The Emergence of Data Protection in Nigeria and the Potential Impact on Businesses

With the exponential increase in the use of personal information by businesses in the technology age, data protection is at the forefront of the agendas of many countries worldwide and, for some, has been so for a number of years. In the European Union (EU), for example, the general data protection framework, which has been in place since 1995[1], is currently undergoing an upheaval, which is expected to have a significant impact on all businesses, including non-EU companies, which own, collect or use the personal information of EU citizens.
In Nigeria, it was the rapid rate of mobile penetration, climbing from approximately 1% in 2001 to 60% in 2011, which brought data protection to the fore. In 2011, the Nigerian Communications Commission issued the Registration of Telephone Subscribers Regulations, which provides for the protection of personal information, including biometric data, collected from subscribers during registration for mobile phone services. However, these Regulations are not of general application and are ineffective to curb the daily barrage of marketing messages sent directly to subscribers’ mobile phones.
The banks, payment systems companies and mobile network operators are perhaps the largest collectors of data in Nigeria by far.  If e-commerce continues to grow at the current rate of 25% annually, e-commerce companies may soon hold large databases of personal information as well.
Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Recognizing this need, the National Information Technology Development Agency (NITDA) published in 2013 draft Guidelines on Data Protection (the Guidelines). The Guidelines were the first attempt in Nigeria at establishing a data protection framework of general application. However, since their publication, there has been no indication that the Guidelines have been formally adopted.
On 3 June 2015, the 7th National Assembly passed an Electronic Transactions Bill (the Bill) which contains data protection provisions of general application. However, the Bill is one of the 46 bills passed hurriedly and allegedly in violation of legislative procedure, and is yet to receive Presidential Assent. Therefore, the Bill is not yet in force and when it eventually comes into force, its validity may be in doubt.
Nevertheless, if Presidential Assent is granted, there is no doubt that the provisions of the Bill will necessitate a change in business processes and marketing practices in Nigeria. Therefore it is timely to analyse the provisions of the Bill and discuss the likely effect the Bill will have on businesses.
Scope of Application of Part IV of the Bill
The provisions of the Bill relating to data protection are set out in Part IV of the Bill, and are supplemented by Sections 35 and 36 in Part VI which deals with Consumer Protection.
Personal data is defined as data which relates to a living individual who can be identified from such data, or from such data in combination with other information which is in the possession of, or is likely to come into the possession of, the data holder. The data holder is the person who determines the purpose for which and manner in which the personal data is processed.
Therefore, since personal data must relate to a living person, the Bill will not apply to information of the deceased. Furthermore, the Bill will not apply to anonymized information, which does not identify any individual.
Any business which involves the processing of personal data, whether by automated means using computers or by non-automated means where such data forms part of a filing system, must comply with Part IV of the Bill. Accordingly, businesses that own databases consisting of paper files, such as educational or medical records, will also be subject to the Bill. The Bill does not apply to processing of personal data in the course of any activity concerning public safety, public defence and national security. Equally, law enforcement, intelligence, and criminal prosecution agencies are not required to comply with Part IV. Finally, processing by individuals for personal or domestic use is exempt from the application of the Bill.
Processing of Personal Data
Conditions for processing personal data
Personal data cannot be processed unless one of the conditions in Section 18 of the Bill applies, namely if the data holder obtains the prior consent of the data owner (the subject of the personal data), or if the processing is necessary:
(a) for the performance of a contract to which the data owner is a party, or for taking steps at the request of the data owner with a view to entering into a contract;
(b) for compliance by the data holder with an obligation imposed on it by law;
(c) to protect the vital interests of the data owner; or
(d) in the interest of the public and good governance.
These are the only circumstances in which data holders may justify the processing of personal data legitimately. Personal data cannot be processed otherwise. While a substantial part of processing of personal data by businesses will be for reasons of contractual execution and performance, this will not cover marketing to customers or potential customers. Therefore the prior consent of the data owners must be obtained.
However, Section 36 suggests that unsolicited electronic messages may be sent to consumers provided that they have the opportunity to opt out of such messages. Furthermore, Section 35 also provides that where a service provider or vendor is reasonably unable to obtain consent from a consumer for collection, use or disclosure of his personal information, the service provider may obtain consent through an opt-in or opt-out process. This seems to give service providers some leeway in the timing of obtaining consent for use of personal information, such that in exceptional circumstances consent may be obtained after collection and use of the person’s information. More guidance on the circumstances in which this is permissible would be welcome.
Principles of processing personal data
Once a data holder is satisfied that it has a lawful justification for processing personal data, it must adhere to the following processing principles prescribed in Section 18.
Businesses may collect personal data only for specified and lawful purposes. These purposes can be set out in an aptly worded privacy policy[2]. Data collected for one purpose, for example sending information to a customer on Product A, cannot be used for another purpose, such as sending information on Product B.
Personal data collected must be adequate, relevant and not excessive in relation to the purposes for which it is processed. In practice, this means that data holders must not collect or hold more information than they need for their purpose. For example, an online supermarket may collect the name and address of a customer which is required to deliver the goods purchased. One may query whether the customer’s age is required, unless the sale is of alcohol for instance.
Personal data must be provided accurately and, where necessary, kept up to date. This appears to place the onus of accuracy of the data initially on the data owner; however, the onus shifts to the data holder to ensure that inaccuracies, when discovered, are corrected.
As personal data must not be kept for longer than is necessary, data holders must put in place a data retention policy having regard to the purposes for holding the information. Just because a person ceases to be a customer does not necessarily mean that the person’s data should be deleted. The person’s data may be retained for some time for good governance, or used for other purposes for which they consented.
Data holders must process personal data in accordance with the rights of data owners, which are discussed in further detail below.
Finally, the transfer of personal data outside Nigeria is prohibited unless the country to which the data will be transferred provides adequate protection for the rights of data owners in respect of the processing of the data. Even loading data onto servers in a foreign country will constitute a transfer of data outside Nigeria. Therefore, businesses with servers in foreign territories must ensure that the laws of those territories provide adequate protection for the personal data. What is considered adequate is not defined in the Bill; however, any law which provides similar protections to the Bill is likely to suffice.
Processing of Sensitive Personal Data
Additional safeguards apply to the processing of sensitive personal data which is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sexual orientation.
With the exception of those in the medical profession, by virtue of Section 19 of the Bill, no company may process sensitive personal data unless one of the conditions set out below applies. Any processing required for preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services, which is carried out by a health professional or other person subject to an obligation of secrecy is exempt from Section 19. However, medical professionals must still comply with the provisions of Section 18.
Conditions for processing sensitive personal data
Sensitive personal data may be processed if the data owner has given his explicit consent. The requirement for explicit consent indicates that the consent provisions for data processing usually hidden away in company privacy policies are unlikely to suffice. Businesses seeking consent for processing of sensitive personal data should obtain it in writing or, if obtained online, require the data owner to tick a box to signify his or her consent.
Employers may process sensitive personal data where it is necessary to carry out their obligations and exercise their rights under labour law and it is authorised by law. However adequate safeguards must be provided.
Processing of sensitive personal data is also permitted where it is necessary to protect the vital interests of the data owner or another person, who is physically or legally incapable of giving his consent. For instance this would cover a situation where a person is brought into the emergency room of a hospital, and his doctor who is resident at another hospital discloses his medical history to the attending doctor to assist in his care.
Foundations, associations and other not-for-profit bodies such as charities, which have political, philosophical, religious or trade union aims, may process sensitive personal data in the course of their legitimate activities, provided that the data relates to their members or persons with whom they have regular contact in connection with their aims. Also, the data cannot be disclosed without the consent of the data owner.
Data holders may also process sensitive personal data which has manifestly been made public by the data owner, for example where a person publicly declares his political affiliation. Companies in dispute with a person may also process that person’s sensitive data where it is necessary for the establishment, exercise or defence of a legal claim. Finally, sensitive personal data may be processed in the interest of the public, good governance and national security.
It is important to note that the conditions in Section 19 apply in addition to those in Section 18. Therefore, companies which collect and use sensitive personal data must ensure that they also comply with the data processing principles.
Rights of Data Owners
The Bill provides for a number of rights of data owners, including the rights of access to their data, to prevent use of their data for direct marketing, and to a remedy for breach of the statutory requirements.
On making a written request and payment of the required administrative fee, a data owner is entitled to be informed by a data holder of his personal data, which is being processed by or on behalf of the data holder. The data owner also has the right to know the purposes for which his data is being processed, the persons or class of persons to whom his data has been disclosed and information regarding the source of the data. However, the Bill is silent on the level of administrative fees that data holders may charge and timing for responding to such requests. If the fees are set prohibitively high or data holders delay responding to these requests, this right will be easily frustrated.
Data holders need not comply with every access request. If the data owner does not provide reasonable identification of himself, or sufficient information to allow the data holder to locate the information required, his access request may be denied. Furthermore, if complying with an access request from Individual A will entail disclosing the personal data of Individual B and the data holder is unable to obtain B’s consent for disclosure, the data holder need not comply unless it is reasonable in all circumstances to accede to the request without B’s consent. This will entail a value judgment which will vary from case to case and must be made carefully so as not to incur liability to B.
Data owners have the right to prevent by written notice to the data holder the processing of their personal data for the purposes of direct marketing[3]. A service provider or vendor that sends any unsolicited electronic message must include within the message a return address and a simple opt-out mechanism[4]. If a court is satisfied that a data holder has failed to comply with the data owner’s notice, the court may order the data holder to comply. Unlike in other jurisdictions, where aggrieved data owners may make a complaint to a regulator, the Bill specifically places the responsibility of enforcement with data owners. The reality is that a good number of data owners are unlikely to commence proceedings in court. As discussed below, NITDA potentially has a role to play in this regard.
Finally, any individual who suffers damage due to a breach by a data holder of the requirements of the Bill may seek compensation. Companies may be alarmed by this at first. However, liability for breach is not strict. To successfully claim compensation, the claimant must prove that there was a breach by the data holder, he suffered loss, and that breach caused his loss. The claimant will have the burden of proving his case by a preponderance of the evidence, and the chances of success will depend on the available evidence.
Processing Of Data by Agents
Many companies do not process the data that they hold themselves. For example as part of a targeted campaign, a company may provide part of its customer data to its marketing agency.  Section 24 of the Bill requires companies to choose processors that provide sufficient guarantees in respect of implementing and complying with technical security and organisational measures to safeguard the data during processing. Such guarantees should be set out in the contract with the processor. Data processors are not permitted to process any personal data except on the instructions of the data holder and as permitted by law.
Ultimately, since the responsibility for compliance with the Bill will rest with the data holder, it is wise to ensure that data holders have adequate contractual remedies against the processor if the processor does not implement or comply with the technical security and organisational measures or the instructions of the data holder.
Technical Security and Organisational Measures
Data holders must implement appropriate technical and organizational measures and exercise reasonable care to protect and secure personal data against accidental loss and unlawful destruction or processing, particularly where processing involves transmission of personal data over a network.
There is no ‘one size fits all’ approach to securing personal data. Therefore, the security measures that are appropriate for each business will depend on its circumstances. Businesses should adopt a risk-based approach in deciding the level of security they require, having regard to the type of data, sensitive or not, being processed, the available security systems and the costs of implementation. Many businesses in Nigeria with large databases of personal information are likely to already have such security measures in place. Data is a valuable asset. However, such measures should be kept under review and tested regularly for robustness.
It is the implementation of these measures, particularly from an organisational perspective, that is likely to have the most impact on businesses. Compliance with the Bill will require the adoption of new or the review of old policies and processes. Businesses may also need to allocate human resources to ensure compliance with these policies and processes, both at management and lower levels. Some businesses are caught out by access requests, not knowing who in the organisation should handle them or how to deal with them. Data protection requires a top-down approach.
The Role of NITDA
NITDA has the power under the Bill to make rules and guidelines pertaining to data protection. As a government agency, it also has the power under Section 43 to make regulations setting standards of conduct for service providers and vendors on such matters as it requires. Such regulations must prescribe penalties for non-compliance including written warnings, stop orders and mandatory orders.  Without a regulator, the data protection provisions of the Bill would be toothless. The problem is that any government agency empowered by law to make regulations also has the power to make regulations under Section 43. This may lead to multiple layers of regulation and conflict of regulations, which is a common complaint of businesses in Nigeria.
Final Remarks
The Bill’s data protection framework provides a solid foundation for protection of the rights of data owners. However, to assist businesses in setting the boundaries, more clarity is required in certain areas, such as the circumstances in which consent may be obtained after collection, use and disclosure of personal information as envisaged under Section 35, and in which unsolicited marketing messages may be sent to consumers as implied by Section 36.
Businesses will also require guidance on the type and level of technical, security and organizational measures required to safeguard their data. It is here that the impact of the Bill is likely to be the greatest. Compliance with the Bill will require a top-down risk-based approach and may entail the adoption of new policies and processes, as well as a review of standard contracts.
Finally, to avoid increasing the regulatory impact on businesses, NITDA should be designated as the primary regulator, with the power to regulate and sanction data protection breaches.

 


[1] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The EU framework has been amended on several occasions to strengthen it. In 2002, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector was adopted. The Directive was amended in 2009 by Directive 2009/136/EC which changed the requirements for consent for the use of cookies.
[2] Section 35 in Part VI requires service providers to publish a privacy policy which must remain accessible to consumers prior to commencement of the contract and whenever personal information is requested or collected.
[3] Section 21(1)
[4] Section 36

[/vc_column_text][/vc_column][/vc_row][vc_row type=”vc_default” full_width=”stretch_row_content_no_spaces” css=”.vc_custom_1500547593342{padding-right: 100px !important;}” el_class=”noPaddinRow”][vc_column el_class=”noPaddingLeft” offset=”vc_hidden-lg vc_hidden-xs”][vc_raw_html]JTNDZGl2JTIwY2xhc3MlM0QlMjJ0YWItbWFpbi1zdHJpcCUyMiUzRSUwQSUzQ2RpdiUyMGNsYXNzJTNEJTIydGFiLWJsdWUtc3RyaXAwJTIyJTNFJTNDJTJGZGl2JTNFJTBBJTNDZGl2JTIwY2xhc3MlM0QlMjJ0YWItYmx1ZS1zdHJpcDElMjIlM0UlM0MlMkZkaXYlM0UlMEElM0NkaXYlMjBjbGFzcyUzRCUyMnRhYi1ibHVlLXN0cmlwMiUyMiUzRSUzQyUyRmRpdiUzRSUwQSUzQyUyRmRpdiUzRQ==[/vc_raw_html][vc_empty_space height=”25px”][vc_row_inner][vc_column_inner width=”1/6″][/vc_column_inner][vc_column_inner width=”2/3″][vc_custom_heading text=”The Emergence of Data Protection in Nigeria and the Potential Impact on Businesses” font_container=”tag:h1|font_size:22|text_align:justify|color:%236699cc|line_height:1.8″ use_theme_fonts=”yes”][vc_column_text]

With the exponential increase in the use of personal information by businesses in the technology age, data protection is at the forefront of the agendas of many countries worldwide and, for some, has been so for a number of years. In the European Union (EU), for example, the general data protection framework, which has been in place since 1995[1], is currently undergoing an upheaval, which is expected to have a significant impact on all businesses, including non-EU companies, which own, collect or use the personal information of EU citizens.
In Nigeria, it was the rapid rate of mobile penetration, climbing from approximately 1% in 2001 to 60% in 2011, which brought data protection to the fore. In 2011, the Nigerian Communications Commission issued the Registration of Telephone Subscribers Regulations, which provides for the protection of personal information, including biometric data, collected from subscribers during registration for mobile phone services. However, these Regulations are not of general application and are ineffective to curb the daily barrage of marketing messages sent directly to subscribers’ mobile phones.
The banks, payment systems companies and mobile network operators are perhaps the largest collectors of data in Nigeria by far.  If e-commerce continues to grow at the current rate of 25% annually, e-commerce companies may soon hold large databases of personal information as well.
Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Recognizing this need, the National Information Technology Development Agency (NITDA) published in 2013 draft Guidelines on Data Protection (the Guidelines). The Guidelines were the first attempt in Nigeria at establishing a data protection framework of general application. However, since their publication, there has been no indication that the Guidelines have been formally adopted.
On 3 June 2015, the 7th National Assembly passed an Electronic Transactions Bill (the Bill) which contains data protection provisions of general application. However, the Bill is one of the 46 bills passed hurriedly and allegedly in violation of legislative procedure, and is yet to receive Presidential Assent. Therefore, the Bill is not yet in force and when it eventually comes into force, its validity may be in doubt.
Nevertheless, if Presidential Assent is granted, there is no doubt that the provisions of the Bill will necessitate a change in business processes and marketing practices in Nigeria. Therefore it is timely to analyse the provisions of the Bill and discuss the likely effect the Bill will have on businesses.
Scope of Application of Part IV of the Bill
The provisions of the Bill relating to data protection are set out in Part IV of the Bill, and are supplemented by Sections 35 and 36 in Part VI which deals with Consumer Protection.
Personal data is defined as data which relates to a living individual who can be identified from such data, or from such data in combination with other information which in the possession of, or is likely to come into the possession of the data holder. The data holder is the person who determines the purpose for which and manner in which the personal data is processed.
Therefore, since personal data must relate to a living person, the Bill will not apply to information of the deceased. Furthermore, the Bill will not apply to anonymized information, which does not identify any individual.
Any business, which involves the processing of personal data whether by automated means using computers, or non-automated means where such data forms part of a filing system, must comply with Part IV of the Bill. Accordingly, businesses that own databases consisting of paper files, such as educational or medical records will also be subject to the Bill. The Bill does not apply to processing of personal data in the course of any activity concerning public safety, public defence and national security. Equally law enforcement, intelligence, and criminal prosecution agencies are not required to comply with Part IV.  Finally, processing by individuals for personal or domestic use is exempt from the application of the Bill.
Processing of Personal Data
Conditions for processing personal data
Personal data cannot be processed unless one of the conditions in Section 18 of the Bill applies, namely if the data holder obtains the prior consent of the data owner– the subject of the personal data, or if the processing is necessary,
(a)   for the performance of a contract to which the data owner is a party, or for taking steps at the request of the data owner with a view of entering into a contract;
(b) for compliance by the data holder with an obligation imposed on it by law;
(c)   to protect the vital interests of the data owner; or
(d) in the interest of the public and good governance.
These are the only circumstances in which data holders may justify the processing of personal data legitimately. Personal data cannot be processed otherwise. While a substantial part of processing of personal data by businesses will be for reasons of contractual execution and performance, this will not cover marketing to customers or potential customers. Therefore the prior consent of the data owners must be obtained.
However, Section 36 suggests that unsolicited electronic messages may be sent to consumers provided that they have the opportunity to opt out of such messages. Furthermore, section 35 also provides that where a service provider or vendor is reasonably unable to obtain consent from a consumer for collection, use or disclosure of his personal information, the service provider may obtain consent through an opt-in or opt-out process. This seems to give service providers some leeway in the timing of obtaining consent for use of personal information, such that in exceptional circumstances consent may be obtained after collection and use of the person’s information. More guidance on the circumstances in which this is permissible would be welcome.
Principles of processing personal data
Once a data holder is satisfied that it has a lawful justification for processing personal data, it must adhere to the following processing principles prescribed in Section 18.
Businesses may collect personal data only for specified and lawful purposes. These purposes can be set out in an aptly worded privacy policy[2]. Data collected for one purpose, for example sending information to a customer on Product A, cannot be used for another purpose, such as sending information on Product B.
Personal data collected must be adequate, relevant and not excessive in relation to the purposes for which it is processed. In practice, this means that data holders must not collect or hold more information than they need for their purpose. For example, an online supermarket may collect the name and address of a customer which is required to deliver the goods purchased. One may query whether the customer’s age is required, unless the sale is of alcohol for instance.
Personal data must be provided accurately and, where necessary, kept up to date. This appears to place the onus of accuracy of the data initially on the data owner, however the onus shifts to the data holder to ensure that inaccuracies, when discovered, are corrected.
As personal data must not be kept for longer than is necessary, data holders must put in place a data retention policy having regard to the purposes for holding the information. Just because a person ceases to be a customer does not necessarily mean that the person’s data should be deleted. The person’s data may be retained for some time for good governance, or used for other purposes for which they consented.
Data holders must process personal data in accordance with the rights of data owners, which are discussed in further detail below.
Finally, the transfer of personal data outside Nigeria is prohibited unless the country to which the data will be transferred provides adequate protection for the rights of data owners in respect of the processing of the data. Even loading data onto servers in a foreign country will constitute a transfer of data outside Nigeria. Therefore businesses with servers in foreign territories must ensure that the laws of those territories provide adequate protection for the personal data. What is considered adequate is not defined in the Bill, however any law which provides similar protections as the Bill is likely to suffice.
Processing of Sensitive Personal Data
Additional safeguards apply to the processing of sensitive personal data which is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sexual orientation.
With the exception of those in the medical profession, by virtue of Section 19 of the Bill, no company may process sensitive personal data unless one of the conditions set out below applies. Any processing required for preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services, which is carried out by a health professional or other person subject to an obligation of secrecy is exempt from Section 19. However, medical professionals must still comply with the provisions of Section 18.
Conditions for processing sensitive personal data
Sensitive personal data may be processed if the data owner has given his explicit consent. The requirement for explicit consent indicates that the consent provisions for data processing usually hidden away in company privacy policies are unlikely to suffice. Businesses seeking consent for processing of sensitive personal data should obtain it in writing or, if obtained online, require the data owner to tick a box to signify his or her consent.
Employers may process sensitive personal data where it is necessary to carry out their obligations and exercise their rights under labour law and it is authorised by law. However, adequate safeguards must be provided.
Processing of sensitive personal data is also permitted where it is necessary to protect the vital interests of the data owner or another person, who is physically or legally incapable of giving his consent. For instance, this would cover a situation where a person is brought into the emergency room of a hospital, and his doctor who is resident at another hospital discloses his medical history to the attending doctor to assist in his care.
Foundations, associations and other not-for-profit bodies such as charities, which have political, philosophical, religious or trade union aims, may process sensitive personal data in the course of their legitimate activities, provided that the data relates to their members or persons with whom they have regular contact in connection with their aims. Also, the data cannot be disclosed without the consent of the data owner.
Data holders may also process sensitive personal data which has manifestly been made public by the data owner, for example where a person publicly declares his political affiliation. Companies in dispute with a person may also process that person’s sensitive data where it is necessary for the establishment, exercise or defence of a legal claim. Finally, sensitive personal data may be processed in the interest of the public, good governance and national security.
It is important to note that the conditions in Section 19 apply in addition to those in Section 18. Therefore, companies which collect and use sensitive personal data must ensure that they also comply with the data processing principles.
Rights of Data Owners
The Bill provides for a number of rights of data owners, including the rights of access to their data, to prevent use of their data for direct marketing and to a remedy for breach of the statutory requirements.
On making a written request and payment of the required administrative fee, a data owner is entitled to be informed by a data holder of his personal data, which is being processed by or on behalf of the data holder. The data owner also has the right to know the purposes for which his data is being processed, the persons or class of persons to whom his data has been disclosed and information regarding the source of the data. However, the Bill is silent on the level of administrative fees that data holders may charge and timing for responding to such requests. If the fees are set prohibitively high or data holders delay responding to these requests, this right will be easily frustrated.
Data holders need not comply with every access request. If the data owner does not provide reasonable identification of himself, or sufficient information to allow the data holder to locate the information required, his access request may be denied. Furthermore, if complying with an access request from Individual A will entail disclosing the personal data of Individual B and the data holder is unable to obtain B’s consent for disclosure, the data holder need not comply unless it is reasonable in all circumstances to accede to the request without B’s consent. This will entail a value judgment which will vary from case to case and must be made carefully so as not to incur liability to B.
Data owners have the right to prevent by written notice to the data holder the processing of their personal data for the purposes of direct marketing[3]. A service provider or vendor that sends any unsolicited electronic message must include within the message a return address and a simple opt-out mechanism[4]. If a court is satisfied that a data holder has failed to comply with the data owner’s notice, the court may order the data holder to comply. Unlike in other jurisdictions, where aggrieved data owners may make a complaint to a regulator, the Bill specifically places the responsibility of enforcement with data owners. The reality is that a good number of data owners are unlikely to commence proceedings in court. As discussed below, NITDA potentially has a role to play in this regard.
Finally, any individual who suffers damage due to a breach by a data holder of the requirements of the Bill may seek compensation. Companies may be alarmed by this at first. However, liability for breach is not strict. To successfully claim compensation, the claimant must prove that there was a breach by the data holder, he suffered loss, and that breach caused his loss. The claimant will have the burden of proving his case by a preponderance of the evidence, and the chances of success will depend on the available evidence.
Processing Of Data by Agents
Many companies do not themselves process the data that they hold. For example, as part of a targeted campaign, a company may provide part of its customer data to its marketing agency. Section 24 of the Bill requires companies to choose processors that provide sufficient guarantees in respect of implementing and complying with technical security and organisational measures to safeguard the data during processing. Such guarantees should be set out in the contract with the processor. Data processors are not permitted to process any personal data except on the instructions of the data holder and as permitted by law.
Ultimately, since the responsibility for compliance with the Bill will rest with the data holder, it is wise to ensure that data holders have adequate contractual remedies against the processor if the processor does not implement or comply with the technical security and organisational measures or the instructions of the data holder.
Technical Security and Organisational Measures
Data holders must implement appropriate technical and organizational measures and exercise reasonable care to protect and secure personal data against accidental loss and unlawful destruction or processing, particularly where processing involves transmission of personal data over a network.
There is no ‘one size fits all’ approach to securing personal data. Therefore, the security measures that are appropriate for each business will depend on its circumstances. Businesses should adopt a risk-based approach in deciding the level of security they require, having regard to the type of data, sensitive or not, being processed, the available security systems and the costs of implementation. Many businesses in Nigeria with large databases of personal information are likely to already have such security measures in place. Data is a valuable asset. However, such measures should be kept under review and tested regularly for robustness.
It is the implementation of these measures, particularly from an organisational perspective, that is likely to have the most impact on businesses. Compliance with the Bill will require the adoption of new or the review of old policies and processes. Businesses may also need to allocate human resources to ensure compliance with these policies and processes, both at management and lower levels. Some businesses are caught out by access requests, not knowing who in the organisation should handle them or how to deal with them. Data protection requires a top-down approach.
The Role of NITDA
NITDA has the power under the Bill to make rules and guidelines pertaining to data protection. As a government agency, it also has the power under Section 43 to make regulations setting standards of conduct for service providers and vendors on such matters as it requires. Such regulations must prescribe penalties for non-compliance including written warnings, stop orders and mandatory orders. Without a regulator, the data protection provisions of the Bill would be toothless. The problem is that any government agency empowered by law to make regulations also has the power to make regulations under Section 43. This may lead to multiple layers of regulation and conflict of regulations, which is a common complaint of businesses in Nigeria.
Final Remarks
The Bill’s data protection framework provides a solid foundation for protection of the rights of data owners. However, to assist businesses in setting the boundaries, more clarity is required in certain areas, such as the circumstances in which consent may be obtained after collection, use and disclosure of personal information as envisaged under Section 35, and in which unsolicited marketing messages may be sent to consumers as implied by Section 36.
Businesses will also require guidance on the type and level of technical, security and organizational measures required to safeguard their data. It is here that the impact of the Bill is likely to be the greatest. Compliance with the Bill will require a top-down risk-based approach and may entail the adoption of new policies and processes, as well as a review of standard contracts.
Finally, to avoid increasing the regulatory impact on businesses, NITDA should be designated as the primary regulator, with the power to regulate and sanction data protection breaches.

 


[1] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The EU framework has been amended on several occasions to strengthen it. In 2002, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector was adopted. The Directive was amended in 2009 by Directive 2009/136/EC which changed the requirements for consent for the use of cookies.
[2] Section 35 in Part VI requires service providers to publish a privacy policy which must remain accessible to consumers prior to commencement of the contract and whenever personal information is requested or collected.
[3] Section 21(1)
[4] Section 36

[/vc_column_text][/vc_column_inner][vc_column_inner width=”1/6″][/vc_column_inner][/vc_row_inner][/vc_column][/vc_row]