One of the most iconic scenes of the Batman movie, Dark Knight, produced by Christopher Nolan, and released in 2008, is the dialogue between Bruce Wayne and the character Lucius Fox portrayed by Morgan Freeman.
Christian Bale, who plays Bruce, Batman’s character, knew he was running out of time to find his long-lost love, Rachel Dawes, held hostage by the Joker. To save her, Batman was ready to tap into the city phone database system, which he could access directly from his bunker.
Looking at the impressive line of computer monitors tracking people’s cell phones in real-time, Batman exclaimed, “Beautiful!”
But Lucius replied, “Beautiful, unethical, dangerous… this is wrong… this is too much power for one person.”
Since the news of Isa Ali Pantami, minister of communications and digital economy, voicing support for jihadist movements like Al Qaeda and Taliban became public, many Nigerians have said they were concerned about the safety of the National Identification Number (NIN) database.
Pantami’s ministry of communications and digital economy oversees the National Identity Management Commission (NIMC) in whose custody is Nigeria’s national identity database.
Read Also: Planning for 400 million: Nigeria’s opportunities and challenges 2050
Like Lucius, the concern of many people is whether the information they supplied during the NIN registration exercise, which is now warehoused by NIMC, would not be compromised by someone as highly placed as the minister of communications and digital economy. There are over 51 million Nigerians with registered NIN.
The minister however renounced the inciting comments saying he was young and his views immature at the time the comments were made.
“Some of the comments I made some years ago that are generating controversies now were based on my understanding of religious issues at the time, and I have changed several positions taken in the past based on new evidence and maturity,” he said.
Many Nigerians seem unimpressed by the minister’s repentance, saying he remains a national threat giving he superintends a government department that is in charge of the national database.
The NIMC Act gives the best explanation of the data governance surrounding the NIN database.
The NIMC Act
The NIMC Act of 2007 established a national identity database that contains registered information or data relating to citizens of Nigeria and non-Nigerians.
The Act empowers the Commission to create, manage, maintain and operate the National Identity Database, including the harmonisation and integration of existing identification databases in government agencies and integrating them into the National Identity Database.
Membership of the Commission is drawn from mostly data generating government agencies such as Independent National Electoral Commission (INEC), National Health Insurance Scheme (NHIS), Federal Road Safety Corps (FRSC), Federal Inland Revenue Service (FIRS), National Population Commission (NPC), and the director-general of the NIMC.
Others are security agencies like the Nigeria Police Force (NPF), Nigeria Immigration Service (NIS), Office of the National Security Adviser (ONSA), and Economic and Financial Crimes Commission (EFCC). To represent the public interest are three persons who are knowledgeable in Information Communication Technology or identity management.
The minister is not mentioned in the Act as a member of the Commission despite his position as the head of the ministry. The minister does not also appoint the director-general of NIMC. The president makes the appointment. This provision could be to protect the director-general from being influenced by a powerful official like the minister.
The Act also limits the powers of the minister on the national identity database with the mandatory appointment of a chairman. The chairman of the Commission, according to the Act, is elected on a part-time basis by the President of Nigeria. The chairman holds office for four years and may be re-appointed for a further four years and no more.
The Act also provides that no person or body corporate shall have access to the data or information contained in the database with respect to a registered individual entry except with the authorisation of the Commission.
Does the minister have unchecked access to the database?
Security experts, who spoke with BusinessDay on condition of anonymity because of the sensitive nature of the matter, say while it is unlikely the minister or any single official has direct access to the national database, the country’s poor record in data governance makes it a possibility for there to exist a ‘backdoor’ through which data can be moved without authorisation.
The financial services sector, one of the most heavily regulated markets in Nigeria, still has poor data governance records. This is despite the existence of the Nigeria Data Protection Regulation (NDPR), which enforcement is yet to catch on in the industry.
The Nigerian Inter-Bank Settlement System (NIBSS) recently reported that Nigerian banks lost N3.5 billion between July and September 2020 to fraud-related incidences with data tampering mainly responsible.
The NIMC Act may not have presented a direct backdoor to data abuse, however, some of its provisions on disclosure of registration can easily be misinterpreted.
For example, it says the provision of information is authorised when such disclosure is (a) in the interest of national security; (b) necessary for purposes with the prevention or detection of crime; or (c) for any other purpose as may be specified by the Commission in a regulation.
Its lack of specificity on what constitutes a threat to national security or when it is “necessary” to release information to the state security agencies for the purposes of detecting crime.
“Beyond proper data governance, no one knows exactly the last time NIMC carried out an audit,” notes an expert who pleaded anonymity.
The NIMC Act mandates the Commission to not later than six months after the end of each year, submits to the President a report on the activities of the Commission and its administration during the immediately preceding year and shall include in the report the audited accounts of the Commission and the auditors’ comments thereon.
The last time NIMC published an annual report was in 2014, which means for about 6 years the Commission has yet to release a summary of its dealings with the national identity database.
