
By Erick Shapumba
For years, we have advocated by running campaigns, hosting workshops, publishing articles, and using every platform available to educate the public on the risks that come with living, working, and banking in a digital world.
And to a degree, the message has landed. The working class and the younger generation are, by and large, competent users of technology.
They know their way around a smartphone, are active on the internet, and are, in every sense, plugged in.
We also know they understand, at some level, that their devices carry information worth protecting. The phones are password-protected. The banking apps have PINs and biometrics.
There is a clear understanding that technology holds value, and that value is worth protecting.
So why, then, do we keep getting it wrong?
The Classification Problem
The gap is not in general awareness. The gap is in classification, the ability to identify what information is sensitive, what is at risk, and what the real cost of exposure might be.
Most people struggle to apply a basic definition: personal information is any data that can be used to identify you, including your full name, ID number, physical address, phone number, and email address.
These are not abstract concepts; they are the building blocks that criminals use to impersonate you, defraud you, or access your accounts without permission.
The problem is that we have normalised giving this information away casually, without hesitation, and without consequence, at least none that we have seen yet.
Think about the last time you stood at the till. The teller asked for your ID number, your email address, or your phone number.
You gave it and moved on. But ask yourself: do you ever stop and ask why? What does that store need your ID number for? What are they going to do with your email address?
Do they even have security measures in place to protect that information? Is it truly necessary to give it at all?
If your honest answer is no, you have never asked, then you are not alone. Most of us have never asked, and that silence is exactly where the risk lives.
We Have Not Seen the Consequences
In my experience, the deeper issue is not ignorance, but the absence of visible consequence.
People are rational, but in a narrow, immediate way. We secure what we have already felt the cost of losing.
We lock our phones because we understand what it means for a stranger to pick them up; we protect our bank accounts because money disappearing is immediate, tangible, and devastating.
But handing over an ID number at a till? Nothing bad happened, so the brain files it under safe.
Psychologists call this optimism bias, the quiet belief that bad things happen, just not to you. Cybersecurity awareness campaigns have largely failed to dismantle this belief because they deal in abstract, future-tense threats, statistics from other countries and hypothetical scenarios.
What we need are local, real, and relatable examples of what happens when personal information falls into the wrong hands.
We need look no further than the Namibia Students Financial Assistance Fund (NSFAF). Earlier this year, students’ personal information was published on the institution’s own website following a data breach.
The Communications Regulatory Authority of Namibia noted that institutions lack clear protocols for managing data breaches, not out of negligence alone, but because in the absence of a comprehensive legal framework, there is nothing compelling them to have any.
The consequences of unprotected data are not hypothetical. They are local, they are recent, and they affected real Namibians.
The Digital Permanence
There is another layer to this problem that deserves attention: our collective failure to understand what digital existence truly means.
When you write something on a piece of paper and throw it away, it is gone. When you share information digitally, on a form, on a platform, with an app, it is rarely gone. It can be stored, copied, sold, leaked, or hacked. Digital data has a permanence that physical data simply does not.
We have caught a glimpse of how carelessly people treat this reality through the recent social media trend of asking AI tools to generate images or profiles based on what those platforms “know” about a person.
When we analysed what people were actually entering into those systems, their workplace, their location, their physical description, their daily routines, the results painted a troubling picture.
People were assembling detailed personal profiles and feeding them to AI tools, all in the name of a trend, without pausing to consider where that information goes or what it could be used for.
This is not a small thing; it is the kind of data that, in the wrong hands, enables identity theft, targeted fraud, and manipulation-based scams.
What Changes Behaviour
Awareness alone has a ceiling, and we have reached it.
What actually changes behaviour is the habit of pausing before handing over personal information and asking: Is this necessary? What will this be used for? Who else will have access to it?
These are not paranoid questions; they are smart ones, and they are precisely what data protection law is designed to empower you to ask.
Namibia’s Data Protection Bill has been in development since 2021 and was expected to be tabled in Parliament in late 2025. When passed, it will establish clear obligations for how organisations collect, store, and handle your personal information.
It will require them to justify why they need your data, put security measures in place to protect it, and be held accountable when they fail. It will, in other words, give legal weight to the very questions this article is asking you to start asking.
But a law only works when the people it protects know their rights under it, and are willing to exercise them. Legislation without awareness is as ineffective as awareness without legislation.
What changes behaviour is consequence visibility: not statistics, but stories. Real people, real losses, real lives disrupted by information that was shared too freely, too casually, in too many places.
Finally, what changes behaviour is a cultural shift in how we think about personal information. Not as a courtesy to hand over freely and speed up a transaction, but as something with value, value worth protecting, worth questioning, worth keeping close.
We have done the work of raising awareness; the next challenge is making people act on what they know. That starts with one question, the next time someone asks you for your ID number at the till or anywhere: Why do you need this?
Ask it, and get comfortable asking it. And if they cannot give you a satisfactory answer, you have every right to decline.
Your information is yours. Treat it that way.







