A REVIEW OF THE LAGOS STATE DATA PROTECTION BILL

Before the Lagos State House of Assembly is “a bill for a law to promote the protection of personal information processed by public and private bodies, establish minimum requirements for the processing and protection of personal information, establish the data protection commission and for connected purposes”.


In this briefing note, we summarise the key provisions of the Bill:


A.   Features of the Bill:

Short Title:

Lagos State Data Protection Bill, 2021.

Principal Purpose:

The Bill is largely designed to protect individuals from having their personal information misused, exploited or mishandled.

Application:

Lagos State.

No. of Sections:

65

Number of parts:

10

Number of Schedules:

2

B.   Summary of Major Provisions of the Bill and Remarks:

The relevant provisions are as follows: 

S/N | The Principal Act | The Bill | Remarks


PART 1- PRELIMINARY PROVISIONS

1.     

Section 2 – Application

This Law applies to the processing of data entered in a record by making use of automated or non-automated means provided that when the recorded data is processed by non-automated means it forms or is intended to form part of a filing system. The law shall also apply where the data controller is domiciled in the State or not domiciled in the State but makes use of automated or non-automated means in the State, unless those means are used only to forward personal data through the State.

 

The Bill regulates the automated or non-automated means of processing Data by or on behalf of a data controller who is either domiciled in Lagos State or not domiciled but makes use of automated or non-automated means in the State.

In terms of scope, the proposed Bill seems to apply not only to personal data but to data in general.

 

Personal Data is defined by the Bill as:

“(a) data which relate to an identified or identifiable person; or

(b) data or other information, including an opinion forming part of a database, whether or not recorded in a material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.”

 

Data is defined by the Bill as:

“information in a form which is capable of being processed through any equipment operating automatically in response to instructions given for that purpose and is recorded-

(a) with the intent of being processed by such equipment; or

(b) as part of a relevant filing system or intended to be part of a relevant filing system;”

The language of Section 2(1)(a) of the Bill seems to suggest that the Law does not apply to personal data processed by non-automated means which does not form, and is not intended to form, part of a filing system.

PART II – ESTABLISHMENT OF THE DATA PROTECTION COMMISSION

2.     

Section 3 – Establishment of the Data Protection Commission

There shall be a body established to be known as the Data Protection Commission, which shall be a body corporate that may sue and be sued in its name and may hold, acquire and dispose of movable and immovable property, amongst other things.

3.     

Section 4 – Functions of the Agency

Some significant functions of the Agency include to:

·       take measures to ensure that personal data is collected, held or processed in a manner as not to infringe on the privacy of a data subject;

·       ensure compliance with the provisions of this Law, and any regulations made under the Law;

·       open and maintain a register of all data controllers and data processors;

·       regulate data processing activities, and verify whether the processing of data is in accordance with this Law or regulations made under it;

·       promote self-regulation among data controllers and data processors;

·       investigate any complaint or information which gives rise to a suspicion that an offence under this Law may have been, is being or is about to be committed;

·       sensitize the general public about the provisions of this Law;

·       undertake research, and monitor developments in data processing, data matching, data linkage and information, including communication technologies, and ensure that there are no significant risks of any adverse effects of those developments on the privacy of individuals;

·       examine proposals for any data matching procedure or data linkage that may involve an interference with, or otherwise have adverse effects on, the privacy of individuals and ensure that any adverse effects of such proposal on the privacy of individuals are minimised;

·       cooperate with supervisory authorities within and outside the State, to the extent necessary for the performance of its functions under this Law; and

·       carry out any other function that may be necessary to the attainment of the objectives of this Law.

The Commission shall be responsible for the administration of the Bill. The Commission shall regulate data protection activities in a bid to ensure the rights and obligations of data subjects and data controllers are adequately provided for.

 

The Bill, in establishing the Commission as the supervisory authority, saddles it with the function, amongst other things, of opening and maintaining a register of data controllers and data processors. It will be interesting to see how the supervisory authority will achieve this, bearing in mind the number of data controllers and processors within the State. Perhaps the Commission may need to consider setting a threshold before a data controller or processor will “qualify” for registration, as it may be administratively challenging to require all categories or types of data controllers or processors to register, bearing in mind that almost every person processes data on a daily basis.

 

With respect to the promotion of self-regulation among data controllers and processors, it remains to be seen how the Commission will perform this function.

4.     

Section 5 – Powers of the Commission

The powers of the Commission include to:

·       enter into, carry out, assign or accept the assignment of, vary or rescind any contract, agreement or other obligation in line with its functions under this Law;

·       accept gifts and donations, whether subject to any trust or not, as may be required by the Commission in the performance of its functions under this Law;

·       investigate contravention complaints and take necessary legal steps to redress the complaints;

·       subject to the approval of the Governor, become a member of or affiliate to any international body concerned (whether in whole or in part) with the privacy of individuals in relation to personal data; and

·       exercise such other powers as are conferred under this Law or any other Law.

5.     

Section 6 – Establishment and Composition of Governing Board

Sub-section 1 of the Law establishes a governing board to be called “the board”.

 

Sub-section 2 of the Law provides for the composition of the Board, which includes:

·       a Chairman who shall be a qualified Information Technology practitioner with not less than Ten (10) years post-qualification experience;

·       the Executive Secretary of the Commission;

·       the Commissioner for Science and Technology;

·       a renowned Management Information System professional;

·       a Cyber Security Systems Professional;

·       a retired Commissioner of Police;

·       a representative of the organised private sector; and

·       the Legal Adviser of the Commission.

The Board members shall be appointed by the Governor on the recommendation of the Commissioner.

The Bill is vague on who qualifies as an Information Technology practitioner; it may be useful to have some objective criteria with regard to qualification.

6.     

Section 7 – Tenure and Remuneration of members

Sub-section 1 provides that the Chairman and members of the Board, except the Executive Secretary, shall be appointed to serve as part-time members and hold office for four (4) years, and shall be eligible for one further term of four (4) years only.

Sub-section 2 provides that the Chairman and other members of the Board shall be paid such remuneration as the Governor may determine.

The Board members, except the Executive Secretary, are entitled to a four-year term which is renewable once for another four years.

7.     

Section 8 – Functions of the Board

The Board’s functions include to:

·       set up guidelines relating to collection, processing and transfer of personal data in the State;

·       make recommendations to the State Government on matters relating to data protection and protection of privacy of residents of the State;

·       set up the security codes and minimum requirements to be met by data controllers and processors in processing personal information in the State; and

·       carry out such other functions as may be expedient to give effect to the provisions of this Law.

This Section saddles the Board with the responsibility of setting up guidelines for regulating the collection, processing and transfer of data in Lagos State. The guidelines shall provide a framework and road map for the applicability of the Bill.

8.     

Section 9 – Appointment of the Executive Secretary

Sub-section 1 provides that there shall be appointed by the Governor an Executive Secretary who shall:

·       be a person of proven integrity with not less than Ten (10) years post qualification experience in Management Information Systems or Information Technology;

·       be the Chief Executive and Accounting Officer of the Commission;

·       be responsible for the execution of the policy and the day to day administration of the affairs of the Commission in accordance with the provisions of this Law; and

·       hold office for a single term of five (5) years.

Sub-section 2 provides that the terms and conditions of appointment of the Executive Secretary shall be as specified in the letter of appointment.

In our view, restricting the qualification of the Executive Secretary to a person with experience in Management Information Systems or Information Technology is unduly vague and restrictive. We believe there are other professions/professionals who have the requisite skill on data protection issues.

PART III – SPECIAL POWERS OF THE COMMISSION

9.     

Section 12 – Power to Obtain Information

Sub-section 1 provides that the Commission may by notice in writing served on any person, request such information as is necessary or expedient for the performance of its functions under this Law, in a form that is visible, legible and easy to move.

 

Sub-section 2 provides that a notice under sub-section 1 shall inform the person to whom the notice is addressed of the right of appeal to the Court and specify a compliance period of not more than Twenty-one (21) days within which such person must respond to the notice.

 

Sub-section 5 provides that any person who, without reasonable excuse, fails or refuses to comply with a requirement specified in a notice, or who furnishes to the Commission information known to be false or misleading in a material particular, commits an offence and is liable on conviction to a fine not exceeding One Million Naira (N1,000,000.00) or to a term not exceeding Two (2) years, or both.

This Section gives the Commission the power to obtain information from any person by serving a notice in writing on such person. The recipient of the notice must, within 21 days, either comply with the Commission’s request or challenge it in Court, as failure to do so will attract a penalty.

10.  

Section 13 – Power to delegate

The Commission may delegate any of its investigating or enforcement powers under this Law to any person or Police officer designated by the State Commissioner of Police.

11.  

Section 14 – Complaints

This section provides that where a complaint is made to the Commission that this Law or any regulations made under it has been, is being or is about to be contravened, the Commission shall investigate the complaint or cause it to be investigated by an authorised officer, unless it is of the opinion that the complaint is frivolous or vexatious. The Commission shall, as soon as reasonably practicable, notify the complainant in writing of its decision in relation to the complaint and of the complainant’s right, if aggrieved by the Commission’s decision, to appeal to the Court.

The Commission by this Section has the responsibility of receiving complaints and investigating same after which it shall communicate its decision to the complainant. The procedure for making and addressing complaints has not been provided in the Bill. However, a complainant has a right of appeal in the event he or she is dissatisfied with the decision of the Commission.

12.  

Section 15 – Enforcement of Notice

Sub-section 1 provides that where the Commission is of opinion that a data controller or a data processor has contravened, is contravening or is about to contravene this Law, the Commission may serve an enforcement notice on such data controller or data processor, requiring the data controller or data processor to take such steps within such time as may be specified in the notice.

 

Sub-section 2 provides that where the Commission is of the opinion that a person has committed an offence under this Law, it may investigate the matter, or cause the matter to be investigated.

 

Sub-section 6 provides that any person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding One Million Naira (N1,000,000.00) or to a term not exceeding Two (2) years, or to both.

This Section provides some preventive and corrective measures against a data controller or a data processor who has either contravened the Bill or is in the process of contravening it.

13.  

Section 16 – Preservation Order

The Commission may apply to the Court for an order for the expeditious preservation of data, including traffic data, where it has reasonable grounds to believe that such data is vulnerable to loss or modification.

Where the Court is satisfied that an order may be made under subsection (1), it shall issue a preservation order which shall be valid for a period of not more than Ninety (90) days.

The Court may, on application made by the Commission, extend the period specified in subsection (2) for such time as the Court thinks fit.

It is interesting to note that traffic data seems to have been expressly mentioned amongst other types of data. The reason for this may not be far from the intention of Lagos State to use traffic data in the prosecution of offences. That said, we see no reason why traffic data should be expressly mentioned, as the definition of data will naturally include traffic data.

14.  

Section 17 – Power to carry out prior security checks

Where the Commission is of the opinion that the processing or transfer of data by a data controller or data processor entails specific risks to the privacy rights of a data subject, it may inspect and assess the security measures taken prior to the beginning of the processing or transfer.

 

The Commission may, at any reasonable time during working hours, carry out further inspection and assessment of the security measures imposed on a data controller or data processor under this Law.

 

This Section seeks to hedge the risk of a data breach by giving the Commission the power to inspect the security systems of data controllers. However, a useful element which may be necessary as part of the law is the requirement of a Data Protection Impact Assessment. Considering the level of risk to the privacy rights of a data subject, we believe the Law should mandate that such data controller or data processor conducts a Data Privacy Impact Assessment (DPIA) and submits same to the Commission, in addition to the inspection requirement.

A DPIA is by its nature a risk assessment carried out to ascertain the possible implications of particular personal data processing activities, such as where there is a potential risk to the privacy rights of a data subject.

 

15.  

Section 18 – Compliance Audit

The Commission shall carry out periodical audits of the systems of data controllers or data processors to ensure compliance with data protection principles specified in the First Schedule to this Law.

These provisions on compliance audits appear vague, unclear and without structure as compared to the Nigeria Data Protection Regulation (NDPR). The provisions of the Bill do not provide for whether the compliance audits will be periodic, or whether the Commission shall utilise the services of experts, as is the current practice of the National Information Technology Development Agency (NITDA), which uses Data Protection Compliance Organisations (DPCOs) for the purposes of compliance audits. Perhaps the Commission may rely on Section 19 of the Bill to request the assistance of DPCOs for the purpose of compliance audits.

That said, a potential impact of compliance audits under the Law is the cost of compliance for businesses, which would face two layers of audit, under the Bill and under the NDPR.

16.  

Section 19 – Power to Request Assistance

For purposes of gathering information or the proper conduct of any investigation concerning compliance with this Law, the Commission may seek the assistance of such persons or authorities as may be necessary, and such person or authority may do such things as are reasonably necessary to assist the Commission in the performance of its functions.

Any person assisting the Commission under subsection (1) shall for the purposes of confidentiality and oath under this Law, be deemed to be an officer of the Commission.

 

17.  

Section 20 – Powers of Entry and Search

An authorised officer may enter and search any premises for the purpose of discharging any functions or exercising any powers under this Law.

An authorised officer shall not enter or search any premises without providing to the owner or occupier, a warrant issued by a Magistrate for the purpose referred to in subsection (1).

For the purpose of carrying out the duties under this section, the authorised officer may be accompanied by such person as the Commission thinks fit.

This Section gives the Commission, through an authorised officer, the right to search premises for the purpose of executing its functions. However, the Commission must ensure it obtains a search warrant from a Magistrate before it proceeds to search such premises.

It is necessary to state that an authorised officer, as defined by the Bill, is “an officer to whom the Executive Secretary of the Data Protection Commission has delegated powers”.

18.  

Section 21 – Obstruction of authorised officer

Any person who:

·       obstructs or impedes an authorised officer in the exercise of any of the powers under this Law;

·       fails to provide reasonable assistance or relevant information requested by the authorised officer;

·       refuses to allow an authorised officer or any person in the company of such officer to enter any premises in exercise of the functions under this Law; or

·       gives to an authorised officer any information which is false and misleading in a material particular,

commits an offence and is liable on conviction to a fine not exceeding One Million Naira (N1,000,000) or to a term not exceeding Two (2) years or both.

19.  

Section 22 – Referral to the Police

On completion of an investigation, the Commission shall, where the investigation reveals that an offence has been committed under this Law or any regulations made under the Law, refer the matter to the Police for prosecution. The Police may also conduct further investigation to aid the prosecution of the case.

 

This Section gives the Police power to prosecute where it has been discovered that the Bill has been contravened. This provision shall be subject to the constitutional powers of the Attorney-General, who reserves the right to take over or discontinue any criminal matter.

PART IV – OBLIGATIONS OF A DATA CONTROLLER

20.  

Section 23 – Collection of Personal Data

Sub-section 1 provides that, subject to the provisions of this Law, a data controller shall not collect personal data unless:

·       it is collected for a lawful purpose connected with a function or activity of the data controller; and

·       the collection of the data is necessary for that purpose.

 

Sub-section 2 provides that where a data controller collects personal data directly from a data subject, the data controller shall, at the time of collecting the personal data, ensure that the data subject concerned is informed of:

·       the fact that the data is being collected;

·       the purpose for which the data is being collected;

·       the intended recipients of the data;

·       the name and address of the data controller;

·       whether or not the supply of the data by that data subject is voluntary or mandatory;

·       the consequences for that data subject if all or any part of the requested data is not provided;

·       whether or not the data collected shall be processed and whether or not the consent of the data subject shall be required for such processing; and

·       the data subject’s right of access to, possibility of correction, and destruction of, the personal data to be provided.

 

This Section essentially enumerates the information which ought to be contained in the privacy notice of a data controller or processor. While the Bill simply states that the listed obligations are obligations of a data controller, it will be necessary for the Bill to expressly provide that this obligation applies to data processors as well.

Furthermore, the Bill has excluded the following information, which we believe needs to be disclosed to a data subject at the point of collection of his data:

a.    the technical methods used to collect and store personal information, e.g. cookies; and

b.    the remedies available in the event of a violation of the privacy notice.

21.  

Section 25 – Processing of Personal Data

Subsection 1 provides that personal data shall not be processed unless the data controller has obtained the express consent of the data subject.

Subsection 2 provides that, notwithstanding subsection (1), personal data may be processed without obtaining the express consent of the data subject where the processing is necessary:

·       for the performance of a contract to which the data subject is actively a party;

·       in order to take steps required by the data subject prior to entering into a contract;

·       in order to protect the vital interests of the data subject;

·       for compliance with any legal obligation to which the data controller is subject;

·       for the administration of justice; or

·       in the public interest.

Subsection 5 provides that silence or inactivity shall not be construed as giving consent under this Law.

This Section enumerates the various lawful bases for data processing and seems to inadvertently elevate consent as a lawful basis for processing personal data. It is necessary to state that consent as a lawful basis for personal data processing is not necessarily superior to the other lawful bases listed under Section 25 of the Bill.

As opposed to the NDPR, the Bill expands the lawful bases of data processing to include (i) where processing of personal data is necessary in order to take steps required by the data subject prior to entering into a contract, and (ii) the administration of justice.

From a drafting perspective, the provisions of Section 25(2)(b) of the Bill appear unclear as to the intention of the draughtsman. Perhaps the section should be amended by substituting “data subject” with “data controller” to read as follows:

“in order to take steps required by the data controller prior to entering into a contract”.

 

Furthermore, the inclusion of administration of justice is in our view surplusage, as we believe this is encompassed under the principle of public interest.

The Bill limits vital interests to the vital interests of the data subject without more. We believe the vital interests legal basis should extend to the vital interests of another natural person, as there may be instances where the vital interests of another natural person may be adversely affected if processing on the basis of vital interests is limited to the particular data subject. We note that the extension of vital interests as a basis for processing the personal data of a natural person apart from the data subject will only be applicable to sensitive personal data. We believe this may be unduly restrictive.

 

The provision of Section 25(5) of the Bill reflects the principle of consent being clear and unambiguous.

 

The Bill provides that Sensitive Personal Data[1] shall not be processed unless the data subject has (i) given express consent to the processing and (ii) made the data public, except where the processing is:

a.    in fulfilment of a legal obligation imposed on a data controller in connection with the data subject’s employment;

b.    in relation to the protection of the vital interests of the data subject or a natural person;

c.     in relation to the protection of the vital interests of a natural person where consent by a data subject has been unreasonably withheld; or

d.    for the performance of a contract to which the data subject is a party.

22.  

Section 26 – Use of Personal Data

A data controller shall ensure that personal data is:

·       kept only for specified and lawful purposes for which such data has been collected and processed;

·       not used or disclosed in any manner incompatible with the purposes for which such data has been collected and processed;

·       adequate, relevant and not excessive in relation to the purposes for which such data has been collected and processed; and

·       not kept for longer than is necessary for the purposes for which such data has been collected and processed.

23.  

Section 27 – Security of Personal Data

Subsection 1 provides that a data controller shall:

·       take appropriate security and organisational measures for the prevention of unauthorised access to, alteration, disclosure, accidental loss, and destruction of the data in the data controller’s control; and

·       ensure that the measures provide a level of security appropriate to the:

o   harm that might result from the unauthorised access to, alteration, disclosure, destruction, or accidental loss of the data; and

o   nature of the data concerned.

24.  

Section 28 – Personal Data relating to a child

A person shall not collect or process personal data relating to a child unless the collection or processing is:

·       done with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child;

·       necessary to comply with the law; or

·       for research or statistical purposes.

While the NDPR does not define a child, the NDPR Implementation Framework defines a child to mean anyone under the age of 13. The Bill has not defined a child, and it will be necessary for this to be done for the purpose of clarity. Inspiration for the definition of a child can be taken from the Child Rights Law of Lagos, which defines a child as a person under the age of eighteen years[2].

25.  

Section 29 – Duty to destroy Personal Data

Where the purpose for keeping personal data has lapsed, the data controller shall:

·       destroy such data not later than Seven (7) working days from the date the purpose for keeping such data lapses; and

·       notify any data processor holding such data that the purpose for keeping such data has lapsed.

Any data processor who receives a notification under subsection (1)(b) shall, not later than five (5) working days from the date the notification was received, destroy the data specified by the data controller.

This Section compels data controllers to destroy personal data where the purpose for which the data was collected has been realised. This helps to minimise the risk of a data breach, as data which is no longer needed should be destroyed in record time.

 

That said, it is necessary to mention that bearing in mind that the Bill does not provide for a data retention period, there is flexibility on the part of data controllers to keep personal data for as long as is necessary. Therefore, the obligation to destroy personal data may not necessarily be tied to the purpose for processing personal data but to the data retention policy of the relevant data controller.

 

Also, the Bill prescribes no punishment in the event of a breach of this obligation. However, contractual remedies may be available with respect to data protection agreement between a data controller and a data processor who has been notified to destroy data.

26.  

Section 30 – Unlawful Disclosure of Personal Data

Subsection 1 provides that any data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purposes for which such data has been collected commits an offence.

 

Subsection 2 provides that any data processor who, without lawful excuse, discloses personal data processed, without the prior authority of the data controller on whose behalf such data is or has been processed commits an offence.

 

Subsection 7 provides that any person that contravenes any of the provisions of this Section is liable on conviction to a fine not exceeding Five Million Naira (N5,000,000.00) or to a maximum term of Three (3) or to both.

 

In addition to contractual liabilities, the Bill makes it an offence to disclose personal data without lawful purpose and imposes a fine of not more than N5,000,000 or a term of imprisonment. It is necessary to note that the term of imprisonment is not clear, as the Bill does not state whether the term will be in months or years.

It is necessary to state that the fine under the Bill is relatively low compared to the NDPR, although we note that the maximum fine imposed by NITDA as at the date of this document is N10,000,000. Also, unlike the NDPR, the Bill seeks to impose a term of imprisonment.

With respect to imprisonment, the Bill is inelegantly drafted in stating that a person shall be liable upon conviction to a maximum term of imprisonment. Unfortunately, the Bill is not specific as to the person liable to imprisonment where the data controller or data processor is a company. This means that officers of a company may not be liable to imprisonment in the event of contravention of these provisions.

27.  

Section 31 – Processing of Personal Data for Direct Marketing

Subsection 1 provides that a person may, at any time, by notice in writing, request a data controller to stop or not to begin, the processing of personal data in respect of which such person is a data subject, for the purposes of direct marketing.

 

Subsection 2 provides that a data controller who receives a request under subsection (1)(a) shall, not more than Fourteen (14) days after the request has been received:

·   where the data are kept only for purposes of direct marketing, erase the data; and

·   where the data are kept for direct marketing and other purposes, stop processing the data for direct marketing.

 

Subsections 5 & 6 provide that where a data controller fails to comply with a notice under subsection (1), the data subject may appeal to and secure an order of the Court to comply with such notice. A data controller who fails to comply with an order of the Court under subsection (5) commits an offence.

This Section gives data subjects the right to restrict data processing for the purpose of direct marketing. This Section further provides that an order of court can be obtained to mandate a controller to cease processing of personal data and, where such data controller fails to comply, such failure will be regarded as an offence. We note that the Bill does not prescribe the punishment for such failure. The reason for this may not be unconnected with the fact that failure to obey court orders will be regarded as contempt, with the courts having discretion to prescribe the relevant punishment.

28.  

Section 32 – Processing of Personal Data for Direct Marketing by Electronic means

Subsection 1 provides that the processing of personal data of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, short message service (SMSs) or e-mail is prohibited unless the data subject has given consent to the processing or is, subject to subsection (3), a customer of the data controller and has, at the prompting of the data controller, indicated intention to remain a customer.

 

29.  

Section 33 – Transfer of Personal Data

Subsection 1 provides that, subject to subsection (2), a data controller shall not, except with the written authorisation of the Commission, transfer personal data outside the State.

 

Subsection 2 provides that the data protection principle specified in the First Schedule shall not apply where

 

·       the data subject has given consent to the transfer;

·       the transfer is necessary

o   for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to entering into a contract with the data controller;

 

o   for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered at the request of the data subject, or is in the interest of the data subject, or for the performance of such a contract; and

o   in the public interest, to safeguard public security or national security,

 

·       the transfer is made on such terms as may be approved by the Commission as ensuring the adequate safeguards for the protection of the rights of the data subject.

 

Subsection 3 provides that, for the purpose of subsection (2)(c), the adequacy of the level of protection of the State shall be assessed in the light of all the circumstances surrounding the data transfer, having regard in particular to

·       the nature of the data;

·       the purpose and duration of the proposed processing;

·       the State or country of origin and State or country of final destination;

·       the rules of law, both general and sectoral, existing in the State or country in question; and

·       any relevant codes of conduct or other rules and security measures which are complied with in that State or country.

This provision is similar to the provisions of the NDPR as they relate to the transfer of personal data to a foreign country. The Bill subjects any form of transfer of data out of Lagos to the approval of the Commission. The Commission is expected to approve terms of transfer by ensuring that adequate safeguards for the transfer of personal data are put in place.

 

The Bill attempts, without sufficient clarity, to create exceptions as to when a transfer can be made without the approval of the Commission.

 

A relevant question is whether there is a need for the approval of the Commission as it relates to transfers within Nigeria, considering the existence of the NDPR. In our view, to the extent that a data controller in a state outside Lagos State is able to establish compliance with the NDPR, the requirement for approval should not be necessary. This is necessary to ensure ease of business and free flow of information with minimal regulatory bureaucracy. In addition, as with the NDPR, it would be useful if the Commission develops a whitelist of countries to which data can be transferred without the Commission’s approval. Again, this would aid the ease of doing business.

PART V – OBLIGATIONS OF A DATA PROCESSOR

30.  

Section 35 – Obtaining authorization of Data Controller

Subsection 1 provides that a data processor may only process personal data in accordance with the provisions of this Law and on the written instruction of the data controller, which shall include whether or not the data processor is permitted to transfer such personal data to another State, Country or International organisation.

 

Subsection 2 provides that a data processor shall not engage another processor without the prior specific or general written consent of the data controller and, where such consent is given, shall ensure that such processor is committed to confidentiality or is under an appropriate statutory obligation of confidentiality.

Subsection 3 provides that where a general written authorisation is obtained, the data controller shall be notified of any intention by the data processor to make changes regarding addition or replacement of any processor.

A data processor who intends to process data on behalf of a data controller must ensure that such data is processed in line with the agreement and the provisions of the Bill. The data processor shall only be permitted to subcontract its rights and obligations where it has obtained the consent of the data controller.

31.  

Section 36 – Processing to be governed by contract or existing law

Processing of data for a data controller by a data processor shall be governed by a contract specifying the required terms of agreement made by the parties or any existing Law.

This Section mandates that a data controller seeking to engage the services of a data processor must ensure both parties execute a contract which spells out the rights and obligations of the parties.

PART VI – THE DATA PROTECTION REGISTER

32.  

Section 37 – Register of Data Controllers and Data Processors

Subsection 1 provides that the Commission shall open and maintain a Data Protection Register which shall contain details of data controllers and data processors in the State.


Subsection 2 provides that a data controller or data processor operating in the State, shall as from the commencement of this Law register with the Commission.

 

Subsection 3 provides that any data controller or data processor that keeps or processes personal data or sensitive personal data, without registering with the Commission commits an offence and is liable on conviction to a fine of Two Million Naira (2,000,000.00) or a term of two (2) years or both.


This Section mandates that a data controller or processor must register with the Commission, failure of which shall constitute an offence with attendant fines and imprisonment. Again, the law is not clear on the provisions with respect to imprisonment, as it does not state that the imprisonment will apply to officers of corporate bodies.

33.  

Section 38 – Procedure for Registration

Subsection 1 provides that a data controller or data processor shall submit a written application for registration, including relevant particulars to the Commission.

 

Subsection 2 provides that where a data controller or data processor intends to keep or process personal data or sensitive personal data for two (2) or more purposes, separate applications shall be made in respect of each of the purposes and, entries shall be made in accordance with any such applications.

 

Subsection 3 provides that the Commission shall grant an application for registration, and register such applicant on payment of the prescribed fee, unless it reasonably believes that

 

·       the particulars proposed for inclusion in an entry in the register are insufficient or any other information required by the Commission has not been furnished, or is insufficient;

·       appropriate safeguards for the protection of the privacy of the data subjects concerned are not being, or will not continue to be, provided by the data controller; or

·       the person applying for registration is not a fit and proper person.

 

Subsection 4 provides that where the Commission refuses an application for registration, it shall, not later than Seven (7) working days from the date of refusal of such application, notify the applicant in writing

·       specifying the reasons for the refusal; and

·       informing the applicant of the right to appeal against the refusal to the Court.

 

Subsection 5 provides that the Commission may, at any time, on the request of the person to whom an entry in the register relates, remove such name from the register.

The requirement for registration imposes additional compliance obligations on data controllers and administrators. The requirement for registration does not promote the ease of doing business.

34.  

Section 39 – Particulars to be furnished by Data Controller

Subsection 1 provides that a data controller who applies for registration shall provide the following particulars

·       name and address of the data controller;

·       where a representative has been nominated for the purposes of this Law, the name and address of such representative;

·       a description of the personal data being, or to be, processed by or on behalf of the data controller, and the category of data subjects to which the personal data relate;

·       a statement as to whether or not the data controller holds, or is likely to hold, sensitive personal data;

·       a description of the purpose for which the personal data is being or is to be processed;

·       a description of any recipient to whom the data controller intends to disclose the personal data;

·       the names, or a description of any State or Country to which the data controller directly or indirectly transfers, or intends, directly or indirectly to transfer the data; and

·       the class of data subjects, or where practicable the names of data subjects, in respect of which the data controller holds personal data.


35.  

Section 40 – Particulars to be furnished by Data Processor

Subsection 1 provides that a data processor who applies for registration under this Law, shall provide the following particulars

·       name and address of the processor;

·       a description of the personal data being, or to be processed, and the category of data subjects to which the personal data relate;

·       the state or country to which the data processor transfers, or intends to transfer the personal data;

·       a statement as to whether or not the data processor processes, or intends to process, sensitive personal data; and

·       such other particulars as the Commission may require.

 

36.  

Section 43 – Duration of Registration

Registration under this Law shall be renewable annually and at the expiration of registration, the relevant entry shall be cancelled unless the registration is renewed.

Data controllers and data processors shall ensure their registration is renewed annually.

PART VII – RIGHTS OF DATA SUBJECT

37.

Section 45 – Access to Personal Data

Subsection 1 provides that a data controller shall on the written request of a data subject or a relevant person-

·       inform the data subject or the relevant person

o   whether the data kept by the data controller include personal data relating to the data subject;

o   the purposes for which the data are being or are to be processed;

o   the recipients or classes of recipients to whom they are or may be disclosed; and

·       supply the data subject or the relevant person with a copy of any data referred to in paragraph (a) on payment of the prescribed fee.

 

We believe that a data subject's right to access his or her personal data is an inherent right and should not be subject to the payment of fees, save in cases where the demands of the data subject are excessive.

38.

Section 46 – Denial of Access to Personal Data

Subsection 1 provides that a data controller may refuse a request for access where

·       there is insufficient information to identify the person making the request and to locate the information being sought; or

·       compliance with such request will be in contravention with the confidentiality obligation imposed under any other law.

 

Subsection 2 provides that where compliance with a request for access will lead to disclosing personal data relating to a third party, such data controller may refuse the request unless

·      the third party has consented to the disclosure of such personal data to the person making the request; or

·       the person making the request obtains the written approval of the Commission.

 

Subsection 3 provides that, in considering a request under subsection (2)(b), the Commission shall have regard in particular to

 

·       any duty of confidentiality owed to the third party;

·       any steps taken by the data controller with a view to seeking the consent of such third party;

·       whether the third-party individual is capable of giving consent; and

·       any express refusal of consent by the third party.

 

Subsection 4 provides that where a data controller has previously complied with a request for access by a data subject, the data controller is not obliged to comply with a subsequent identical or similar request from such data subject unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

 

Subsection 5 provides that in determining, for the purposes of subsection (4), whether requests for access are made at reasonable intervals, regard shall be had to

·  the nature of the data;

·  the purpose for which the data are processed; and

·  the frequency with which the data are altered.

 

Subsection 6 provides that a data controller shall not comply with a request for access where-

 

·       the request is in respect of information given or to be given in confidence for the purposes of –

o   the education, training or employment, or prospective education, training or employment, of the data subject;

o   the appointment, or prospective appointment, of the data subject to any office; or

o   the provision, or prospective provision, by the data subject of any service;

·       the personal data requested consist of information recorded by candidates during an academic, professional or other examination; and

·       such compliance would, by revealing evidence of the commission of any offence other than an offence under this Law, expose the data controller to proceedings for that offence.

This Section provides for instances where a data subject’s access to his or her personal information may be qualified or denied.

 

With respect to denial on the basis of confidentiality, it is necessary to mention that this provision may not apply to a request made by a data subject with respect to his or her personal data. The right of access by a data subject to his or her data should not be denied on the basis of confidentiality.

 

Furthermore, a data controller is not obliged to grant access to personal data where the information is given in confidence for the purpose of employment or training of data subjects.

39.

Section 47 – Inaccurate Personal Data

Subsection 1 provides that a data controller shall, on being informed of the inaccuracy of personal data by the data subject to whom such data pertains, cause such data to be rectified, blocked, erased or destroyed, as appropriate.

 

Subsection 2 provides that where a data controller is aware that a third party holds inaccurate personal data, such data controller shall, not later than seven (7) working days, require the third party to rectify, block, erase or destroy the data, as appropriate.

 

PART VIII – EXEMPTIONS

40.

Section – National Security

Subsection 1 provides that personal data are exempt from any provision of this Law where the non-application of such provision will, in the opinion of the Governor, be required for the purpose of safeguarding State or national security.

 

Subsection 2 provides that in any proceedings in which the non-application of the provisions of this Law on grounds of national security is in question, a certificate under the hand of the Governor referred to in subsection (1), certifying that such is the case, shall be conclusive evidence of that fact.

 

This Section means that the safeguards and measures put in place by this Bill for the processing of personal data shall not apply in situations where, in the opinion of the Governor, there is a need to safeguard State or national security. Therefore, the enforcement of the rights of a data subject shall be made subject to national security considerations.

41.

Section 49 – Crime and Tax related Data

The processing of personal data for the purposes of

·       the prevention or detection of crime;

·       the apprehension or prosecution of offenders; or

·       the assessment or collection of any tax, duty or any imposition of a similar nature

shall be exempt from

·       the second, third, fourth and eighth data protection principles;

·       the provisions of Sections 24 to 26 of this Law; and

·       Part VII of this Law in respect of blocking personal data,

to the extent to which the application of such provisions will be likely to prejudice any of the matters specified in paragraphs (a) to (c).

 

This Section expressly ensures that, when processing personal data for the purpose of crime prevention and control, the investigative and prosecutorial authorities shall have the right to process data which may be excessive or outdated, as the case may be. The manner in which the data has been obtained shall not be queried or put to question, and the investigative or prosecutorial authority shall have the right to transfer data without obtaining the consent of the data subject.

42.

Section 50 – Health and Social work-related Data

Subsection 1 provides that a data controller is not bound to grant access to personal data where the personal data to which access is being sought relates to the physical or mental health of the data subject and the grant of access to such personal data is likely to cause serious harm to the physical or mental health of the data subject or of any other person.

 

Subsection 2 provides that the Governor may, by notice in the Gazette or by regulations, waive the obligation to grant access to personal data, on a public authority, voluntary organisation and any other similar body as may be prescribed, where such public authority, voluntary organisation or other body carries out social work in relation to a data subject or any other individual, and the application of that section is likely to prejudice the carrying out of the social work.

This Section restricts the right of a data subject to request medical records relating to his or her physical or mental health where the disclosure of the same will put the data subject in harm's way. This provision ensures that data which is likely to cause harm to the physical or mental health of a data subject (for example, shock) shall only be accessed with the aid of a professional, such as a social worker.

43.

Data for Journalistic, literary and artistic purposes

Subsection 1 provides that the processing of personal data for journalistic, literary and artistic purposes shall be exempt from the provisions specified in subsection (2) where

 

·       such processing is undertaken with a view to the publication of any journalistic, literary or artistic material;

 

·       the data controller involved in such processing is of the opinion that

o   the publication will be in the public interest; and

 

o   compliance with any such provisions will be incompatible with such purposes.

44.

Section 52 – Educational and Sensational Data

Subsection 1 provides that personal data which are processed only for educational, research, historical or statistical purposes shall be exempt from the fifth data protection principle.

Subsection 2 provides that the exemption shall not be applicable where

·           such personal data are not processed to support measures or decisions with respect to particular individuals; and

·           such personal data are not processed in a way that will substantially damage or distress any data subject or will likely cause such damage or distress.

 

This Section gives a data controller the right to keep Educational and Sensational Data for as long as it is deemed necessary.

45.

Section 53 – Information available to the Public under a Law

Where personal data consists of information which the data controller is obliged under a Law to make available to the public, such data shall be exempt from

·       the second, third, fourth, fifth and eighth data protection principles;

·       Sections 25 to 30; and

·       Part VII in respect of blocking personal data.

 

This Section mandates data controllers to make information (including personal data) available to the public where a law mandates such data controller to make information available to the public. This provision tacitly recognises the role of the Freedom of Information Act which mandates government establishments to make information available to the public.

46.

Section 54 – Disclosure required by Law or in Connection with Legal Proceedings

Personal data are exempt from

·       the second, third, fourth and fifth data protection principles;

·       Sections 24 to 29; and

·       Part VII in respect of blocking personal data, where

o   the disclosure of such data is required under any Law or by a Court order;

o   the disclosure of such data is necessary for the purpose of, or in connection with, any on-going or prospective legal proceedings;

o   the disclosure of such data is necessary for the purpose of obtaining legal advice; or

o   the disclosure is otherwise necessary for the purpose of establishing, exercising or defending legal rights.

 

This Section dispenses with the rights afforded to a data subject whose data are required by Law in connection with any legal proceeding.

47.

Section 55 – Legal Professional Privilege

Personal data are exempt from –

·       the second, third, fourth and fifth data protection principles; and

 

·       Section 25, where the data consist of information in respect of which a claim to legal professional privilege or confidentiality as between client and legal practitioner could be maintained in legal proceedings, including prospective legal proceedings.

This Section dispenses with the need for a data controller to obtain consent from a data subject in situations and circumstances where a claim to legal professional privilege between a client and legal practitioner can be maintained.

48.

Section 56 – Domestic Purposes

Personal data processed by an individual are exempt from

·       the data protection principles; and

·       Part VI and Part VII,

 

where such processing is only for the purposes of that individual's personal, family or household affairs or for recreational purposes.

This Bill shall not apply to data processed for an individual’s domestic, personal, and recreational purpose.


PART IX – MISCELLANEOUS

49.

Section 61 – Offences and Penalties

Subsection 1 provides that any person who unlawfully destroys, deletes, misrepresents, conceals or alters personal data commits an offence and is liable on conviction to a fine not exceeding Two Million Naira (N2,000,000.00) or to a maximum term of three (3) years or both.

Subsection 2 provides that any person who contravenes any provision of this Law for which no specific penalty is provided commits an offence and is liable on conviction to a fine not exceeding Two Million Naira (N2,000,000.00) or to a term not exceeding three (3) years or to both.

This Section penalises the unlawful destruction, deletion, misrepresentation and concealment of data. It also penalises anyone who contravenes any provision of the Bill for which no specific penalty has been provided.

50.

Section 62 – Forfeiture

In addition to any penalty, the Court may


·       order the forfeiture of any equipment or any article used or connected in any way with the commission of an offence;

 

·       order or prohibit the doing of any act to stop continuing contravention.

The Commission, in addition to other reliefs, has the option of requesting the Court to order the forfeiture of any equipment used in the commission of an offence.



[1] Please note that under the Bill, Sensitive Personal Data means personal information concerning a data subject and includes information as to –

(a) the racial or ethnic origin;

(b) political opinion or adherence;

(c) religious or other similar beliefs;

(d) membership of a trade union;

(e) physical or mental health;

(f) sexual preferences or practices;

(g) the commission or alleged commission of an offence; or

(h) any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings; or

(i) any other sensitive personal information that is reasonably permissible;

[2] Section 262 of the Child’s Rights Law of Lagos State 2007


Oyeyemi Oke

Partner

oyeyemi.oke@ao2law.com

Michael Ejiofor

Associate

michael.ejiofor@ao2law.com

Olufunso Adebowale

Graduate Intern

olufunso.adebowale@ao2law-intern.com 
