NDPR IMPLEMENTATION FRAMEWORK DRAFT
The rate at which Nigerians' data is being breached by service providers has reached epidemic proportions. Daily, personally identifiable information of Nigerians is used by unauthorised persons to further their own interests without the consent of the Data Subject. The Nigeria Data Protection Regulation (NDPR) is at present the most robust data protection framework in Nigeria. Accordingly, stakeholders have encouraged NITDA to ensure the effective implementation and enforcement of the Regulation.
2. SUMMARY OF THE NDPR
The NDPR was issued on 25th January 2019 pursuant to Section 6(a) and (c) of the NITDA Act, 2007. The NDPR was made in recognition of the fact that many public and private bodies have migrated their businesses and other information systems online. These information systems have thus become critical information infrastructure that must be safeguarded, regulated and protected against atrocious breaches. The government further takes cognizance of emerging data protection regulations within the international community, geared towards the security of lives and property and fostering the integrity of commerce and industry in the data economy.
The principles of the NDPR are enumerated as follows:
a) Lawfulness and Legitimacy: Article 2.1(1)(a) provides that Personal Data shall be collected and processed for specific, legitimate and lawful purposes consented to by the Data Subject.
b) Specific Purpose: In addition to Article 2.1(1)(a) cited above, Article 3.1(7)(c) mandates the Data Controller to expressly inform the Data Subject of the purpose(s) of the processing for which the Personal Data is intended, as well as the legal basis for the processing. This requirement has hitherto been honoured more in the breach than in the observance. We believe this will change, as the government is poised to stem the tide of brazen breaches of people's right to privacy.
c) Data Minimization: Data Controllers are expected to collect only the minimum data required and to avoid gathering superfluous data. Data that is of no use to the Controller ought not to be collected. No data shall be obtained unless the specific purpose of collection is made known to the Data Subject. This principle is closely related to the purpose-specification principle: by insisting that the purpose of collecting or further processing a data set be communicated to the Data Subject, the Regulation closes the door to a multitude of potential abuses.
d) Accuracy: The NDPR provides that collected and processed Personal Data shall be adequate, accurate and without prejudice to the dignity of the human person (Art. 2.1(1)(b)). The NDPR prohibits the abuse or inaccurate representation of personally identifiable data, even where such data was given with due consent. To achieve this, Data Controllers and Processors are required to update the personal data in their custody regularly.
e) Storage and Security: Data Controllers are required to store data only for the period for which it is reasonably required. The Regulation does not explicitly prescribe a retention period; that detail, we believe, should be left to contractual agreement. However, where no period is specified, the dispute redress mechanisms can determine what constitutes a sufficient storage period. The Regulation also places the onus of security on the Data Controller and Processor. Art. 2.1(1)(d) provides that personal data shall be secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
f) Confidentiality, Integrity, and Availability: Article 3 generally enumerates the rights of the Data Subject. One of the underpinning principles of the NDPR is that data control must comply with basic minimum standards of information security management. The Regulation specifies the respective roles of the Controller and the Data Subject in such cases.
Compliance and Enforcement: One of the novelties of the NDPR is its compliance structure. The Regulation creates a new class of professionals: Data Protection Compliance Organisations (DPCOs). A DPCO is an entity duly licensed by NITDA for training, auditing, consulting and rendering services and products for compliance with the Regulation or any foreign Data Protection Law or Regulation affecting Nigeria (see Article 1.3(xiii)).
This Framework is, therefore, a general strategic approach to the enforcement of the Regulation. The objectives of the NDPR are:
a) to safeguard the rights of natural persons to data privacy;
b) to foster safe conduct for transactions involving the exchange of Personal Data;
c) to prevent manipulation of Personal Data; and
d) to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection which is in tune with best practice.
The NDPR applies to every Data Controller and Data Administrator. A Data Controller is defined by the Regulation as a person who, either alone, jointly with other persons, in common with other persons or as a statutory body, determines the purposes for which and the manner in which Personal Data is processed or is to be processed. A Data Administrator is a person or organisation that processes data.