The National Information Technology Development Agency has launched an investigation into a data breach by the Lagos State Internal Revenue Service. The agency issued a statement on Friday confirming the incident and the steps it is taking to address it. The statement reads:
“The National Information Technology Development Agency (NITDA) was reliably informed and duly ascertained that the Lagos State Internal Revenue Service (LIRS) published…
…a web portal – https://t.co/gpLxOjgIjE – where personal information of tax payers of Lagos State was gleaned by the general public in breach of the Nigeria Data Protection Regulation (NDPR), 2019.
“We have also been informed that the LIRS has indicated that public access to the portal was a glitch from a consultant of the Service and that the portal has been duly disabled.
We commend LIRS for the swift remedial action in disabling the portal and pulling the website away from the public domain.
“We however warn that glitches of this kind do not insulate LIRS from responsibility or culpability from whatever actions, civil or criminal, that may arise from such a glitch, as personal and confidential information of data subjects was made available to the public illegally.
“We stress that such glitches are in breach of the NDPR and invariably the National Information Technology Development Agency Act 2007.
“The Agency will further investigate this breach and the circumstances surrounding it with the aim of assessing the impact of the breach as well as determine responsibility and culpability of data controllers or processors connected to the breach and prevent future occurrence.
“We also advise the public to be vigilant and to report immediately to NITDA or other law enforcement agencies if they notice that the information of any data subject on the LIRS database is further disclosed or used in any manner in violation of the NDPR.
“We enjoin all parties to cooperate with NITDA as we seek to protect the personal and confidential information of Nigerian Citizens from misuse and abuse.
“The Agency can be reached through its email address: [email protected]”
NITDA was established in 2007 as the ICT policy implementing arm of the Ministry of Communication of the Federal Republic of Nigeria. It was given the responsibility of developing programs that cater for the running of ICT-related activities in the country. It is also mandated to implement policy guidelines for driving ICT in Nigeria. NITDA plays an advisory role in copyright law by verifying and revising applicable laws in tandem with the application of software and technology acquisition.
In January 2019, NITDA issued the Nigeria Data Protection Regulations (NDPR). The overall objective of NDPR is to safeguard personal data rights, enhance the security of transactions involving personal data rights, protect transactions involving personal data and improve the access of Nigerian companies to cross-border data. Among the requirements it set out for data-collecting organizations are a mandate to publish a data protection policy and a mandatory self-audit on data protection every 6-12 months.
It didn’t take long before some organizations came under the radar of the data agency. It will be recalled that earlier this year, Truecaller came under investigation by NITDA for breach of users’ data rights. Others include the Nigerian Immigration Service, banks, fintechs and telcos.
Upon establishing a framework to guide all organizations in the personal data collection business, NITDA stipulated penalties for those who breach the rules and advised organizations to get professional advice from Data Protection Compliance Organizations (DPCO) on their compliance risks, obligations and responsibilities under the NDPR.
This framework is supposed to guide companies and organizations that collect, store and use personal data. However, there has been a series of breaches here and there, indicating a huge gap in compliance.
Though the Lagos State Internal Revenue Service blamed the breach on a third party, the incident is an indication that many organizations are yet to come to terms with the seriousness of personal data rights and protection in Nigeria.
The website has been taken down until further notice, but the prevalence of these occurrences is a cause for worry. As many organizations delve into fintech and other personal data collection businesses, the need to protect users’ information becomes something they should be conscious of.