IPPIS backdoor enrolment of lecturers violates NDPR | EduCeleb
EduCeleb
21st June 2020
By Adekemi Omotubora
The Academic Staff Union of Universities (ASUU) has been in a face-off with the Federal government, having directed its members to reject the Integrated Payment and Personnel Information System (IPPIS) platform, adjudged by ASUU as corrupt, unconstitutional and inimical to the interests of lecturers and universities’ autonomy. However, in violation of the rights of the lecturers who then refused to enroll on IPPIS, the IPPIS surreptitiously collected their personal data and unlawfully enrolled the same on its platform. In this article, I argue that the actions of the IPPIS breach the Nigeria Data Protection Regulation (NDPR or Regulation) 2019 and the Guideline for Management of Personal Data by Public Institutions in Nigeria (PI Guidelines) released in May 2020. It is important to note from the outset that while the PI Guidelines, which apply only to public institutions, were issued after the IPPIS had enrolled lecturers on its platforms, they are relevant to the ongoing and continuous use of the data by the IPPIS to pay salaries.
The NDPR defines personal data as any information relating to an identified or identifiable natural person (Data Subject). This includes a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person. The Regulation recognizes sensitive data as a special category of personal data and defines it as meaning data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trade union membership and criminal records. It must be noted that sensitive data also includes biometric data under the PI Guidelines. ‘Processing’ under the NDPR means any operation or set of operations performed on personal data whether or not by automated means and includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission and dissemination, alignment or combination, and restriction, erasure or destruction of personal data. Part two of the Regulation sets out the governing principles and lawful bases for processing personal data on at least one of the grounds of consent, contract, vital interests, necessity to comply with data controllers’ legal obligation and public interest.
Based on the above, it is clear that information such as name, trade union membership, biometrics and any identification number which have been enrolled by IPPIS is personal data and that the enrollment and continued use of lecturers’ personal data constitute ‘processing’. It is also clear that the processing cannot be justified on the basis of consent because lecturers have refused to enroll on the IPPIS system both when it was first offered and subsequently. Specifically, article 2.1.1(a) of the NDPR provides that personal data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data subject. As I have argued elsewhere, the combined reading of articles 2.1.1(a) and 2.2 leads to the invariable conclusion that consent is not only one of the bases for legitimate processing of personal data, but it is also the only basis. Assuming, however, that this argument is incorrect, the PI Guidelines offer additional protection against unlawful processing. Articles 2.3 and 2.4 of the Guidelines not only prohibit the processing of sensitive data such as biometrics and data relating to membership of a trade union, they also set a higher standard of consent-seeking method. This standard is that consent must be sought through direct, unambiguous and distinct communication to the data subject. In effect, consent is mandatory for any collection and further processing of lecturers’ sensitive data, which is part of the information now processed by the IPPIS.
Other bases for lawful processing do not support the actions of the IPPIS either. Contractual basis will only avail the data controller if the processing is necessary for the performance of a contract to which the data subject is a party. As there is no contract between IPPIS and individual lecturers, contract can be excluded as the basis for the processing. The objections to the processing on the bases of compliance with a legal obligation to which the controller is subject and vital and public interests can be taken together. Although the NDPR itself did not define public and vital interests or what constitutes compliance with legal obligation, the PI Guidelines amplify these provisions. Under article 2.2(g), the Guidelines provide that processing of personal data by a public institution must be founded on Public, Legal and Vital interests. This is to be determined by reference to whether the processing is directly or collaterally linked to the performance of a mandate stipulated by an Act of the National Assembly, is necessary for the promotion of security or welfare of the citizens, justifiable in a democratic and free society, and done to comply with the directive of the President in furtherance of the powers vested in that office by the Constitution or a legal instrument. The processing by IPPIS fails on all three grounds; the IPPIS is not founded in any law or legal instrument and there are no clear security and welfare interest implications for the lecturers as citizens in a free and democratic society. While the president did direct the payment of lecturers’ withheld salaries, this cannot be taken as suggesting that payment must be made through the IPPIS, particularly because a platform for payment of lecturers’ salaries already exists.
Finally, IPPIS cannot invoke the legitimate interests of the data subject, which is an entirely new basis for lawful processing under the PI Guidelines. While ‘legitimate interest’ is not defined in the guidelines and may indeed be difficult to define because of its broad scope, the UK ICO recommends that in order to determine whether processing is in the legitimate interest of the data subject, we must pose and answer some critical questions. One, who does the processing benefit? The answer to this must be that the IPPIS’ processing would be legitimate if it benefits the lecturers and illegitimate if it does not. As lecturers, through the ASUU, have consistently argued that IPPIS is against their interests and those of the universities they work for, it is unclear what specific benefits the IPPIS’ processing confers on the lecturers. Two, would the individual (data subject) expect this processing to take place? The processing by IPPIS would be legitimate if data subjects expect the processing to take place. However, since individual lecturers have refrained from voluntary enrolment on IPPIS, it is clear that they would not have expected the processing of their personal data against their expressed wishes and actions. Three, is the Data controller in a position of power over the data subject? The suggestion here is that if the data controller is in a more powerful position, then the processing is illegitimate. The IPPIS arguably demonstrated its superior power when it (presumably) ‘commandeered’ employing universities and banks holding lecturers’ personal data and BVNs to grant it (IPPIS) access to such data.
Four, what is the impact of the processing on the individual? The answer to this question must demonstrate that processing by the IPPIS has some positive impacts on university lecturers. This would be difficult as the processing is already having negative impacts, including the sacking of contract scholars across higher institutions. Five, are the data subjects vulnerable? Exploiting vulnerability to process data is likely to render the processing illegitimate. Clearly, lecturers who had not been paid for about three months when they were unlawfully enrolled are vulnerable. Six, is the data controller able to stop the processing at any time on request? If it can be shown that lecturers can request IPPIS to stop processing their data, then the processing is likely legitimate; otherwise, it is illegitimate. In this case, it is difficult to see how the lecturers can request IPPIS to stop its processing of their data when, contrary to article 2.5 of the NDPR, it failed to make available its privacy policy. The policy would typically contain the description of collectable data, the purpose of collection and available remedies for violation of the policy.
ASUU and its members have certain remedies against the IPPIS’ unlawful processing. Under the NDPR, Data subjects can submit access requests to Data controllers. Individual lecturers who submit such requests would be able to determine the type of information collected by IPPIS and check for inaccuracies in the data. It must be noted that Data controllers must respond to such requests for access in a concise, transparent, intelligible and easily accessible form, in writing, electronically or orally. ASUU can also petition the NITDA to investigate the IPPIS (and any other institution or organization implicated in transmitting personal data to IPPIS) for unlawful processing of its members’ personal data. Data controllers can incur criminal liability by virtue of section 17 of the NITDA Act 2007 and can be subject to fines of up to 10 million Naira if found to be in breach of the NDPR. Finally, since the particular processing undertaken by IPPIS in respect of personal data of ASUU members requires consent and consent was not sought and obtained, ASUU, through a class action, can seek a declaration setting aside the enrollment by IPPIS for being unlawful.
Adekemi Omotubora is a lecturer in the Department of Commercial and Industrial Law, University of Lagos.