An Overview of The Nigeria Data Protection Act
On June 12, 2023, the Nigerian government took a bold step towards achieving maximum data protection. The country enacted the Nigeria Data Protection Act to provide a comprehensive legal framework for data protection. While the European Union (EU) was miles ahead, this decision placed Nigeria on the same journey towards the protection of data. Prior to this, the Nigerian government made several attempts to protect personal data, one of which is the NDPR The NDPR, which stands for Nigerian Data Protection Regulation, was issued in February 2019 and established by the NITDA (Nigerian Information Technology Development Agency). But there wasn’t much regard for it. Why? A major shortcoming of the NDPR is that it’s subsidiary legislation and lacks vital provisions expected of a comprehensive law. For example, NITDA lacked the statutory authority to establish a commission with wide powers to deal with data privacy issues in Nigeria. This created a problem between foreign organisations and the Nigerian market, as the former could not trust the latter. So, the NDPA came into play as the principal data legislation in Nigeria. This article will provide an overview of the NDPA, its objectives, basic terminology, scope of application, principles, and penalties. Objectives of the Nigerian Data Protection Act (NDPA) There’s something about data that’s invaluable. A look at the estimated amount of data generated worldwide—2.5 quintillion bytes—proves how much the world uses data. While individuals can pretend to not need data, companies dare not say so. They need data to run promotions, for market expansions, product diversification and most importantly, digital marketing Now, companies are not the only users of data; cybercriminals obsess over it too. And they don’t care about who/what gets hurt. So, Organizations have to implement data protection systems against unauthorized access, loss, or compromise of data. So, how does the NDPA help out? The primary objective of the NDPA is to safeguard the fundamental rights and freedom of privacy as guaranteed under the constitution of the Federal Republic of Nigeria. The objectives of the NDPA in detail are: To protect the rights of data subjects by making sure personal data is processed in a lawful, fair, and transparent manner. This aligns with the basic principles of data protection. To provide a legal framework for the regulation and protection of personal data. Also a means of rectifying the rights of data subjects breached. To ensure data controllers and processors comply with their obligations to data subjects To promote data security and privacy in data processing activities in Nigeria. To ensure the inclusion of Nigeria in the regional and global economies through trusted use of personal data. Basic terminologies in NDPA. The Nigerian Data Protection Act has unique terminology. Here are some definitions to help you get started. Data controller Is an individual, private entity, public commission, agency, or any other body that, alone or jointly with others, determines the purpose and means of processing data. Data Processor The act describes a data processor as an individual, private entity, public authority, or any other body who processes data on behalf of a data controller or another data processor. Personal data Any information that relates directly or indirectly to an identified or identifiable individual by reference to an identifier, e.g., name, age, identity number, location ID, factors specific to the physical, psychological, cultural, social, or economic state of the individual. Sensitive personal data The act defined sensitive data as personal data relating to an individual’s Genetic and biometric data Ethnic origin Religious or similar beliefs, such as philosophy or conscience,. Sex life Health status Political opinion Trade union membership And other information deemed sensitive by the commission. Scope and Application of the Nigerian Data Protection Act The NDPA applies to the processing of personal data by data controllers and processors belonging to data subjects in Nigeria. The NDPA mandatorily applies in the following instances: Where the data processing takes place is Nigeria. The organisation processing data is not located in the country but processes data belonging to a Nigerian citizen. The data controller or processor is resident, domiciled, or operating in Nigeria. It’s important to note that the location of the controller or processor doesn’t matter as long as the data subject is in Nigeria; the NDPA applies. However, the Nigeria Data Protection Act has limitations. The Nigerian Data Protection Act does not apply to the processing of personal data carried out by one or more persons solely for personal or household purposes. Also, it’s important to know that this exemption applies when such processing doesn’t violate the fundamental rights of a data subject. Additionally, the NDPA will not apply if the processing of personal data is carried out by a competent authority for any of the following purposes: the prevention, investigation, detection, prosecution, or adjudication of a criminal offense or to execute a criminal penalty in accordance with any applicable law; to prevent or control a national public health emergency; for national security; in respect of publication in the public interest for journalism, educational, artistic and literary purposes to the extent that such obligations and rights are incompatible with such purposes; or necessary to establish, exercise, or defend legal claims, whether in court proceedings or in an administrative or out-of-court procedure Basic Principles of the Nigerian Data Protection Act (NDPA) Just like most data protection regulations around the world, the NDPA has principles guiding organisations to compliance. Consent Organisations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely with no trace of foul play. The data subjects also have the right to withdraw their consent. Now, data processing is lawful without consent when carried out: To protect the interests of the data subject or another person, where the subject is physically or legally incapable of giving consent. To establish, defend a legal claim, get legal advice, or carry out a legal proceeding. To carry out a contract to which the data subject is a third party. To conduct a task of public interest.
