By Olumide Babalola
1. Introduction

In the first week of December 2022, Nigeria’s judiciary made a strong statement of intent on information privacy when the National Judiciary Council (NJC) reportedly reviewed its Judicial Information Technology Policy to include provisions on data protection (see Ifeoma Peters, ‘NJC Receives New Guidelines for Data Protection in the Judiciary’, published by DNL Law & Style blawg on the 2nd day of December 2022). Whether we choose to call the term ‘data privacy’ or ‘data protection’, one’s preference at this time pales into insignificance in the face of avoidable data breaches that the third arm of government continues to suffer, condone or engineer.

In that same week, a letter signed by the Chief Justice of Nigeria (CJN) approving the reinstatement of Justice R.N. Ajumogobia to the bench was shared on various WhatsApp platforms and published by many newspaper outlets (see https://www.thisdaylive.com/index.php/2022/12/08/njc-reinstates-justice-ofili-ajumogobia-as-judge-of-federal-high-court-2/). Many issues continue to arise from the contents of the ‘leaked’ or published letter, but my concern here is with the information privacy issues staring the judiciary in the face. There is no gainsaying that information privacy is a fundamental right guaranteed by section 37 of the Constitution and supplemented by the Nigeria Data Protection Regulation (NDPR) (see Digital Rights Lawyers Initiative v National Identity Management Commission (2021) LPELR – 55623(CA)).

It is also beyond doubt that the courts are duty bound to enforce fundamental rights violated by government agencies and others (see Baro v Commissioner of Police, Delta State (2019) LPELR 48611 (CA)). How then do we reconcile cases where the judiciary is the entity violating fundamental rights, in this case information privacy?
2. The principle of integrity and confidentiality breached

Information privacy thrives on a number of principles, one of which is integrity and confidentiality. This twin principle simply mandates controllers (in this case, the NJC/judiciary) to implement organizational and technical measures that prevent unauthorized or undesired access to, disclosure of and/or loss of personal data. The picture flying around does not show that the letter has been dispatched to or received by the recipient; one then wonders who leaked the supposedly confidential letter conveying personal information. If the NJC had privacy policies or data security in place, publishing such a confidential letter would not have been that possible or easy without consequences for the organization and the actors.

3. Public documents do not absolutely exclude reasonable expectations of privacy

One may be tempted to argue that the letter is a public document, hence there should be no privacy conversations surrounding it. First, the Constitution expressly provides for ‘privacy of correspondences’, which covers letters of this nature unless expressly excluded by law. Secondly, even though our current realities necessitate an amendment to accommodate the unprecedented possibilities enabled by advancement in technology, section 97(1) of the Criminal Code prohibits such publication thus:
“Any person who being employed in the public service, publishes or communicates any fact which comes to his knowledge by virtue of his office and which it is his duty to keep secret, or any document which comes to his possession by virtue of his office and which it is his duty to keep secret, except to some person to whom he is bound to publish or communicate it, is guilty of a misdemeanor, and is liable to imprisonment for two years.”
Thirdly, the Court of Appeal confirmed the reasonable expectation of privacy even in the public when it ruled on voting in public thus:

“Therefore requiring or compelling him to vote openly in the public watch and knowledge by queuing in front of the poster carrying the portrait of the candidate he has decided to vote for intrudes into, interferes with, and invades the privacy of his said decision, choice and voting, completely removing that privacy, therefore amounting to a clear violation of his fundamental right to the privacy of a citizen guaranteed him and protected by S.37 of the 1999 Constitution. The decision of the trial Court that it does not see how making the appellant to vote publicly violates his privacy is therefore clearly wrong.”
It is worthy of note that the Freedom of Information Act 2011 also addresses the expectation of privacy in public documents, except where public interest outweighs privacy, but this exception cannot be utilized extra-judicially as was done by the leakage, which constitutes a data breach. Even if an argument is rightly made in favour of the public’s right to know, it does not lie in the hands of any judicial staff to leak the document in such a manner.

4. NJC and data transparency

The first principle of data protection is ‘lawfulness, fairness and transparency’. Transparency, in this context, mandates organizations to proactively disclose their data management practices on their websites and other platforms. The NJC’s website (www.njc.gov.ng) is devoid of any privacy statement, which is meant to give the public an idea of the body’s privacy culture and the person(s) responsible for its privacy practices.

5. NJC and data breach

Unless the ‘leakage’ was authorized by the CJN, the NJC has just suffered a data breach with legal implications. As the bastion of the rule of law, the court must lead from the front. In this case, the NJC needs to come up with policies on data breach management, notification, prevention and remediation.

6. Conclusion

Privacy remains the least litigated fundamental right in Nigerian courts. Since independence, the Supreme Court has only ruled ‘extensively’ on the right to privacy in one case (see Medical Dental Practitioners Disciplinary Tribunal v Dr. Emewulu Okonkwo (2001) 7 NWLR (Pt. 711) 206). Judicial attitude towards the right to privacy within and outside the courtroom arguably gives credence to western researchers’ submission that Africans do not value privacy, but that narrative needs to change, and that change must begin with judicial actors.

Going forward, it is my respectful, non-exhaustive advice for the judiciary at all levels to:

a. Designate (not necessarily appoint) a Data Protection Officer (DPO) to take responsibility for building a privacy culture among judicial actors.
b. Publish a privacy notice (policy) on their websites showing transparency and setting the tone for public engagement on their privacy practices.
c. Include information privacy in the NJC’s training modules for judges.
d. Provide periodic training for judiciary staff on information privacy.
e. Draft workable policies and privacy documents to guide judicial actors.