DATA PRIVACY AND PROTECTION IN NIGERIA
– By Chioma Chijioke and Stephanie Maduabum
The significant value of data in today’s world cannot be overemphasized. Most organisations including tech companies such as Google, Facebook and Apple require and use data provided by subscribers to improve their operations. Therefore subscribers are required to grant data access to these tech companies in order for the subscribers to access their platforms.
With the advent of new technologies in this digital age, the need to protect the privacy of data subjects has become highly imperative. This has led to the recognition of data privacy and protection as an international recognized right.
Data has been defined in the Cybercrimes Act as “representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer”. Again, the Nigeria Data Protection Regulation (“NDPR”) 2019 defines data as “characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device”.
Data Protection is the process of protecting data and involves the relationship between the collection and dissemination of data and technology. It aims to strike a balance between individual privacy rights while allowing data to be used for business purposes.
The principal legislation governing Data Protection in Nigeria is the Nigeria Data Protection Regulation (“NDPR”) 2019 issued as a subsidiary legislation to the National Information Technology Development Agency (“NITDA”) Act by NITDA on 25th January 2019 pursuant to Section 32 of the NITDA Act 2007. Other general and sector specific legislation on data protection include:
- The Constitution of the Federal Republic of Nigeria 1999 (as amended) – guarantees and protects the privacy of citizens in their homes, correspondences, telephone conversations and telegraphic communications.
- The Freedom of Information Act 2011 – expressly excludes information relating to private or personal data of individuals from the categories of information to be made available to the public.
- The National Identity Management Commission Act (“NIMC”) – mandates prior authorization of the NIMC before an individual or corporate entity can access data or information contained in the National Identity Database.
- The Child’s Right Act 2003 – provides for the right to privacy of a Child in Nigeria.
- The Central Bank of Nigeria’s Consumer Protection Framework 2016 issued pursuant to the Central Bank of Nigeria (“CBN”) Act 2007 – requires financial institutions to ensure adequate protection of customer data.
- The Cybercrime (Prohibition, Prevention, etc.) Act 2015 – criminalizes cybercrimes in Nigeria. Section 14 and 16 prohibit dealing with data stored in a computer system or network in a fraudulent manner for fraudulent purposes. Section 19 requires financial institutions to protect customer data and Section 12 prohibits unlawful interception of electronic communications.
- The Credit Reporting Act 2017 – guarantees the right of individuals under the Act to privacy and confidentiality with respect to their credit information in the possession of the credit bureau.
- The Nigerian Communications Commission (NCC) Consumer Code of Practice Regulations 2007 – requires licensees in the telecommunication sector to ensure adequate protection of customer information.
- The NCC (Registration of telephone subscribers) Regulation 2011 in Sections 9 and 10 provides for the confidentiality of telephone subscriber records maintained in the NCC’s central database. The Regulation further provides telephone subscribers with a right to view and update personal information in the NCC’s central database of a telecommunication company.
- The National Health Act (“NHA”) 2014 – provides for the rights and obligations of healthcare users and healthcare personnel. It mandates health establishments to retain health records of every user of health services and maintain the confidentiality of such records. Section 29(1) of the NHA also imposes restrictions on the disclosure of user information and requires persons in charge of health establishments to set up control measures for preventing unauthorized access to such information.
- Federal Competition and Consumer Protection Act (“FCCPA”) 2019 – Section 34(6) of the Act requires the Federal Competition and Consumer Protection Commission to protect the business secrets of all parties involved in the Commission’s investigations. Section 33(2) also requires the Commission’s hearings to take place in public. However, the Commission may, particularly to preserve business secrets, conduct hearings in camera.
DATA PROTECTION FILING AND AUDIT UNDER THE NDPR
The NDPR in a bid to ensure data protection compliance by Data Controllers provides for filing of Data Protection Audit Reports with the NDPR. The NITDA also imposes an obligation on Data Controllers handling the personal data of a certain threshold to comply with the Data Protection Audit.
Data Protection Audit is an investigation or examination of the records, processes and procedures of a Data Controller or Administrator to verify compliance with NDPR Requirements. It is important to note that a Data Protection Audit can also be done by a Data Controller or Administrator internally. However, where a Data Protection Audit is to be filed with NITDA, a Data Controller would need to engage a Data Protection Compliance Organisation (“DPCO”) which has been defined by NITDA as an entity duly licensed for the purpose of training, auditing, consulting and rendering services aimed at ensuring compliance with the NDPR.
When the NDPR came into force, it required that Data Controllers file an initial Data Protection Audit Report within 6 months of its coming into force.
The Compliance requirements under the NDPR are that every Data Controller that processes the Personal Data of more than 1,000 Data Subjects is to submit the summary of the audit within 6 months to NITDA and every Data Controller that processes the Personal Data of more than 2,000 Data Subjects on an annual basis is to submit Data Protection Audit Report to NITDA no later than 15th March each year. However, for the year 2021, the timeframe for filing the audit report was extended to 30th June 2021.
CHALLENGES OF DATA PRIVACY AND PROTECTION IN NIGERIA
Despite the benefits of the NDPR, the regulation does not consider online privacy protection and regulation of access to the internet, video surveillance, search engines and social networking. The lack of a comprehensive Database of Data Subjects poses a challenge to the enforcement of the Regulation.
Again, the Regulation solely “applies to all transactions intended for the processing of personal data and to actual processing of personal data….and to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent” This provision means that the regulation excludes other forms of data (e.g sensitive personal data) and also corporate organisations.
Critics of the NDPR believe that since the NDPR is a Regulation and not a statue enacted by the National Assembly, it lacks the requisite force of law required to address such an important subject as Data Protection. It is believed that the NITDA is not empowered by law within the ambit of Section 6 of the NITDA Act to make such regulation.
Prior to the enactment of the NDPR by the NITDA, most laws on data privacy and protection in Nigeria were industry specific. However, the quick convergence of the framework of implementation and enforcement structure under the NDPR by NITDA shows its seriousness in ensuring compliance with data privacy and protection laws by Data Controllers or Administrator.
The NDPR is however not without its flaws but is a step in the right direction and there is still room for improvement.
There is a Data Protection Bill currently pending before the National Assembly. The main objective of this Bill is to provide a structure for the protection of personal data and to regulate the processing of information relating to individuals, irrespective of their nationalities. It also seeks to protect the fundamental rights to privacy as enshrined in the constitution. The Bill is still undergoing review and before promulgation into law, may be further amended
 The NDPR defines “Data Subject” as any person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
 Section 58 of the Cybercrimes Act
 Section 37 of the Constitution
 Section 14 of the Freedom of Information Act 2011
 Section 26 of the NIMC Act
 Section 8 of the Child’s Right Act 2003
 Section 9 of the Credit Reporting Act
 The NDPR defines a Data Controller as a person who either alone, jointly with other persons or in common with other persons or a statutory body, determines the purposed for and the manner in which personal data is process or is to be processed.
 This has been defined by the NDPR to mean any information relating to an identifiable natural person. An identifiable natural person is one who can be identified, by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from a name, an address, a photo, an email address, bank details, posts on social networking websites, medical information and other unique identifiers such as, but not limited to the MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.
 The NDPR defines a Data Administrator as a person or organization that processes data
 Section 4.1(5) of the NDPR
 Section 4.1(6) and (7) of the NDPR
 Section 1.2 NDPR 2019