Non-existence of data privacy framework in Nigerian schools

Less than one per cent of Nigerian schools are compliant with the Nigerian Data Protection Regulation (NDPR). Yet, many schools manage sensitive personal information and personal information of students and employees daily. This disregard for fundamental human rights is worrying.

You probably are thinking that Nigerian private schools take data privacy seriously, but you are wrong. The widespread disregard of data privacy in educational institutions cuts evenly between public and private educational institutions.  Nigerian schools expose their students to data privacy breaches daily, and no one is doing anything about it.

The question then is, why? To answer why Nigerian schools don’t respect the information assets of their students and employees, I would categorise it in two main aspects.

First, there is the question of leadership. A school that is not compliant with the Nigerian Data Protection Regulation only shows that the stakeholders within that particular school are not “educated” enough to understand the importance of having the right data protection and privacy frameworks in place. You’d probably expect that schools, where knowledge is shared, would pay attention to protecting the freedoms and human rights of students. But statistics show otherwise.

All non-compliant private and public schools must begin to look at how they can ensure that they are taking the right step towards complying with data protection laws and ensuring that they have the proper self-regulatory standards.  Leadership in various schools must ensure that they take data privacy seriously, especially now that most processes are moving digital. You would not like your university or your secondary school or primary school to suffer a significant data breach, and you don’t have the right approaches to handle such.

Another aspect of why schools are not taking this seriously is the absence of punitive measures by data regulatory body. In other climes, schools – public and private – must comply with data protection regulation or face fines from the data protection authorities. In 2018, the Information Commissioner’s Office (ICO), the data protection authority in the United Kingdom, fined University of Greenwich £120,000 ($160,000) for a security breach in which the personal data of 19,500 students was placed online. The Swedish Data Protection Authority, in December 2020, fined Umeå University €54,000 for storing special category data of students in a cloud service, without sufficiently protecting the data.

The Nigerian data protection regulatory body, Nigerian Information Technology Development Agency (NITDA), has an immense role to play here and perhaps should make scapegoats of some non-compliant schools to motivate them towards complying with the regulation.

Data privacy and protection of information is what every institution should give critical attention.

The world has gone digital. Education is going to change radically, and schools will begin to explore technological tools to enhance teaching and learning. The recent Covid-19 pandemic has shown us that education will be interrupted and most teaching might move to the digital space. Vice-chancellors, Headmasters, Principals, and school Proprietors should act by embedding the right data privacy frameworks into these technological tools and avoid exposing the information assets in their possession to danger. More importantly, they shouldn’t wait until something drastic happens before taking action. Designing processes that respect privacy is, therefore, a must.

The stark reality is that Nigerian schools don’t pay attention to data privacy. The stats released by NITDA shows it. Therefore, schools who care about the welfare and wellbeing of their students and employees’ human rights must act quickly. The education commissions must encourage schools to comply with the data protection regulations, build useful privacy frameworks, and continually monitor these systems to reduce the risk of data privacy breaches.