A look at Nigeria’s Data Protection

A year ago (October 2019), the National Information Technology Development Agency (NITDA) commenced an investigation into a potential breach of the privacy rights of Nigerians by Truecaller Service. You must know about this: it is the app that lets people know your name when they call your phone. Apparently, the privacy policy of Truecaller was divided into two sets – one for those in the European Economic Area (EEA) and another for those outside the EEA. Nigeria fell under the second category. An assessment of the relevant policy revealed noncompliance with the Nigeria Data Protection Regulation (NDPR).

An expository press release (as published on NITDA’s website) concluded with the following words:

NITDA would like to assure Nigerians that we will continue to monitor the activities of digital service providers with a view to ensuring that the rights of Nigerians are not unduly breached while also improving the operational environment to support ethical players in their bid to get maximum benefit from Nigeria.

How well has NITDA done since then? How secure is data in Nigeria? 

Last Friday, thisdaylive.com wrote about the efforts of NITDA to implement the Nigeria Data Protection Regulation (NDPR). According to this article, within the space of one year in office, NITDA has created more than 2,700 jobs. Also, Nigeria’s data security industry has surpassed the N2.5 billion mark. Ultimately, the agency has ensured strict compliance with the NDPR. While we cannot confirm or challenge these commendations, today’s article discusses the NDPR and prior legislation that are part of Nigeria’s data protection efforts. Just so you know your rights.

Data Protection Laws in Nigeria 

In the beginning, there was no comprehensive law for data protection. However, the privacy of persons was protected by Section 37 of the 1999 Constitution which guarantees the privacy of citizens, their homes, correspondences, telephone conversations and telegraphic materials. Soon, there were specific laws that contained snippets of data protection. 

The National Identity Management Commission Act of 2007 established a commission. This commission is responsible for operating a National Identity Database. The Act provides that no person or company shall have access to data or information contained in the database with respect to a registered individual without authorization.

There is also the Freedom of Information Act No. 4 of 2011. This Act actually provides for public access to public records. Still, it prevents a public institution from disclosing personal information to the public unless the concerned individual consents to such disclosure. It also provides that a public institution may refuse to disclose information that enjoys professional privilege (lawyer-client privilege, for instance).

The Consumer Code of Practice Regulations was issued by the Nigerian Communications Commission (NCC) in 2007. It requires telecommunication operators to take reasonable steps to protect consumer information against “improper or accidental disclosure”. 

The National Health Act of 2014 requires health establishments to maintain health records for every user of health services. The confidentiality of such records is to be maintained and protected. 

Meanwhile, the Cybercrimes Act 2011 prevents the interception of electronic communications and imposes data retention requirements on financial institutions. 

Finally, the Federal Competition and Consumer Protection Act of 2019 requires the Commission to protect the business secrets of all parties involved in the Commission’s investigations.

The Nigerian Data Protection Regulation

In 2007, the National Information Technology Development Agency was set up by the National Information Technology Agency Act as the statutory agency with the responsibility for planning, developing and promoting use of information technology in Nigeria. The Agency is mandated to develop regulations for electronic governance and to monitor the use of electronic data. In line with this responsibility, the Agency issued the Nigerian Data Protection Regulation (NDPR) in January 2019.

Essentially, the Regulation aims at protecting the personal data of all Nigerians and non-Nigerian residents. It targets transactions that involve the processing of personal data. The Regulation is directed to government agencies and private organizations that own, use and deploy Nigerian information systems as well as foreign organizations that process personal data of Nigerian residents.

Data is personal when the information relates to an identified or identifiable natural person, whether it relates to his or her private, professional or public life. Personal data must be processed for the specific lawful purpose as consented to by the Data Subject. It must be without prejudice to the dignity of the human person. Also, it must be stored only for the period within which it is reasonably needed. Finally, it must be secured against all foreseeable hazards and breaches. A Data Subject is the individual whom the data is about. A Data Controller is the company or organization that possesses or requests your data.

The advent of information technology has quadrupled the amount of information available. Necessarily, governments of the world are promulgating data protection legislation to regulate the processing of data and to safeguard information of persons. The Nigerian experience has been slow and steady.