Prior to this year, a handful of civil society organizations and interested individuals had made a public outcry to the Nigerian government to codify a body of laws that would put mechanisms in place to protect the data of its citizens. At the beginning of this agitation, it was perhaps difficult for the government and common citizens alike to understand what this request meant. What was data and why was everyone talking about keeping it so safe? What harm could possibly be occasioned if this data was not protected? Was it worth government resources and time to invest in data protection?
But it’s the 6th month in the year 2019 and it is looking as though Nigeria has come to terms with the need for the regulation and legislation of data protection for its citizens. In just this year, the National Information and Technology Development Agency (NITDA) has released a Data Protection Regulation and the National Assembly has concurred on and passed a Data Protection Bill which is now waiting for Presidential Assent.
But before the Regulation and Bill are discussed, it would be ignorant to assume that the questions concerning what data protection is and why it is so important have been answered.
Essentially, data protection as used in this context speaks of personal data. Personal data is simply any information about a person. It could be about a person’s family or private life, or about their career or profession; it could be about their health, such as genes, health status, sex and reproductive information; it could also be their biometric information, financial information, political affiliation or opinion, gender, or even religious beliefs.
Personal data is a big deal in this age because it’s arguably the lifeblood of the internet and digital technologies. When the information age commenced in the early ’90s and communication and commerce became more fluid by means of digital technology, data became increasingly relevant to the survival of any business or service. Businesses are beginning to profit, not just from properly analyzing data but also just from merely owning data. You probably know someone who offers to sell emails or phone numbers or other personal information. And so you have to think, ‘what is so important about my personal data that it can be sold for value?’
This is why data protection enthusiasts continue to advocate for both technical and legal frameworks to guarantee that in the midst of the data craze, the actual owners of data – you – are protected. Data protection, therefore, refers to the rules, practices, policies and safeguards put in place to ensure that personal information is collected, used, accessed, updated, and even deleted properly, lawfully, fairly and transparently.
It is almost an impossibility for this area of law or policy to be left to cooperation or self-regulation. That is, because of the commercial value of data and the sensitivity of same, it becomes irresponsible to simply demand that data custodians or controllers ‘do their best’ to keep data in their care safe, without backing it up with laws and repercussions. And perhaps this is the mindset that has informed Nigeria’s development of two data protection documents in the space of 5 months.
The Data Protection Regulation 2019 released by NITDA applies to all transactions that intend to or actually process personal information of natural persons (who are called ‘Data Subjects’) in Nigeria. The Regulation mandates that personal data shall only be collected for the lawful purpose consented to by the data subject, will be adequate and accurate information (as given) and will not be to the prejudice of any person, will be stored only for a period within which it is reasonably needed, and will be secured against all foreseeable attacks (digital and physical).
The Regulation also clearly defines what will be regarded as lawful processing of data, and from its provisions it is clear that the act of purchasing and processing data from third parties is against the law unless the data subjects are aware at the time of disclosure that their data will be used for such a purpose. That is, data cannot be collected for a particular purpose and used for another. As it says in Reg 2.3, “No data shall be obtained except the specific purpose of collection is made known to the Data Subject”.
The Bill passed by the National Assembly is not accessible on the NASS website but pending its availability, perhaps reference can be made to a Data Protection Bill on the National Identity Management Commission’s website. The Bill also aims at providing rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information. While it is my genuine hope that the president gives his assent to the Bill, I also eagerly anticipate access to studying the provisions in the Bill.
Perhaps all of the outcries of civil society organizations culminated in prophecies which are now being fulfilled in the enactment and release of Data Protection laws in Nigeria.
Perhaps the government and its agencies have been persuaded of the urgency and importance of data protection laws and regulations.
Or perhaps it is just a response to pressure.
But the year is 2019, it is the 6th month and Nigeria has two documents which hint that the country cares about her citizens’ personal information.
Welcome to our year of Data Protection!