Tochukwu Onyiuke
Data privacy is a vital term as the world revolves around data and information. It is also connected to fundamental rights of citizens as the law protects the right to privacy. In Nigeria, Section 37 of the 1999 Constitution guarantees the privacy of citizens, their homes, correspondences, telephone conversations and telegraphing communications.
Data is a highly sought-after commodity as people are more concerned than ever before about how their data is being transferred and processed in this era of business information technology.
Despite the concerns around privacy and protection of personal data globally and the grave consequences of leaving personal data processing unregulated, Nigeria still has a long way to go in adequately addressing these concerns, as there is currently no dedicated principal legislation on data protection. Although in January 2019, the National Information Technology Development Agency issued the Nigerian Data Protection Regulation, there is no substantial data privacy control in Nigeria.
The Nigerian Data Protection Regulation defines data as “characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals stored in any format or any device.” Upon analysis, the inadequacy of the above definition is clear for its use of the word “computer” as it implies that the NDPR does not seek to safeguard data stored in paper form.
Furthermore, the regulation expressly distinguishes between personal data and sensitive personal data in its definitions but such distinctions in its definition provide no varying prescribed standards in the treatment to be accorded to personal data and sensitive personal data. As such, the same degree of protection is to be accorded to both.
The definitions under the NDPR need to cover all grounds to ensure that they cannot be misinterpreted. The purpose of personal data protection is not to just protect a person’s data, but also to protect the fundamental rights and freedoms of persons that are related to that data. By not complying with the personal data protection regulations, individuals may stand the risk of financial fraud where certain personal information gets into the domain of fraudulent third parties. This can obviously lead to unauthorised access to accounts and subsequently grave financial loss. Also, in a health system where centralised data collection has been developed for an efficient national health insurance scheme, health information of important politicians could be manipulated to suit a political agenda. In the commercial world, data protection regulations are necessary for ensuring fair and consumer-friendly commerce and provision of services. The NDPR ought to ensure that these purposes are fulfilled. The NDPR omitted the phrase “Protect Fundamental Rights and Freedoms” from its objectives even though the same forms part of the objectives of GDPR, from which the NDPR derived inspiration.
It does appear that NDPR offers protection only to rights of natural persons under the regulation. These rights include right of access to data, rectification of errors, deletion, data portability and right to restrict processing and to withdraw consent. This is insufficient as legal entities or artificial persons can also be affected by the misuse of data and this lapse in the regulation means that legal entities or artificial persons cannot seek recourse under this regulation. It is opined that since the regulations’ main focus is to protect data, then its restriction to personal data may be counterproductive.
In addition to the above, privacy protection has not been afforded a high priority it deserves. For instance, in the health sector, the transition from paper to computer-based record keeping promises greater efficiency and cost saving but this also has caused an increase in concerns about the threat to patient’s privacy in the course of data processing. Under the regulation, it sets out the conditions under which patients’ data can be processed as processing means an operation performed on personal data and this applies also to data storage or retention. There have been cases in the health sector where patients’ data were deleted from electronic storage system, thus making it impossible for the patients to refer to old records in the event the medical history of the patient is needed for proper diagnosis or medication. The inability of the regulation to provide for this has contributed to the total decadence in the storage of patients’ health information in the country’s health system. However, despite the absence of a robust regulatory framework in this regard, Section 10 of the Freedom of Information Act makes it a criminal offence for any officer to willfully destroy any records kept in their custody.
The regulation does not address certain cogent matters such as the issue of data subjects being unable to give consent. It does not address who can give such consent on their behalf when they are incapacitated due to drunkenness, mental illness or health issues. It also does not stipulate how long data can be stored in organisations, especially in the health sector, as this can be paramount in saving the lives of patients with long-term illnesses.
It is the opinion of this writer that though NDPR has the force of law as a regulation, it is largely unknown in Nigeria. The generality of Nigerians are unaware of their rights under the data protection regulation. This might be due to the reason that it is just called a regulation and does not form part of any codified laws in the country.
It is not enough for the government to bring up regulations in data privacy; what is important is that such regulations must address specific needs. Firstly, sensitisation is needed to make people aware of their rights. The essence of a regulation is in doubt if the citizens are unaware of the said regulation.
There is a proposed Bill on Data Protection which provides for a more robust regulatory framework. The need for the bill to be passed into law cannot be overemphasised.
Onyiuke, a lawyer, wrote from Lagos