An IT security consultant, Prince Kpasra has said that the manner in which the Electoral Commission published the basic details of voters on Google Drive poses a high fraud risk.
He explains that fraudsters now have easy access to the details of other people and they can use them to do all kinds of transactions like register SIM cards, open bank account, hack people’s social media accounts among other things.
“There could be identity fraud where fraudsters can use your ID number to register a SIM card,” he said. “Having all the information will make it easier for fraudsters to steal your identity for opening bank accounts and hacking social media among other things.”
The IT security expert therefore believes the EC erred in the manner in which it made basic data of registered voters public.
He said it was “very bad” that the EC made the names, ages and genders of prospective voters available on Google Drive on a polling station basis.
Mr. Kpasra thinks the data should have been protected by some further restrictions.
“The first thing is that, they should have put it on their website and restricted access, but they put it on a public cloud, which is Google, and allowed anybody who wanted to download the information to download it,” he said
He, however, did not cite a specific law the EC had breached.
What the law says
The Data Protection Act outlines for handing data and specifically, “special personal data.”
The law says a data controller may process special personal data in accordance with the Data Protection Act where “processing is necessary, or the data subject consents to the processing.”
Special personal data shall not be processed unless the processing is “necessary for the protection of the vital interests of the data subject where it is impossible for consent to be given by or on behalf of the data subject, the data controller cannot reasonably be expected to obtain the consent of the data subject, or (c) consent by or on behalf of the data subject has been unreasonably withheld.”
Special personal data shall not be processed when it does not involve the disclosure of the personal data to a third party without the consent of the data subject.
The C.I. 91, which regulates aspects of the EC’s activities, also says the voter data “shall be published in a manner determined by the commission.”