Right to Privacy and Data Protection in Nigeria: What Companies Should Know

Explore this article to uncover vital insights into data protection and privacy rights in Nigeria. Gain valuable knowledge on securing data and ensuring compliance with regulations for a more secure business landscape.

The right to privacy and data protection has become one of the most critical topics of global discussion. The concept of "Privacy" is recognised globally as a fundamental human right, enshrined in international conventions and national laws. In Nigeria, for example, Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) guarantees an individual's right to the privacy of his home and communication. This means that everyone has a right to be left alone, that is, the right to be free from any unwarranted interference. Data protection is an attribute of privacy that the Constitution seeks to protect. Protecting personal data goes beyond respecting people's right to be left alone; it extends to protecting their private information both at home and in the work environment.

In a work environment, the law places certain obligations on employers to protect the personal data of their employees and of the third parties with whom they share such information. On the one hand, employers must respect the privacy of their employees' data and, on the other hand, comply with the minimum standard of protection prescribed by law when processing data. The principal legislation is the Nigeria Data Protection Act, 2023, and the regulator that oversees compliance with it is the Nigeria Data Protection Commission.

In 2023, the President of the Federal Republic of Nigeria, President Bola Ahmed Tinubu, signed into law the Nigeria Data Protection Act, 2023, among other things, to safeguard the rights of natural persons to the privacy of their data. The importance of protecting the privacy of individual data cannot be over-emphasised, especially for companies. Every organisation whose activities involve collecting and processing personal data of natural persons must comply with the minimum standards placed by law for data protection. Such organisations are recognised by law as "Data Controllers" or "Data Processors" and, thus, must comply with the following obligations:

Obligations of Data Controllers/Processors

Under extant Nigerian privacy laws, Data Controllers determine the purposes of processing and how personal data is processed. They have responsibility for control over personal data and, in effect, ultimate accountability for its safety. By contrast, Data Processors are engaged by Data Controllers to process, analyse and store data on the Controllers' behalf. Processors must keep records of the personal data in their custody and of their processing activities. Section 65 of the NDPA describes a "Data Controller" as an individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing personal data, while a "Data Processor" is described as an individual, private entity, public authority, or any other body who processes personal data on behalf of or at the direction of a data controller or another data processor.

To remain compliant with the provisions of the NDPA, Data Controllers, in addition to their obligations under the law, must first observe seven fundamental principles when processing personal data. These principles embody the spirit of the privacy regime, and all Data Controllers are mandated to observe them. They are:

  • Lawfulness, Fairness and Transparency: This principle requires Data Processors to inform the data subject of the type of personal information obtained and the manner in which the data will be processed. The data collected should be processed for a lawful purpose and in a manner that is transparent to the data subject.
  • Purpose Limitation: This principle requires that personal data be collected only for specified, explicit and legitimate purposes and be processed only for the purpose for which it was collected. The data should not be further processed in any manner incompatible with that purpose.
  • Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary for the purpose for which it is processed. Data Controllers/Processors should collect only the information needed for the processing and nothing more.
  • Accuracy: Data Controllers must ensure that all data in their care is accurate and kept up to date. Data Controllers must take reasonable steps to ensure that inaccurate data are rectified without delay.
  • Storage Limitation: This principle states that Data Controllers must ensure that personal data is not stored longer than necessary. From employee records to financial statements, most businesses are responsible for storing confidential information, and as such, a comprehensive retention policy must be prepared to ensure proper management and timely disposal of sensitive records.
  • Integrity and Confidentiality: By this principle, Data Controllers are obliged to adopt technical and organisational measures that protect the personal data in their care. Such measures include setting up firewalls, employing data encryption technologies, keeping their systems updated, storing sensitive files in secured cloud services, limiting access to sensitive or classified data to authorised individuals, properly labelling files according to their sensitivity (sensitive files should be marked "Red" or "Classified"), developing policies on the use and management of data, and ensuring capacity building for both staff and top management.
  • Accountability: Data Controllers owe a duty of care to protect the personal information of data subjects against misuse, loss, or unauthorised access by third parties. Accountability requires the Data Controller to take responsibility for what it does with personal data and for how it complies with the other principles.

Other obligations of Data Controllers include:

  • Data Controllers and Processors must have a privacy policy describing how they collect and handle personal data. Such a privacy policy must be published in a conspicuous part of the company's website.
  • Where a Data Controller engages the services of a third party to process personal data, the arrangement must be governed by a written contract between the Data Controller and the Data Processor.
  • Where Data Controllers outsource processing to a third party, otherwise known as the "Data Processor", such Controllers must take reasonable measures to ensure that the third party complies with the principles and obligations applicable to it, assist it in fulfilling its obligations to honour the rights of data subjects, and, where applicable, provide it with the information reasonably required to comply with the NDPA.
  • Data Controllers are required to show proper governance by appointing a Data Protection Officer(s) to ensure adherence to the laws on data protection. The Data Protection Officer(s) should be trained to monitor compliance, manage internal privacy activities, and advise on privacy obligations.
  • Data Controllers must implement suitable measures to safeguard the fundamental rights, freedoms, and interests of data subjects, and must ensure that a detailed audit of their privacy and data protection practices is conducted and filed with the Nigeria Data Protection Commission on an annual basis.
  • Data Controllers should implement security measures within their organisations to protect the personal information of their staff, customers, and vendors.
  • Where a Data Controller transfers data to a third-party Data Processor outside the territory of Nigeria, it must ensure that the destination country has enacted an adequate data protection framework for the processing of personal data. Where a country does not have an adequate framework for data protection, or has yet to pass a law on data protection, the Data Controller should ensure that it executes standard contracts that will regulate such processing by the Data Processor or third party.

Data Subject Rights

In law, an obligation denotes not only a duty but also a correlative right: where one party has an obligation, another party has a corresponding right. Having highlighted the obligations of Data Controllers and Processors under our privacy laws, it becomes pertinent to highlight the statutory rights of data subjects under the Nigeria Data Protection Act. Such rights include:

  • The right to be informed about the collection and the use of their personal data.
  • The right to access personal data.
  • The right to opt in to and opt out of processing at any time.
  • The right to have inaccurate personal data rectified or completed if it is incomplete.
  • The right to request the erasure of data.
  • The right to be informed of the period for which the Controller will retain their personal data.
  • The right to restrict processing in certain circumstances.
  • The right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services.
  • The right to object to processing in certain circumstances.
  • The right to withdraw consent at any time (where relevant).
  • The right to lodge a complaint with the Commission.

Benefits of Compliance

There are many benefits attached to compliance with the principles of data protection in Nigeria. They are:

  • Increased Visibility: Data Controllers are more likely to enjoy greater visibility when they comply with their privacy obligations. Moreover, highly talented professionals are more likely to take up employment in companies with an excellent privacy culture.
  • Customer Trust: Every business aims to retain old customers while attracting new ones. Customers are more likely to outsource services to organisations they can trust to protect their privacy and that of their employees. Trust is an essential attribute of any business, and companies must do their best to uphold the trust of their customers.
  • Reputation: A good reputation is important for every business in today's digitalised economy. Now more than ever, companies must strive to maintain a good reputation to attract more customers and capable staff. A company with a bad reputation is unlikely to attract the best staff or international clients in today's highly competitive business environment.
  • Avoidance of Sanctions: A compliant Data Controller is more likely to be in the good books of regulators. Avoidance of sanctions remains one of the most important benefits for compliant organisations.
  • Avoidance of Litigation: Companies with good corporate privacy frameworks are less likely to face litigation arising from data breaches. This is why Data Controllers need to develop security measures that protect their customers' personal data from loss, theft, misuse, or unauthorised access by a third party.
  • Avoidance of Financial Loss: Regulatory sanctions and the cost of litigation can affect a company's books, resulting in red flags in its accounts. Companies must ensure they do not attract penalties or sanctions that would erode their working capital. Excessive penalties are capable of sinking a company altogether.

Conclusion

It has become increasingly important for Data Controllers/Processors to adopt transparent policies and privacy practices that protect the personal data of their employees, partners, and clients, on the understanding that trust and accountability are essential for business growth. To this end, every organisation should incorporate a data protection framework into its business activities to avoid breaking the law. Data Controllers should appoint a Data Protection Officer(s) to oversee compliance with data protection principles. They should educate their staff on best privacy practices and, to do this, should seek the services of Data Protection Compliance Organisations (DPCOs) to guide them through the process of staying compliant with their obligations under the Nigeria Data Protection Act 2023.
