search widget

Data Privacy and Protection Laws in Nigeria

Wednesday, March 22, 2017

I was in search for Nigeria Bank Secrecy Act earlier and couldn’t find any, but all i could come up with is this article that give more insight on the available Data Privacy and Protection Act available in Nigeria at time of writing.

Aside, Section 37 of the Nigerian Constitution(1999)  which provides that; "The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected"[1] unfortunately, there is currently not one comprehensive data privacy or personal information protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals and citizens.

This calls for the passing of a law dealing specifically with issues of data privacy and the protection of the Nigerian citizen's private information and details of such required law have been made to the Nigerian legislature.

Given current technological trends the world over, and such that has been adapted within Nigeria, it is clear that Section 37 of the Nigerian Constitution as a stand alone right without strict rules of engagement on how these rights can be protected  and exercised is no longer enough protection for citizens.

Unknown to many Nigerians (both individual and a few corporate entities) industry specific regulations, rules of professional conduct and case law exists which provide privacy related protections for Nigerian citizens. These are examined below;

A. INDUSTRY SPECIFIC REGULATIONS:

1. The Consumer Code of Practice Regulations 2007: This code of practice is issued by the Nigerian Communications Commission (NCC), which is the body charged with the regulation of the communications industry in Nigeria.

The NCC code provides that all licensees (all Telecommunication service providers) must take reasonable steps to protect customer information against "improper or accidental disclosure" and must ensure that such information is securely stored.

It also provides further that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.

Note that the application of the NCC Regulations is not restricted to Nigerian citizens alone; the regulation applies to customer information relating to customers of any nationality that use a licensee’s network, drawing a certain similarity with the Section 3 of the South African POPI Act which states that the application of the POPI Act will cover not only situations where the responsible party is domiciled in South Africa but also where the responsible party is not domiciled in the Republic, but makes use of automated or non-automated means in the Republic.

Unfortunately however, this Consumer code of practice is only industry specific and does not apply outside of the Nigerian communications industry.

2. NITDA GUIDELINES: The National Information Technology Development Agency (NITDA) is the national authority that is responsible for planning, developing and promoting the use of information technology in Nigeria.

NITDA in performing this duty issue guidelines which prescribe the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information. This is currently the only set of regulations that contains specific and detailed provisions on the protection, storage, transfer or treatment of personal data in Nigeria.
The guidelines regulate all organizations or persons that control, collect, store and process personal data of Nigeria residents within and outside Nigeria for protecting of a specific category of data commonly known as Personal Data or Object Identifiable Information (OII).
 The NITDA guidelines define “personal data” as: “any information relating to an identified or identifiable natural person (data subject); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”[2].
Data controllers (defined as persons which, alone or jointly with others, determine the purposes and means of the processing of personal data[3]) are obliged to prevent any transfer of data to any country that does not ensure an adequate level of protection within the prescribed context of the NITDA Guidelines.

The NITDA Guidelines also prescribe that in determining the adequacy of the level of protection afforded by another country in relation to the transfer of data, consideration must be given to the nature of the data, the purpose and duration of the proposed processing operation(s), the rules of law, both general and sectorial, in force in the receiving country in question and the professional rules and security measures which are complied with in that country, which should not be lower than the content of the Guidelines[4].

Notably, Section 2.1(2) of the NITDA guidelines recommend that processing of all data collected shall not take place without the consent of the data subject i.e. The Nigerian Citizen so concerned.
It should be noted that while the NITDA guidelines is currently the most comprehensive body of regulations on Data privacy and processing in Nigeria, unfortunately the guideline only applies to federal, state and local government agencies and institutions as well as private sector organisations that own, use or deploy information systems of the Federal Republic of Nigeria.

It also applies to organisations based outside Nigeria if such organisations process personal data of Nigerian residents, but is not mandatory for private companies involved in data processing and can only serve as a point of reference for such private data collectors with respect to the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls of personal data.

3. The Nigerian Telecommunications Commission RTS Regulation 2011: The Nigerian Telecommunications Commission is the Nigerian telecommunications sector regulator, charged with oversight functions on the industry. In line with this duty, it issued the Registration of Telephone Subscribers Regulation (RTS Regulation) in 2011.

The regulation attempts some protection of the data collected, collated, retained and managed by telecommunication companies operating in Nigeria and independent registration agents in view of their obligations to collate and retain data of subscribers under the Regulation.

As such, Section 11 of the RTS Regulation 2011 titled “Data Protection” states as follows:
“(1) in furtherance of the rights guaranteed by virtue of section 37 of the Constitution of the Federal Republic of Nigeria 1999 and subject to any reasonable guidelines, terms and conditions that may from time to time be issued by either the Commission or License, any Subscriber whose Personal Information is stored in the Central Database , shall be entitled to view the said information and to request updates and amendments thereto[5].

(2) The Subscriber information contained in the Central Database shall be held on a strictly confidential basis and no persons or entities shall be allowed access to any Subscriber information in the Central Database, except as provided in paragraph 1 above and in paragraph 5 of section 10 of these regulations or by any Act of the National Assembly[6]. Licensees, Independent Registration Agents, and Subscriber Registration Solution Providers shall not under any circumstance, retain, deal in or make copies of any Subscriber Information or store in whatever form any copies of the Subscriber Information for any purpose other than as stipulated in these Regulations or an Act of the National Assembly.

Section 11(4) of the Regulation, states that Licensees shall utilize Personal Information pursuant to the regulations, solely for their operations and in accordance with the provisions of Part V of the General Consumer code Practice for Telecommunications Services and any other instruments of the Commission or any Act of the National Assembly issued from time to time to regulate the specific purposes for which the Personal Information may be used[7], while Section 11(7) provides a blanket rule that the subscribers’ information shall not be transferred outside the Federal Republic of Nigeria much unlike under the NITDA guidelines.

The General Consumer code Practice for Telecommunications Services referred to above in the RTS Regulation 2011 also set out certain data protection mechanism for consumers of telecommunication services in Nigeria.

Specifically, Section 35 of the General Consumer Code Practice for Telecommunications Services which provides that a Licensee may collect and maintain information on individual consumers reasonably required for its business purposes.

However, such collection and maintenance of information on individual Consumers shall be-
(a) Fairly and lawfully collected and processed;
(b) Processed for limited and identified purposes;
(c) Relevant and not excessive;
(d) Accurate;
(e) Not kept longer than necessary;
(f) Processed in accordance with the Consumer’s other rights;
(g) Protected against improper or accidental disclosure; and
(h) Not transferred to any party except as permitted by any terms and conditions agreed with the Consumer, as permitted by any permission or approval of the Commission, or as otherwise permitted or required by other applicable laws or regulations.

A Licensee is required under Section 35 (2) of the code to meet generally accepted fair information principles including;
(a) Providing notice as to that individual Consumer Information they collect and its use or disclosure;
(b) The Choices Consumers have with regard to the collection, use and, disclosure of that information;
(c) The access Consumers have to that information, including to ensure its accuracy; and
(d) The security measures taken to protect the information and the enforcement and redress mechanisms that are in place to remedy any failure to observe these measures.
Please note that these rules apply to individual Consumer information whether initially provided verbally or in written form, so long as that information is retained by the Licensee in any recorded form[1].

 It is unfortunate to note that failure of Licensees, Independent Registration Agents or any such other entities to comply with the data protection provisions of the Regulation are only treated as a breach of the regulations. The penalty for non-compliance is a fine which could range from N200, 000 – N1, 000,000 and perhaps forfeiture of the commercial benefit derived from the unauthorized use of such Subscriber Information. The Regulations do not treat such breach of the data protection measures as a violation of the individual subscriber’s right to privacy, which is actionable at the instance of the affected Subscriber. Undoubtedly, this diminishes the potency of the data protection provision of the RTS regulation 2011 and renders it nugatory.

In the same vein, the provisions of the Consumer Codes can only be enforced in accordance with the “Administrative Fines” set out in Chapter IV of the Nigerian Communications’ (Enforcement Process) Regulation 2005 . The administrative fine against such an erring Licensee is a paltry sum of N500,000 and a further sum of N500,000 per day after the expiration of the notice for as long as the contravention persist.

The above positions reflect the neglect shown towards Data Privacy and Personal Information regulation in Nigeria. An ideal data protection law should be created that guarantees the right of citizens to seek adequate redress in Court for any breach occasioned by an act or omission of operators in the sector, including the Commission itself.


B.  LEGISLATION:

 1. The Childs Right Act, No. 26 of 2003 (the Child Rights Act): This law regulates the protection of children i.e. persons under the age of 18 years. The Act limits access to information relating to children in certain circumstances.
Section 8 of the Child Right Act guarantees every child’s entitlement to privacy, family life, home, correspondence, telephone conversation and telegraphic communications, while section 205(2) prohibits the publication of any information that will lead to the identification of a child offender, and requires that the records of child offenders be kept strictly confidential and closed to third parties except in certain limited circumstances.
2. The Freedom of Information Act No. 4 of 2011 (FOI Act): The FOI Act was created to, amongst many other things, make public records and information more freely available and to provide for public access to public records and information however the FOI Act limits the access to information in certain situations. The Act defines personal information as “any official information held about an identifiable person but does not include information that bears on the public duties of public employees and officials”.
Section 14 of the FOI Act, states that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available.
Furthermore, Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege and journalism confidentiality privilege).
While these provisions of the FOI Act are a welcome development the obvious snag in the data protection provisions of the FOI Act is that it only applies to personal information in the custody of public agencies and institutions in Nigeria. It does not protect personal information in the custody of private organisations, such as telecommunication, banking and insurance companies.
This lacuna challenges the individual in search of all-inclusive data protection legislation, to look elsewhere, including the courts.

CASE LAW:
It is imperative to note that there are little or no precedents in the Nigerian legal system dealing with issues of data privacy and identity theft. While this may appear a plus for the justice system, in truth the situation should be a cause for concern.

However, going by the decision of the Nigerian Court of Appeal in the case of HABIB (NIG) BANK LIMITED v KOYA[1b], it appears that an individual citizen whose data is collected, retained and managed by any public or private institution may bring an action in tort of negligence against such public or private institution if it can be established that:

(a) Upon collation of personal data of individuals, the collating institution or its personnel owes a duty of care to such individual whose personal data is being collated, stored and managed by them;
(b) If the collating institution or its personnel fails to safeguard and protect the personal data of such individuals with the standard of care reasonably required and applied by other collating institutions and their personnel in that business, such that the personal data are compromised for any purpose, which results in calculable damage to the individual whose personal data are compromised; and
(c) The said individual can establish that the loss he/she suffered was as a result of the breach of the duty of care to protect his personal data by the collating Institution.
While this in itself is no legislation, it is important to note that it lays down a judicial precedent for the protection of individual rights to data protection, this is however not enough to ensure adequate protection and regulation of personal information and data privacy.

In the modern world, with all of the social media outlets and technological advancements available, Identity Theft and data fraud is a real threat to any growing economy and population such as Nigeria. It is has thus become imperative that Nigerian lawmakers direct energies towards creating a comprehensive Law which will ensure that citizens feel safe and protected with the access to and usage of the their private information and data.


PLEASE NOTE: This article is for general information only. It is not offered as advice, on any particular matter, whether legal, procedural or otherwise.
HAVE any comments or questions? Please drop a note in the comment section or contact the author via oolaw@outlook.com

REFERENCES
[1] Constitution of the Federal Republic of Nigeria (Promulgation) Act, Chapter C23, Laws of the Federation of Nigeria 2004 (as amended)
[1b] [1990 - 1993] 5 NBLR p. 368 at 387
[2] Section 1.6 NITDA Guideline, Version 3.1, September 2013
[3] Section 2.1 NITDA Guidelines, Version 3.1, September 2013
[4] Section 2.1(4) NITDA Guidelines, Version 3.1, September 2013
[5] Note Similarity with Sections 17 & 18 of the POPI Act
[6] Note Similarity with Sections 19(1) of the POPI Act
[7] Note Similarity with Section 13(1) of the POPI Act
[8] Section 35(3) General Consumer Code Practice for Telecommunications Services

 Curled from David Oluranti/Linkedin


No comments:

Post a Comment