Data protection
The need for data protection has experienced a great increase worldwide over the past few years as data has increasingly been recognized as a great resource—the most valuable resource.
All data or information that relates to an identifiable individual needs to be properly protected.
Key pieces of information, including user name, address, email address, phone numbers, bank and credit card details, health information, etc., are involved.
The world’s increasing reliance on data in our day-to-day activities, reports of data abuse by large corporations, reports of data breaches, etc. have led to the institution of data protection legislation in countries around the world.
These reasons have fueled the evolution of these laws in several economic industries as well.
Data protection is the process of safeguarding important information from corruption (errors in data that occur during creation, storage, transmission, or processing that introduce unintended changes to the original data, making it unusable, unreadable, or in some other way inaccessible to a user or application), compromise (also known as a data breach, a security violation in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so), or loss (an error in which data is intentionally or accidentally destroyed or deleted). – INPLP.
History of data protection legislation in Nigeria
In January 2019, the National Information Technology Development Agency (NITDA) introduced the Nigerian Data Protection Regulation (NDPR) to safeguard, regulate, and protect against personal data breaches. NITDA issued the NDPR in furtherance of its mandate under the NITDA Act to ‘develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions’.
The NDPR, followed by its second version, the Implementation Framework, in November 2019, is currently the most comprehensive data protection legislation in Nigeria.
Subsequently, the NDPR legislation brought significant change to the data protection landscape.
The NDPR comes with several pitfalls and shortcomings.
There is an ongoing debate as to whether the National Assembly acted beyond its powers when it enacted the NITDA Act in 2007, especially since nothing in the Nigerian Constitution empowers the National Assembly to legislate on matters of information technology, internet governance, data protection, privacy, or electronic communication.
To combat the issues with the NDPR and come up with a nationwide specific data protection regulation, the Federal Government of Nigeria recently introduced the Nigeria Data Protection Bill.
This draft bill, the Data Protection Bill (DPB), initiated in 2020, was to replace the NDPR if passed into law.
The objective was to create a Data Protection Commission charged with the responsibility for the protection of personal data, rights of data subjects, regulation of the processing of personal data, and related matters.
The DPB would revolutionize the data protection landscape in Nigeria, offer data subjects more control over their data, and put data handlers on their toes to show transparency in their data processing activities.
However, the Federal Government is reported to have abandoned the Bill (DPB) and planned to outsource the role of drafting a data protection regulation to a consultant firm.
This is worrisome as the DPB was put together by cybersecurity and data privacy stakeholders in the country in a capital-intensive adventure and is applauded for meeting global standards.
The Federal Government is seeking credit funds from the World Bank, the French Development Agency (AFD), and the European Investment Bank (EIB) to engage the said consulting firm to draft fresh data protection legislation. Cybersecurity experts have questioned the rationale behind involving such a firm in important internal affairs such as the legislation to guide the protection of data of Nigerians.
In February 2022, the Nigerian President approved the establishment of the Nigeria Data Protection Bureau (NDPB), following a proposition by the Minister of Communications and Digital Economy.
This is the latest move in Nigeria’s attempts to establish data protection legislation.
The minister emphasized that the Bureau will be responsible for consolidating the gains of the prior NDPR and supporting the development of primary legislation for data protection and privacy.
The NDPB was established in line with global best practices and to focus on data protection and privacy for the Nigerian populace.
NDPB’s vision statement is “To be a resilient world-class institution for the protection of data privacy”.
Owing to its mandate to oversee the implementation of the NDPR, the NDPB collaborates with stakeholders to achieve the objectives of the NDPR…
- Safeguard the rights of natural persons to data privacy;
- Foster safe conduct of transactions involving the exchange of Personal Data;
- Prevent manipulation of Personal Data; and
- Ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection that is in tune with best practices.
Since its approval, the NDPB has commenced work on enforcing data protection legislation in Nigeria, including its recent investigation of Wema Bank and Bet9ja for data privacy breaches.
Sector-specific regulations
Aside from the provisions for data protection in the NDPR from NITDA, some sector-specific laws as well as the Nigerian Constitution dedicate sections to instructions concerning data privacy and protection.
Some of these laws are primarily for specific industries and institutions; hence, they do not cut across all industries or institutions in their adoption.
Some are included below.
1. Constitution of the Federal Republic of Nigeria, 1999 (as amended)
This is the supreme law of the nation.
The 1999 Constitution is the latest of the five constitutions Nigeria has ever had.
The Constitution validates every institution in Nigeria and spells out the fundamental rights of every citizen.
Section 37 states as follows:
37. The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.
The scope of privacy was not defined; however, legislation concerning data privacy and protection all emanates from and gains validity from the Constitution.
Thus, data privacy and protection are extensions of Nigerian citizens’ constitutional rights.
2. Freedom of Information Act 2011 (FOIA)
The FOIA, an international law, passed by the National Assembly on 24th May 2011, is an Act that gives any person, group, association, or organization the right to request public information, whether or not contained in a written form, from Government Agencies and Parastatals, as well as Private and Public sector organizations providing public services.
The FOIA aims to make public information more accessible to the public; however, personal data are exempted from the Act.
This is to foster and protect user privacy.
As indicated under Section 14 of FOIA…
(1) Subject to subsection (2), a public institution must deny an application for information that contains personal information and information exempted under this subsection includes –
(a) files and personal information maintained with respect to clients, patients, residents, students, or other individuals receiving social, medical, educational, vocation, financial, supervisory or custodial care or services directly or indirectly from public institutions;
(b) personnel files and personal information maintained with respect to employees, appointees or elected officials of any public institution or applicants for such positions;
(c) files and personal information maintained with respect to any applicant, registrant or licensee by any government or public institution cooperating with or engaged in professional or occupational registration, licensure or discipline;
(d) information required of any tax payer in connection with the assessment or collection of any tax unless disclosure is otherwise requested by the statute; and
(e) information revealing the identity of persons who file complaints with or provide information to administrative, investigative, law enforcement or penal agencies on the commission of any crime.
(2) A public institution shall disclose any information that contains personal information if –
(a) the individual to whom it relates consents to the disclosure; or
(b) the information is publicly available
(3) Where disclosure of any information referred to in this section would be in the public interest, and if the public interest in the disclosure of such information clearly outweighs the protection of the privacy of the individual to whom such information relates, the public institution to whom request for disclosure is made shall disclose such information subject to Section 14 (2) of this Act.
Personal data is excluded from public accessibility, except under some conditions listed in the Act.
Worthy of note, the FOIA supersedes the Official Secrets Act (OSA), also an international law enacted in Nigeria in 1911, which prevents the disclosure to the public of any material that the government sees as confidential and forbids the unauthorized transmission, obtaining, reproduction, or retention of such material.
3. National Identity Management Commission (NIMC) Act 2007
The NIMC Act enacted in 2007 created the National Identity Management Commission (NIMC), an institution with the mandate to establish, own, operate, maintain, and manage the National Identity Database in Nigeria, register persons covered by the Act, assign a Unique National Identification Number (NIN) and issue General Multi-Purpose Cards (GMPC) to those who are citizens of Nigeria as well as others legally residing within the country.
Section 26 of the NIMC Act states, thus:
(1) No person or body corporate shall have access to the data or information contained in the Database with respect to a registered individual entry except with the authorisation of the Commission and only if-
(a) an application for the provision of the information to that person is made by or with the authority of that individual; or
(b) that individual otherwise consents to the provision of that information to that person.
(2) Notwithstanding any other provisions of this Act, the Commission may, without a registered individual’s consent provide another person with information recorded in the individual’s entry in the Database if the provision of the information is authorised by this section.
(3) The provision of information is authorised by this section where such disclosure is-
(a) in the interest of national security;
(b) necessary for purposes connected with the prevention or detection of crime; or
(c) for any other purpose as may be specified by the Commission in a regulation.
(4) The powers of the Commission to make regulations by virtue of this section authorising the provision of information to a person are exercisable for the purposes only of authorising the provision of information in circumstances in which its provision to the person in question is strictly necessary in the public interest
Details of an individual’s data in the NIMC database are protected by the Act; however, under some conditions, the data can be accessed by a third party with the NIMC’s permission, without the individual’s permission.
4. The Child Rights Act (CRA) 2003
The CRA is the Nigerian law that guarantees the rights of all children in Nigeria.
A child, as defined by the CRA, is any person under the age of 18.
The CRA is a local adoption of the United Nations Convention on the Rights of the Child (UNCRC), an international human rights treaty that sets out the civil, political, economic, social, health, and cultural rights of children.
The UNCRC was signed in 1989 but became effective on September 2, 1990.
Section 3 of the CRA, Application of Chapter IV of the 1999 Constitution, states thus…
(1) The provisions in Chapter IV of the Constitution of the Federal Republic of Nigeria 1999, or any successive constitutional provisions relating to Fundamental Rights, shall apply as if those provisions are expressly stated in this Act.
(2) In addition to the rights guaranteed under Chapter IV of the Constitution of the Federal Republic of Nigeria, 1999, or under any successive constitutional provisions, every child has the rights set out in this Part of the Act.
This part incorporates the provisions of the Nigerian Constitution that deal with the fundamental rights of every Nigerian citizen – adults and children alike.
Another section mentions the privacy of children’s affairs as long as it does not interfere with the supervision of their guardians.
Section 8 of the CRA – Right to private and family life, states thus…
(1) Every child is entitled to his privacy, family life, home, correspondence, telephone conversation and telegraphic communications, except as provided in subsection (3) of this section.
(2) No child shall be subjected to any interference with his right in subsection (1) of this section, except as provided in subsection (3) of this section.
(3) Nothing in the provision of subsections (1) and (2) of this section shall affect the rights of parents and, where applicable, legal guardians, to exercise reasonable supervision and control over the conduct of their children and wards.
Nigeria adopted the Child Rights Act (CRA) in 2003 on a federal level; it is not yet ratified in all states of Nigeria, as only 24 states have currently adopted it.
5. Cybercrimes (Prohibition, Prevention, Etc.) Act 2015
Enacted on May 15, 2015, the Cybercrimes Act aims to promote cybersecurity and cybercrime prevention.
The purpose of the Act is to provide a framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes in Nigeria.
It places obligations on the private sector, telecommunication operators, financial institutions, etc. to report data attacks and breaches and cooperate with law enforcement authorities in addressing the attacks.
Section 38 of the Act states, thus:
(1) A service provider shall keep all traffic data and subscriber information as may be prescribed by the relevant authority for the time being, responsible for the regulation of communication services in Nigeria, for a period of 2 years.
(2) A service provider shall, at the request of the relevant authority referred to in subsection (1) of this section or any law enforcement agency –
(a) preserve, hold or retain any traffic data, subscriber information, non-content information, and content data; or
(b) release any information required to be kept under subsection (1) of this section.
(3) A law enforcement agency may, through its authorized officer, request for the release of any information in respect of subsection (2) (b) of this section and it shall be the duty of the service provider to comply.
(4) Any data retained, processed or retrieved by the service provider at the request of any law enforcement agency under this Act shall not be utilized except for legitimate purposes as may be provided for under this Act, any other legislation, regulation or by an order of a court of competent jurisdiction.
(5) Anyone exercising any function under this section shall have due regard to the individual’s right to privacy under the Constitution of the Federal Republic of Nigeria, 1999 and shall take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement.
(6) Subject to the provisions of this Act, any person who contravenes any of the provisions of this section commits an offence and shall be liable on conviction to imprisonment for a term of not more than 3 years or a fine of not more than N7,000,000.00 or to both fine and imprisonment.
The Act requires these providers to keep subscriber information for 2 years, during which the data is to be preserved, protected, and only retrieved for access by law enforcement agencies for legitimate purposes.
It further lends credence to data privacy and protection under the Nigerian Constitution.
6. Other laws
- Consumer Protection Framework 2016 (CPF)
- Registration of Telephone Subscribers Regulations 2011
- Consumer Code of Practice Regulations 2007 (NCC Regulations)
- The Credit Reporting Act (CRPA) 2017
Obisesan Damola
Damola is a medical doctor who has worked in the Nigerian healthcare industry for a little over 3 years in a number of primary, secondary, and tertiary hospitals. He is interested in and writes about how technology is helping to shape the healthcare industry. He graduated from the College of Medicine, University of Ibadan, the foremost medical training institution in Nigeria.