Assessing The Compliance Of Relevant Organisations With The NDPR
Introduction
The National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation (“NDPR”) in January 2019, with the overriding objective of safeguarding the rights of natural persons to data privacy. Although this move by NITDA is in line with the world’s best practices, it has stirred a lot of conversation. What seems most important at this point, however, is that the NDPR has come to stay, as the Federal High Court has, in the recent case of Paradigm Initiative for Information Technology v. NIMC, Suit No: FHC/ABJ/CS/58/2019, affirmed the Regulation’s legal regime over data privacy concerns. With this in mind, this paper seeks only to assess the level of compliance of authorized data handlers.
Rationale for legal obligations on data handlers:
The gathering and use of personal data has been a topical issue from time immemorial. However, it has become imperative in recent times to place more regulatory focus on the handling process, given how porous the use of digital technologies has made it. Again, data is fundamental in virtually every decision-making process, hence the need to regulate the process of obtaining it in order to avoid violations, considering that data obtained for one purpose may end up being used for other purposes that were neither contemplated nor consented to. In this regard, the NDPR is set to achieve a regime of accountability in the handling of data, to ensure that the data of individuals is deployed only for the purposes the owners have consented to and nothing more. As a result, an obligation of care and accountability is placed on the handlers of data towards the owners of the data. This is summarized in the provisions of Article 2.1 (2) & (3) as follows:
“(2) Anyone who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject owes a duty of care to the said Data Subject.
(3) Anyone who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject shall be accountable for his acts and omissions in respect of data processing and in accordance with the principles contained in this Regulation.”
Obligations of Data Handlers:
Under the NDPR, there are two categories of data handlers who are saddled with responsibilities: Data Controllers and Data Administrator/Processors. While the former determines the manner in which personal data is to be processed and for what use, the latter processes data. Before assessing the level of compliance of these data handlers, it is important to briefly outline their obligations.
Duties of a Data Controller
The following are the duties of a Data Controller:
- To be responsible for the safety of the personal data of the data subject;
- To be accountable for the use of the personal data of the data subject;
- To inform the data subject prior to giving consent, of his rights and how his consent can be withdrawn at any time;
- To obtain the freewill consent of the data subject for use for a particular purpose, including when the data is to be transferred to a third party;
- To show proof of obtention of consent;
- To ensure that any third party to be involved in the processing of the data is not in violation of the regulations and is accountable to NITDA or an equivalent agency within or without Nigeria;
- Be liable for the actions or inactions of third parties who handle the data that is in their possession;
- To provide a simple and conspicuous privacy policy that the class of targeted data subjects will be able to understand. The Regulation requires that the policy must state what constitutes the Data Subject’s consent, give a description of the collectable personal information, state the purpose of collection of Personal Data and the technical methods used to collect and store personal information (cookies, JWT, web tokens, amongst other methods). It should also state whether third parties would have access to Personal Data and the purpose of such access, and give a highlight of the principles stated in Part 2 (specifically the governing principles in Article 2.1). The policy should further state the available remedies in the event of violation of the privacy policy and the time frame for remedy; provided that no limitation clause shall avail any Data Controller who acts in breach of the principles set out in the Regulation. See Article 2.5;
- To develop security measures to protect the data from any breaches;
- To ensure the third-party processor engaged by him is in compliance with the regulations;
- To provide the data subject free-of-charge, with the appropriate mechanism for objection to any form of data processing;
- To provide upon request in a comprehensive but concise manner any information relating to the processing, to the Data Subject, within a period of one month without cost;
- To inform the data subject of his right to lodge a complaint with a supervisory authority;
- Ensure continuous capacity building for all personnel involved in processing;
- To carry out data audits.
Aside from the duties stated above, a Data Controller has an obligation to employ a Data Protection Officer (DPO) whose responsibility shall be to ensure the Data Controller’s compliance with the Regulation.
Duties of a Data Processor
The following are the duties of a Data Processor:
- To ensure that the Data Subject is aware of the purpose of processing;
- To ensure that the Data Subject has given consent for the specific purpose of processing;
- To ensure that the Data Controller is not in violation of the Regulations and is accountable to NITDA or an equivalent agency within or outside Nigeria;
- To be liable for the actions or inactions of third parties who handle the data that is in their possession;
- To develop security measures to protect the data from any breaches;
- To ensure continuous capacity building for all personnel involved in processing.
From the above, the Data Controller appears to be the primary contact with personal data, hence the strict responsibilities imposed on it by the NDPR and the express stipulation of punishment for non-compliance, unlike the Data Administrator. This does not mean that breaches occasioned by Data Administrators will not be subject to adequate sanctions, even though this is not expressly stated in the Regulation. It is instructive to add that an organization can, however, be both a Data Controller and a Data Administrator.
In addition to the above, where a data controller or administrator is a government institution, there appear to be additional obligations as further provided in the Guideline for the Management of Personal Data by Public Institutions in Nigeria, 2020, although the said guideline expands their lawful basis for processing. It is important to note that the guideline equally applies to controllers who deal with public institutions on data processing. Some of the additional obligations are:
- When seeking to process on the basis of public, legal or vital interest, the request to do so must be endorsed by a Governor, Minister or Chief Executive Officer of the public institution, stating in clear terms the precise interest to be served, the output sought, proof of compliance with the guideline, and an undertaking to protect the information shared so as to avoid identification of the data subjects.
- To mandatorily obtain consent when processing personal data for marketing, for an alternate purpose different from that initially consented to, of a child, for extra-territorial processing, for sensitive personal data (which requires a higher standard of direct consent), and in automated processing which has legal effect on the data subject.
- Provide measures to continuously ensure confidentiality, integrity, and resilience regarding these data.
- When sourcing personal data from other sources (not directly from the data subject), to demonstrate compliance with international information security standards such as ISO 27001:2013 or similar standards. It shall also ensure the conduct of a Data Protection Impact Assessment (DPIA) and submit it to NITDA for approval.
- Retention of a Data Protection Compliance Organization (DPCO) for advice on use and compliance purposes.
- Appoint a senior level officer as DPO within 90 days (3 months) from 18 May 2020.
- Have a well-detailed and widely publicized privacy policy.
- Not deny any individual any right due him or her for failure or refusal to provide personal data.
- When seeking to access personal data stored by another public institution, in addition to obtaining a DPIA, publish a statement of intent in that regard stating the basis for such use, the affected category of data subjects, its commitment to data privacy protection, the means of being communicated with, and other relevant information as NITDA may direct upon the submission of the DPIA. This statement will then be published in 4 national daily newspapers, on the institution’s website and on its social media handles for a period of at least 30 days before the data is used.
- Certain mandatory compliance measures regarding the use of technology for processing, including pseudonymization, encryption, switching to a digital database, etc.
- Controllers other than public institutions who process data on behalf of public institutions for any reason shall evaluate the request to ensure its compliance with the guideline or seek clarification from NITDA within 7 days of receiving the request.
Assessing compliance
There is hardly any transaction that one would conclude nowadays without having to provide information online that can be readily traced to identify a Data Subject. In this regard, any local or international organization which obtains data that can specifically identify the physical, physiological, mental, economic, cultural or social identity of a Nigerian citizen, whether at home or abroad, would necessarily be regarded as a Data Controller in view of the provisions of the NDPR. In other words, information such as name, address, a photograph, an email address, bank details, ATM card details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM, Personally Identifiable Information (PII) and others, is protected by the NDPR as personal data of a Data Subject. See Article 1.3. Examples of such organizations are banks and other financial service providers including insurance companies and PFAs, telecommunication service providers, social media platforms, health care service providers, providers of professional services, IT solution providers, religious organizations, online trading platforms, educational institutions, etc. Aside from private organizations, it is important to state that Government agencies such as the National Identity Management Commission (NIMC) have a bounden duty to also comply with the provisions of the Regulation.
From our careful observation, a significant number of Data Handlers are yet to comply with the provisions of the NDPR, and the easiest way to investigate this is by examining the privacy policies of these organizations. Recently, an NGO commenced a civil lawsuit against the Chinese tech giant Bytedance, owners of the TikTok video-sharing mobile application, at the High Court of Ogun State (Suit No: HCT/261/2020), for not having a valid privacy policy as prescribed by the Regulation. It is important to state that the owners of the mobile application are facing multiple lawsuits globally over the related subject of data usage and breaches.
So far, it appears that only very few qualifying organizations have complied with issuing the required privacy policy, and with the test Nigerian case against TikTok, it is expected that many individuals would take steps to seek redress. It is also not unlikely that NITDA would move to punish erring Data Controllers and Data Administrators alike, as supervisory authorities in other jurisdictions are already doing.
Qualifying organizations are therefore admonished to seek necessary professional advice from relevant data protection experts and ensure swift compliance with the Regulation in order to avoid sanctions from NITDA and needless lawsuits from third parties.