Background:
Nigeria’s National Information Technology Development Agency (NITDA) released its 2020 Guidelines for the management of personal data by public institutions in Nigeria on May 18, 2020 (the Guidelines). NITDA, while acknowledging that governments at all levels are the biggest processors of Personal Data of Nigerians and in Nigeria, states that the purpose of the Guidelines is to provide guidance to public officers on how to handle and manage personal data in compliance with the NDPR. In this Briefing Note, we highlight, summarize and make relevant remarks on the key points of the Guidelines.
The Guidelines:
Our Thoughts in Conclusion:
Nigeria is a Federation of an estimated +812 governments operating at 3 different levels: 1 Federal Government; 37 States’ Governments, including that of the Federal Capital Territory, Abuja; and 774 constitutionally recognized Local Governments, excluding the various Local Council Development Areas created by some States. “Government” in Nigeria is indeed a big and complex organization, such that it is imperative that the import of personal data protection practices be specially addressed to Nigeria’s many governments by a data protection authority. Nigeria’s 1-year-old e-Government Masterplan 2020 (e-GM Document) and 5-month-old 2020 – 2030 National Digital Economy Policy and Strategy (NDEPS Document) are policy documents of the Federal Government that underscore the increasing need for Nigeria’s governments to adopt the best of personal data protection practices, given the increasing risk of breach of privacy rights as governments increase their service delivery through digital or automated means.
The Guidelines could not have come any later than they have. Nigeria’s governments must lead from the front. They must demonstrate what they preach. Indeed, a higher level of responsibility is placed on governments by virtue of their leadership. Although a document of the Federal Government, the Guidelines should be of general application to all governments in Nigeria; the +811 of them. This is not in a core constitutional sense, as the Federal Government cannot legislate on the privacy rights practices of other governments, but rather in the sense of some other legal imperatives. Section 37 of Nigeria’s 1999 Constitution guarantees the protection of citizens’ right to privacy; Articles 2 and 6 of the 2010 ECOWAS Supplementary Act on Personal Data Protection mandate Nigeria and a data protection authority like NITDA to establish a legal framework for personal data processing and protection generally and specifically for public services; Article 8 of the yet-to-be-ratified 2014 African Union Convention on Cyber Security and Personal Data Protection places an obligation on Member States to establish a legal framework, that also punishes violations, for personal data protection; and both the 1948 Universal Declaration of Human Rights and the 1966 International Covenant on Civil and Political Rights recognize privacy rights as a human right. There is a legal imperative for this discourse.
The Guidelines clearly place on public institutions the twin obligations of protecting personal data and enforcing the rights of data subjects. With such provisions as the mandatory requirement to appoint a DPO; the obligation to obtain the consent of the data subject in specific instances, including where personal data is to be used for purposes other than those which informed the collection in the first place; and the personal liability of the leadership of the public institution, a level of obligation that is higher than those on most private organizations has been laid on public institutions by the Guidelines. Very important to note is the attempt to regulate the imbalance of power between public institutions and data subjects, with the Guidelines stipulating that data subjects should not be denied their legal privileges or rights on the basis of their refusal to provide personal data, except where the denial is expressly backed by law. Public institutions are indeed encouraged to comply with the provisions of the Guidelines, particularly with regard to the engagement of DPCOs to provide the necessary compliance support, with the ultimate objective of complying with the provisions of the NDPR and world-class data protection practices generally.
As with all laws, the enforcement of the Guidelines and the NDPR remains the elephant in the room. NITDA needs to do more on enforcement if it is to ensure the impact of its marked recognition as Nigeria’s data protection authority. Whether by itself or working with private organisations, including civil society, and/or public institutions like the Federal Competition and Consumer Protection Commission of Nigeria or the Office of the National Security Adviser, NITDA needs to work out a regime that allows data subjects, especially indigent ones, to freely lay complaints on breach of their data subject rights and effectively seek redress following an efficient and effective investigation process. The constitution, functions and impact of NITDA’s Administrative Redress Panel need to be publicly felt to underscore the seriousness of Nigeria’s data protection regime. The commercial side of this discourse should not be lost on us; Nigeria and indeed all its governments need to demonstrate to the world that Nigeria is a safe place for business in the global knowledge or digital economy – especially where the interchange of personal data is concerned, which is the case with almost every business or organization and the public institutions, starting with NITDA, most notably.
For further information on the foregoing (none of which should be taken as legal advice), please contact:
Kitan Kola-Adefemi
Oyeyemi Oke
Bidemi Olumide
bidemi.olumide@ao2law.com
with the subject: “NITDA’s Guidelines for Management of Personal Data by Public Institutions in Nigeria”.