A REVIEW OF THE LAGOS STATE DATA PROTECTION BILL
Before the Lagos State House of Assembly is “a bill for a law to promote the protection of personal information processed by public and private bodies, establish minimum requirements for the processing and protection of personal information, establish the data protection commission and for connected purposes”.
In this briefing note, we summarise the key provisions of the Bill:
A.
Features of the Bill:
Short Title: Lagos State Data Protection Bill, 2021.
Principal Purpose: The Bill is largely designed to protect individuals from having their personal information misused, exploited or mishandled.
Application: Lagos State.
No. of Sections: 65
Number of Parts: 10
Number of Schedules: 2
B.
Summary of Major Provisions of the Bill and Remarks:
The relevant provisions are as follows:
S/N | The Principal Act | The Bill | Remarks
PART I – PRELIMINARY PROVISIONS
1.
Section 2 – Application
This Law applies to the processing of data entered in a record by making use of automated or non-automated means, provided that when the recorded data is processed by non-automated means it forms or is intended to form part of a filing system. The Law shall also apply where the data controller is domiciled in the State, or is not domiciled in the State but makes use of automated or non-automated means in the State, unless those means are used only to forward personal data through the State.
The Bill regulates the automated or non-automated processing of data by or on behalf of a data controller who is either domiciled in Lagos State or not domiciled but makes use of automated or non-automated means in the State.
In terms of scope, the proposed Bill seems to apply not only to personal data but to data in general.
Personal Data is defined by the Bill as:
“(a) data which relate to an identified or identifiable person; or
(b) data or other information, including an opinion forming part of a database, whether or not recorded in a material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.”
Data is defined by the Bill as:
“information in a form which is capable of being processed through any equipment operating automatically in response to instructions given for that purpose and is recorded-
(a) with the intent of being processed by such equipment; or
(b) as part of a relevant filing system or intended to be part of a relevant filing system;”
The language of Section 2(1)(a) of the Bill seems to suggest that the Law does not apply to personal data processed by non-automated means which does not form, and is not intended to form, part of a filing system.
PART II – ESTABLISHMENT OF THE DATA PROTECTION COMMISSION
2.
Section 3 – Establishment of the Data Protection Commission
There shall be established a body to be known as the Data Protection Commission, which shall be a body corporate, may sue and be sued in its name, and may hold, acquire and dispose of movable and immovable property, amongst other things.
3.
Section 4 – Functions of the Agency
Some significant functions of the Agency are to:
· take measures to ensure that personal data is collected, held or processed in a manner that does not infringe on the privacy of a data subject;
· ensure compliance with the provisions of this Law, and any regulations made under the Law;
· open and maintain a register of all data controllers and data processors;
· regulate data processing activities, and verify whether the processing of data is in accordance with this Law or regulations made under it;
· promote self-regulation among data controllers and data processors;
· investigate any complaint or information which gives rise to a suspicion that an offence under this Law may have been, is being or is about to be committed;
· sensitise the general public about the provisions of this Law;
· undertake research, and monitor developments in data processing, data-matching, data linkage and information, including communication technologies, and ensure that there are no significant risks of any adverse effects of those developments on the privacy of individuals;
· examine proposals for any data matching procedure or data linkage that may involve an interference with, or otherwise have adverse effects on, the privacy of individuals, and ensure that any adverse effects of such proposal on the privacy of individuals are minimised;
· co-operate with supervisory authorities within and outside the State, to the extent necessary for the performance of its functions under this Law; and
· carry out any other function that may be necessary to the attainment of the objectives of this Law.
The Commission shall be responsible for the administration of the Bill. The Commission shall regulate data protection activities in a bid to ensure that the rights and obligations of data subjects and data controllers are adequately provided for.
The Bill, in establishing the Commission as the supervisory authority, saddles it with, amongst other things, the function of opening and maintaining a register of data controllers and data processors. It will be interesting to see how the supervisory authority will achieve this, bearing in mind the number of data controllers and processors within the State. Perhaps the Commission may need to consider a threshold before a data controller or processor “qualifies” for registration, as it may be administratively challenging to ask all categories or types of data controllers or processors to register, bearing in mind that almost every person processes data on a daily basis.
With respect to the promotion of self-regulation among data controllers and processors, it remains to be seen how the Commission will perform this function.
4.
Section 5 – Powers of the Commission
The powers of the Commission include to:
· enter into, carry out, assign or accept the assignment of, vary or rescind, any contract, agreement or other obligation in line with its functions under this Law;
· accept gifts and donations, whether subject to any trust or not, as may be required by the Commission in the performance of its functions under this Law;
· investigate contravention complaints and take necessary legal steps to redress the complaints;
· subject to the approval of the Governor, become a member of or affiliate to any international body concerned (whether in whole or in part) with the privacy of individuals in relation to personal data; and
· exercise such other powers as are conferred under this Law or any other Law.
5.
Section 6 – Establishment and Composition of the Governing Board
Sub-section 1 of the Law establishes a governing board to be called “the Board”.
Sub-section 2 of the Law provides for the composition of the Board, which includes:
· a Chairman, who shall be a qualified Information Technology practitioner with not less than Ten (10) years post-qualification experience;
· the Executive Secretary of the Commission;
· the Commissioner for Science and Technology;
· a renowned Management Information Systems professional;
· a Cyber Security Systems professional;
· a retired Commissioner of Police;
· a representative of the organised private sector; and
· the Legal Adviser of the Commission.
The Board members shall be appointed by the Governor on the recommendation of the Commissioner.
The Bill is vague on who qualifies as an Information Technology practitioner; it may be useful to have some objective criteria for this qualification.
6.
Section 7 – Tenure and Remuneration of Members
Sub-section 1 provides that the Chairman and members of the Board, except the Executive Secretary, shall be appointed to serve as part-time members and shall hold office for four (4) years, and be eligible for one further term of four (4) years only.
Sub-section 2 provides that the Chairman and other members of the Board shall be paid such remuneration as the Governor may determine.
The Board members, except the Executive Secretary, are entitled to a four-year term which is renewable once for a further four years.
7.
Section 8 – Functions of the Board
The Board’s functions include to:
· set up guidelines relating to the collection, processing and transfer of personal data in the State;
· make recommendations to the State Government on matters relating to data protection and the protection of the privacy of residents of the State;
· set up the security codes and minimum requirements to be met by data controllers and processors in processing personal information in the State; and
· carry out such other functions as may be expedient to give effect to the provisions of this Law.
This Section saddles the Board with the responsibility of setting up guidelines for regulating the collection, processing and transfer of data in Lagos State. The guidelines shall provide a framework and road map for the applicability of the Bill.
8.
Section 9 – Appointment of the Executive Secretary
Sub-section 1 provides that there shall be appointed by the Governor an Executive Secretary who shall –
· be a person of proven integrity with not less than Ten (10) years post-qualification experience in Management Information Systems or Information Technology;
· be the Chief Executive and Accounting Officer of the Commission;
· be responsible for the execution of the policy and the day-to-day administration of the affairs of the Commission in accordance with the provisions of this Law; and
· hold office for a single term of five (5) years.
Sub-section 2 provides that the terms and conditions of appointment of the Executive Secretary shall be as specified in the letter of appointment.
In our view, restricting the qualification for Executive Secretary to a person with experience in Management Information Systems or Information Technology is unduly vague and restrictive. We believe there are other professions/professionals who have the requisite skill on data protection issues.
PART III
– SPECIAL POWERS OF THE COMMISSION
9.
Section 12 – Power to Obtain Information
Sub-section 1 provides that the Commission may, by notice in writing served on any person, request such information as is necessary or expedient for the performance of its functions under this Law, in a form that is visible, legible and easy to move.
Sub-section 2 provides that a notice under sub-section 1 shall inform the person to whom the notice is addressed of the right of appeal to the Court, and specify a compliance period of not more than twenty-one (21) days within which such person must respond to the notice.
Sub-section 5 provides that any person who, without reasonable excuse, fails or refuses to comply with a requirement specified in a notice, or who furnishes to the Commission information known to be false or misleading in a material particular, commits an offence and is liable on conviction to a fine not exceeding One Million Naira (N1,000,000.00) or to a term not exceeding Two (2) years, or both.
This Section gives the Commission the power to obtain information from any person by serving a notice in writing on such person. The recipient of the notice must, within the compliance period stated in the notice (not more than 21 days), either comply with the Commission’s request or challenge it in Court; failure to do so attracts a penalty.
10.
Section 13 – Power to Delegate
The Commission may delegate any of its investigating or enforcement powers under this Law to any person or Police officer designated by the State Commissioner of Police.
11.
Section 14 – Complaints
This Section provides that where a complaint is made to the Commission that this Law, or any regulations made under it, has been, is being or is about to be contravened, the Commission shall investigate the complaint or cause it to be investigated by an authorised officer, unless it is of the opinion that such complaint is frivolous or vexatious. The Commission shall, as soon as reasonably practicable, notify the complainant in writing of its decision in relation to the complaint, and the complainant may, if aggrieved by the Commission’s decision, appeal to the Court.
The Commission by this Section has the responsibility of receiving complaints and investigating them, after which it shall communicate its decision to the complainant. The procedure for making and addressing complaints has not been provided in the Bill. However, a complainant has a right of appeal in the event that he or she is dissatisfied with the decision of the Commission.
12.
Section 15 – Enforcement of Notice
Sub-section 1 provides that where the Commission is of the opinion that a data controller or a data processor has contravened, is contravening or is about to contravene this Law, the Commission may serve an enforcement notice on such data controller or data processor, requiring the data controller or data processor to take such steps within such time as may be specified in the notice.
Sub-section 2 provides that where the Commission is of the opinion that a person has committed an offence under this Law, it may investigate the matter, or cause the matter to be investigated.
Sub-section 6 provides that any person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding One Million Naira (N1,000,000.00) or to a term not exceeding Two (2) years, or to both.
This Section provides some preventive and corrective measures against a data controller or a data processor who has either contravened the Bill or is in the process of contravening the Bill.
13.
Section 16 – Preservation Order
The Commission may apply to the Court for an order for the expeditious preservation of data, including traffic data, where it has reasonable grounds to believe that such data is vulnerable to loss or modification.
Where the Court is satisfied that an order may be made under subsection (1), it shall issue a preservation order, which shall be valid for a period of not more than Ninety (90) days.
The Court may, on application made by the Commission, extend the period specified in subsection (2) for such time as the Court thinks fit.
It is interesting to note that traffic data has been expressly mentioned amongst other types of data. The reason for this may not be far from the intention of Lagos State to use traffic data in the prosecution of offences. That said, we see no reason why traffic data should be expressly mentioned, as the definition of data will naturally include traffic data.
14.
Section 17 – Power to Carry Out Prior Security Checks
Where the Commission is of the opinion that the processing or transfer of data by a data controller or data processor entails specific risks to the privacy rights of a data subject, it may inspect and assess the security measures taken prior to the beginning of the processing or transfer.
The Commission may, at any reasonable time during working hours, carry out further inspection and assessment of the security measures imposed on a data controller or data processor under this Law.
This Section seeks to hedge the risk of a data breach by giving the Commission the power to inspect the security systems of data controllers. However, a useful element which may be necessary as part of the Law is a requirement for a Data Protection Impact Assessment. Considering the level of risk to the privacy rights of a data subject, we believe the Law should mandate that such data controller or data processor conducts a Data Protection Impact Assessment (DPIA) and submits it to the Commission, in addition to the inspection requirement.
A DPIA is by its nature a risk assessment carried out to ascertain the possible implications of certain personal data processing activities, such as where there is a potential risk to the privacy rights of a data subject.
15.
Section 18 – Compliance Audit
The Commission shall carry out periodical audits of the systems of data controllers or data processors to ensure compliance with the data protection principles specified in the First Schedule to this Law.
These provisions on compliance audits appear vague, unclear and without structure as compared to the Nigeria Data Protection Regulation (NDPR). The provisions of the Bill do not specify how frequently the periodic audits will be carried out, or whether the Commission shall utilise the services of experts, as is the current practice of the National Information Technology Development Agency (NITDA), which uses Data Protection Compliance Organisations (DPCOs) for the purposes of compliance audits. Perhaps the Commission may rely on Section 19 of the Bill to request the assistance of DPCOs for the purpose of compliance audits.
That said, a likely consequence of compliance audits under the Law is the additional compliance cost to businesses of two layers of audit, under the Bill and under the NDPR.
16.
Section 19 – Power to Request Assistance
For the purposes of gathering information or the proper conduct of any investigation concerning compliance with this Law, the Commission may seek the assistance of such persons or authorities as may be necessary, and such person or authority may do such things as are reasonably necessary to assist the Commission in the performance of its functions.
Any person assisting the Commission under subsection (1) shall, for the purposes of confidentiality and oath under this Law, be deemed to be an officer of the Commission.
17.
Section 20 – Powers of Entry and Search
An authorised officer may enter and search any premises for the purpose of discharging any functions or exercising any powers under this Law.
An authorised officer shall not enter or search any premises without providing to the owner or occupier a warrant issued by a Magistrate for the purpose referred to in subsection (1).
For the purpose of carrying out the duties under this Section, the authorised officer may be accompanied by such person as the Commission thinks fit.
This Section gives the Commission, through an authorised officer, the right to search premises for the purpose of executing its functions. However, the Commission must ensure it obtains a search warrant from a Magistrate before it proceeds to search such property.
It is necessary to state that an authorised officer, as defined by the Bill, is “an officer to whom the Executive Secretary of the Data Protection Commission has delegated powers”.
18.
Section 21 – Obstruction of Authorised Officer
Any person who ―
· obstructs or impedes an authorised officer in the exercise of any of the powers under this Law;
· fails to provide reasonable assistance or relevant information requested by the authorised officer;
· refuses to allow an authorised officer, or any person in the company of such officer, to enter any premises in exercise of the functions under this Law; or
· gives to an authorised officer any information which is false and misleading in a material particular,
commits an offence and is liable on conviction to a fine not exceeding One Million Naira (N1,000,000) or to a term not exceeding Two (2) years, or both.
19.
Section 22 – Referral to the Police
On completion of an investigation, the Commission shall, where the investigation reveals that an offence has been committed under this Law or any regulations made under the Law, refer the matter to the Police for prosecution. The Police may also conduct further investigation to aid the prosecution of the case.
This Section gives the Police power to prosecute where it has been discovered that the Bill has been contravened. This provision shall be subject to the constitutional powers of the Attorney General, who reserves the right to take over or discontinue any criminal matter.
PART IV – OBLIGATIONS OF A DATA CONTROLLER
20.
Section 23 – Collection of Personal Data
Sub-section 1 provides that, subject to the provisions of this Law, a data controller shall not collect personal data unless―
· it is collected for a lawful purpose connected with a function or activity of the data controller; and
· the collection of the data is necessary for that purpose.
Sub-section 2 provides that where a data controller collects personal data directly from a data subject, the data controller shall, at the time of collecting the personal data, ensure that the data subject concerned is informed of―
· the fact that the data is being collected;
· the purpose for which the data is being collected;
· the intended recipients of the data;
· the name and address of the data controller;
· whether the supply of the data by that data subject is voluntary or mandatory;
· the consequences for that data subject if all or any part of the requested data is not provided;
· whether or not the data collected shall be processed and whether or not the consent of the data subject shall be required for such processing; and
· the data subject’s right of access to, possibility of correction of, and destruction of, the personal data to be provided.
This Section essentially enumerates the information which ought to be contained in the privacy notice of a data controller or processor. While the Bill simply states that the listed obligations are obligations of a data controller, it will be necessary for the Bill to expressly provide that this obligation applies to data processors as well.
Furthermore, the Bill has excluded the following information, which we believe needs to be disclosed to a data subject at the point of collection of his or her data:
a. the technical methods used to collect and store personal information, e.g. cookies; and
b. the remedies available in the event of a violation of the privacy notice.
21.
Section 25 – Processing of Personal Data
Subsection 1 provides that personal data shall not be processed unless the data controller has obtained the express consent of the data subject.
Subsection 2 provides that, notwithstanding subsection (1), personal data may be processed without obtaining the express consent of the data subject where the processing is necessary―
· for the performance of a contract to which the data subject is actively a party;
· in order to take steps required by the data subject prior to entering into a contract;
· in order to protect the vital interests of the data subject;
· for compliance with any legal obligation to which the data controller is subject;
· for the administration of justice; or
· in the public interest.
Subsection 5 provides that silence or inactivity shall not be construed as giving consent under this Law.
This Section enumerates the various lawful bases for data processing and seems to inadvertently elevate consent above the other lawful bases for processing personal data. It is necessary to state that consent as a lawful basis for personal data processing is not necessarily superior to the other lawful bases listed under Section 25 of the Bill.
As opposed to the NDPR, the Bill expands the lawful bases of data processing to include (i) where processing of personal data is necessary in order to take steps required by the data subject prior to entering into a contract, and (ii) the administration of justice.
From a drafting perspective, the provisions of Section 25(2)(b) of the Bill appear unclear as to the intention of the draughtsman. Perhaps the Section should be amended by substituting “data subject” with “data controller”, to read as follows:
“in order to take steps required by the data controller prior to entering into a contract”.
Furthermore, the inclusion of the administration of justice is in our view surplusage, as we believe this is encompassed under the principle of public interest.
The Bill limits vital interests to the vital interests of the data subject without more. We believe the vital interests legal basis should extend to the vital interests of another natural person, as there may be instances where the vital interests of another natural person may be adversely affected if processing on the basis of vital interests is limited to a particular data subject. We note that the extension of vital interests as a basis for processing the personal data of a natural person other than the data subject applies only to sensitive personal data. We believe this may be unduly restrictive.
The provision of Section 25(5) of the Bill reflects the principle that consent must be clear and unambiguous.
The Bill provides that Sensitive Personal Data[1] shall not be processed unless the data subject has (i) given express consent to the processing and (ii) made the data public, except where the processing is:
a. in fulfilment of a legal obligation imposed on a data controller in connection with the data subject’s employment;
b. in relation to the protection of the vital interests of the data subject or a natural person;
c. in relation to the protection of the vital interests of a natural person where consent by a data subject has been unreasonably withheld; or
d. for the performance of a contract to which the data subject is a party.
22.
Section 26 – Use of Personal Data
A data controller shall ensure that personal data is―
· kept only for the specified and lawful purposes for which such data has been collected and processed;
· not used or disclosed in any manner incompatible with the purposes for which such data has been collected and processed;
· adequate, relevant and not excessive in relation to the purposes for which such data has been collected and processed; and
· not kept for longer than is necessary for the purposes for which such data has been collected and processed.
23.
Section 27 – Security of Personal Data
Subsection 1 provides that a data controller shall―
· take appropriate security and organisational measures for the prevention of unauthorised access to, alteration, disclosure, accidental loss, and destruction of the data in the data controller’s control; and
· ensure that the measures provide a level of security appropriate to―
o the harm that might result from the unauthorised access to, alteration, disclosure, destruction or accidental loss of the data; and
o the nature of the data concerned.
24.
Section 28 – Personal Data Relating to a Child
A person shall not collect or process personal data relating to a child unless the collection or processing is―
· done with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child;
· necessary to comply with the law; or
· for research or statistical purposes.
While the NDPR does not define a child, the NDPR Implementation Framework defines a child to mean anyone under the age of 13. The Bill has not defined a child, and it will be necessary that this is done for the purpose of clarity. Inspiration for the definition of a child can be taken from the Child Rights Law of Lagos State, which defines a child as a person under the age of eighteen years[2].
25.
Section 29 – Duty to Destroy Personal Data
Where the purpose for keeping personal data has lapsed, the data controller shall―
· destroy such data not later than Seven (7) working days from the date the purpose for keeping such data lapses; and
· notify any data processor holding such data that the purpose for keeping such data has lapsed.
Any data processor who receives a notification under subsection (1)(b) shall, not later than five (5) working days from the date the notification was received, destroy the data specified by the data controller.
This Section compels data controllers to destroy personal data where the purpose for which the data was collected has been realised. This helps to minimise the risk of a data breach, as data which is no longer needed should be destroyed promptly.
That said, it is necessary to mention that, since the Bill does not provide for a data retention period, data controllers have the flexibility to keep personal data for as long as is necessary. Therefore, the obligation to destroy personal data may in practice be tied not to the purpose for processing the personal data but to the data retention policy of the relevant data controller.
Also, the Bill prescribes no punishment in the event of a breach of this obligation. However, contractual remedies may be available under the data protection agreement between a data controller and a data processor who has been notified to destroy data.
26.
Section 30 – Unlawful Disclosure of Personal Data
Subsection 1 provides that any data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purposes for which such data has been collected commits an offence.
Subsection 2 provides that any data processor who, without lawful excuse, discloses personal data processed, without the prior authority of the data controller on whose behalf such data is or has been processed, commits an offence.
Subsection 7 provides that any person that contravenes any of the provisions of this Section is liable on conviction to a fine not exceeding Five Million Naira (N5,000,000.00) or to a maximum term of Three (3), or to both.
In addition to contractual liabilities, the Bill makes it an offence to disclose personal data without lawful purpose and imposes a fine of not more than N5,000,000 or imprisonment. It is necessary to note that the term of imprisonment is not clear, as the Bill does not state whether the term will be in months or years.
It is necessary to state that the fine under the Bill is relatively low as compared to the NDPR, although the maximum fine imposed by NITDA as at the date of this document is N10,000,000. Also, unlike the NDPR, the Bill seeks to impose a term of imprisonment.
With respect to imprisonment, the Bill is inelegantly drafted to state that a person shall be liable upon conviction to a maximum term of imprisonment. Unfortunately, the Bill is not specific as to the person liable to imprisonment where the data controller or data processor is a company. This means that officers of a company may not be liable to imprisonment in the event of contravention of these provisions.
27.
Section 31 – Processing of Personal Data for Direct Marketing
Subsection 1 provides that a person may, at any time, by notice in writing, request a data controller to stop, or not to begin, the processing of personal data in respect of which such person is the data subject for the purposes of direct marketing.
Subsection 2 provides that a data controller who receives a request under subsection (1)(a) shall, not more than Fourteen (14) days after the request has been received―
· where the data are kept only for the purposes of direct marketing, erase the data; and
· where the data are kept for direct marketing and other purposes, stop processing the data for direct marketing.
Subsections 5 and 6 provide that where a data controller fails to comply with a notice under subsection (1), the data subject may appeal to and secure an order of the Court requiring compliance with such notice. A data controller who fails to comply with an order of the Court under subsection (5) commits an offence.
This Section gives data subjects the right to restrict data processing for the purpose of direct marketing. It further provides that an order of court can be obtained to mandate a controller to cease processing personal data for that purpose and, where the data controller fails to comply, such failure will be regarded as an offence. We note that the Bill does not prescribe the punishment for such failure. The reason for this may not be unconnected with the fact that failure to obey court orders will be regarded as contempt, with the courts having discretion to prescribe the relevant punishment.
28.
Section 32 – Processing of Personal Data for Direct Marketing by Electronic Means
Subsection 1 provides that the processing of personal data of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, short message service (SMS) or e-mail, is prohibited unless the data subject has given consent to the processing or is, subject to subsection (3), a customer of the data controller and has, at the prompting of the data controller, indicated an intention to remain a customer.
29.
Section 33 – Transfer of Personal Data
Subsection 1 provides that, subject to subsection (2), a data controller shall not, except with the written authorisation of the Commission, transfer personal data outside the State.
Subsection 2 provides that the data protection principle specified in the First Schedule shall not apply where –
· the data subject has given consent to the transfer;
· the transfer is necessary –
o for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to entering into a contract with the data controller;
o for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered into at the request of the data subject or is in the interest of the data subject, or for the performance of such a contract; and
o in the public interest, to safeguard public security or national security;
· the transfer is made on such terms as may be approved by the Commission as ensuring adequate safeguards for the protection of the rights of the data subject.
Subsection 3 provides that, for the purpose of subsection (2)(c), the adequacy of the level of protection of the State shall be assessed in the light of all the circumstances surrounding the data transfer, having regard in particular to –
· the nature of the data;
· the purpose and duration of the proposed processing;
· the State or country of origin and the State or country of final destination;
· the rules of law, both general and sectoral, existing in the State or country in question; and
· any relevant codes of conduct or other rules and security measures which are complied with in that State or country.
This provision is similar to the provisions of the NDPR as they relate to the transfer of personal data to a foreign country. The Bill subjects any form of transfer of data out of Lagos to the approval of the Commission. The Commission is expected to approve terms of transfer by ensuring that adequate safeguards for the transfer of personal data are put in place.
The Bill, without sufficient clarity, tries to create exceptions as to when a transfer can be done without the approval of the Commission.
A relevant question is whether there is a need for the approval of the Commission as it relates to transfers within Nigeria, considering the existence of the NDPR. In our view, to the extent that a data controller in a state outside Lagos State is able to establish compliance with the NDPR, the requirement for approval should not be necessary. This is necessary to ensure ease of business and the free flow of information with minimal regulatory bureaucracy. In addition, as with the NDPR, it will be useful if the Commission develops a whitelist of countries to which data can be transferred without the Commission's approval. Again, this will aid the ease of doing business.
PART V – OBLIGATIONS OF A DATA PROCESSOR
30.
Section 35 – Obtaining authorization of Data Controller
Subsection 1 provides that a data processor may only process personal data in accordance with the provisions of this Law and on the written instruction of the data controller, which shall include whether or not the data processor is permitted to transfer such personal data to another State, country or international organisation.
Subsection 2 provides that a data processor shall not engage another processor without the prior specific or general written consent of the data controller and, where such consent is given, shall ensure that such processor is committed to confidentiality or is under an appropriate statutory obligation of confidentiality.
Subsection 3 provides that where a general written authorisation is obtained, the data controller shall be notified of any intention by the data processor to make changes regarding the addition or replacement of any processor.
A data processor who intends to process data on behalf of a data controller must ensure that such data is processed in line with the agreement and the provisions of the Bill. The data processor shall only be permitted to subcontract its rights and obligations where it has obtained the consent of the data controller.
31.
Section 36 – Processing to be governed by contract or existing law
Processing of data for a data controller by a data processor shall be governed by a contract specifying the required terms of agreement made by the parties or by any existing Law.
This Section mandates that a data controller seeking to engage the services of a data processor must ensure both parties execute a contract which spells out the rights and obligations of the parties.
PART VI – THE DATA PROTECTION REGISTER
32.
Section 37 – Register of Data Controllers and Data Processors
Subsection 1 provides that the Commission shall open and maintain a Data Protection Register which shall contain details of data controllers and data processors in the State.
Subsection 2 provides that a data controller or data processor operating in the State shall, as from the commencement of this Law, register with the Commission.
Subsection 3 provides that any data controller or data processor that keeps or processes personal data or sensitive personal data without registering with the Commission commits an offence and is liable on conviction to a fine of Two Million Naira (₦2,000,000.00) or a term of two (2) years or both.
This Section mandates that a data controller or processor must register with the Commission, failing which an offence is committed with attendant fines and imprisonment. Again, the law is not clear on the provisions with respect to imprisonment, as it does not state that the imprisonment will apply to officers of corporate bodies.
33.
Section 38 – Procedure for Registration
Subsection 1 provides that a data controller or data processor shall submit a written application for registration, including relevant particulars, to the Commission.
Subsection 2 provides that where a data controller or data processor intends to keep or process personal data or sensitive personal data for two (2) or more purposes, separate applications shall be made in respect of each of the purposes, and entries shall be made in accordance with any such applications.
Subsection 3 provides that the Commission shall grant an application for registration, and register such applicant on payment of the prescribed fee, unless it reasonably believes that –
· the particulars proposed for inclusion in an entry in the register are insufficient, or any other information required by the Commission has not been furnished or is insufficient;
· appropriate safeguards for the protection of the privacy of the data subjects concerned are not being, or will not continue to be, provided by the data controller; or
· the person applying for registration is not a fit and proper person.
Subsection 4 provides that where the Commission refuses an application for registration, it shall, not later than Seven (7) working days from the date of refusal of such application, notify the applicant in writing –
· specifying the reasons for the refusal; and
· informing the applicant of the right to appeal against the refusal to the Court.
Subsection 5 provides that the Commission may, at any time, on the request of the person to whom an entry in the register relates, remove such name from the register.
The requirement for registration imposes additional compliance obligations on data controllers and administrators. The requirement for registration does not promote the ease of doing business.
34.
Section 39 – Particulars to be furnished by Data Controller
Subsection 1 provides that a data controller who applies for registration shall provide the following particulars –
· name and address of the data controller;
· where a representative has been nominated for the purposes of this Law, the name and address of such representative;
· a description of the personal data being, or to be, processed by or on behalf of the data controller, and the category of data subjects to which the personal data relate;
· a statement as to whether or not the data controller holds, or is likely to hold, sensitive personal data;
· a description of the purpose for which the personal data is being or is to be processed;
· a description of any recipient to whom the data controller intends to disclose the personal data;
· the names, or a description, of any State or country to which the data controller directly or indirectly transfers, or intends, directly or indirectly, to transfer the data; and
· the class of data subjects, or where practicable the names of data subjects, in respect of which the data controller holds personal data.
35.
Section 40 – Particulars to be furnished by Data Processor
Subsection 1 provides that a data processor who applies for registration under this Law shall provide the following particulars –
· name and address of the processor;
· a description of the personal data being, or to be, processed, and the category of data subjects to which the personal data relate;
· the state or country to which the data processor transfers, or intends to transfer, the personal data;
· a statement as to whether or not the data processor processes, or intends to process, sensitive personal data; and
· such other particulars as the Commission may require.
36.
Section 43 – Duration of Registration
Registration under this Law shall be renewable annually and, at the expiration of registration, the relevant entry shall be cancelled unless the registration is renewed.
Data controllers and data processors shall ensure their registration is renewed annually.
PART VII – RIGHTS OF DATA SUBJECT
37.
Section 45 – Access to Personal Data
Subsection 1 provides that a data controller shall, on the written request of a data subject or a relevant person –
· inform the data subject or the relevant person –
o whether the data kept by the data controller include personal data relating to the data subject;
o the purposes for which the data are being or are to be processed;
o the recipients or classes of recipients to whom they are or may be disclosed; and
· supply the data subject or the relevant person with a copy of any data referred to in paragraph (a) on payment of the prescribed fee.
We believe that the right of a data subject to access his or her personal data is an inherent right and should not be subject to the payment of fees, save in cases where the demands of the data subject are excessive.
38.
Section 46 – Denial of Access to Personal Data
Subsection 1 provides that a data controller may refuse a request for access where –
· there is insufficient information to identify the person making the request and to locate the information being sought;
· compliance with such request will be in contravention of a confidentiality obligation imposed under any other law.
Subsection 2 provides that where compliance with a request for access will lead to disclosing personal data relating to a third party, such data controller may refuse the request unless –
· the third party has consented to the disclosure of such personal data to the person making the request; or
· the person making the request obtains the written approval of the Commission.
Subsection 3 provides that, in considering a request under subsection (2)(b), the Commission shall have regard in particular to –
· any duty of confidentiality owed to the third party;
· any steps taken by the data controller with a view to seeking the consent of such third party;
· whether the third-party individual is capable of giving consent; and
· any express refusal of consent by the third party.
Subsection 4 provides that where a data controller has previously complied with a request for access by a data subject, the data controller is not obliged to comply with a subsequent identical or similar request from such data subject unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
Subsection 5 provides that in determining, for the purposes of subsection (4), whether requests for access are made at reasonable intervals, regard shall be had to –
· the nature of the data;
· the purpose for which the data are processed; and
· the frequency with which the data are altered.
Subsection 6 provides that a data controller shall not comply with a request for access where –
· the request is in respect of information given or to be given in confidence for the purposes of –
o the education, training or employment, or prospective education, training or employment, of the data subject;
o the appointment, or prospective appointment, of the data subject to any office; or
o the provision, or prospective provision, by the data subject of any service;
· the personal data requested consist of information recorded by candidates during an academic, professional or other examination; and
· such compliance would, by revealing evidence of the commission of any offence other than an offence under this Law, expose the data controller to proceedings for that offence.
This Section provides for instances where the data subject's access to his or her personal information may be qualified or denied.
With respect to denial on the basis of confidentiality, it is necessary to mention that this provision may not apply to a request made by a data subject with respect to his or her personal data. The right of access by a data subject to his or her data should not be denied on the basis of confidentiality.
Furthermore, a data controller is not obliged to grant access to personal data where the information is given in confidence for the purpose of employment or training of data subjects.
39.
Section 47 – Inaccurate Personal Data
Subsection 1 provides that a data controller shall, on being informed of the inaccuracy of personal data by a data subject to whom such data pertains, cause such data to be rectified, blocked, erased or destroyed, as appropriate.
Subsection 2 provides that where a data controller is aware that a third party holds inaccurate personal data, such data controller shall, not later than seven (7) working days thereafter, require the third party to rectify, block, erase or destroy the data, as appropriate.
PART VIII – EXEMPTIONS
40.
Section – National Security
Subsection 1 provides that personal data are exempt from any provision of this Law where the non-application of such provision will, in the opinion of the Governor, be required for the purpose of safeguarding State or national security.
Subsection 2 provides that in any proceedings in which the non-application of the provisions of this Law on grounds of national security is in question, a certificate under the hand of the Governor referred to in subsection (1), certifying that such is the case, shall be conclusive evidence of that fact.
This Section connotes that the safeguards and measures put in place by this Bill for the processing of personal data shall not apply in situations where, in the opinion of the Governor, there appears to be a need to safeguard State or national security. Therefore, the enforcement of the rights of a data subject shall be made subject to national security issues.
41.
Section 49 – Crime and Tax related Data
The processing of personal data for the purposes of –
· the prevention or detection of crime;
· the apprehension or prosecution of offenders; or
· the assessment or collection of any tax, duty or any imposition of a similar nature
shall be exempt from –
- the second, third, fourth and eighth data protection principles;
- the provisions of Sections 24 to 26 of this Law; and
- Part VII of this Law in respect of blocking personal data,
to the extent to which the application of such provisions will be likely to prejudice any of the matters specified in paragraphs (a) to (c).
This section expressly ensures that, when processing personal data for the purpose of crime prevention and control, the investigative and prosecutorial authorities shall have the right to process data which may be excessive or outdated, as the case may be. The manner in which data has been obtained shall not be queried or put to question, and the investigative or prosecutorial authority shall have the right to transfer data without obtaining the consent of the data subject.
42.
Section 50 – Health and Social work-related Data
Subsection 1 provides that a data controller is not bound to grant access to personal data where the personal data to which access is being sought relates to the physical or mental health of the data subject, and the grant of access to such personal data is likely to cause serious harm to the physical or mental health of the data subject or of any other person.
Subsection 2 provides that the Governor may, by notice in the Gazette or by regulations, waive the obligation to grant access to personal data on a public authority, voluntary organisation or any other similar body as may be prescribed, where such public authority, voluntary organisation or other body carries out social work in relation to a data subject or any other individual, and the application of that section is likely to prejudice the carrying out of the social work.
This Section restricts the right of a data subject to request medical records relating to his or her physical or mental health where the disclosure of the same will put the data subject in harm's way. This provision ensures that such data which is likely to cause harm to the physical or mental health (shock) of a data subject shall only be accessed with the aid of a professional, i.e. a social worker.
43.
Data for Journalistic, literary and artistic purposes
Subsection 1 provides that the processing of personal data for journalistic, literary and artistic purposes shall be exempt from the provisions specified in subsection (2) where –
· such processing is undertaken with a view to the publication of any journalistic, literary or artistic material;
· the data controller involved in such processing is of the opinion that –
o the publication will be in the public interest; and
o compliance with any such provisions will be incompatible with such purposes.
44.
Section 52 – Educational and Sensational Data
Subsection 1 provides that personal data which are processed only for educational, research, historical or statistical purposes shall be exempt from the fifth data protection principle.
Subsection 2 provides that the exemption shall not be applicable where –
· such personal data are not processed to support measures or decisions with respect to particular individuals; and
· such personal data are not processed in a way that will substantially damage or distress any data subject or will likely cause such damage or distress.
This Section gives a data controller the right to keep Educational and Sensational Data for as long as it is deemed necessary.
45.
Section 53 – Information available to the Public under a Law
Where personal data consists of information which the data controller is obliged under a Law to make available to the public, such data shall be exempt from –
· the second, third, fourth, fifth and eighth data protection principles;
· Sections 25 to 30; and
· Part VII in respect of blocking personal data.
This Section mandates data controllers to make information (including personal data) available to the public where a law mandates such data controller to make information available to the public. This provision tacitly recognises the role of the Freedom of Information Act, which mandates government establishments to make information available to the public.
46.
Section 54 – Disclosure required by Law or in Connection with Legal Proceedings
Personal data are exempt from –
· the second, third, fourth and fifth data protection principles;
· Sections 24 to 29; and
· Part VII in respect of blocking personal data,
where –
o the disclosure of such data is required under any Law or by a Court order;
o the disclosure of such data is necessary for the purpose of, or in connection with, any ongoing or prospective legal proceedings;
o the disclosure of such data is necessary for the purpose of obtaining legal advice; or
o the disclosure is otherwise necessary for the purpose of establishing, exercising or defending legal rights.
This Section dispenses with the rights afforded to a data subject whose data are required by Law in connection with any legal proceeding.
47.
Section 55 – Legal Professional Privilege
Personal data are exempt from –
· the second, third, fourth and fifth data protection principles; and
· Section 25,
where the data consist of information in respect of which a claim to legal professional privilege, or confidentiality as between client and legal practitioner, could be maintained in legal proceedings, including prospective legal proceedings.
This section dispenses with the need for a data controller to obtain consent from a data subject in situations and circumstances where a claim to legal professional privilege between a client and legal practitioner can be maintained.
48.
Section 56 – Domestic Purposes
Personal data processed by an individual are exempt from –
· the data protection principles; and
· Part VI and Part VII,
where such processing is only for the purposes of that individual's personal, family or household affairs or for recreational purposes.
This Bill shall not apply to data processed for an individual's domestic, personal and recreational purposes.
PART IX – MISCELLANEOUS
49.
Section 61 – Offences and Penalties
Subsection 1 provides that any person who unlawfully destroys, deletes, misrepresents, conceals or alters personal data commits an offence and is liable on conviction to a fine not exceeding Two Million Naira (₦2,000,000.00) or a maximum term of three (3) years or both.
Subsection 2 provides that any person who contravenes any provision of this Law for which no specific penalty is provided commits an offence and is liable on conviction to a fine not exceeding Two Million Naira (₦2,000,000.00) or to a term not exceeding three (3) years or to both.
This Section penalises the unlawful destruction, deletion, misrepresentation and concealment of data. It also penalises anyone who contravenes a provision of the Bill for which no specific penalty has been provided.
50.
Section 62 – Forfeiture
In addition to any penalty, the Court may –
· order the forfeiture of any equipment or any article used or connected in any way with the commission of an offence;
· order or prohibit the doing of any act to stop a continuing contravention.
The Commission, in addition to other reliefs, has the option of requesting the Court to order the forfeiture of any equipment used in the commission of an offence.
[1] Please note that under the Bill, Sensitive Personal Data means personal information concerning a data subject and includes information as to –
(a) the racial or ethnic origin;
(b) political opinion or adherence;
(c) religious or other similar beliefs;
(d) membership of a trade union;
(e) physical or mental health;
(f) sexual preferences or practices;
(g) the commission or alleged commission of an offence;
(h) any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings; or
(i) any other sensitive personal information that is reasonably permissible.
[2] Section 262 of the Child's Rights Law of Lagos State 2007
Before the Lagos
State House of Assembly, is “a
bill for a law to promote the protection of personal information processed by
public and private bodies, establish minimum requirements for the processing
and protection of personal information, establish the data protection
commission and for connected purposes”.
In this briefing note, we highlight a
summary of the key provisions of the Bill:
A.
Features of the Bill: |
|
Short Title: |
Lagos State Data
Protection Bill, 2021. |
Principal Purpose: |
The Bill is largely designed to protect
individuals from having their personal information misused, exploited or
mishandled. |
Application: |
Lagos State. |
No. of Sections: |
65 |
Number of parts: |
10 |
Number of Schedules: |
2 |
B.
Summary of Major Provisions of the Bill and Remarks: |
The relevant provisions are as
follows:
S/N |
The Principal
Act |
The Bill |
Remarks |
PART 1- PRELIMINARY PROVISIONS |
|||
1. |
Section 2
– Application |
This Law applies to the processing of data entered in a record
by making use of automated or non-automated means provided that when the recorded
data is processed by non-automated means it forms or is intended to form part
of a filing system. The law shall also
apply where the data controller is domiciled in the State or
not domiciled in the State but makes
use of automated or non-automated means
in the State,
unless those means
are used only to
forward personal data through the State.
|
The Bill regulates the
automated or non-automated means of processing Data by or on behalf of a data
controller who is either domiciled in Lagos State or not domiciled but makes
use of automated or non-automated means in the State.
In terms of scope, the
proposed Bill seem to apply to not only to personal data but data in general.
Personal Data is defined
by the Bill as: “(a) data
which relate to an identified or identifiable person; or (b) data or
other information, including an opinion forming part of a database, whether
or not recorded in a material form, about an individual whose identity is
apparent or can reasonably be ascertained from the data, information or opinion.”
Data is defined by the
Bill as: “information in a form which is capable of being processed through any
equipment operating automatically in response to instructions given for that
purpose and is recorded- (a)
with
the intent of being processed
by such equipment; or (b)
as
part of a relevant filing system or intended to be part of a relevant filing
system;
The language of Section
2(1)(a) of the Bill seem to suggest that the Law does not apply to personal
data processed by non-automated means which does not form or intended to form
part of a filing system. |
PART II – ESTABLISHMENT OF THE DATA PROTECTION COMMISSION |
|||
2. |
Section 3 – Establishment of the Data
Protection Commission
|
There shall be a body
established to be known as Data Protection Commission and it shall be a body
Corporate, sue and can be sued in its name, hold, acquire and dispose of
movable and immovable property amongst others. |
|
3. |
Section 4
– Functions of the Agency |
Some significant functions of the Agency include to: · take measures to ensure that personal data is collected, held or
processed in a manner as not to infringe on the privacy of a data subject; · ensure compliance with the provisions of this Law, and any
regulations made under the Law; · open and maintain a register of all data controllers and data
processors; · regulate data processing activities,
and verify whether the processing of data is in accordance
with this Law or
regulations made under it; · promote
self-regulation among data controllers
and data processors; · investigate any complaint
or information which give rise to a suspicion that an offence, under this Law may have been, is being or is
about to be committed; · sensitize the general public about the provisions of this Law; · undertake research, and monitor developments in data processing, data–matching, data linkage and information, including communication technologies, and ensure that there are no significant risks of any adverse effects of those developments on the privacy of individuals; · examine proposals for any data matching
procedure or data linkage that may involve
an interference
with, or otherwise have adverse
effects on
the
privacy of
individuals and,
ensure
that
any adverse effects
of such proposal on the privacy of individuals are minimised; ·
co–operate with supervisory authorities within and
outside the state, to the extent necessary for the performance of its
functions under this Law; and ·
carry
out any other function that may be necessary to the attainment of the
objectives of this Law.
|
The Commission shall be
responsible for the administration of the Bill. The Commission shall regulate
data protection activities in a bid to ensure the rights and obligations of
data subjects and data controllers are adequately provided for.
The Bill while seeking to
establish the Commission as the supervisory authority will be saddled with
the function amongst other things to (i) open and maintain a register for
data controllers and data processors. It will be interesting to see how the
supervisory authority will be able to achieve this bearing in the mind the
number of data controllers and processors within the state. Perhaps the
Commission may need to consider having a threshold before a data controller
or processor will “qualify” for registration as it may be administratively
challenging to ask all categories or types of data controllers or processors
to register bearing in mind that almost every person processes data on a
daily basis.
With respect to promotion
of self regulation among data controllers and processors, it remains to be
seen how the Commission will perform this function.
|
4. |
Section 5
– Powers of the Commission |
The Powers of the Commission includes to: ·
enter into, carry out, assign or accept the
assignment of, vary or rescind, any contract, agreement or other obligation
in line with its functions under this Law;
·
accept gifts and donations, whether subject to any
trust or not, as may be required by the Commission in the performance of its
functions under this Law;
·
investigate contravention complaints and take
necessary legal steps to redress the complaints;
·
subject to the approval of the Governor, become a
member of or affiliate to any international body concerned with (whether in
whole or in part) the privacy of individuals in relation to personal data;
and ·
Exercise such other powers as are conferred under
this Law or any other Law.
|
|
5. |
Section 6
– Establishment and Composition of
Governing Board |
Sub-section 1 of the Law
establishes a governing board to be called “the board”.
Sub-section 2 of the Law
provides for the composition of the Board which includes: · a Chairman who shall be a qualified Information
Technology practitioner with not less than Ten (10) years post qualification
experience; · the Executive Secretary of the
Commission; · the Commissioner for Science and
Technology · a renowned Management Information
System professional; · a Cyber Security Systems Professional; · a retired Commissioner of Police; · a representative of the organised
private sector; and · the Legal Adviser of the Commission.
· The Board Members shall be appointed by the
Governor on the recommendation of the Commissioner |
The Bill is vague on who qualifies as an
Information Technology practitioner, it may be useful to have some objective
criterion with regards to qualification. |
6. |
Section 7
– Tenure and Remuneration of members |
Sub-section 1
provides that the
Chairman and members of the Board except the Executive Secretary shall be
appointed to serve as part-time members and hold office for four (4) years
and be eligible to another term of four (4) years only. Sub-section 2 provides that the
Chairman and other members of the Board shall be paid such remuneration as
the Governor may determine.
|
The Board members except
the executive Secretary are entitled for a four-year term which is renewable
for another four years. |
7. |
Section 8
– Functions of the Board |
The Board’s functions include to:
· set up guidelines relating to collection, processing and transfer of personal data in the State;
· make recommendations to the State Government on matters relating to data protection and protection of privacy of residents of the State;
· set up the security codes and minimum requirements to be met by data controllers and processors in processing personal information in the State; and
· carry out such other functions as may be expedient to give effect to the provisions of this Law. |
This Section saddles the
Board with the responsibility of setting up guidelines for regulating the collection,
processing, and transfer of data in Lagos state. The guidelines shall provide
a framework and road map for the applicability of the Bill. |
8. |
Section 9
– Appointment of the Executive Secretary |
Sub-section 1 provides that there shall be appointed by the Governor an Executive Secretary who shall –
· be a person of proven integrity with not less than Ten (10) years post qualification experience in Management Information Systems or Information Technology;
· be the Chief Executive and Accounting Officer of the Commission;
· be responsible for the execution of the policy and the day to day administration of the affairs of the Commission in accordance with the provisions of this Law; and
· hold office for a single term of five (5) years.
Sub-section 2 provides that the terms and conditions of appointment of the Executive Secretary shall be as specified in the letter of appointment. |
In our view, restricting the qualification of the Executive Secretary to a person with experience in Management Information Systems or Information Technology is unduly vague and restrictive. We believe there are other professions/professionals who have the requisite skills on data protection issues. |
PART III
– SPECIAL POWERS OF THE COMMISSION |
|||
9. |
Section
12 – Power to Obtain Information |
Sub-section 1 provides that the Commission may, by notice in writing served on any person, request such information as is necessary or expedient for the performance of its functions under this Law, in a form that is visible, legible and easy to move.
Sub-section 2 provides that a notice under sub-section 1 shall inform the person to whom the notice is addressed of the right of appeal to the Court and specify a compliance period of not more than Twenty-one (21) days within which such person must respond to the notice.
Sub-section 5 provides that any person who, without reasonable excuse, fails or refuses to comply with a requirement specified in a notice, or who furnishes to the Commission information known to be false or misleading in a material particular, commits an offence and is liable on conviction to a fine not exceeding One Million Naira (
|
This Section gives the Commission the power to obtain information from any person by serving a notice in writing on such person. The recipient of the notice is expected to either comply with the Commission’s request or challenge it in Court within 21 days, as failure to do either will attract a penalty. |
10. |
Section
13 – Power to delegate |
The
Commission may delegate any of its investigating or enforcement powers under this Law to any person or Police officer designated
by the State Commissioner of Police. |
|
11. |
Section
14 – Complaints |
This section provides that where a complaint is made to the Commission that this Law, or any regulations made under it, has been, is being or is about to be contravened, the Commission shall investigate the complaint or cause it to be investigated by an authorised officer, unless it is of the opinion that such complaint is frivolous or vexatious. The Commission shall, as soon as reasonably practicable, notify the complainant in writing of its decision in relation to the complaint and that the complainant may, if aggrieved by the Commission’s decision, appeal to the Court.
|
The Commission by this Section has the responsibility of receiving complaints and investigating same, after which it shall communicate its decision to the complainant. The procedure for making and addressing complaints has not been provided in the Bill. However, a complainant has a right of appeal in the event he or she is dissatisfied with the decision of the Commission. |
12. |
Section
15 – Enforcement of Notice |
Sub-section 1 provides that where the Commission is of the opinion that a data controller or a data processor has contravened, is contravening or is about to contravene this Law, the Commission may serve an enforcement notice on such data controller or data processor, requiring the data controller or data processor to take such steps within such time as may be specified in the notice.
Sub-section 2 provides that where the Commission is of the opinion that a person has committed an offence under this Law, it may investigate the matter, or cause the matter to be investigated.
Sub-section 6 provides that any person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding One Million Naira (
|
This Section provides some preventive and corrective measures for a data controller or a data processor who has either contravened the Bill or is in the process of contravening the Bill. |
13. |
Section
16 – Preservation Order |
The Commission may apply to the Court for an order for the expeditious preservation of data, including traffic data, where it has reasonable grounds to believe that such data is vulnerable to loss or modification. Where the Court is satisfied that an order may be made under subsection (1), it shall issue a preservation order which shall be valid for a period of not more than Ninety (90) days. The Court may, on application made by the Commission, extend the period specified in subsection (2) for such time as the Court thinks fit. |
It is interesting to note that traffic data seems to have been expressly mentioned amongst other types of data. The reason for this may not be far from the intention of Lagos State to use traffic data in the prosecution of offences. That said, we see no reason why traffic data should be expressly mentioned, as the definition of data will naturally include traffic data. |
14. |
Section
17 – Power to carry out prior security checks |
Where the Commission is of the opinion that the processing or transfer
of data by a data controller or data processor entails specific risks to the
privacy rights of a data subject, it
may inspect and assess the security
measures taken prior to the beginning of
the processing or
transfer.
The Commission may, at any reasonable time during working hours, carry out further inspection and assessment of
the security measures imposed on a data controller or
data processor under this Law.
|
This Section seeks to hedge the risk of a data breach by giving the Commission the power to inspect the security systems of data controllers. However, a useful element which may be necessary as part of the law is the requirement of a Data Protection Impact Assessment. Considering the level of risk to the privacy rights of a data subject, we believe the Law should mandate that such data controller or data processor conducts a Data Privacy Impact Assessment (DPIA) and submits same to the Commission, in addition to the inspection requirement.
A DPIA is by its nature a risk assessment done to ascertain the possible implications of certain personal data processing activities, such as where there is a potential risk to the privacy rights of a data subject.
|
15. |
Section
18 – Compliance Audit |
The
Commission shall carry out periodical audits of the systems of data
controllers or data processors to ensure compliance with data protection
principles specified in the First Schedule to this Law. |
These provisions on compliance audits appear vague, unclear and without structure as compared to the Nigeria Data Protection Regulation (NDPR). The provisions of the Bill do not provide for whether the compliance audits will be periodic or whether the Commission shall utilise the services of experts, as is the current practice of the National Information Technology Development Agency (NITDA), which uses Data Protection Compliance Organisations (DPCOs) for the purposes of compliance audits. Perhaps the Commission may rely on Section 19 of the Bill to request the assistance of DPCOs for the purpose of compliance audits.
That said, a potential impact of compliance audits under the Law is the compliance cost to businesses of two layers of audit, one under the Bill and one under the NDPR. |
16. |
Section
19 – Power to Request Assistance |
For purposes of gathering information
or the proper conduct of any investigation concerning compliance with this
Law, the Commission may seek the assistance of such persons or authorities,
as may be necessary and such person or authority may do such things as are
reasonably necessary to assist the Commission in the performance of its functions.
Any person assisting the Commission
under subsection (1) shall for the purposes of confidentiality and oath under
this Law, be deemed to be an officer of the Commission.
|
|
17. |
Section
20 – Powers of Entry and Search |
An authorised officer may enter and search any
premises for the purpose of discharging any functions or exercising any
powers under this Law. An authorised officer shall not enter or search any
premises without providing to the owner or occupier, a warrant issued by a
Magistrate for the purpose referred to in subsection (1). For the purpose of carrying out the duties under
this section, the authorised officer may be
accompanied by such person as the Commission thinks fit.
|
This Section gives the Commission, through an authorised officer, the right to search premises for the purpose of executing its functions. However, the Commission must ensure it obtains a search warrant from a Magistrate before it proceeds to search such property.
It is necessary to state that an authorised officer, as defined by the Bill, is “an officer to whom the Executive Secretary of the Data Protection Commission has delegated powers”. |
18. |
Section
21 – Obstruction of authorised officer |
Any person who ―
· obstructs or impedes an authorised officer in the exercise of any of the powers under this Law;
· fails to provide reasonable assistance or relevant information requested by the authorised officer;
· refuses to allow an authorised officer or any person in the company of such officer to enter any premises in exercise of the functions under this Law; or
· gives to an authorised officer any information which is false and misleading in a material particular
commits an offence and is liable on conviction to a fine not exceeding One Million Naira (
|
|
19. |
Section 22 – Referral to the Police |
On completion of an investigation, the
Commission shall, where the investigation reveals that an offence has been committed
under this Law or any regulations made under the Law, refer the matter to the
Police for prosecution. The Police may also conduct further investigation to
aid the prosecution of the case.
|
This Section gives the Police power to prosecute where it has been discovered that the Bill has been contravened. This provision shall be subject to the constitutional powers of the Attorney General, who reserves the right to take over or discontinue any criminal matter. |
PART IV – OBLIGATIONS OF A DATA CONTROLLER |
|||
20. |
Section
23 – Collection of Personal Data |
Sub-section 1 provides that, subject to the provisions of this Law, a data controller shall not collect personal data unless –
· it is collected for a lawful purpose connected with a function or activity of the data controller; and
· the collection of the data is necessary for that purpose.
Sub-section 2 provides that where a data controller collects personal data directly from a data subject, the data controller shall at the time of collecting personal data ensure that the data subject concerned is informed of ―
· the fact that the data is being collected;
· the purpose for which the data is being collected;
· the intended recipients of the data;
· the name and address of the data controller;
· whether or not the supply of the data by that data subject is voluntary or mandatory;
· the consequences for that data subject if all or any part of the requested data is not provided;
· whether or not the data collected shall be processed and whether or not the consent of the data subject shall be required for such processing; and
· the data subject’s right of access to, possibility of correction, and destruction of, the personal data to be provided.
|
This Section essentially enumerates the information which ought to be contained in a privacy notice of a data controller or processor. While the Bill simply states that the listed obligations are obligations of a data controller, it will be necessary for the Bill to expressly include that this obligation applies to data processors as well.
Furthermore, the Bill has excluded the following information which we believe needs to be disclosed to a data subject at the point of collection of his data. Such information includes:
a. technical methods used to collect and store personal information, e.g. cookies.
b. available remedies in the event of violation of the privacy notice.
|
21. |
Section
25 – Processing of Personal Data |
Subsection 1 provides that personal data shall not be processed unless the data controller has obtained the express consent of the data subject.
Subsection 2 provides that, notwithstanding subsection (1), personal data may be processed without obtaining the express consent of the data subject where the processing is necessary –
· for the performance of a contract to which the data subject is actively a party;
· in order to take steps required by the data subject prior to entering into a contract;
· in order to protect the vital interests of the data subject;
· for compliance with any legal obligation to which the data controller is subject;
· for the administration of justice; or
· in the public interest.
Subsection 5 provides that silence or inactivity shall not be construed as giving consent under this Law. |
This Section enumerates the various lawful bases for data processing and seems to inadvertently elevate consent as a lawful basis for processing personal data. It is necessary to state that consent as a lawful basis for personal data processing is not necessarily superior to the other lawful bases listed under Section 25 of the Bill.
As opposed to the NDPR, the Bill expands the lawful bases of data processing to include (i) where processing of personal data is necessary in order to take steps required by the data subject prior to entering into a contract and (ii) the administration of justice.
From a drafting perspective, the provisions of Section 25(2)(b) of the Bill appear unclear as to the intention of the draughtsman. Perhaps the section should be amended by substituting “data subject” with “data controller” to read as follows: “in order to take steps required by the data controller prior to entering into a contract”.
Furthermore, the inclusion of administration of justice is, in our view, surplusage, as we believe this is encompassed under the principle of public interest.
The Bill limits vital interests to the vital interests of the data subject without more. We believe the vital interests legal basis should extend to the vital interests of another natural person, as there may be instances where the vital interests of another natural person may be adversely affected if processing on the basis of vital interests is limited to a particular data subject. We note that the extension of vital interests as a basis for the processing of personal data to a natural person apart from the data subject will only be applicable to sensitive personal data. We believe this may be unduly restrictive.
The provision of Section 25(5) of the Bill reflects the principle of consent being clear and unambiguous.
The Bill provides that Sensitive Personal Data[1] shall not be processed unless the data subject has (i) given express consent to the processing and (ii) made the data public, except where:
a. in fulfilment of a legal obligation imposed on a data controller in connection with the data subject’s employment;
b. in relation to the protection of the vital interests of the data subject or a natural person;
c. in relation to the protection of the vital interests of a natural person where consent by a data subject has been unreasonably withheld; or
d. in performance of a contract to which the data subject is a party.
|
22. |
Section
26 – Use of Personal Data |
A data controller shall ensure that personal data is ―
· kept only for specified and lawful purposes for which such data has been collected and processed;
· not used or disclosed in any manner incompatible with the purposes for which such data has been collected and processed;
· adequate, relevant and not excessive in relation to the purposes for which such data has been collected and processed; and
· not kept for longer than is necessary for the purposes for which such data has been collected and processed.
|
|
23. |
Section
27 – Security of Personal Data |
Subsection 1 provides that a data controller shall –
· take appropriate security and organisational measures for the prevention of unauthorised access to, alteration, disclosure, accidental loss, and destruction of the data in the data controller’s control; and
· ensure that the measures provide a level of security appropriate to the –
o harm that might result from the unauthorised access to, alteration, disclosure, destruction, accidental loss of the data; and
o nature of the data concerned. |
|
24. |
Section
28 – Personal Data relating to a child |
A person shall not collect or process personal data relating to a child unless the collection or processing is ―
· done with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child;
· necessary to comply with the law; or
· for research or statistical purposes. |
While the NDPR does not define a child, the NDPR Implementation Framework defines a child to mean anyone under the age of 13. The Bill has not defined a child, and it will be necessary for this to be done for the purpose of clarity. Inspiration for the definition of a child can be taken from the Child Rights Law of Lagos, which defines a child as a person under the age of eighteen years[2]. |
25. |
Section
29 – Duty to destroy Personal Data |
Where the purpose for keeping personal data has lapsed, the data controller shall ―
· destroy such data not later than Seven (7) working days from the date the purpose for keeping such data lapses; and
· notify any data processor holding such data that the purpose for keeping such data has lapsed.
Any data processor who receives a notification under subsection (1)(b) shall, not later than five (5) working days from the date the notification was received, destroy the data specified by the data controller.
|
This Section compels data controllers to destroy data where the purpose for which the data was collected has been realised. This helps to minimise the risk of a data breach, as data which is no longer needed should be destroyed in record time.
That said, it is necessary to mention that, because the Bill does not provide for a data retention period, data controllers have the flexibility to keep personal data for as long as is necessary. Therefore, the obligation to destroy personal data may not necessarily be tied to the purpose for processing personal data but to the data retention policy of the relevant data controller.
Also, the Bill prescribes no punishment in the event of a breach of this obligation. However, contractual remedies may be available under a data protection agreement between a data controller and a data processor who has been notified to destroy data. |
26. |
Section
30 – Unlawful Disclosure of Personal Data |
Subsection 1 provides that any data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purposes for which such data has been collected commits an offence.
Subsection 2 provides that any data processor who, without lawful excuse, discloses personal data processed, without the prior authority of the data controller on whose behalf such data is or has been processed, commits an offence.
Subsection 7 provides that any person that contravenes any of the provisions of this Section is liable on conviction to a fine not exceeding Five Million Naira (N5,000,000.00) or to a maximum term of Three (3) or to both.
|
In addition to
contractual liabilities, the Bill considers it an offence to disclose
personal data without lawful purpose and imposes a fine not more than
N5,000,000 or imprisonment. It is necessary to note the term of imprisonment
is not clear as it does not state whether the term will be in months or
years.
It is necessary to state
that the fine under the Bill is relatively low as compared to the NDPR. Although
it is necessary to state that the maximum fine imposed by NITDA as at the
date of this document is
With respect to
imprisonment, the Bill is inelegantly drafted to state that a person shall be
liable upon conviction to a maximum term of imprisonment. Unfortunately, the
Bill is not specific as to the person capable of imprisonment where the data
controller or data processor is a company. This means that officers of a
company may not be liable to imprisonment in the event of contravention of
these provisions. |
27. |
Section
31 – Processing of Personal Data for Direct Marketing |
Subsection 1 provides that a person may, at any time, by notice in writing, request a data controller to stop, or not to begin, the processing of personal data in respect of which such person is a data subject, for the purposes of direct marketing.
Subsection 2 provides that a data controller who receives a request under subsection (1)(a) shall, not more than Fourteen (14) days after the request has been received –
· where the data are kept only for purposes of direct marketing, erase the data; and
· where the data are kept for direct marketing and other purposes, stop processing the data for direct marketing.
Subsections 5 & 6 provide that where a data controller fails to comply with a notice under subsection (1), the data subject may appeal to and secure an order of the Court to comply with such notice. A data controller who fails to comply with an order of the Court under subsection (5) commits an offence. |
This Section gives data subjects the right to restrict data processing for the purpose of direct marketing. This Section further provides that an order of court can be obtained to mandate a controller to cease processing of personal data and, where such data controller fails to comply, such failure will be regarded as an offence. We note that the Bill does not prescribe the punishment for such failure. The reason for this may not be unconnected with the fact that failure to obey court orders will be regarded as contempt, with the courts having discretion to prescribe the relevant punishment. |
28. |
Section 32 – Processing of Personal Data for Direct Marketing by Electronic means |
Subsection 1
provides that the
processing of personal data of a data subject for the purpose of direct
marketing by means of any form of
electronic communication, including automatic calling machines, facsimile
machines, short message service (SMSs) or e-mail is prohibited unless the
data subject has given consent to the
processing or is, subject to
subsection (3), a customer of the data controller and has, at the prompting
of the data controller, indicated intention to remain a customer.
|
|
29. |
Section
33 – Transfer of Personal Data |
Subsection 1 provides that, subject to subsection (2), a data controller shall not, except with the written authorisation of the Commission, transfer personal data outside the State.
Subsection 2 provides that the data protection principle specified in the First Schedule shall not apply where ―
· the data subject has given consent to the transfer;
· the transfer is necessary ―
o for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to entering into a contract with the data controller;
o for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered at the request of the data subject, or is in the interest of the data subject, or for the performance of such a contract; and
o in the public interest, to safeguard public security or national security;
· the transfer is made on such terms as may be approved by the Commission as ensuring adequate safeguards for the protection of the rights of the data subject.
Subsection 3 provides that, for the purpose of subsection (2)(c), the adequacy of the level of protection of the State shall be assessed in the light of all the circumstances surrounding the data transfer, having regard in particular to ―
· the nature of the data;
· the purpose and duration of the proposed processing;
· the State or country of origin and State or country of final destination;
· the rules of law, both general and sectoral, existing in the State or country in question; and
· any relevant codes of conduct or other rules and security measures which are complied with in that State or country. |
This provision is similar to the provisions of the NDPR as they relate to the transfer of personal data to a foreign country. The Bill subjects any form of transfer of data out of Lagos to the approval of the Commission. The Commission is expected to approve terms of transfer by ensuring adequate safeguards for the transfer of personal data are put in place.
The Bill, without sufficient clarity, tries to create exceptions as to when transfer can be done without approval of the Commission.
A relevant question is whether there is a need for the approval of the Commission as it relates to transfers within Nigeria, considering the existence of the NDPR. In our view, to the extent that a data controller in a state outside Lagos State is able to establish compliance with the NDPR, the requirement for approval should not be necessary. This is necessary to ensure ease of business and free flow of information with minimal regulatory bureaucracy. In addition, as with the NDPR, it will be useful if the Commission develops a whitelist of countries to which data can be transferred without the Commission’s approval. Again, this will aid the ease of doing business. |
PART
V – OBLIGATIONS OF A DATA PROCESSOR |
|||
30. |
Section
35 – Obtaining authorization of Data Controller |
Subsection 1 provides that a data processor may only process
personal data in accordance with the provisions of this Law and on the
written instruction of the data controller, which shall include whether or
not the data processor is permitted to transfer such personal data to another
State, Country or International organisation.
Subsection 2 provides that a data
processor shall not engage another processor without the prior specific or
general written consent of the data controller and where such consent is
given, to ensure that such processor is committed to confidentiality or is
under an appropriate statutory obligation of confidentiality. Subsection 3 provides that where a
general written authorisation is obtained, the data controller shall be
notified of any intention by the data processor to make changes regarding
addition or replacement of any processor. |
A data processor who
intends to process data on behalf of a data controller must ensure that such
data is processed in line with the agreement and the provisions of the Bill.
The data processor shall only be permitted to subcontract its rights and
obligations where it has obtained the consent of the data controller. |
31. |
Section
36 – Processing to be governed by contract or existing law |
Processing of data for a data controller by a data processor shall be governed by a contract specifying the required terms of agreement made by the parties or any existing Law. |
This Section mandates that a data controller seeking to engage the services of a data processor must ensure both parties execute a contract which spells out the rights and obligations of the parties. |
PART
VI – THE DATA PROTECTION REGISTER |
|||
32. |
Section
37 – Register of Data Controllers and Data Processors |
Subsection 1 provides that the Commission shall open and maintain a Data Protection Register which shall contain details of data controllers and data processors in the State.
Subsection 2 provides that a data controller or data processor operating in the State shall, as from the commencement of this Law, register with the Commission.
Subsection 3 provides that any data controller or data processor that keeps or processes personal data or sensitive personal data without registering with the Commission commits an offence and is liable on conviction to a fine of Two Million Naira (₦2,000,000.00) or a term of two (2) years or both. |
This Section mandates that a data controller or processor must register with the Commission, failing which it shall constitute an offence with attendant fines and imprisonment. Again, the law is not clear on the provisions with respect to imprisonment, as it does not state that the imprisonment will apply to officers of corporates. |
33. |
Section
38 – Procedure for Registration |
Subsection 1 provides that a data controller or data processor shall submit a written application for registration, including relevant particulars, to the Commission.
Subsection 2 provides that where a data controller or data processor intends to keep or process personal data or sensitive personal data for two (2) or more purposes, separate applications shall be made in respect of each of the purposes and entries shall be made in accordance with any such applications.
Subsection 3 provides that the Commission shall grant an application for registration, and register such applicant on payment of the prescribed fee, unless it reasonably believes that ―
· the particulars proposed for inclusion in an entry in the register are insufficient or any other information required by the Commission has not been furnished, or is insufficient;
· appropriate safeguards for the protection of the privacy of the data subjects concerned are not being, or will not continue to be, provided by the data controller; or
· the person applying for registration is not a fit and proper person.
Subsection 4 provides that where the Commission refuses an application for registration, it shall, not later than Seven (7) working days from the date of refusal of such application, notify the applicant in writing ―
· specifying the reasons for the refusal; and
· informing the applicant of the right to appeal against the refusal to the Court.
Subsection 5 provides that the Commission may, at any time, on the request of the person to whom an entry in the register relates, remove such name from the register. |
The requirement for registration imposes
additional compliance obligations on data controllers and administrators. The
requirement for registration does not promote the ease of doing business. |
34. |
Section 39 – Particulars to be furnished by Data Controller |
Subsection 1 provides that a data controller who applies for registration shall provide the following particulars –
· name and address of the data controller;
· where a representative has been nominated for the purposes of this Law, the name and address of such representative;
· a description of the personal data being, or to be, processed by or on behalf of the data controller, and the category of data subjects to which the personal data relate;
· a statement as to whether or not the data controller holds, or is likely to hold, sensitive personal data;
· a description of the purpose for which the personal data is being or is to be processed;
· a description of any recipient to whom the data controller intends to disclose the personal data;
· the names, or a description, of any State or Country to which the data controller directly or indirectly transfers, or intends, directly or indirectly, to transfer the data; and
· the class of data subjects, or where practicable the names of data subjects, in respect of which the data controller holds personal data.
|
|
35. | Section 40 – Particulars to be furnished by Data Processor |
Subsection 1 provides that a data processor who applies for registration under this Law shall provide the following particulars ―
· name and address of the processor;
· a description of the personal data being, or to be, processed, and the category of data subjects to which the personal data relate;
· the state or country to which the data processor transfers, or intends to transfer, the personal data;
· a statement as to whether or not the data processor processes, or intends to process, sensitive personal data; and
· such other particulars as the Commission may require. |
|
36. | Section 43 – Duration of Registration |
Registration under this Law shall be renewable annually, and at the expiration of registration the relevant entry shall be cancelled unless the registration is renewed. |
Data controllers and data processors shall ensure their registration is renewed annually. |
PART VII – RIGHTS OF DATA SUBJECT
37. | Section 45 – Access to Personal Data |
Subsection 1 provides that a data controller shall, on the written request of a data subject or a relevant person –
· inform the data subject or the relevant person –
o whether the data kept by the data controller include personal data relating to the data subject;
o the purposes for which the data are being or are to be processed;
o the recipients or classes of recipients to whom they are or may be disclosed; and
· supply the data subject or the relevant person with a copy of any data referred to in paragraph (a) on payment of the prescribed fee. |
We believe the right of a data subject to access his or her personal data is an inherent right and should not be subject to the payment of fees, save in cases where the demands of the data subject are excessive. |
38. | Section 46 – Denial of Access to Personal Data |
Subsection 1 provides that a data controller may refuse a request for access where –
· there is insufficient information to identify the person making the request and to locate the information being sought;
· compliance with such request will be in contravention of a confidentiality obligation imposed under any other law.
Subsection 2 provides that where compliance with a request for access will lead to disclosing personal data relating to a third party, such data controller may refuse the request unless –
· the third party has consented to the disclosure of such personal data to the person making the request; or
· the person making the request obtains the written approval of the Commission.
Subsection 3 provides that in considering a request under subsection (2)(b), the Commission shall have regard, in particular, to ―
· any duty of confidentiality owed to the third party;
· any steps taken by the data controller with a view to seeking the consent of such third party;
· whether the third-party individual is capable of giving consent; and
· any express refusal of consent by the third party.
Subsection 4 provides that where a data controller has previously complied with a request for access by a data subject, the data controller is not obliged to comply with a subsequent identical or similar request from such data subject unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
Subsection 5 provides that in determining, for the purposes of subsection (4), whether requests for access are made at reasonable intervals, regard shall be had to ―
· the nature of the data;
· the purpose for which the data are processed; and
· the frequency with which the data are altered.
Subsection 6 provides that a data controller shall not comply with a request for access where –
· the request is in respect of information given or to be given in confidence for the purposes of –
o the education, training or employment, or prospective education, training or employment, of the data subject;
o the appointment, or prospective appointment, of the data subject to any office; or
o the provision, or prospective provision, by the data subject of any service;
· the personal data requested consist of information recorded by candidates during an academic, professional or other examination; and
· such compliance would, by revealing evidence of the commission of any offence other than an offence under this Law, expose the data controller to proceedings for that offence. |
This Section provides for instances where the data subject’s access to his or her personal information may be qualified or denied.
With respect to denial on the basis of confidentiality, it is necessary to mention that this provision may not apply to a request made by a data subject with respect to his or her own personal data. The right of access by a data subject to his or her data should not be denied on the basis of confidentiality.
Furthermore, a data controller is not obliged to grant access to personal data where the information is given in confidence for the purpose of employment or training of data subjects. |
39. | Section 47 – Inaccurate Personal Data |
Subsection 1 provides that a data controller shall, on being informed of the inaccuracy of personal data by the data subject to whom such data pertains, cause such data to be rectified, blocked, erased or destroyed, as appropriate.
Subsection 2 provides that where a data controller is aware that a third party holds inaccurate personal data, such data controller shall, not later than seven (7) working days, require the third party to rectify, block, erase or destroy the data, as appropriate. |
|
PART VIII – EXEMPTIONS
40. | Section – National Security |
Subsection 1 provides that personal data are exempt from any provision of this Law where the non-application of such provision will, in the opinion of the Governor, be required for the purpose of safeguarding State or national security.
Subsection 2 provides that in any proceedings in which the non-application of the provisions of this Law on grounds of national security is in question, a certificate under the hand of the Governor referred to in subsection (1), certifying that such is the case, shall be conclusive evidence of that fact. |
This Section connotes that the safeguards and measures put in place by this Bill for the processing of personal data shall not apply in situations where, in the opinion of the Governor, there appears to be a need to safeguard State or national security. Therefore, the enforcement of the rights of a data subject shall be made subject to national security issues. |
41. | Section 49 – Crime and Tax related Data |
The processing of personal data for the purposes of ―
· the prevention or detection of crime;
· the apprehension or prosecution of offenders; or
· the assessment or collection of any tax, duty or any imposition of a similar nature
shall be exempt from – to the extent to which the application of such provisions will be likely to prejudice any of the matters specified in paragraphs (a) to (c). |
This section expressly ensures that when processing personal data for the purpose of crime prevention and control, the investigative and prosecutorial authorities shall have the right to process data which may be excessive or outdated, as the case may be. The manner in which data has been obtained shall not be queried or put to question, and the investigative or prosecutorial authority shall have the right to transfer data without obtaining the consent of the data subject. |
42. | Section 50 – Health and Social work-related Data |
Subsection 1 provides that a data controller is not bound to grant access to personal data where the personal data to which access is being sought relates to the physical or mental health of the data subject, and the grant of access to such personal data is likely to cause serious harm to the physical or mental health of the data subject or of any other person.
Subsection 2 provides that the Governor may, by notice in the Gazette or by regulations, waive the obligation to grant access to personal data on a public authority, voluntary organisation and any other similar body as may be prescribed, where such public authority, voluntary organisation or other body carries out social work in relation to a data subject or any other individual, and the application of that section is likely to prejudice the carrying out of the social work. |
This Section restricts the right of a data subject to request medical records relating to his or her physical or mental health where the disclosure of same will put the data subject in harm’s way. This provision ensures that such data which is likely to cause harm to the physical or mental health (shock) of a data subject shall only be accessed with the aid of a professional, i.e. a social worker. |
43. | Data for Journalistic, literary and artistic purposes |
Subsection 1 provides that the processing of personal data for journalistic, literary and artistic purposes shall be exempt from the provisions specified in subsection (2) where ―
· such processing is undertaken with a view to the publication of any journalistic, literary or artistic material;
· the data controller involved in such processing is of the opinion that –
o the publication will be in the public interest; and
o compliance with any such provisions will be incompatible with such purposes. |
|
44. | Section 52 – Educational and Sensational Data |
Subsection 1 provides that personal data which are processed only for educational, research, historical or statistical purposes shall be exempt from the fifth data protection principle.
Subsection 2 provides that the exemption shall not be applicable where –
· such personal data are not processed to support measures or decisions with respect to particular individuals; and
· such personal data are not processed in a way that will substantially damage or distress any data subject, or will likely cause such damage or distress. |
This Section gives a data controller the right to keep Educational and Sensational Data for as long as it is deemed necessary. |
45. | Section 53 – Information available to the Public under a Law |
Where personal data consists of information which the data controller is obliged under a Law to make available to the public, such data shall be exempt from –
· the second, third, fourth, fifth and eighth data protection principles;
· Sections 25 to 30; and
· Part VII in respect of blocking personal data. |
This Section mandates data controllers to make information (including personal data) available to the public where a law mandates such data controller to make information available to the public. This provision tacitly recognises the role of the Freedom of Information Act, which mandates government establishments to make information available to the public. |
46. | Section 54 – Disclosure required by Law or in Connection with Legal Proceedings |
Personal data are exempt from –
· the second, third, fourth and fifth data protection principles;
· Sections 24 to 29; and
· Part VII in respect of blocking personal data,
where –
o the disclosure of such data is required under any Law or by a Court order;
o the disclosure of such data is necessary for the purpose of, or in connection with, any on-going or prospective legal proceedings;
o the disclosure of such data is necessary for the purpose of obtaining legal advice; or
o the disclosure is otherwise necessary for the purpose of establishing, exercising or defending legal rights. |
This Section dispenses with the rights afforded to a data subject whose data are required by Law in connection with any legal proceeding. |
47. | Section 55 – Legal Professional Privilege |
Personal data are exempt from –
· the second, third, fourth and fifth data protection principles; and
· Section 25,
where the data consist of information in respect of which a claim to legal professional privilege, or confidentiality as between client and legal practitioner, could be maintained in legal proceedings, including prospective legal proceedings. |
This section dispenses with the need for a data controller to obtain consent from a data subject in situations and circumstances where a claim to legal professional privilege between a client and legal practitioner can be maintained. |
48. | Section 56 – Domestic Purposes |
Personal data processed by an individual are exempt from –
· the data protection principles; and
· Part VI and Part VII,
where such processing is only for the purposes of that individual’s personal, family or household affairs or for recreational purposes. |
This Bill shall not apply to data processed for an individual’s domestic, personal and recreational purposes. |
PART IX – MISCELLANEOUS
49. | Section 61 – Offences and Penalties |
Subsection 1 provides that any person who unlawfully destroys, deletes, misrepresents, conceals or alters personal data commits an offence and is liable on conviction to a fine not exceeding Two Million Naira (N2,000,000.00) or a maximum term of three (3) years, or both.
Subsection 2 provides that any person who contravenes any provision of this Law for which no specific penalty is provided commits an offence and is liable on conviction to a fine not exceeding Two Million Naira (N2,000,000.00) or to a term not exceeding three (3) years, or to both. |
This Section penalizes the unlawful destruction, deletion, misrepresentation and concealment of data. It also penalizes anyone who contravenes a provision of the Bill for which no specific penalty has been provided. |
50. | Section 62 – Forfeiture |
In addition to any penalty, the Court may –
· order the forfeiture of any equipment or any article used or connected in any way with the commission of an offence;
· order or prohibit the doing of any act to stop a continuing contravention. |
The Commission, in addition to other reliefs, has the option of requesting the Court to order the forfeiture of any equipment used in the commission of an offence. |
[1] Please note that under the Bill, Sensitive Personal Data means personal information concerning a data subject and includes information as to –
(a) the racial or ethnic origin;
(b) political opinion or adherence;
(c) religious or other similar beliefs;
(d) membership to a trade union;
(e) physical or mental health;
(f) sexual preferences or practices;
(g) the commission or alleged commission of an offence; or
(h) any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings; or
(i) any other sensitive personal information that is reasonably permissible.
[2] Section 262 of the Child’s Rights Law of Lagos State 2007