Since his days as the Governor of Lagos State, President Bola Ahmed Tinubu has been battling questions about his degree certificates as evidence of his academic qualifications. The matter has even gone to the American courts and now back to our Supreme Court where the opposition desires to adduce the discoveries in evidence. Expectedly, the matter has been predominantly analysed from political and legal points of view with varying (un)learned pontifications and conclusions.
In all these, I find some interesting data protection issues worthy of analysis as done in the following paragraphs:
1. Examination certificates constitute personal data
Universally, the term personal data has been defined in the context of information that identifies a natural person directly or otherwise. This definition is rehashed under section 65 of the Nigeria Data Protection Act 2023 (NDPA) – a significant reproduction of the European Union’s General Data Protection Regulation (GDPR).
Interestingly, the Federal High Court of Nigeria in has had cause to rule that examination certificates are not personal data thus:
“This therefore brings me to the issue of whether a result or certificate of result issued by the Respondent to a candidate who sat for examination amounts to personal information. It is important to first identify what is an educational certificate or result of an examination conducted by the respondent. … This result is not only issued to the student or candidate but also copies of the result are submitted to public and private institutions to enable the bearer secure entry, or employment or nominations. In effect, this certificate is a public declaration to the world at large that the Candidate has sat and scored the marks stated therein. The certificate therefore is the public declaration by the respondent the original of which is issued out to the candidate, a counterpart of which is kept by the respondent and certified copies are distributed to the individual institute or organizations to which the certificate may concern. How therefore could such a certificate become a personal information? In my respectful view, the clear purport of section 14 of the Freedom of Information Act does not envisage that a certificate or statement of results issued to candidates should be treated as personal information. They are public documents within the provisions of section 104 of the Evidence Act and therefore should be publicly available.” (See Dr. Chris Nlemoha v WAEC (Suit No. FHC/L/CS/342/2019) at page 97 of Casebook on Data Protection by Olumide Babalola)
Even though the decision above may be the only existing court pronouncement on the issue, it is (with respect) an erroneous interpretation of what constitutes personal data. From its statutory definition, personal data are clearly information but not the documents housing them. However, while some information are separable from the documents bearing them, others are not. For example, a birth certificate devoid of date of birth does not qualify as one, hence the date of birth is inseparable from the certificate for the purpose of proof of age. The decision which was given without any consideration of the provision of article 1.3(xix) of the Nigeria Data Protection Regulation 2019 which was the major legislation on data protection at the time of the decision. Once a piece of information (document inclusive) can identify a natural person, it constitutes personal data even if it is publicly available.
2. Transparency usually starts with privacy notices
Every data subject is entitled to adequate information on the processing of his/her data. Hence, under every data protection regime, a school should proactively provide students and the general public with information on how personal data is processed. This is usually done through a privacy notice (usually referred to as ‘privacy policy’ on websites).
From a data protection perspective, Chicago State University (CSU) is unfortunately opaque with its privacy practices especially since there is no privacy notice on its website despite the ranging legal warfare over one of the acclaimed student records with the school. With their omission of privacy notice on their website, the public is left in the dark on how the school processes data and for as long as they process data of Nigerians remotely or onsite, this constitutes a violation of the NDPA. (section 27 NDPA).
3. Data (in)accuracy could be decisive
One of the cardinal principles of data protection is data accuracy mandated by the provision of section 24(1)(e) of the NDPA 2023. This principle essentially requires personal data to be: “accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed.”
Surrounding the President’s education records are inaccurate reports given at varying times by different institutions. Without necessarily pushing blame to anyone’s doorstep, organisations and their customers are duty-bound to ensure personal records kept are accurate and updated when necessary. In our President’s case, his records in the institutions concerned suffer regrettable inaccuracies going by the reports and analyses flying around. This offends the data protection principle of accuracy, but the million-dollar question is – who takes responsibility for the breach?
4. Data retention duties may be infinite
Another principle of data protection frowns at indiscriminate storage/retention of personal data. The storage limitation principle theoretically stipulates that personal data should only be kept for as long as necessary but in practice, the necessity of indefinite retention of data can oftentimes be determined by the data controller. Curiously, CSU does not have a privacy policy on their website, hence not many people know for how long they retain personal data or who to even relate with on data protection issues. For example, some institutions disclose information on their websites stating how long they retain unclaimed certificates before destruction.
CSU’s omission constitutes another violation of the extant NDPA which expressly mandates controllers to publish a ‘clear, concise, transparent, intelligible, and easily accessible’ privacy notice. (section 27(3).
Conclusively, the whole certificate saga leaves so much to be desired from a controller-data subject’s perspective. Apart from the legal or political considerations, the data protection issues raised in the (counter) allegations ought to serve as lessons to organisations for a more improved privacy practice.
