The exchange of information constitutes an essential part of our daily living as humans. Personal data, as information, is being obtained, processed, collated and stored by government agencies, business organizations and non-government organizations for their ‘legitimately recognized’ transactions with the data subject. This has led to a tug of war for control over personal data, and it has thus become inevitable to regulate this sphere of our living. The Nigerian Information and Technology Development Agency (NITDA), pursuant to its duties, has risen to protect individual citizens who have been made vulnerable as a result of the proliferation of the use of personal data by issuing the Nigeria Data Protection Regulation (NDPR) 2019. A lot has been said in introducing the novel NDPR; therefore, in this piece I would rather attempt to explore a few key concepts in data protection for catholic understanding.
2.0 PERSONAL DATA
To begin, one needs to understand what personal data (the hallmark of the regulation) entails and the extent of its interpretation. The term personal data, according to the NDPR, means any information relating to an identified or identifiable natural person (Data Subject). This means that any information about a person whose identity is either manifestly clear or can be established from additional information will be regarded as personal data. To ascertain whether information makes a person identifiable or identifies a person, one must take into cognizance all reasonable means that are likely to be used to directly or indirectly identify the individual or make it possible to treat one person differently from another. For Council of Europe (CoE) law, the notion of identifiable does not only refer to the individual’s civil or legal identity as such, but also to what may allow one person to be individualized or singled out from others and, as a result, potentially treated differently. The definition of personal data by the NDPR is in tune with the General Data Protection Regulation (GDPR), which is applicable to European countries.
Under European law and CoE law, information contains data about a person if:
a. An individual is identified or identifiable by this information; or
b. An individual, while not identified, can be singled out by this information in a way which makes it possible to find out who the data subject is by conducting further research.
Therefore, for European data protection law, there is no need for actual identification of the data subject; it suffices that the person concerned be identifiable. The benchmark according to Recital 26 of the GDPR is whether it is likely that reasonable means for identification will be available and administered by the foreseeable users of the information. As such, it is noteworthy that the ascertainment of reasonableness for the means of identification is limited to all objective factors, such as the cost of and the amount of time required for identification, taking into consideration the available technology at the time of processing and technological developments.
The NDPR under Article 1.3 (xix) stipulates that a natural person can be identifiable when he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal identifiable information (PII) and others.
The list is not limited: by the definition of the NDPR, any kind of information can be personal data provided that it relates to an identified or identifiable person. Information pertaining to the private life of a person, which also includes professional activities, as well as information about his public life, constitutes personal data. Identification thus requires elements which describe a person in such a way that he or she is distinguishable from all other persons and recognizable as an individual. It therefore holds that without even enquiring about the name and address of an individual, it is possible to categorize this person on the basis of socio-economic, psychological, philosophical or other criteria and attribute certain decisions to him or her, since the individual’s contact point (the computer) no longer requires the disclosure of his or her identity in the narrow sense.
The NDPR’s definition of personal data is broad and adequate enough to cover a large degree of identifiability. However, direct or indirect identifiability of individuals requires continuous assessment, taking into consideration the available technology at the time of the processing and technological developments.
3.0 DATA SUBJECT
Recall that personal data is information that identifies a data subject. The question that easily comes to mind is: who then is a data subject? The NDPR under Article 1.3 (xiv) states that a Data subject is any Person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. There are two types of persons recognizable in law, viz: natural persons and artificial persons. A natural person is an individual with the attributes of a living being, while an artificial person, on the other hand, is a creation of law and therefore enjoys only legal attributes also enjoyed by a natural person (for example, incorporated companies, government agencies etc.).
By the expansive gamut of the definition of a data subject by the NDPR, one can easily conclude that both natural and artificial persons are covered by the data protection rules of Nigeria as provided in the NDPR. However, from a combined reading of Article 1.2 (b), which provides that “this Regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria”, and Article 1.3 (xiv) of the NDPR already stated above, it would be understood that natural persons (living beings) are the only beneficiaries of data protection rules and therefore protected by the Nigerian Data Protection Regulation.
4.0 DATA CONTROLLER
Since the transaction of personal data involves more than one party, it is pertinent also for us to know who the party on the other side is. This is the Data controller. According to Article 1.3 (x) of the NDPR, a Data controller is a person or an organization that processes data or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed. The most important consequence of being a data controller is the legal responsibility for complying with the respective obligations under the NDPR. A Data controller may be a natural or legal person in the private sector, while in the public sector it is usually an authority. It needs to be understood that there is a significant distinction between a data controller and a data processor: while both can be natural or legal persons, the data processor processes data on behalf of a data controller following strict instructions. This distinction, however, is more prevalent in the GDPR because the NDPR is silent as to the person of a data processor. In any event, where there is non-compliance with the provisions of the Nigerian Regulation in respect of the protection of data, the data controller is to be held accountable.
5.0 DATA PROCESSING
Having explained personal data and who a data subject is, it is pertinent to know what constitutes data processing; in essence, to understand when personal data which could identify a data subject would be said to be processed. Under the NDPR, the term processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. By the above definition, it would be right to conclude that data processing concerns any operation performed on personal data. There are basically two methods of processing personal data: automated and non-automated processing.
Automated data processing concerns any operations performed on personal data wholly or partly by automated means. This may include a mobile device, a computer, a router etc.
On the other hand, processing of personal data is non-automated when the processing is done manually without the aid of a machine. Therefore, where personal data is processed through a structured filing system wherein a set of personal data is made accessible according to certain criteria, this still constitutes processing covered by the NDPR.
This wide coverage of protection of personal data by the regulation is commendable since paper files can be structured in a way which makes finding information quick and easy, giving rise to a possible misuse of personal data to the detriment of the data subject. This position of the NDPR on what constitutes data processing is also akin to the GDPR and the EU law.
5.0 RIGHTS OF DATA SUBJECTS
With the issuance of the NDPR, which is aimed at safeguarding the rights of natural persons to data privacy, fostering safe conduct for transactions involving the exchange of personal data and preventing manipulation of personal data, entities that process personal data will have to increase their data protection efforts to comply with the data subject’s rights. These rights of a data subject under the NDPR are:
5.1 Right to transparent information relating to processing of personal data
A data subject has the right to be provided with any information relating to data processing activities in a transparent and intelligible manner to permit such data subject to effectively exercise their rights. This is because only an informed individual will be in a position to exercise control over or influence the treatment of his personal data. In order to be able to communicate appropriately with data subjects, the controller is obliged to create suitable information measures. The NDPR under Article 3.1 (1) requires that such information shall be concise, transparent, intelligible, easily accessible and in clear and plain language; in this sense, the NDPR makes a special case for children. The manner of providing any such information to the data subject shall not be restricted to a particular form; it should rather be governed by a principle of increased transparency and comprehensibility. Communication via electronic means is especially appropriate where personal data is processed by electronic means or obtained online. The NDPR stipulates that any such information may be provided orally.
5.2 Right to be informed prior to processing of data
Irrespective of whether personal data is directly collected from the data subject or whether it has been obtained from another source, a controller must provide minimum information on processing to the data subject prior to carrying out any processing activities on the personal data. This is in line with the principle of fairness and transparency, which requires that the data subject shall be informed of the existence of any processing operations on their personal data and also their legal basis and purposes, among others. Article 3.1 (7) of the NDPR goes further to enumerate certain information the data controller must provide to the data subject prior to processing of personal data, which includes:
a) The identity and contact details of the controller
b) The contact details of the Data Protection officer
c) The purposes of and the legal basis for processing and if processing shall be based upon the prevailing legitimate interest of the controller.
d) The recipient/categories of recipients of the personal data
e) Where applicable, the controller’s intention to transfer the personal data to a third country, etc.
It is pertinent to note that where the controller intends to change the initial purpose for which data was processed, it is obligated to provide the data subject prior to that further processing with information on said purpose and other necessary information as this is in line with the principles of lawfulness, fairness and transparency of processing. Under Article 3.1 (8), the NDPR also provides that where personal data are to be transferred to a foreign country or to an international organization, the data subject has the right to be informed of the appropriate safeguards for data protection in the foreign country.
5.3 Right of Response to Data Subject’s Requests
As already said, where an individual is unaware that, and how, his personal data is processed, he will be unable to exercise his resulting rights in relation to the data, such as the right to erasure or rectification. Therefore, for the effective enforcement of any right of the data subject under the NDPR, the controller is obliged to respond to any request for information from a data subject relating to them. This has been provided for pursuant to Article 3.1 (1) – (6) of the NDPR. Any information provided to the data subject pursuant to these provisions shall be free of charge, except that where requests by the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller is permitted to charge a reasonable fee taking into account its administrative costs, or even to refuse to act on the request.
The controller is required to provide the data subject with information on actions taken upon their request without undue delay and in any event within 1 (one) month of receipt of the request. Where the controller, however, does not intend to comply with the data subject’s request and decides to take no action, it shall inform the data subject without undue delay of the reasons for its decision. Such a response refusing the request is required by the NDPR to also inform the data subject of the possibility of lodging a complaint with a supervisory authority.
5.4 Right to Access
In addition to the comprehensive information rights of data subjects and the corresponding obligations of controllers, the data subject has the right to access their personal data. This right to access permits the data subject to verify the lawfulness of processing activities that are performed on their personal data and will thus ultimately help to effectively enforce the data subject’s rights under the NDPR. The right to access reinforces the fairness and transparency principles of data processing. Beyond providing the data subject with general information on data processing activities, the right to access entails that there should be a possibility for the data subject to demand more in-depth information on processing in order to permit them to further assess the lawfulness of processing. Article 3.1 (14) of the NDPR, in line with the right to access, provides that the Data subject shall have the right to receive personal data concerning him or her which has been provided in a structured, commonly used and machine-readable format. Upon reception of the personal data from the controller, the controller shall not hinder in any way the transmission of such personal data to another controller.
5.5 Right to Erasure, Rectification and Restriction
Pursuant to Article 3.1 (8) – (13) of the NDPR, adequate provisions are made for the data subject’s right to erasure, rectification or restriction of processing of personal data relating to the data subject. It is settled that data processing can negatively impair the rights and freedoms of data subjects, especially where it is unlawful or involves incorrect or incomplete data; thus the NDPR empowers a data subject to determine and limit or influence processing activities carried out by the controller in relation to their personal data. Where a data subject wishes for a comprehensive erasure of the personal data, it must implicitly state same and the consequence shall be that any controller processing the personal data in issue should be addressed by its request. Although not defined by the NDPR and GDPR, erasure should be understood to consist of making data unusable in a way that prevents the controller, the processor or any third party from accessing, reading out and processing the data, irrespective of whether it consists of physically destroying or technically deleting the data. It is not stipulated by the NDPR for how long personal data of an individual can be retained before erasure after the purpose of processing such data has been served. It is only Sec 38 of the Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 which provides 2 (two) years as a period of retention.
Going further, the right of rectification specifies the principle of accuracy of personal data. It implies that the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and make same to reflect reality at any given time. Inaccuracy exists where personal data do not reflect reality so that the information they disclose is untrue. The right to rectification is only exercisable by the data subject for its own personal data and not that of a third party.
Restriction of processing under the NDPR is geared towards a reconciliation of interests between, on one hand, the data subject’s interest in rectification or erasure of their personal data and, on the other hand, the controller’s interest in continuing to process the personal data concerned. Restriction of processing requires that the personal data concerned is marked in a way that prevents it from being subject to processing activities. This may be done, for instance, by temporarily moving the selected data to another processing system, temporarily removing published data from a website or making selected personal data unavailable to users. Before personal data of which processing has been restricted can be processed, the consent of the Data subject must be obtained. Restriction of processing does not relate to the storage of the personal data concerned. It is worthy of note, however, that the request of a data subject for restriction of processing is not subject to any formal requirements but must indicate the data subject’s demand in a sufficiently clear manner.
5.6 Right to Data Portability
According to Article 3.1 (15) of the NDPR, a data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible, provided that this right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right entails the economic flexibility granted to a data subject to facilitate their ability to move, copy or transmit personal data easily from one IT environment to another; in essence, it allows a data subject to change service providers as simply as possible.
The right to data portability strengthens the competition among service providers for customers and, in doing so, fosters the development of privacy-friendly technologies and interoperable data formats. However, the transmission of personal data on the request of the data subject is not absolute. It is subject to whether such transmission is technically feasible. The Regulation further provides that such right shall be exercised subject to any processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In a nutshell, the disasters of uncontrolled or mismanaged data are enormous (especially with the increase in the use of technology), as they could cause a lot of injury to data subjects, thereby affecting their rights. For instance, incorrect processing of personal data could lead to career or professional issues for the data subject. At other times, personal data in the wrong hands has cost individuals their lives, money, good health etc. Also, the leak of personal data has caused companies significant damage to their reputation, finances and resources etc. Therefore, the Nigerian Data Protection Regulation 2019, with its 4 (four) point objectives, has commendably come in to hold to account reckless and negligent processing of personal information which identifies a natural person.
Emmanuel T Okpara Esq.
Legal Practitioner, NBA Ikeja Branch, Lagos State.