PRIVACY AND DATA PROTECTION IN THE NIGERIAN EDUCATIONAL SECTOR
By: Tojola Yusuf
Educational institutions at all levels hold personal data of students, staff, guardians or parents. These personal data include names, contact details, home address, bank details, health information, age, biometric data, photographs, dates of birth, examination results, payment details etc. The academic environment is also home to intellectual property and data collected from people for research purposes. Also, schools tend to spend and focus less on security and data protection and cybersecurity. Such was the case of an elementary school in Lekki, Lagos state disposed of its old personal computers without wiping out all data on the system. Subsequently parents started complaining of receiving unusual requests from the school which the latter did not send. Similarly, students in primary and secondary schools and a few in tertiary institutions are majorly minors who require special protection in the processing of their data.
Furthermore, the COVID-19 pandemic has forced many schools into conducting virtual learning and examinations. Schools use different education management platforms and online platforms like Zoom, WhatsApp, Microsoft Teams, etc. All of these have raised privacy and data protection concerns because of the amount of personal data being collected. If these data fall into the wrong hands, data subjects, especially the students categorised as children under the law would likely be the most at risk. Hence, this article focuses on the laws governing data protection, activities of schools that negate the spirit of privacy and data protection, the implications thereof and recommendations.
LAWS GOVERNING DATA PROTECTION IN THE NIGERIAN EDUCATIONAL SECTOR
- The 1999 Constitution of the Federal Republic of Nigeria, as Amended
The Constitution guarantees and protects the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications.
- The Child’s Rights Act
The Child’s Rights Act specifically gives every Nigerian child the right to privacy, family life, home, correspondence, telephone conversation and telegraphic communications, however, it shall not affect the rights of parents and, where applicable, legal guardians, to exercise reasonable supervision and control over the conduct of their children and wards.
- The Nigeria Data Protection Regulation (NDPR)
The NDPR sets out the governing principles of data processing, what constitutes lawful processing of data, third party data processing, rights of data subjects, data security, obligation of controllers and processors, etc. Its objectives are to safeguard data protection rights of natural persons; foster safe conduct of transactions involving the exchange of personal data, etc. Also, in March, 2020, The National Information Technology Development Agency (NITDA) introduced the Implementation Framework which is an addendum to the NDPR proffering clarity and guidance on the compliance and enforcement strategy.
OBLIGATIONS OF EDUCATIONAL INSTITUTIONS AS DATA CONTROLLERS AND PROCESSORS
The school owes the students, parents, teachers and non-teaching staff whose personal data it holds, a duty of care. In exercising this duty, the school must take into consideration the key principles of data processing. Also, while partnering with organisations that offer Learning Management Systems (LMS) services, the educational institution should give consideration to the organisation that adhere to the NDPR and the relationship must be governed by a written contract.
The School also has the responsibility to secure personal data by protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff. At the point of data collection, the school must display a privacy notice which shall inform the data subjects of their rights, data collected, purpose of processing, etc. for the purpose of transparency and fairness. In addition, where the school relies on consent for processing, it must ensure that the consent is properly obtained without fraud, coercion or undue influence.
Finally, the school shall be accountable for its acts and omissions in respect of data processing, and in accordance with the principles contained in the NDPR. In other words, the school must demonstrate its compliance by filing an audit report which shall contain a detailed account of its processing activities.
PRIVACY AND DATA PROTECTION ISSUES IN THE NIGERIAN EDUCATIONAL SECTOR
Schooling in time of pandemic
The coronavirus pandemic forced many educational institutions into operating online learning. The use of the internet to facilitate learning births the creation and exchange of more data, and increased privacy risks. Internet-enabled platforms are susceptible to threats like hacking, identity theft, impersonation, phishing, etc. In April, 2020, a virtual meeting organised by a school in Germany was hacked and pornographic images were posted into the session. Cases like this are called “zoom-bombing”. Questions arise as to the security of personal data in online learning platforms vis-à-vis the duty of educational institutions as controllers or processors to protect personal data of students, teachers, parents against all foreseeable hazards and breaches.
Besides the security of these personal data, the school is expected to collect and process only the personal data which is adequate, relevant and necessary for the purpose it is to be processed which is otherwise known as data minimisation. Also, there are concerns as to how the school ensures that LMS partners act within the ambit of the law and the terms of their contract. Where schools use WhatsApp for online learning, students now have access to one another’s phone number. Where students do not own devices of their own, how does the school protect the personal data of fellow students from a devious third party who has access?
At the point of personal data collection, both virtually and physically, there is usually no privacy notice and where there is one, it is devoid of the essential elements. A visit to the websites of 13 schools (universities and secondary schools) reveals that only 2 of them (Nile University and Redeemers University) have a privacy notice. The privacy notices of these schools lacked contents like the rights of the data subjects, lawful basis for processing, period of storage of personal data, etc. which are legal requirements. In this case, the schools have ignored important principles of data processing like accountability in respect of its actions and omissions, transparency because the data subjects do not know the necessary facts about the processing of their data. Schools collect personal data like dates of birth of parents, hometown, name of town or village of origin, etc. which is of no use and violate the principle of data minimisation especially because the data are usually not anonymised, pseudonymised or encrypted. Schools also need to pay attention to record management, data should not be held for longer than it is necessary.
Excessive data collection obsession and poor record management problem
Another privacy issue which is commonly found in the Nigerian educational sector is the publication of their best students’ results or grades in external examinations like the West African Senior School Certificate Examinations (WASSCE), Cambridge A-levels Examinations, etc. This is accompanied by the full names and pictures of the students. Usually the purpose of this is to subtly market the school to prospective parents and students. Similarly, the use of students’ photographs on the school billboard on expressways, streets, websites, books, etc. are instances of disclosure of students’ personal data that raises concerns. The use of students’ results and photographs as mentioned above is no doubt outside of the core day-to-day operations of the school; it is pure marketing and advertising.
In addition, in Parents Teachers Association (PTA) meetings or on visiting days in schools, the schools have a culture of having parents sign in or fill attendance sheets by passing a book around or stationing one at the gate for parents to fill in their names, child’s name, contact details and sometimes, time of arrival and departure. These details are filled in the same book by each parent giving every parent access to the personal data of those who have filled before them. The need for this unnecessary data collection is borne out of failure of the school to keep a proper record of parents. A parent with ulterior motive may pick the personal data of another without their knowledge. This violates the principle of confidentiality, data minimisation, and security. In the end, what happens to these books after a while? Does the school have a data retention plan?
In the same light, when politicians visit schools, they take pictures with students in class, which always end up in newspapers and online news platforms. Has the appropriate consent been sought? Such publications without consent violate the principle of lawfulness which mandates that every processing must be done on at least one lawful basis, one of which is consent. It is important to mention that such publications also breach the fundamental rights to privacy of the students. Where it is breached, it may result in breach of other fundamental rights like the right to life as information containing names, name and address of schools, and pictures of students is enough to put their safety on the line.
It is a practice in this part of the world to sell stacks of papers no longer in use to vendors who wrap their wares in papers. Many organisations including schools deem this disposal of these papers whereas, it is a negligent transfer of personal data of data subjects. Little wonder why we find snacks wrapped in sheets in report cards, attendance sheets, completed personal data forms of a student in a school. In the same fashion, schools dispose of personal computers by selling or throwing in the bin because it is seen as waste and disposed of as same without having properly deleted the personal data contained therein which could end up in the hands of others. Such was the case of an elementary school in Lekki, Lagos state that “disposed” of its old personal computers without wiping out all data on the system. Subsequently parents started complaining of receiving unusual requests from the school which the latter did not send. This breaches the principle of confidentiality for failing to keep the personal data properly, lawfulness, security and particularly, storage limitation which is to the effect that personal data should not be retained longer than it is necessary and that personal data should either be destroyed completely or archived.
The horror of error
Furthermore, grading errors could constitute a breach of the principle of accuracy of personal data. Occasionally, when students complete continuous assessment tests or tasks, their test or assignment scripts carrying grades are distributed to them. However, when the teacher or lecturer compiles the grades, it is wrongly entered in the grading sheet and subsequently, in the students’ transcripts. The implication of this is that the students’ grades will be erroneously derived from the inaccurate data which determines the class of degree at graduation. Where the student discovers such errors, it is usually difficult to exercise the right to rectification, right to deletion or erasure and right to object to processing of personal data especially in public universities majorly because of the bureaucratic nature of the administration and the God-complex of the instructors.
The insecurity pandora box
Websites are now a must-have for educational institutions. It serves as a platform to attract prospective customers or clients, to sell products and services, communicate, gain knowledge, etc. Schools own websites for this purpose too. They contain resources which enhance learning and classroom teaching, have links for students to log into their dashboards where they can register subjects or courses, pay school fees, check results, etc. In June, 2020, the University of Benin and Ahmadu Bello University were reported by TechPoint to have vulnerable and porous websites and databases and as a result, admission lists, course registration details and some other personal data of students were shared on some hackers’ platforms. In 2017, the Joint Admission and Matriculation Board (JAMB) website was also hacked by some miscreants. This case put the personal data of thousands of students, lecturers and other staff at risk.
In some public tertiary institutions, grades are still pasted on notice boards for students. The sheet containing the grades houses every students’ grades including their matriculation numbers and or names. This gives other students or just anybody access to students grades. The school has the responsibility of keeping students’ grades confidential and must take steps to achieve it. In the Nigerian Law School, the only detail needed to check one’s result is the examination seat number. The implication is that a nosy student can check another student’s result. One wonders why the institution fails to include the use of passwords for result checking. The only reason that comes to mind is the failure of the school to take privacy and data protection seriously.
Finally, because a lot of schools still keep hard copy files of staff, students and other staff in offices and stores, they are prone to undue access by outsiders or staff who have no business having access. Cleaners access lecturers or teachers’ offices early in the morning to clean them. Are the files kept under lock and key?
EFFECTS OF NON-COMPLIANCE
- PENALTIES AND SANCTIONS
Any person or organisation subject to its provisions who is found to be in breach of NDPR shall be liable to the payment of 2% of its Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira whichever is greater, where the Controller deals with more than 10,000 data subjects. Where the controller deals with less than 10,000 data subjects, the penalty upon conviction is the payment of 1% of its Annual Gross Revenue or payment of the sum of 2 million naira whichever is greater. In other words, the extent of liability is dependent on the number of students, teachers, parents, etc. whose data the school processes.
Besides the money that will be lost, a lot of time and effort will be put into the administrative procedure. An aggrieved data subject can also approach the National Information Technology Development Agency (NITDA) who shall set up an administrative redress panel to investigate allegations, invite the parties, issue administrative orders and determine appropriate redress within 28 working days. It actually costs less to comply as against non-compliance when the loss of revenue and clients that accompany non-compliance are considered.
2. RIGOURS OF LITIGATION
The regulatory sanctions in the NDPR do not preclude the data subject from approaching a court of competent jurisdiction to seek redress in the form of breach of contract, violation of fundamental human rights and so on. This helps the data subject to demand damages for injury suffered because of the acts or omission of the controller or processor. Courtroom proceedings are filled with a lot of technicalities which gulps time, money, and energy. About 8 cases on data protection which involves NITDA are pending in Court, presently half of which commenced in 2019. Should the data subject succeed, the controller or processor could get slammed with damages running into millions of naira which results in revenue loss which is bad for business. In addition to approaching the Court for civil remedies, if a breach affects national security, sovereignty, and cohesion, the NITDA may seek to prosecute officers of the school.
3. BREACH OF DATA SUBJECTS’ RIGHTS
Where data protection and security are not taken seriously, the right to privacy of data subjects may be violated. The violation may extend beyond the right to privacy because in the absence of rights to privacy, freedom of thoughts and expression are adversely affected as thoughts, beliefs, expressions which are kept safe may be accessed by persons or bodies who ordinarily should not. This may amount to threat to safety and to negligently aiding the violation of the data subjects’ right to life. Where human rights are violated, the school may get slammed with actions for enforcement of fundamental rights, class actions, etc. and still get to pay a lot of money in damages to the victims of the violation.
Also, the personal data of students, staff, and parents may get into the hands of data hawkers or buyers. In the end, neither the school nor the data subjects will be able to control the processing or misuse of those data. If a data subject does not know about the existence of its personal data, he or she is deprived of the right to information, access, rectification, etc.
4. REPUTATIONAL DAMAGE
Where a school is known for compliance failures with respect to data protection and privacy, it faces severe reputational crisis. The resultant effect of this is that parents exercise fear over the safety of their children and as such withdraw them from such schools. In essence, the school loses funds while the parents lose trust in the school’s brand. The school is as much a business as organisations like Uber, British Airways and Lagos State Internal Revenue Service (LIRS), who have at one time or the other suffered reputational harm due to compliance failure in respect of privacy and data protection.
5. LOSS AND THEFT OF DATA
Where there is non-compliance, standard technical and organisational security measures will not be observed. This leads to loss of data, theft of data and identity, as well as loss of intellectual property especially because it is a school. Upon the loss or theft of these data, they become tools in the hands of the recipient who may engage in various criminal activities using the data. One of such is child pornography, digital impersonation, etc.
The NDPR might not be all-encompassing but the data protection issues in the educational sector stems more from the lack of awareness, understanding of the law, compliance, and enforcement of its provisions in schools. The main issue is the level of awareness, For compliance, a case in point is the fact that NITDA’s NDPR performance report reveals that of the 635 institutions that filed their annual statutory audit report, less than 1% is in the educational sector.
In addition, to ensure compliance, there is the need for the supervisory authority to issue guidelines and notices that will simplify and explain the provisions of the NDPR or any law that may be enacted to cater for privacy and data protection in educational institutions. Also, consistency is key in enforcing the law. This makes for easier enforcement or implementation.
Another important recommendation is the judicial resolution of matters that border on privacy and data protection in Courts. There is the need for the matters to be resolved in time and be handled by judges who have expertise in the area of law. Case laws that interpret complex issues are important to aid the growth of jurisprudence in this field.
For Educational Institutions and Staff
Also, schools should organise training or user education that will be facilitated by privacy professionals who would give an insight into the duties, rights and interests of the school, teachers, students, parents or guardians and other staff in relation to data protection and privacy. Training could be physical or virtual. People absorb and retain information in various ways which may be through audio, visual images or texts. A combination can cater for all. The schools may include privacy classes in the students’ curriculum. This guides everyone on their responsibilities and rights as regards privacy and data protection and should help to solve issues of public display of students’ results, lackadaisical attitude to entering inaccurate grades and rectification of same for students, etc.
In the same vein, at the point of collection of personal data of students, staff, parents or guardians, the school must display a privacy notice that will inform the data subjects of their rights, purpose of collection, who their data is shared with, how their data is secured and so on, as prescribed in the NDPR. It must be clear, concise, intelligible and in plain language.
It is further recommended that all files and devices that contain personal data are kept and maintained safely. Proper technical and organisational measures should be put in place to prevent loss or theft of personal data. Access must also be restricted. Install surveillance that respects privacy, use lock and key, and create retention schedule to manage records. Protection of personal data should last through the lifecycle of the personal data. From the point of collection to disposal. Disposal is one aspect that is mostly overlooked. Papers containing personal data should be properly shredded manually or with a shredding machine. They should not be sold to or given out to traders who use papers to wrap goods. Laptops or other devices containing personal data should be properly formatted before disposal.
Programs which the schools run on the web should be adequately secured technically such that sessions cannot be intercepted by third parties who ordinarily should not have access. Furthermore, schools are advised to use paid software and update as often as possible for the purpose of security. Where the school uses cracked software, it puts the data at risk. Where passwords are used for protection, it is advised that strong passwords are used. It should be long, contain a mixture of letters, numbers, upper case and lower case, symbols, etc.
The use of Multi-Factor Authentication is also recommended. It is an extra layer of protection that requires multiple distinct forms of identification or authentication process to have access to something. For instance, when the school or student or anyone else is signing into an application through another device, it demands extra information or codes which only the original user can provide.
If parents, teachers or students have to sign in using a book, the school can make use of a unique confidential sign-in book that has a blacked-out name panel upon which personal data are written, the data written is then transposed through to the sealed back bar beneath. Nobody is able to see the entries on the black bars. When the school needs to access the data, it only needs to be separated from the front blacked-out panel to reveal the back page. If the school can afford a digital visitor management system, it makes it all better.
Finally, if the school processes personal data of more than 2,000 data subjects, it must file a data processing audit report with the NITDA annually not later than 15th of March of the following year. The school may need to work with a DPCO to get this done. This becomes crucial as the Nigeria Data Protection Regulation Performance Report (2019 – 2020) reveals that the audit reports filed by the Education sector is less than 1% of the total audit reports filed.
Parents are also advised to take some of the precautionary steps as the schools and teachers in protecting personal educational records of children. Use of strong passwords on kids’ devices, two-factor authentication, avoiding cracked software, educating kids on privacy, keeping files or devices containing personal data safely, etc. Furthermore, parents are enjoined to ask questions and minimize the amount of the child’s personal data given out.
The lack of awareness and proper privacy and data protection education in the Nigerian educational sector has given room for a lot of practices that are not compliant with the laws on privacy and data protection. Thus, this article makes recommendations as to implementation and awareness to help address these issues.
Recommendations have also been made to help schools, teachers, non-teaching staff, parents or guardians, and students in addressing these issues. A joint effort on all sides will be a good start.
 Claire Morgan, “Why is the Education Sector a Target for CyberAttack”,
https://www.isdecisions.com/blog/it-security/why-is-education-a-target-for-cyberattack/ accessed on 1st November, 2020
 Chris Ikosa, “Can Data Protection be Breached in Schools?”, https://www.businessamlive.com/can-data-protection-be-breached-in-schools/#:~:text=An%20unauthorised%20person%20accessing%20data,data%20breaches%20in%20Nigerian%20schools.&text=Schools%20must%20have%20a%20proper,they%20must%20pseudonymise%20the%20data. , accessed on 25th October, 2020
 Section 37 of the 1999 Constitution
 Section 8 Childs Rights Act
 Section 5 NDPR
 Section 6 NDPR
 Section 11
 Section 16-31 NDPR
 Section 1 NDPR
 Section 2.1(2) NDPR
 These principles are contained in Section 2.1(1) of the NDPR. They are lawfulness, transparency, accountability, fairness, accuracy, data minimisation, storage limitation and purpose limitation
 LMS are software that are used to create, track, develop, manage, document and deliver training or educational services.
 Section 2.7 NDPR
 Section 2.6 NDPR
 Section 2.13.6 NDPR
 Section 2.3 NDPR
 Section 2.1(3) NDPR
 Section 3.1.6 and 3.1.7 NDPR
 “What Are the Harm in Zoom Schooling or Contact Tracing?” https://www.dw.com/en/whats-the-harm-in-zoom-schooling-or-contact-tracing/a-53568876 accessed on 6th November, 2020
 Section 2.1(1)(d) NDPR puts the duty of securing personal data on the controller and processor
 Section 2.1(1)(b) NDPR
 Obafemi Awolowo University, University of Ilorin, University of Nigeria, Lagos State University, University of Lagos, Caleb University, Covenant University, American University of Nigeria, Corona School, Queens COllege, Nile University, Redeemers University, and American International School of Lagos. The websites were last accessed on 18th November, 2020
 Section 2.13.6 NDPR
 Chris Ikosa, “Can Data Protection be Breached in Schools?”
https://www.businessamlive.com/can-data-protection-be-breached-in-schools/#:~:text=An%20unauthorised%20person%20accessing%20data,data%20breaches%20in%20Nigerian%20schools.&text=Schools%20must%20have%20a%20proper,they%20must%20pseudonymise%20the%20data. , accessed on 25th October, 2020
 Section 2.1(1)(b) NDPR
 Emmanuel Paul, “Hackers Have Access to Data from Nigerian and Kenyan Universities”, https://techpoint.africa/2020/06/01/nigerian-kenyan-universities-hacked/, accessed on 25th October, 2020.
 Friday Oloko, “We Spent N20m to Hack into JAMB Registration Portal- Suspects, Punch Newspapers https://punchng.com/breaking-we-spent-n20m-to-hack-into-jamb-registration-portal-suspects/#:~:text=Is%2Dhaq%20Oloyede.&text=Some%20suspects%20who%20were%20allegedly,hacked%20into%20JAMB’s%20registration%20portal. accessed on 5th November, 2020
 Section 2.10 (a & b) NDPR
 Section 3.2 NDPR
 “Final NDPR Performance Report (2019-2020) https://technologytimes.ng/wp-content/uploads/2020/10/FINAL-NDPR-Performance-Report-2O19-2O2O.pdf at pages 23-24..
 Ridwan Oloyede, “Nigeria: One Year of Data Protection Regulation” https://dataprotectionlawyer.ng/nigeria-one-year-of-the-data-protection-regulation/ accessed on 9th October, 2020
 Section 2.13.6 NDPR
 “8 Simple Ways To Improve Your Website Security” https://www.commonplaces.com/blog/8-simple-ways-to-improve-your-website-security/ accessed on 9th November, 2020
 Will Kenton, “Two-Factor Authentication 2FA”, https://www.investopedia.com/terms/t/twofactor-authentication-2fa.asp accessed on 31st October, 2020
 Geoffroy De Cooman, “Experts Weigh in on GDPR Visitor Sign-in: Paper v Digital”, https://www.commonplaces.com/blog/8-simple-ways-to-improve-your-website-security/ accessed on 9th November, 2020
 Section 3.1.7 NDPR
 “Final NDPR Performance Report (2019-2020) https://technologytimes.ng/wp-content/uploads/2020/10/FINAL-NDPR-Performance-Report-2O19-2O2O.pdf at page 15.