The National Information Technology Development Agency (NITDA) is statutorily mandated by the NITDA Act of 2007 to develop regulations for electronic governance and monitoring of the use of information technology and electronic data. Conscious of the concerns around privacy and protection of Personal Data and the grave consequences of leaving Personal Data processing unregulated, NITDA has issued the Nigeria Data Protection Regulation (NDPR).
OBJECTIVES OF THE REGULATION
The objectives of the regulation are as follows:
to safeguard the rights of natural persons to data privacy;
to foster safe conduct for transactions involving the exchange of Personal Data;
to prevent manipulation of Personal Data; and
to ensure that Nigerian businesses remain competitive in international trade through the
safe-guards afforded by a sound data protection regulation.
SCOPE OF THE REGULATION
The regulation applies to all public and private sector organizations who handle storage and processing of personal data of Nigerian Citizens and Residents, for strict compliance
the Regulation applies toall transactions intended for the processing of Personal Data, to the processing of Personal Data notwithstanding the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria;
the Regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria;
the Regulation shall not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction.
The NDPR regulation requires organizations to mandatorily appoint Data Controllers and Data Processors. In addition, it requires Data Controllers and Data Processors to;
Engage a Data Protection Compliance Organization (DPCO) to perform a Data Protection Audit and file a report with NITDA within a stipulated time line
Designate a Data Protection Officer (DPO) who will be responsible for driving NDPR compliance initiatives within the organization
Document and publish a data protection policy in line with the requirements of the regulation
Ensure continuous capacity building for Data Protection Officer and other personnel involved in processing personal data
KEY FEATURES OF THE NDPR
The Nigerian Data Protection Regulation introduces new restrictions on collection and processing of personal data and requires such activities to be in accordance with a lawful purpose consented by the Data subject.
Compliance with these requirements will impact Data Protection Governance, Information Systems and Security Configurations, as well as documented policies and processes
KEY COVERAGE AREAS OF THE NDPR
Rights of Data Subject
Third Party Processing
Data Integrity and Storage Limitation
International Data Transfer
Prohibition of Improper Motives
Data Protection Governance
Rights of Data Subject The Controller shall communicate any information on processing relating to the Data Subject in a concise and accessible form.
Lawful Processing Processing of data is lawful if, at least, one of the following applies: consent has been given; processing is necessary for the performance of a contract; compliance with a legal obligation; to protect the vital interests of the Data Subject or any public interests
Data Security Data controllers and processors should implement security measures (including firewalls, data encryption technologies, etc.) to protect data from theft, cyber attack, manipulations, environmental hazards, etc.
Third Party Processing Data processing by a third party shall be governed by a written contract between the third party and the Data Controller.
Explicit Consent Consent is one of the lawful basis for obtaining and processing personal data. Consent must be informed, freely given and unambiguous.
Data Integrity and Storage Limitation Personal data should be: adequate, accurate and without prejudice to the dignity of the human person; stored only for the period within which it is reasonably needed
International Data Transfer Transfer of Personal Data to a foreign country may be allowed where NITDA has decided that the affected country ensures adequate data protection. Transfer activities are subject to the supervision of the Honorable Attorney General of the Federation.
Prohibition of Improper Motives No consent shall be sought, given or accepted in any circumstance that may engender propagation of atrocities, hate, child rights violation, criminal and anti-social acts.
POTENTIAL CONSEQUENCES OF NON COMPLIANCE
1. A penalty of 1% of an organization’s gross turnover in the previous year, if the company maintains personal data of 10,000 subjects or less 2. A penalty of 2% of an organization’s gross turnover in the previous year, if the company maintains personal data of 10,000 subjects or less 3. Reputational damage 4. Prosecution of Principal Officers of the organization
In relation to the meaning and context of the Nigerian Data Protection Regulation, unless the context otherwise requires, these terms and meanings apply:
“Computer” means Information Technology systems and devices, whether networked or not;
‘Consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
“Data” means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device;
“Database” means a collection of data organized in a manner that allows access, retrieval, deletion and processing of that data; it includes but not limited to structured, unstructured, cached and file system type databases;
“Data Administrator” means a person or an organization that processes data
“Data Controller” means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed;
“Database Management System” means a software that allows a computer to create a database; add, change or delete data in the database; allows data in the database to be processed, sorted or retrieved;
“Data Portability” means the ability for data to be transferred easily from one IT system or computer to another through a safe and secured means in a standard format;
“Data Protection Compliance Organization (DPCO)” means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection Law or Regulation having effect in Nigeria;
“Data Subject” means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“Data Subject Access Request” means the mechanism for an individual to request a copy of their data under a formal process which may include payment of a fee;
“Filing system” means any structured set of Personal Data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
“Foreign Country” means other sovereign states, autonomous or semiautonomous territories within the international community;
“Regulation” means the Nigeria Data Protection Regulation (NDPR) and its subsequent amendments, and where circumstance requires it shall also mean any other Regulations on the processing of information relating to identifiable individual’s, including the obtaining, holding, use or disclosure of such information to protect such information from inappropriate access, use, or disclosure;
“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others;
“Personal Identifiable Information (PII)” means information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a context
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
“Recipient” means a natural or legal person, public authority who accepts data;
“Relevant Authorities” means The National Information Technology Development Agency (NITDA) or any other statutory body or establishment having government’s mandate to deal solely or partly with matters relating to Personal Data;
“Sensitive Personal Data” means data relating to religion or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information;
“The Agency” means the National Information Technology Development Agency;
“Third Party” means any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process Personal Data.