The National Information Technology Development Agency was mandated by the National Information Technology Development Act (NITDA) to come up with laws that will regulate the use of information technology and electronic data. This arose from the need to ensure the privacy and protection of Nigerians' personal data, given the alarming increase in breaches of personal data. To achieve this goal, the National Information Technology Development Agency (NITDA) issued the Nigerian Data Protection Regulation (NDPR).
The objectives of the NDPR as contained in section 1 of the Regulation are as follows:
a) To safeguard the rights of natural persons to data privacy;
b) To foster safe conduct of transactions involving the exchange of personal data;
c) To prevent manipulation of personal data, and
d) To ensure that Nigerian businesses remain competitive in international trade; through the safeguards afforded by a just and equitable legal regulatory framework on data protection and which regulatory framework is in tune with global best practices.[1]
From the above, the NDPR seeks to protect the privacy of an individual's personal data; to provide safety or security in dealing with an individual's personal data; and to help Nigerian businesses compete in international trade, since the regulatory framework is in tune with global best practices.
For a proper understanding of this topic, it is necessary to be conversant with the meaning of some terms which will constantly be referred to in the course of this article. These terms are as follows:
The NDPR applies to every Nigerian residing inside or outside the country; it also applies to transactions intended for the processing of personal data (i.e. transactions that involve collecting, structuring, making available, etc., an individual's personal data) in respect of natural persons in Nigeria.
Major Features of the Nigerian Data Protection Regulation
The NDPR is a regulation enacted to provide for the privacy and security of an individual's personal data. In doing that, the NDPR contains some features that will bring about the achievement of its objectives. Some of those key features will be discussed below.
a. What constitutes the data subject's consent;
b. Description of collectable personal information;
c. Purpose of collection of personal data;
d. The technical methods used to collect and store personal information, cookies, etc.;
e. Access (if any) of third parties to personal data and purpose of access;
f. Available remedies in the event of violation of the privacy policy, and the time frame or remedy, and
g. Any limitation clause. (This limitation clause will not avail any data controller who acts in breach of the principles set out in section 6 of the Nigerian Data Protection Regulation.)
A privacy policy is required of data collectors to assure data subjects that their personal data is secured, is used for a legitimate purpose, is kept private, and is protected from cyber-attacks and the other things set out in sections 5 and 6 of the NDPR. The policy must also reveal to the data subject the method used to collect and store the personal information, and must state that the data subject has remedies when the privacy policy is violated, etc.
If a third party is going to have access to, or be involved in the processing of, the personal data of a data subject, there must be a written contract between the data controller and the third party to that effect.
a) The identity and contact details of the controller.
b) The contact details of the data protection officer.
c) The purposes of the processing for which the personal data is intended, as well as the legal basis for the processing.
d) The legitimate interest pursued by the controller or by a third party.
e) The recipient of the personal data (if any).
The data subject has the right to know whether the data controller shall transfer the personal data to an international organisation; whether the data subject has the right to request the data controller to rectify or erase the personal data; whether the data subject has the right to lodge complaints at any point in time to the relevant authority; whether the provision of the personal data is a statutory, or contractual requirement, and the consequences if the data subject does not provide the personal data; the data subject also has the right to know when the data controller intends to use the personal data for purposes other than that for which the personal data was collected.
The Benefits of the Nigerian Data Protection Regulation
The NDPR was issued in January 2019 as the country's first codified Data Protection Legislation to protect the data privacy of Nigerians. In a brief interview, Adeoluwa Akomolafe stated that the importance of data privacy cannot be overemphasized. He said that the attacks on businesses were based on data breaches, which led to an increase in regulatory focus worldwide. Regulations such as the European Union's General Data Protection Regulation, the Asia Pacific Data Protection and Cyber Security Guide 2020, the German IT Security Act 2015, etc., were all created to address the issue of the rampant breaches of data belonging to individuals and companies.
According to him, the NDPR was created as a response to the increase in data breaches. The purpose of the NDPR, in his statement, is to ensure that Nigerian companies understand the data in their custody; how such data is classified; their obligations in ensuring security of that data; and other relevant issues relating to the data in their custody.[20]
That said, the four benefits of the Nigerian Data Protection Regulation are as follows:
The above provisions are laudable, yet critics have said that companies and organisations cannot take cover under the NDPR because the definition of data subject refers to 'natural persons'. It is true that registered companies enjoy separate personality, i.e., they have an identity distinct from the persons who run the affairs of the companies, and so the data privacy of a company can be breached.
However, Adeoluwa Akomolafe, in answering this question, explained that a person is usually put in charge of people's data in every company. This person is referred to as the 'data protection officer'. The data protection officer is appointed by the organisation (i.e. the data controller) to take responsibility for driving the protection of data. The primary role of a data protection officer is to ensure that the organisation (i.e. the data controller) processes the personal data of its staff, customers, service providers, etc., in compliance with the applicable data protection rules. Hence, the organisation as the data controller, through its data protection officer, will be responsible for the privacy breach of another company complaining of a breach. In other words, the NDPR is applicable to companies; the organisation which is the data controller will be held responsible when another company suffers a breach of data privacy.
In conclusion, the NDPR applies to all storage and processing of data in respect of Nigerian citizens. The purpose of the NDPR is to safeguard the rights of natural persons to data privacy; to bring about safe conduct of transactions involving the exchange of personal data; and to prevent manipulation of personal data. The NDPR imposes numerous compliance obligations on data controllers and processors in the processing of personal data of natural persons.
Data controllers should ensure that all data collected is secure; they (data controllers) must have the tools to guard against data manipulation. Explicit consent from the data subject must be obtained by data controllers if the personal data is about to be shared with a third party.
Adeiye Adenekan.
LinkedIn: https://www.linkedin.com/in/michaelmas-chambers-5a49000146
Twitter: @MichaelmasLaw
Phone no: 09090008231.
[1] Section 1 of the Nigerian Data Protection Regulation, 2019.
[2] Section 4, regulation 1.3(q) of the Nigerian Data Protection Regulation, 2019.
[3] Section 4, regulation 1.3(k) of the Nigerian Data Protection Regulation, 2019.
[4] Section 4, regulation 1.3(g) of the Nigerian Data Protection Regulation, 2019.
[5] Section 4, regulation 1.3(r) of the Nigerian Data Protection Regulation, 2019.
[6] Section 4, regulation 1.3(s) of the Nigerian Data Protection Regulation, 2019.
[7] Section 2, regulation 1.2 of the Nigerian Data Protection Regulation, 2019.
[8] Section 5, regulation 2.1(1) of the Nigerian Data Protection Regulation, 2019.
[9] Section 5, regulation 2.1(2) of the Nigerian Data Protection Regulation, 2019.
[10] Section 6, regulation 2.2 of the Nigerian Data Protection Regulation, 2019.
[11] Section 7, regulation 2.3 of the Nigerian Data Protection Regulation, 2019.
[12] Section 9, regulation 2.5 of the Nigerian Data Protection Regulation, 2019.
[13] Section 11, regulation 2.7 of the Nigerian Data Protection Regulation, 2019.
[14] Section 10, regulation 2.6 of the Nigerian Data Protection Regulation, 2019.
[15] Regulation 2.10 of the Nigerian Data Protection Regulation, 2019.
[16] Section 14, regulation 2.11 of the Nigerian Data Protection Regulation, 2019.
[17] Sections 16-31 of the Nigerian Data Protection Regulation, 2019.
[18] Sections 16-31 of the Nigerian Data Protection Regulation, 2019.
[19] Ibid. Nigerian Data Protection Regulation, 2019.
[20] Adeoluwa Akomolafe, Certified Information Systems Security Personnel (CISSP), Certified Ethical Hacker (CEH), Chief Information Security Officer & Assistant GM, Wema Bank Plc.
[21] Adeoluwa Akomolafe, Certified Information Systems Security Personnel (CISSP), Certified Ethical Hacker (CEH), Chief Information Security and Data Protection Officer, Wema Bank Plc.
[22] Section 1 of the Nigerian Data Protection Regulation, 2019.
[23] Olumide Babalola, Nigeria: My Thoughts on the Nigerian Data Protection Regulation (NDPR) 2019. (Published March 2020) Cited in
[24] Adeoluwa Akomolafe, Certified Information Systems Security Personnel (CISSP), Certified Ethical Hacker (CEH), Chief Information Security and Data Protection Officer, Wema Bank Plc.