Primarily, according to the Merriam Webster’s Dictionary, data consists of factual information, information in digital form that can be transmitted or processed. This could easily relate to any information whatsoever in terms of measurements, names, locations and so on. But the context within which Data is referred to in this article, is in relation to personal data. Personal Data, according to Section 65 of the Nigeria Data Protection Act, 2023 (NDPA) means any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual. This article focuses on how such data is used in compliance with the existing legal framework in Nigeria.
Data Use Compliance in Nigeria.
Data Use simply refers to the purposes of collecting data and how such data is exploited as permitted by law. A Data Subject on the other hand refers to an individual to whom personal data relates. And under the NDPA and Nigeria Data Protection Regulations, 2019 (NDPR), data processing is provided for as an umbrella term to include data use. Arguably, it can be understood that data use was contemplated within the meaning of data processing as it is expected that every processing of data should end with the use of such data. With that being said, it is noteworthy that there are no explicit provisions on how data should be used, exploited or adapted in Nigeria. This largely varies from what obtains in the United States where there are sector-based legislation providing for how specific type of data can be used- the Health Insurance Portability and Accountability Act governs how health information can be used), the Gramm-Leach-Bliley Act regulates how financial institutions handle non-public personal information, and the Children’s Online Privacy Protection Act restricts how online services and websites can use data collected from children under the age of 13.
In Nigeria, the NDPA and NDPR makes provisions laying down the guiding principles for data protection of data subjects. Hence, when the data of a person is obtained by a data processor, such data must be processed in a fair, lawful and transparent manner; collected for specified, explicit, and legitimate purposes for which the personal data was collected or further processed; retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed; must remain accurate, complete and not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.
Additionally, section 25 of the NDPA provides that data can be used where it is necessary- for the performance of a contract of which the data subject is a party to; for compliance with a legal obligation; to protect the vital interest of the data subject or another person; for the performance of a task carried out in the public interest or in exercise of official authority vested in the data controller/data processor; for legitimate purposes pursued by the data controller/processor. Regulation 2.3 provides that no data shall be obtained except the specific purpose of collection is made known to the data subject. Regulation 2.4 provides that no consent shall be sought, given or accepted in any circumstance that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts. Implicitly, data cannot be obtained for use in the preceding circumstances. Emphatically, before data is being collected, the data collector must inform the data subject of amongst others, the purpose of collection of personal data , the technical methods used to collect and store personal information, cookies, JWT, web tokens, etc And where such data is to be transferred to a foreign country, such transfer must be done under the supervision of the Honourable Attorney General of the Federation bearing exceptions5.
Registration of Data Controllers/Data Processor in Nigeria.
The NDPA requires data controllers or data processors of major importance to register with the NDPC. The NDPA defines a Data Controller as an individual, private entity, public commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data. While the NDPA went further to define a Data Controller or Data processor of major importance as a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate. The requirements for registration are explicitly provided in Section 44 (2) NDPA. Such data controllers are required to register with the Nigeria Data Protection Commission by notifying the NDPC of the name and address of the data controller, description of the personal data and categories and number of data subjects to which the personal data relate; the purposes for which personal data is processed; the categories of recipients to whom the data controller intends or is likely to disclose personal data; the name and address of any representative of any data processor operating directly or on its behalf.However, the NDPC may exempt a class of data controllers or data processors of major importance from registration requirements where the NDPC considers such requirement to be unnecessary or disproportionate. Compliance and EnforcementWhere an aggrieved person has suffered a data privacy breach, such person can obtain compliance orders under Section 47 and 48 of the NDPA.
