Data protection is the process of safeguarding important information from corruption, compromise or loss. It is a way of handling information and giving legal rights to people who have information stored about them. Put simply, data protection gives you rights over your data and ensures you remain in control of it. It is the law that protects your data by giving you rights over your data, imposing rules on the way third parties (companies, governments, individuals) use data, and establishing regulators to enforce those rules. Data protection is a constitutional right which flows from the right to privacy, enshrined as a fundamental human right in the Constitution of the Federal Republic of Nigeria 1999 (as amended).
Data protection is a branch of data security concerned with the proper handling of information. It is important not just because privacy, the right of an individual to be free from uninvited surveillance, forms the basis of the freedom enjoyed in a democratic setting like Nigeria, but also because data is one of the most important assets a company has. Companies like Google, Facebook and Amazon have built their capital on the data economy, and the data they collect must therefore be protected, not only to guard against economic tyranny and blackmail but also to protect the freedom of individuals.
Data Security and Data Privacy are often used interchangeably when referring to Data Protection, but it has been argued that the two are distinct. While data security protects data from compromise by external attackers and malicious insiders, data privacy governs how data is collected, shared and used. It follows that securing data does not automatically mean that data privacy is not being violated. While it is possible to have data protection without data privacy, you cannot have data privacy without data protection, because data privacy includes the regulations required to protect data.
Nigeria does not have a principal data protection law, but there is general legislation that has a direct impact on data protection. An obvious reason for the absence of a principal legislation on data protection is that each sector of the economy seems to have its own legislation on data protection. In other words, as far as Nigeria is concerned, data protection law is determined by the sector that requires data protection. The necessary implication of this is that Nigeria has no single data protection regulatory body or authority; there are different authorities or regulatory bodies for data protection, as determined by the principal and subsidiary legislation of each sector.
There is also general legislation that affects data protection, such as the 1999 Constitution of the Federal Republic of Nigeria (as amended); the Freedom of Information Act 2011; the Nigerian Communications Act 2003; the Child Rights’ Act 2003; the Cybercrimes (Prohibition, Prevention etc.) Act 2015; and the National Identity Management Commission Act 2007. The Nigeria Data Protection Regulation (NDPR) 2019 is a subsidiary legislation on data protection issued by the National Information Technology Development Agency (NITDA). It was made by virtue of a Principal Act, the National Information Technology Development Agency Act 2007, which empowers NITDA to make such regulations as it deems necessary or expedient for giving full effect to the provisions of the NITDA Act and for the effective administration of those provisions.
It is worth noting that the NDPR is not the first subsidiary legislation on data protection. It is in fact the revised edition of the Data Protection Guidelines of 2013 (https://punchng.com/nitda-to-issue-new-guideline-on-data-protection-soon/). The 1999 CFRN (as amended), under section 37, provides for citizens’ privacy as a fundamental right and protects homes, correspondence, telephone conversations and telegraphic communications. The Freedom of Information Act, under section 14, protects personal data by restricting disclosure of personal records without obtaining consent. Section 8 of the Child Rights Act protects the child’s right to privacy, family life, home, correspondence, telephone conversations and telegraphic communications. The Cybercrimes Act makes the abuse and misuse of data for fraudulent purposes a crime.
Sector-based legislation that impacts data protection includes the Nigerian Communications Commission (NCC) (Registration of Telephone Subscribers) Regulations 2011, which protects the privacy and confidentiality of subscribers’ personal data and governs the collection, collation, management and storage of that data. The Consumer Protection Framework 2016, introduced by the Central Bank of Nigeria (CBN), protects consumers’ assets and privacy. The Credit Reporting Act protects the confidentiality rights of data subjects. The National Health Act 2014 requires health service providers to keep a record of patients’ personal information, storing every user’s health records safely and in strict confidentiality. Consequently, the authorities responsible for data protection are also sector-based; they include the National Information Technology Development Agency (NITDA), the Nigerian Communications Commission (NCC) and the Central Bank of Nigeria (CBN), among others.
Across the various laws, data protection is achieved through the key principles of transparency, restricted purpose, retention, lawful basis or intention, data minimisation, accuracy, accountability, storage limitation, integrity and confidentiality. When collecting data, the specific purpose of the collection must be made known before consent is obtained, and the personal data may be used only for the purpose for which it was collected. Data protection also means not collecting excessive data: the data collected must be proportionate to the purpose for which it was collected. Personal data is not expected to be kept longer than necessary.
There is, however, no general timeline that applies to data retention. For instance, the Credit Reporting Act requires a Credit Bureau to maintain credit information for at least six (6) years from the date the information was obtained, after which the data must be archived for a further period of 10 years before it is destroyed. The Cybercrimes Act, by contrast, requires a retention period of only two (2) years.
The rights accruing under the various data protection laws include the right of access to personal data; the right to change or delete personal data; the right to object to the use of data; the right to have personal data moved or transmitted directly from one controller to another; the right to withdraw consent already given at any time; and the right to lodge a complaint with a Data Protection Authority, among others.
The regulation provides that any medium through which personal data is collected or processed must display a conspicuous but simple privacy policy. The policy must set out the technical methods used to collect and store personal information (for example, cookies and JSON Web Tokens).