In 2019, the National Information Technology Development Agency (NITDA) published the Nigeria Data Protection Regulation (NDPR). It serves as Nigeria’s primary data protection regulation and framework. To control how public institutions in Nigeria process personal data, the NITDA also released an Implementation Framework in 2020 for the NDPR and Guidelines for the Management of Personal Data by Public Institutions in Nigeria.
Nigeria Data Protection Regulation
The NDPR is the first regulation governing the use of personal data in Nigeria. The personal and territorial scope of the NDPR is defined by citizenship and physical presence. It applies to residents of Nigeria, as well as Nigerian citizens abroad. The NDPR provides legal safeguards for the processing of personal data. Under the NDPR, personal data must be processed according to the Data Subject’s specific, legitimate and lawful purpose.
Implementation Framework for the Nigeria Data Protection Regulation
The NDPR is Nigeria’s first law of its kind that governs the use of personal data. Citizenship and physical presence determine the NDPR’s territorial and personal reach. Both Nigerian citizens overseas and Nigerian residents are covered. The NDPR provides legal protections for the handling of personal data. According to the NDPR, the processing of personal data must be done for a defined, legal, and authorised purpose with the data subject’s consent.
Guidelines for the Management of Personal Data by Public Institutions in Nigeria
To regulate the handling of personal data by public institutions in Nigeria, NITDA published the Guidelines for the Management of Personal Data by Public Institutions in Nigeria (the Guidelines) in 2020. The Guidelines apply to all public institutions (PIs) in Nigeria, including federal, state, and local governments, as well as Ministries, Departments, Agencies, Institutions, Public Corporations, publicly sponsored initiatives, and corporations with government ownership. The Guidelines require all PIs to safeguard personal information whenever it is processed. Processing in this context retains the same meaning it has under the NDPR. All forms of personal data of a Nigerian citizen, resident or non-Nigerian individual who has interactions with PIs, or personal data that PIs have access to in furtherance of a statutory or administrative purpose, are to be protected in accordance with the NDPR or any other law or regulation in force in Nigeria.
In addition to the principal legislation mentioned, the Constitution of the Federal Republic of Nigeria and various sector-specific laws make different provisions for privacy and data protection matters. These laws are examined below.
Constitution of the Federal Republic of Nigeria 1999 (As Amended)
The fundamental right to privacy is guaranteed under the Nigerian Constitution. Citizens are entitled to privacy safeguards in their homes, mail, phone calls, and telegraphic communications under Section 37 of the Constitution. The Constitution does not clearly define “privacy” or specific privacy protections.
Child Rights Act 2003
The Child Rights Act 2003 reiterates the constitutional right to privacy regarding children. Section 8 of the Act guarantees a child’s right to privacy subject to parent or guardian rights to exercise supervision and control of their child’s conduct. Some Nigerian states have also enacted Child Rights Laws.
Consumer Code of Practice Regulations 2007 (NCC Regulations)
The Nigerian Communications Commission (NCC) issued the NCC Regulations, which require all licensees to take reasonable steps to protect customer information against improper or accidental disclosure and ensure that such information is securely stored and not kept longer than necessary. The NCC Regulations further prohibit transferring customer information to any party except to the extent agreed with the customer, as permitted or required by the NCC or other applicable laws or regulations.
Consumer Protection Framework 2016 (Framework)
The Consumer Protection Framework 2016 was enacted according to the Central Bank of Nigeria Act 2007. The Framework includes provisions prohibiting financial institutions from disclosing customers’ personal information. The Framework further requires that financial institutions have appropriate data protection measures and staff training programs to prevent unauthorised access, alteration, disclosure, accidental loss or destruction of customer data. Financial services providers must obtain consumer consent before personal data is shared with a third party or used for promotional offers.
Credit Reporting Act 2017
The Credit Reporting Act establishes a legal and regulatory framework for credit reporting by Credit Bureaus. Section 5 of the Credit Reporting Act requires Credit Bureaus to maintain credit information for at least six years from the date that such information is obtained, after which the information must be archived for ten years before its destruction. Section 9 of the Credit Reporting Act provides the rights of data subjects (i.e. persons whose credit data are held by a Credit Bureau) to privacy, confidentiality and protection of their credit information. Section 9 further prescribes conditions under which the credit information of the data subject may be disclosed.
Cybercrimes (Prohibition, Prevention etc.) Act 2015
The Cybercrimes (Prohibition, Prevention etc.) Act provides a legal and regulatory framework that prohibits, prevents, detects, prosecutes and punishes cybercrimes in Nigeria. The Act requires financial institutions to retain and protect data and criminalises the interception of electronic communications.
Freedom of Information Act, 2011 (FOI Act)
The FOI Act seeks to protect personal privacy. Section 14 of the FOI Act provides that a public institution is obliged to deny an application for information that contains personal data unless the individual involved consents to the disclosure or where such information is publicly available. Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc.).
National Identity Management Commission (NIMC) Act 2007
The National Identity Management Commission (NIMC) is established by the NIMC Act to build and oversee a National Identity Management System (NIMS). The NIMC is responsible for registering citizens and legal residents, setting up and running a national identity database, and issuing U.N.I.D.s to eligible citizens and residents. No person or corporate entity may access data or information in the Database about a registered individual without the NIMC’s consent, according to Section 26 of the NIMC Act. Where it is in the interest of national security, the NIMC is authorised to disclose the information in a database entry on an individual to a third party without the subject’s agreement.
National Health Act 2014 (NHA)
Healthcare professionals and patients have rights and responsibilities under the NH Act. Every person who uses health services has a record of their health that must be kept secret by health facilities under the NH Act. The NH Act imposes further limitations on the disclosure of user information. Those in charge of healthcare facilities must implement control mechanisms to prevent unauthorised access to information. The NH Act covers all data about a patient’s health state, care, and admission to a medical facility. It also covers DNA samples taken by a medical facility.
Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011
Sections 9 and 10 of the Nigerian Communications Commission Regulation provide confidentiality for telephone subscriber records maintained in the NCC’s central database. The Regulation further provides telephone subscribers with a right to view and update personal information held in the NCC’s central database of a telecommunication company in camera.
The Data Protection Bills
The Nigerian Constitution (as amended) does not include data protection or privacy in any of the exclusive, concurrent, or residual legislative lists. This implies that the Federal and State legislatures have the authority to enact laws governing data protection in the nation. A Federal Data Protection Bill was published in 2019 as a result of this. The Bill’s principal goal is to provide a framework for protecting personal data and to control how information about all people, regardless of nationality, is processed. Additionally, it aims to uphold the constitutionally guaranteed freedoms and rights to privacy.
The Federal Ministry of Communications and Digital Economy recently published a request for expressions of interest, inviting interested law firms and data protection practitioners to submit proposals regarding drafting a comprehensive data protection law for the country. As a result, it is currently unknown where this Bill stands.
Lagos State has also considered passing its own data protection law, in addition to the laws mentioned above. The Lagos State House of Assembly has released a data protection bill with the primary goal of promoting the protection of personal information processed by both public and private organisations in Lagos State and establishing minimum standards for the processing and safety of personal data within the state. The Lagos State Bill has moved on to the House Committee stage after passing the second reading. After discussions about its aspects, stakeholders have recommended amendments to the bill’s contents. The ultimate form, shape, and condition of the various.