Advocating Data Privacy in Nigeria
Data, broadly defined, covers all available information concerning individuals and corporations. The advent of information technology has quadrupled the amount of information available. Necessarily, governments of the world are promulgating data protection legislation to regulate the processing of data and to safeguard the information of persons. The Nigerian experience has been slow and steady.
In the beginning, there was no comprehensive law for data protection. However, the privacy of persons was protected by Section 37 of the 1999 Constitution, which guarantees the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic materials. Specifically, the rights of children are protected by the Child Rights Act No. 26 of 2003. Section 8 of the Act guarantees every child's right to privacy. Section 205(2) protects the records of child offenders.
Regulatory Framework
Some specific laws have contained snippets of data protection. For instance, the Freedom of Information Act No. 4 of 2011 provides for public access to public records. Still, it prevents a public institution from disclosing personal information to the public unless the individual concerned consents to the disclosure.[1] It also provides that a public institution may refuse to disclose information that enjoys professional privilege (lawyer-client privilege, for instance).[2]
The National Identity Management Commission Act of 2007 establishes a commission responsible for operating a National Identity Database. The Act provides that no person or company shall have access to data or information contained in the database with respect to a registered individual without authorization. The commission is only authorized to share such information if it is in the interest of national security.
The Consumer Code of Practice Regulations was issued by the Nigerian Communications Commission (NCC) in 2007. It requires telecommunication operators to take reasonable steps to protect consumer information against “improper or accidental disclosure”. It further provides that consumer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations.” Interestingly, the Registration of Telephone Subscribers Regulation 2011 (as issued by the NCC) affords confidentiality for telephone subscriber records maintained in the NCC’s central database.
The National Health Act of 2014 requires health establishments to maintain health records for every user of health services. The confidentiality of such records is to be maintained and protected. Meanwhile, the Cybercrimes Act 2011 prohibits the interception of electronic communications and imposes data retention requirements on financial institutions. Finally, the Federal Competition and Consumer Protection Act of 2019 requires the Commission to protect the business secrets of all parties involved in the Commission's investigations.
The Nigerian Data Protection Regulation 2019
In 2007, the National Information Technology Development Agency (NITDA) was set up by the National Information Technology Agency Act as the statutory agency responsible for planning, developing and promoting the use of information technology in Nigeria. The Agency is mandated to develop regulations for electronic governance and to monitor the use of electronic data. In line with this responsibility, the Agency issued the Nigerian Data Protection Regulation (NDPR) in January 2019.
Essentially, the Regulation aims at protecting the personal data of all Nigerians and non-Nigerian residents. It targets transactions that involve the processing of personal data.[3] The Regulation is directed to government agencies and private organizations that own, use and deploy Nigerian information systems as well as foreign organizations that process personal data of Nigerian residents.
What is Personal data?
Section 13 of the Regulation defines data to include a name, an address, a photo, an email address, bank details, posts on social networking sites, medical information, an internet protocol (IP) address and any other information specific to the physical, psychological, genetic, mental, economic, cultural or social identity of a natural person. Data is personal when the information relates to an identified or identifiable natural person, whether it relates to his or her private, professional or public life.
Under the Regulation, certain general principles govern data processing. Personal data must be processed for the specific lawful purpose consented to by the Data Subject. It must be processed without prejudice to the dignity of the human person. It must be stored only for the period within which it is reasonably needed. Finally, it must be secured against all foreseeable hazards and breaches.[4] Accordingly, everyone in possession of the personal data of a Data Subject owes a duty of care to that Data Subject.
Who is a Data Subject?[5]
A Data Subject is an identifiable person, identified by reference to an identification number or other factors specific to his or her identity.[6] Simply put, a Data Subject is the individual whom the data is about. Every natural person is a Data Subject: that is, humans, not companies. Data Subjects are accorded certain rights: the right to rectify their information and to receive it in a portable format, the right to erasure of the information, the right to restrict its processing and the right to transfer it to a third party.[7]
Who is a Data Controller?
A Data Controller determines how (“the processes for and the manner in which”) personal data is processed. In most cases, the Data Controller is the company or organization that possesses or requests your data. This is distinguishable from a data administrator, who simply processes data.[8]
A Data Controller must adhere to the legal bases provided by the Regulation. Data processing is only lawful in the following instances:[9]
- the Data Subject has consented to the processing;
- the processing is necessary for the performance of a contract;
- the processing is required for compliance with a legal obligation;
- the processing is required to protect the vital interests of the Data Subject or another natural person; or
- the processing is necessary for the performance of a task carried out in the public interest.
When the Data Controller seeks to obtain information from the Data Subject, the Data Controller must provide certain information:[10]
- the identity and contact details of the Data Controller;
- the contact details of the Data Protection Officer;
- the purpose for which the data will be processed, as well as its legal basis;
- the recipients of the data;
- the period for which the personal information will be stored;
- the rights of the Data Subject; and
- information about any possible transfer of the data to third parties, foreign countries or international organizations.
Data Protection Officer
This person is designated by the Data Controller to ensure that the Data Controller complies with the Regulation.[11] In practice, Data Controllers may hire compliance staff to oversee data protection within the organisation.
Penalties
The penalty for failing to comply with the Regulation depends on the number of Data Subjects whose data a Data Controller processes:[12]
- More than 10,000 Data Subjects – payment of a fine of 2% of Annual Gross Revenue or 10 million Naira, whichever is greater
- Less than 10,000 Data Subjects – payment of a fine of 1% of Annual Gross Revenue or 2 million Naira, whichever is greater
Enforcement
The NDPR contains “implementation mechanisms”. For instance, it directs all public and private organizations in Nigeria that control the data of natural persons to publish their data protection policies within 3 months of the issuance of the Regulation. It makes the designation of a Data Protection Officer compulsory.
The NDPR creates Data Protection Compliance Organizations (DPCOs) to monitor the compliance of Data Controllers and provide advisory services. On 10 December 2019, NITDA published a list of 27 licensed DPCOs.
An Administrative Redress Panel is established to investigate allegations of breach. Finally, the Regulation directs the Agency to foster international cooperation mechanisms with foreign countries.
Conclusion
Overall, the NDPR is a welcome development for Nigeria and is perhaps the highlight of the legislative year. The actions of NITDA are visible and commendable. In October 2019, it commenced an investigation into a potential breach of the privacy rights of Nigerians by the Truecaller service. Apparently, Truecaller's privacy policy was divided into two sets, one for users in the European Economic Area and another for those outside the EEA. Nigeria fell under the second category. An assessment of the relevant policy revealed non-compliance with the NDPR.
The expository press release (as published on NITDA's website) concluded with the following words:
NITDA would like to assure Nigerians that it will continue to monitor the activities of digital service providers with a view to ensuring that the rights of Nigerians are not unduly breached while also improving the operational environment to support ethical players in their bid to get maximum benefit from Nigeria.
References
DLA Piper, Data Protection Laws of the World: Nigeria, https://www.dlapiperdataprotection.com/index.html?t=collection-and-processing&c=NG
Aelex, An Overview of Big Data & Data Protection in Nigeria, https://www.aelex.com/wp-content/uploads/2019/05/An-overview-of-Big-Data-and-data-protection-in-Nigeria-1-compressed.pdf
Udo Udoma & Belo-Osagie, Data Privacy Protection in Nigeria, https://www.uubo.org/media/1337/data-privacy-protection-in-nigeria.pdf
Templars, Nigeria Data Protection Regulation 2019: A Safety Net for Personal Information or just Band-aid?, https://www.templars-law.com/wp-content/uploads/2019/03/Templars-Thought-Leadership_NIGERIA-DATA-PROTECTION-REGULATION-2019_-A-SAFETY-NET-FOR-PERSONAL-INFORMATION-OR-JUST-BAND_AID.pdf
KPMG, The Nigerian Data Protection Regulation, https://assets.kpmg/content/dam/kpmg/ng/pdf/advisory/NDPR-journey-to-compliance.pdf
NITDA, Nigeria Data Protection Regulation, https://nitda.gov.ng/wp-content/uploads/2019/01/Nigeria%20Data%20Protection%20Regulation.pdf
[1] Section 14
[2] Section 16
[3] Section 1.2
[4] Section 2.1
[5] The Data Subject is the identifiable person who is identified directly or indirectly with reference to an identification number or other factors specific to his/her physical, psychological, mental, economic, cultural or social identity.
[6] Section 1.3
[7] Section 2.13
[8] Section 1.3
[9] Section 2.2
[10] Section 2.13.6
[11] Section 1.3
[12] Section 2.10
Lawyer | Banking & Finance
4 years ago
It's incredible that just today, I was given a paper to write on the NDPR. I hope I can do half of the amazing work you've done.
Judge at Lagos State Judiciary
4 years ago
Well done!
Capital Markets, M&A, Corporate Law
4 years ago
Well done David. I really appreciate the references to the plethora of laws in Nigeria which seek to protect the privacy of personal information (similar to what obtains in the US under HIPAA, the FTC Act, etc.). NITDA appears to be clamping down on data controllers in Nigeria to ensure compliance with the data audit requirements under the regs. Let's see how it develops. Good one bro!
Attorney (Capital markets, Corporate finance, Energy) || Writer || McKinsey forward '22
4 years ago
Nice write-up. Although the NDPR is a good development in the war against data breaches, the penalty should be made more deterring than it is at the moment. Nigeria is a big market when it comes to internet presence. Besides, we are in a digital generation where a lot of establishments have clients' details in digital format, making it easier to commercialize these data. With these in mind, one would agree that the penalty is negligible compared to the gains from mining those data.
Commercial Advisory Lawyer | Financial Expert | Strategic Leader | Seeking Opportunities in Consulting and Investment Banking
4 years ago
Thank you very much for this. I was asked about the data breach at an interview today; this article was all the knowledge I had, and it was sufficient. More power to your elbow and have a wonderful year ahead.