In an article published by www.thenigerialawyer.com on the 21st day of June 2020, Dr. Adekemi Omotubora -an undeniably consistent and meticulous writer on data protection in Nigeria rightly expressed her dissent to the Federal Government’s enrolment of lecturers via the Integrated Payment and Personal Information System (IPPIS) claiming that, it violated the Nigeria Data Protection Regulation (NDPR) 2019 but in this rejoinder, without necessarily touching on the moral or economic propriety of the migration, I will respectfully share my thoughts on her recondite position within the precincts of the NDPR.
The learned Doctor of laws wrote that:
“I have argued elsewhere the combined reading of articles 2.1.1(a) and 2.2 leads to the invariable conclusion that consent is not only one of the bases for legitimate processing of personal data, but it is also the only basis” but this conclusion, with respect, overlooks the purport and contents of both articles 2.1.1(a) and 2.2.”
For the avoidance of doubt, article 2.1 clearly provides for the principles of data processing while article 2.2 expressly provides for the grounds/bases of lawful processing, they ought not be confused with each other especially as seen in their respective subtitles. The principles of data processing, by their definitions, serve as the system of beliefs for data processing/protection while the lawful bases represent the grounds or reasons for processing which must be situated in the law. The difference in the two concepts further exists in the fact that, while all the principles of data processing must be observed by a data controller, only 1 lawful basis is required to legally process data. I am however not unmindful of the provision of the newly issued Guidelines for the management of personal data by public institutions in Nigeria (the Guidelines) on the necessity for co-existence of two bases for some categories of processing, the propriety of which, is discussed later hereunder.
Also, the difference in principles and bases for lawful processing is further accentuated by the express wording of article 2.2 thus: “Without prejudice to the principles set out in this Regulation, processing shall be lawful if at least one of the following applies”. Reported at page 404 of Babalola’s Law Dictionary, 2nd edition, the phrase “without prejudice” is defined by the Court of Appeal as: “Notwithstanding the above provisions.” See Umeji v Attorney- General of Imo State (1995) 4 NWLR (Pt. 391) 552. Hence, it is our position that the use of “without prejudice” clearly establishes the separate existence of principles from grounds.
Ultimately on this issue, contrary to Dr. Omotubora’s position, consent cannot, with respect, be the only legal basis when the exhaustive list of the bases of lawful processing under article 2.2(a) to (e) is considered. Although I posited at page 113 of my recently published Casebook on Data Protection that, it is arguable whether legitimate interest pursued by a controller as a basis of data processing has been excluded under the NDPR. This remains moot until we have the benefit of a Nigerian decision on the issue.
While she relied on articles 2.3 and 2.4 of the Guidelines to argue that, processing of sensitive data by public institutions can only be lawfully done by consent, she, with respect, smartly evaded the provision of article 2.5 of same Guidelines that: “The exception to the above may be cases of health emergency, national security and crime prevention.” The Federal Government has repeatedly said that, the implementation of IPPIS is to detect ghost workers, prevent academic moonlighting where some lectures earn multiple salaries in different government universities and ultimately, to investigate and prosecute corruption in the system. These objectives, to my mind, come under the exception of crime prevention which Dr. Omotubora did not refute in her well-written piece.
She continued that, “other bases do not support the IPPIS” but I respectfully think, the system was introduced in the public interest especially to plug leakages in government and for accurate and timely payment of salaries with appropriate tax and other statutory deductions . The Federal Government further stated that, since inception in 2007, the IPPIS project has saved the country billions of Naira by eliminating ghost workers (see IPPIS website). This is, in my respectful opinion, a matter of public interest. The Supreme Court in Centre for Pollution Watch v. NNPC (2019) 5 NWLR (Pt. 1666) 518 @ 583, defined the term “public interest” as:
“…the general welfare of the public that warrants recognition and protection of something in which the public as a whole has a stake especially, an interest that justifies government regulation.”
The Nigerian public clearly has a stake in the finances and revenue of the government as well as salaries of lecturers which are paid with taxpayers’ money, hence it is in the interest of the public that, ghost workers are eliminated, corruption in payment of lecturers’ salaries investigated, prosecuted and further perpetration prevented or deterred.
The learned lecturer again, placed reliance on article 2.2(f) and (g) of the Guidelines on additional bases for lawful processing which are not in the NDPR. First, it must be observed that, with this provision, the Guidelines appear to be at loggerheads with the NDPR which expressly provides for an exhaustive list of lawful bases of data processing. It must be observed that, while the NDPR contemplates “legitimate interest pursued by the data controller” the Guidelines surprisingly provides for legitimate interest of data subject. This conflict must necessarily be resolved in favour of the NDPR – the principal legislation ,on the trite principle of law that, a subsidiary or dependent legislation cannot have wider reach or powers than the principal legislation. See the Supreme Court’s decision in Osadebay v AG, Federation (1991) LPELR-2781(SC). Hence, it is our respectful view that, the Guideline is bereft of capacity to add a new lawful basis outside what is in the NDPR. This brings to mind the foreign case of Patrick Breyer v Germany where the Republic of Germany (like NITDA here) also attempted introducing a new legal basis for data processing, the CJEU held that:
“The Court has held that Article 7 of Directive 95/46 sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful and that the Member States cannot add new principles relating to the lawfulness of the processing of personal data or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in that article. Under Article 5 of Directive 95/46, Member States also cannot introduce principles relating to the lawfulness of the processing of personal data other than those listed in Article 7 thereof, nor can they amend, by additional requirements, the scope of the six principles provided for in Article 7.” See page 19 of my Casebook on Data Protection.
Reading through the learned Dr.’s piece, one will observe that she kept on referring to IPPIS as though it is a data controller, this appears to, with respect, be her conclusion’s archilles heel especially on the available remedies. For the avoidance of doubt, article 1.3(x) defines a ‘data controller’ as: “a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed.”
My search on the IPPS reveals that, it is neither a natural or legal person. Dr. Omotubora even admitted this much when she stated that: “the IPPIS is not founded on any law or legal instrument”, how then do you sue, petition or prosecute such a non juristic personality as the learned Dr advised ASUU.
Conclusively, it is my respectful view that, the Federal Government, using the IPPIS lawfully processed the lecturers data under the NDPR on the ground of public interest since it is in the interest of the taxpayers that, ghost workers are detected, academic moonlighting is discouraged, corruption and embezzlement and other financial crimes surrounding the payment and remittance of lecturers’ salaries are not only prevented but also prosecuted.
Olumide is the managing partner of Olumide Babalola LP (A licenced Data Protection Compliance Organisation)