ARTICLE
31 March 2022

The Principles Of Data Privacy And Data Protection In Nigeria

Marcus-Okoko & Co

Marcus-Okoko & Co is a full-service International law firm committed to providing a wide variety of topnotch legal services to clients within and outside Nigeria. Our areas of expertise cover a broad range of corporate and commercial legal services amongst which include Corporate and Commercial Law and practice; Arbitration; Litigation; and other forms of ADR such as Legal and Regulatory Compliance; Mergers & Acquisitions; Competition & Antitrust; Project Management and Capital Markets.

INTRODUCTION

Data protection is commonly defined as the law designed to protect your personal data. Data protection is the legal mechanism that ensures privacy. While conceptually distinct from the 'right to privacy', most good data protection regulatory frameworks are similar in the sense that they contain similar principles for collecting, processing, and transferring personal data.

For over two centuries, oil has been considered one of the most valuable physical assets in the world. However, in this age of information, data is gradually and steadily becoming the most prized asset. According to Shivon Zilis, a partner with the venture capital firm Bloomberg Beta, "Data is the new oil." David Kenny, the general manager of IBM's Watson data crunching service, agreed with Zilis and said "the value of data goes up every day AI (Artificial Intelligence) advances." He also explained that only 20% of the world's information is stored on the Internet, with the other 80% being privately held within companies and organizations.

According to David Kenny, "Data will become a currency." Each website (or app) that we use and each page we view on the internet is recorded. While browsing, we inadvertently leave behind digital footprints, and technology companies are able to leverage and monetize that data. Technology companies and most data processing companies trade on collated data, as major advertising companies rely on collated data to ascertain target prospects. Data helps predict customer behavior. It also helps to target people who may have an interest in a product. This is vital information for companies that want to find individual customers based on their needs, rather than trying to guess.

Oftentimes, the use of personal data may be incompatible with the purpose for which it was collected; individuals have no rights in relation to the collection, use, and storage of their personal information; individuals are not offered adequate opportunities to consent to or opt out of data collection; and there is limited to no transparency around the processing of personal data.1

To curb data exploitation and the misuse and/or unauthorized access to personal data, the UN Human Rights Committee, the treaty body charged with monitoring implementation of the ICCPR, recognised the need for data protection laws to safeguard the fundamental right to privacy recognised by Article 17 of the ICCPR which provides thus:

"The gathering and holding of personal information on computers, data banks, and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. ... Every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files ... have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination"

In Nigeria, the Nigeria Information Technology Development Agency (the "NITDA") on the 25th of January 2019, issued the Nigeria Data Protection Regulation 2019 with the following objectives:

  1. To safeguard the rights of natural persons to data privacy;
  2. To foster safe conduct for transactions involving the exchange of Personal Data;
  3. To prevent manipulation of Personal Data; and
  4. To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection which is in tune with best practice.

Also, Section 37 of the Constitution provides that:

"The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected".

The Consumer Code of Practice Regulations 2007 (the NCC Regulations) also provides that all licensees must take reasonable steps to protect customer information against "improper or accidental disclosure" and must ensure that such information is securely stored. It also provides that customer information must "not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations". In the case of Habib Nigeria Bank Limited v. Fathudeen Syed M. Koya2 which involved an alleged disclosure by a bank of a customer's transactional information, the Court of Appeal held that it is elementary knowledge that the bank owed its customer a duty of care and secrecy.

DATA PROTECTION PRINCIPLES

  • Fair, lawful Processing: The processing of personal data should be adequate, relevant and limited to what is necessary for the purpose for which it is being processed, and where appropriate, with the knowledge or consent of the data subject. This principle is key to addressing practices such as the selling and/or transfer of personal data that is fraudulently obtained.3
  • Data Minimisation: The processing of personal data should be adequate, relevant and limited to what is necessary for the purpose for which it is being processed. The data controller should limit the processing and/or collection of personal information to directly achieving the specific purpose for which the information is collected or processed. This principle requires those processing data to consider what the minimum amount of data necessary to achieve the purpose would be. Processors should hold that and no more – it is not acceptable to collect extra data because it might be useful later on, or simply because no thought has been given to whether it is necessary in a specific scenario.4
  • Accuracy: Personal data that is processed should be accurate and complete, and measures should be taken to ensure it is up to date.5
  • Storage Limitation: Personal data should only be retained for the period of time that is necessary for the purposes for which it was processed. Even if data has been processed fairly, lawfully, in a transparent manner, and with respect to the principles of purpose limitation, minimisation and accuracy, it is essential to ensure that the data is not stored for longer than required and necessary for the purpose for which it was collected.6
  • Purpose Specification: Personal data should be processed for a specified, explicit and legitimate purpose, stated at the point of collection, and any further processing should also be compatible with this purpose. Where information is processed for an alternative purpose, there must be a corresponding legal basis since the data controller cannot rely on the initial legal basis. If the data is to be used for a purpose other than the original purpose, then the data subject should be adequately informed of this and a legal condition for this processing identified; this may necessitate obtaining further consent. It is particularly important that sensitive personal data is not processed for purposes other than those originally specified.
  • Accountability: The processing of personal data should be lawful and fair and done in a transparent manner. The accountability principle is key to an effective data protection framework. It brings together all the other principles and puts the onus on those processing people's data (whether a company or a public authority) to be responsible for and to demonstrate compliance with their obligations.7
  • Security: Appropriate measures must be taken to ensure security of data and systems and to protect personal data from loss, unauthorized access, destruction, use, modification or disclosure. Data processing operations should adopt security measures that safeguard the confidentiality, integrity and availability of the personal data processed, and the systems used for processing them. If security measures are not taken to protect data, and ensure the security and safety of the infrastructure, data is left vulnerable to threats and is at risk of breach and unlawful access.8
  • Consent: Consent is a core principle of data protection which allows the data subject to be in control of when their personal data is processed: it relates to the exercise of fundamental rights of autonomy and self-determination. Consent must be freely given, specific, informed, and unambiguous, and can be a written statement, including by electronic means. It should be explicit and require an active process for the individual, rather than a passive opt-out process: as such, it requires positive affirmative action. The entity processing the data must be able to demonstrate they sought and received consent.9

RIGHTS OF DATA SUBJECTS

Right to Information: Individuals must be informed about how their personal data is being processed both where they have provided this directly to a data controller and where the controller has obtained it from another source, i.e. a third party.

Right to Access: Individuals must be informed when their personal data is being collected and they must be able to obtain (request and be given) information about the processing of their personal data.

Right to Object: Individuals have the right to object to processing of their personal data.

Right to Data Portability: Data subjects have the right to obtain all of their personal data from a data controller in a universally machine-readable format or for that data to be ported to another service should they request it.

Right to an Effective Remedy: Data subjects have the right to an effective judicial remedy where they consider that their personal data was not processed in compliance with the law.

Right to Compensation: A person whose rights have been found to be violated has a right to compensation for the damage – material or non-material – suffered.

Rights Related to Profiling and Automated Decision Making: All rights contained in the law should apply to profiling and automated decision making and include the right to request human intervention or to challenge a decision.

Rights to Rectify, Block and Erasure: Individuals should have the right to rectify, block, and to request the erasure of data processed about them to ensure that such data is accurate, complete, and kept up-to-date.

Footnotes

1. World Wide Web Foundation: Personal Data Protection in Nigeria (March 2018)

2. [1990 – 1993] 5 NBLR p. 368 at 387

3. 2.2 of Nigeria Data Protection Regulations 2019

4. 2.1.1 (a) of Nigeria Data Protection Regulations 2019

5. 2.1.1 (b) of Nigeria Data Protection Regulations 2019

6. 2.1.1 (c) of Nigeria Data Protection Regulations 2019

7. 2.1.3 of Nigeria Data Protection Regulations 2019

8. 2.8 of Nigeria Data Protection Regulations 2019

9. 2.3 of Nigeria Data Protection Regulations 2019

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
