A PhD researcher at the University of Portsmouth and leading data protection expert, Olumide Babalola, has written an open letter to Professor Charles Arinzechukwu Igwe, Vice Chancellor of the University of Nigeria, NSUKKA, expressing grave concern over the university’s public display of sensitive student information on its official website.
The letter highlights the university’s violation of the Nigeria Data Protection Act (NDPA) 2023, specifically sections 24(1), 25, and 26, which require data controllers to process personal data lawfully, fairly, and transparently, implement security measures, and obtain explicit consent for data disclosure.
Babalola notes that this practice poses significant privacy risks to students.
Read the open letter below:
OPEN LETTER TO PROFESSOR CHARLES ARIZECHUKWU IGWE, THE VICE CHANCELLOR, UNIVERSITY OF NIGERIA, NSUKKA
By Olumide Babalola
Dear Prof.,
DISPLAY OF STUDENTS’ PERSONAL DATA ON UNIVERSITY WEBSITE: URGENT CALL TO ADDRESS BREACH OF STUDENTS’ PRIVACY AND DATA BREACH
I hope this letter finds you well. I write to express grave concern over the on-going routine violation of students’ right to privacy arising from the University’s public display of sensitive personal information on its official website. It has come to my attention that the University of Nigeria has made the personal data of its students, including registration numbers, JAMB numbers, phone numbers, full names, gender, local government areas, states of origin, dates of birth, and dates of graduation, publicly accessible online. This practice is highly concerning and constitutes a violation of both Nigerian law and global data protection standards.
Violation of the Nigeria Data Protection Act (NDPA) 2023
The Nigeria Data Protection Act (NDPA) 2023 clearly stipulates provisions that are designed to protect individuals’ personal data, safeguard their privacy, and prevent unauthorized access or exposure of such data. The personal data being publicly displayed on the University’s website qualifies as sensitive information under this law, and its unauthorized disclosure constitutes a serious violation of several sections of the NDPA, including but not limited to:
1. Section 24(1) of the NDPA requires that data controllers (in this case, the University) must process personal data lawfully, fairly, and in a transparent manner. Publicly displaying students’ sensitive information online violates the principle of lawful and fair processing.
2. Section 25 obligates data controllers to implement appropriate technical and organizational measures to ensure the security of personal data. The University’s failure to safeguard this information from public access violates this provision.
3. Section 26 requires that personal data shall not be disclosed to third parties without the explicit and informed consent of the data subject except other lawful grounds exist. The public availability of this data without the consent of students is in clear contravention of this section.
Privacy Harms and Risks to Students
Beyond the legal ramifications, the public exposure of students’ personal information poses significant privacy risks and potential harm, including but not limited to:
• Identity theft: The publication of sensitive data such as registration numbers, phone numbers, and dates of birth makes it easy for malicious actors to impersonate students for fraudulent activities.
• Harassment and Safety Concerns: Publicly available phone numbers and personal identifiers can lead to unwarranted and harmful contact, harassment, and threats to students’ personal safety.
• Discrimination and Profiling: Sensitive details such as state of origin, gender, and local government area can be used to perpetuate discriminatory practices, undermining the principles of fairness and equality.
Violation of Students’ Right to Privacy
The right to privacy is a fundamental human right, recognized under the Nigerian Constitution and international instruments. The University, as an educational institution, has a duty to uphold this right by ensuring the confidentiality of students’ personal data. The public disclosure of sensitive data infringes on this right, leaving the affected individuals vulnerable to various forms of privacy invasion.
Call to Action
I respectfully urge you to take immediate steps to address this breach of privacy. Specifically, I call on the University to:
1. Cease the public display of personal data: Promptly remove all students’ personal data from public access on the University’s website to prevent further unauthorized disclosure.
2. Implement appropriate data protection measures: Introduce and enforce data security measures in line with the provisions of the Nigeria Data Protection Act 2023, including encryption, access controls, and regular audits of data processing practices.
3. Adopt a privacy-first approach: Ensure that the University adopts contemporary data protection practices and privacy by design principles, ensuring that students’ personal information is collected, stored, and processed only with their explicit consent and with the highest level of security.
4. Notify affected students: Consider notifying all affected students about the data breach and compensating them for any damages or risks they have incurred as a result of this data exposure.
Conclusion
As a renowned institution of higher learning, the University of Nigeria should be at the forefront of upholding the rights of its students, including their right to privacy. By aligning with contemporary data protection standards and complying with the Nigeria Data Protection Act 2023, the University can not only avoid legal penalties but also demonstrate its commitment to the security and well-being of its students. I trust that you will give this matter the urgent attention it requires and take corrective actions without delay.
Thank you for your understanding and anticipated cooperation.
Respectfully,
Olumide Babalola
PhD Researcher,
University of Portsmouth
United Kingdom