Tuesday, 10 December 2019

An Appraisal of Nigeria’s Data Protection Framework

By Larry C. Nkwor

Data protection is the regulation of the access to and use of personal data. It is the process of safeguarding personal information from abuse, compromise or loss. Where a strong data protection law exists, organizations that collect and use personal data have obligations to comply with the law in the handling of that data, and enforcement and redress must be available when those obligations are not met. The expansion of information technology capabilities, together with the increasing use of personal data, has made the need for an effective data protection framework more important than ever.

The Right to Privacy
The right to privacy is a fundamental right enshrined in the 1999 Constitution of the Federal Republic of Nigeria, in many constitutions around the world and in international human rights law. Data protection is a fundamental aspect of the right to privacy, and as such there is a need to safeguard the right to privacy as enshrined in the Constitution.

Nigeria's Data Protection Framework
Nigeria has no principal data protection law. There is, however, a subsidiary legislation: the Nigeria Data Protection Regulation 2019, made pursuant to the National Information Technology Development Agency Act 2007 (NITDA Act). Nigeria also has other sector-specific laws that contain data protection provisions.

1. The 1999 Constitution of the Federal Republic of Nigeria
The 1999 Constitution under Section 37 guarantees privacy as a fundamental right. Section 37 provides that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected. Although personal data is not expressly mentioned in this section, data protection can be seen as a component of the right to privacy.

2. The Child Rights Act 2003
Section 8 of the Child Rights Act 2003 reiterates the constitutional right to privacy as it relates to children.

3. Nigeria Data Protection Regulation 2019
The National Information Technology Development Agency (NITDA) was established under the NITDA Act 2007. NITDA issued the Nigeria Data Protection Regulation to regulate and control the use of data in Nigeria. The Regulation was issued on 25 January 2019 and is made by virtue of the NITDA Act 2007, the principal Act.

This is the most comprehensive legislation on data protection in Nigeria. The Regulation prescribes minimum data protection standards for all organizations or persons that control, collect and process the personal data of Nigerian residents and of Nigerian citizens outside Nigeria.

The Regulation defines Personal Data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, an address, a photo, an email address, bank details, posts on social networking websites or medical information to other unique identifiers such as, but not limited to, a MAC address, IP address, IMEI number, IMSI number or SIM.

Section 2.1 of the Regulation sets out the basic data protection principles. Section 2.1 (1) provides that personal data shall be:
a) collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject;
b) adequate, accurate and without prejudice to the dignity of the human person;
c) stored only for the period within which it is reasonably needed; and
d) secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.

Although Section 2.1 (1) (a) makes clear that personal data collected must be processed only in accordance with the purpose consented to by the data subject, it goes on to provide exceptions: further processing may be carried out only for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.

Section 2.1 (2) provides that anyone who is entrusted with the personal data of a data subject or who is in possession of the personal data of a data subject owes a duty of care to the said data subject.

Section 2.1 (3) makes provision for accountability of data processors and collectors. It provides that anyone who is entrusted with the personal data of a data subject or who is in possession of the personal data of a data subject shall be accountable for his acts and omissions in respect of data processing and in accordance with the principles contained in Section 2.1 (1).

Section 2.3 makes provision for procuring the consent of the data subject. Consent must be freely given. Consent is a core principle of data protection, as it allows the data subject to remain in control of the processing of their personal data.

Section 2.6 provides that anyone involved in data processing or the control of data shall develop security measures to protect data. Such measures include, but are not limited to, protecting systems from hackers, setting up firewalls, storing data securely with access limited to specific authorized individuals, employing data encryption technologies, developing an organizational policy for handling personal data (and other sensitive or confidential data), protecting emailing systems and continuous capacity building for staff.

Section 2.8 provides that the right of a Data Subject to object to the processing of his data shall be safeguarded at all times. Accordingly, a Data Subject shall have the option to:
a) object to the processing of personal data relating to him which the Data Controller intends to process for the purposes of marketing;
b) be expressly and manifestly offered the mechanism for objection to any form of data processing, free of charge.

Section 2.10 makes provision for the penalty for default. The penalty for a breach depends on the number of Data Subjects the Data Controller handles. The section provides that any person subject to the Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:
a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of a fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira, whichever is greater;
b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of a fine of 1% of Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira, whichever is greater.

Section 3.2 makes provision for an enforcement mechanism. The section provides that, without prejudice to the right of a Data Subject to seek redress in a court of competent jurisdiction, NITDA shall set up an Administrative Redress Panel under the following terms of reference:
a) investigation of allegations of any breach of the provisions of the Regulation;
b) invitation of any party to respond to allegations made against it within seven days;
c) issuance of Administrative orders to protect the subject-matter of the allegation pending the outcome of investigation; and
d) conclusion of investigation and determination of appropriate redress within 28 working days.
Any breach of the Regulation shall be construed as a breach of the provisions of the NITDA Act 2007.

4. The Cybercrimes Act 2015
This Act criminalizes the abuse and misuse of data for fraudulent purposes. It provides a legal and regulatory framework for the prohibition, detection and prosecution of cybercrimes in Nigeria.

5. Consumer Code of Practice Regulations 2007 (NCC Regulations)
The Nigerian Communications Commission (NCC) issued these regulations to protect consumer information against improper or accidental disclosure and to ensure that it is not kept longer than necessary. They also restrict the transfer of consumer information.

6. Consumer Protection Framework 2016
This framework was issued by the Central Bank of Nigeria. It prohibits financial institutions from disclosing the personal information of their customers. Consent must be obtained from consumers before personal data can be shared with a third party or used for promotional offers.

7. National Health Act 2014 (NHA)
Under this Act, health establishments are required to maintain health records for every user of health services and to maintain the confidentiality of such records. The Act imposes restrictions on the disclosure of user information.

8. Freedom of Information Act 2011
The Act prohibits a public institution from disclosing personal information to the public unless the individual involved consents to the disclosure.

9. National Identity Management Commission (NIMC) Act 2007
This Act creates the National Identity Management Commission (NIMC) to establish and maintain a National Identity Management System. The Act provides that no person or corporation shall have access to information contained in the Database with respect to a registered individual without authorization from the NIMC. The NIMC may provide a third party with information without the individual's consent provided it is in the interest of national security.

Persons who process or control the personal data of individuals are expected to comply with the obligations in the legislation that governs data protection. The Nigeria Data Protection Regulation is a welcome development for data protection in Nigeria. It provides for accountability and enforcement, which are key to the successful protection of personal data. The Regulation may not be a fully sufficient piece of data protection legislation, but it is certainly a huge step towards the safeguarding of personal information. Despite being a subsidiary legislation, the Regulation has the same force of law as its principal legislation by virtue of the Interpretation Act 1964. It has been held in Njoku v. Iheanatu (CA/PH/EPT/454/2007) that a subsidiary legislation is made or enacted under and pursuant to the power conferred by a principal legislation and that it derives its force and efficacy from the principal legislation. Thus, there must be strict compliance with the provisions of the Regulation by data controllers and data processors.