforcement and remedies sections.

He concluded that whether the failure lies with individuals, institutions, or private firms, all responsible parties must be held accountable under the law.

He recommended that a coordinated multi-agency approach involving the NDPC, EFCC, and affected regulators is essential, not only for enforcement but also to rebuild trust and promote data responsibility across all sectors.

Barrister Uche John Paul opined that while NIBSS and NIMC may not be directly responsible or liable for this breach of personal data, it behooves them, as agencies that serve as repositories for Nigerians’ personal information, to do all in their power to ensure such large data breaches do not occur again—starting with proper sensitization and promotion of a privacy-conscious culture.

He emphasized that fintech platforms must also strictly verify the origin of Know-Your-Customer (KYC) data.

He shared the view that accepting data acquired illicitly suggests some fintechs may be complicit in fraudulent activities, as disclosed by the EFCC.

What Next? 

  • The alleged sale of NINs and BVNs to fintech companies represents a grave breach of Nigeria’s data protection laws and a direct attack on citizens’ privacy rights.
  • It raises major concerns about cybersecurity, institutional oversight, and regulatory enforcement.
  • All eyes are on the Economic and Financial Crimes Commission to arraign the suspects for possible prosecution.

Backstory: Alleged NIN, BVN Sale in Nigeria: EFCC, NIMC Positions 

  • The BVN and NIN sale issue became widespread following a recent press release by the Economic and Financial Crimes Commission (EFCC).
  • The EFCC emphasized that this large-scale fraud, which is currently under investigation, is being carried out by the affected youths.
  • Nairametrics previously reported that several findings indicate that unauthorized third parties still have access to Nigerians’ databases—not just NIN, but also BVN, driver’s licenses, international passports, and more.
  • According to the EFCC, this BVN/NIN fraud scheme is largely driven by an army of young Nigerians who offer a paltry payment of between N1,500 and N2,000 to their victims to make them surrender copies of their personal information, which are then sold to some fintech institutions for about N5,000.

 “These pieces of information are then used to open accounts with fintech companies for investment scams and other fraudulent schemes,” the statement partly reads. 

  • Nairametrics observed that the development sparked widespread online reaction, with some critics blaming the National Identity Management Commission (NIMC).
  • Hours later, NIMC denied any association with the youths in question and disclaimed liability:

 “The NIMC wishes to state clearly that it will not be held responsible for any personal information shared by an individual, directly or by proxy, for the purpose of financial gain or inducement. 

“Nigerians have been informed repeatedly in the past by the NIMC not to disclose their NIN to any unauthorized individual or organization. Equally of note is that any NIN presented to access services must be duly verified before granting such services. Nigerians and service providers should note,” the NIMC added. 

  • The general public was encouraged to download the NINAuth App on either the Apple iOS or Google Play Store to enjoy seamless benefits, including but not limited to protection and security of the NIN, power to control personal information associated with the NIN, and more.
