Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.
posted 5 years ago
Introduction
The Nigerian Information Technology Development Agency (NITDA) was established pursuant to Section 1 of the Nigerian Information Technology Development Agency Act and saddled with the responsibility of developing and regulating information Technology in Nigeria. Broadly speaking, NITDA’s core mandate under its enabling law is to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of information technology practices in Nigeria by developing standards, guidelines and regulations for this purpose. In pursuance of these statutory objectives, the Nigerian Data Protection Regulations (NDPR) was issued by NITDA on 25th January, 2019.
Data Protection in Nigeria
Section 6(c) of the NITDA Act confers NITDA with powers to set guidelines for electronic governance and monitoring the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour, and other fields, where the use of electronic communication may improve the exchange of data and information. These powers are elaborated in the NDPR with the primary aim of protecting and promoting the data subject’s rights to the ownership and control of his or her personal data. These rights particularly become relevant when the personal data is being processed by data controllers.
Pursuant to the NDPR, all data controllers that processed the personal data of more than 1,000 data subjects within 6 months from NDPR’s commencement are due to file Initial Data Protection Audit (DPA) Reports through a Data Protection Compliance Organization (DPCO). Accordingly, data controllers/administrators were expected to file their respective initial DPAs on or before 25 July, 2019. However, the July 25, 2019 due date was subsequently moved forward by NITDA to October 25, 2019 and currently 30th June 2020. Hence, for all intents and purposes, the deadline for filing the initial DPA Report is the 30th June, 2020.
Who are Data Subjects?
The NDPR defines a data subject as an identified or identifiable living natural person who is a Nigerian citizen, regardless of where he or she lives; or lives in Nigeria, regardless of his or her nationality. From this definition, it is clear that the provisions of the NDPR are applicable to all Nigerian Citizens wherever they are resident, as well as all residents in Nigeria. Instructively, artificial persons such as companies and non-living persons are excluded from the definition of data subjects and cannot claim the protections afforded under the NDPR; the only exception being a deceased person’s estate, where the personal data relates to a data subject such as a beneficiary of the estate.
What is Personal Data?
By virtue of the NDPR, personal data is information unique to a data subject that can be used to identify the data subject. In other words, by the nature of the personal data, the data subject must easily be identified or identifiable, whether directly or indirectly. Accordingly, personal data could include information such as: a name, address, photograph, bank details, identification number, location data, an online identifier, the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number and others.
Who is a Data Controller?
A Data Controller is an organization or individual that processes personal data usually after having received the consent of the data subject. Upon collecting personal data from the data subject, the data controller as an organization or individual determines the purposes for and the manner in which personal data is processed or is to be processed. A data controller may be a private or public institution, including individuals who collect personal data of data subjects irrespective of the location of the data controller. Hence, it is not necessary for a company to have a physical office in Nigeria before being bound by the provisions of the NDPR.
A data controller is obligated under the NDPR to uphold certain principles such as lawfulness, specificity, adequacy, accuracy, storage and security in the course of processing personal data. In addition to the initial DPA Report, Data Controllers who process the Personal Data of a minimum of 2,000 Data Subjects in the preceding year are required to file an annual DPA Report through a DPCO. The Annual DPA Report is required to be filed on or before March 15 of the following year.
The content of the DPA Report should include the nature of the Personal Data collected by the Data Controller; purpose for which Personal Data is being collected; form and details of the notices given to Data Subjects on the processing of their Personal Data; nature of the access that will be given to Data Subjects; form of consent obtained from the Data Subject; form of consent obtained from the Data Subject; policies and practices of the Data Controller or Data Administrator for the proper use (including privacy and protection), monitoring and reporting of Personal Data breaches.
Conclusion
The protection of personal data is a recondite issue in the world today and of vital importance to all in view of the far-reaching implications of any breach or misuse such may portend for the owner of such data. In Nigeria, there has been a renewed vigor by the Government in affording adequate protection to the privacy and personal data of its citizens, culminating in the issuance of the NDPR by NITDA last year. Hence, it is expected that NITDA, being the supervising agency designated to enforce the provisions of the NDPR, will be keen and resolute in ensuring full compliance by all persons including companies operating in the Internet space and whose business involves directly or indirectly collecting the personal data of Nigerian citizens.
We at Renaissance Practice are deeply versed in the nuances and practicalities of data protection regulations in Nigeria, and eager to provide reliable and sterling advisory services on compliance with statutory requirements on the subject.
Article by Olayinka Alao – Managing Partner of Renaissance Practice. Olayinka Alao can be reached via email: o.alao@renaissancepractice.com
posted 15 hours ago
posted 15 hours ago
posted 16 hours ago
posted 4 days ago
posted 4 days ago
posted 5 days ago
posted 5 days ago
posted 5 days ago
posted 5 days ago
No results available
ResetFind the right Legal Expert for your business
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.