Tuesday 6 September 2016

DATA & PRIVACY LAWS IN NIGERIA


By David Oluranti 

This is a two-part article which highlights various relevant regulations and laws within the Nigerian legal framework which help to ensure the sanctity of private personal data and information usage within public domains.

Aside from Section 37 of the Nigerian Constitution (1999), which provides that "The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected", there is currently no one comprehensive data privacy or personal information protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals and citizens.

This is sad, and calls have been made to the Nigerian legislature for the passing of a law dealing specifically with issues of data privacy and the protection of the Nigerian citizen's private information and details.

Given current technological trends all over the world and their adaptation within Nigeria, it is clear that Section 37 of the Nigerian Constitution, as a stand-alone right without strict rules of engagement on how these rights can be protected and exercised, is no longer enough protection for citizens.

Unknown to many Nigerians (both individuals and a few corporate entities), industry-specific regulations, rules of professional conduct and case law exist which provide privacy-related protections for Nigerian citizens. These are examined below:

A. INDUSTRY SPECIFIC REGULATIONS:

1. The Consumer Code of Practice Regulations 2007: This code of practice is issued by the Nigerian Communications Commission (NCC), which is the body charged with the regulation of the communications industry in Nigeria.

The NCC code provides that all licensees (all Telecommunication service providers) must take reasonable steps to protect customer information against "improper or accidental disclosure" and must ensure that such information is securely stored.

It also provides further that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.

Note that the application of the NCC Regulations is not restricted to Nigerian citizens alone; the regulation applies to customer information relating to customers of any nationality that use a licensee’s network. This draws a certain similarity with Section 3 of the South African POPI Act, which states that the application of the POPI Act will cover not only situations where the responsible party is domiciled in South Africa but also where the responsible party is not domiciled in the Republic, but makes use of automated or non-automated means in the Republic.

Unfortunately, however, this Consumer Code of Practice is only industry-specific and does not apply outside of the Nigerian communications industry.

2. NITDA GUIDELINES: The National Information Technology Development Agency (NITDA) is the national authority that is responsible for planning, developing and promoting the use of information technology in Nigeria.

NITDA, in performing this duty, issues guidelines which prescribe the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information. This is currently the only set of regulations that contains specific and detailed provisions on the protection, storage, transfer or treatment of personal data in Nigeria.

The guidelines regulate all organizations or persons that control, collect, store and process personal data of Nigeria residents within and outside Nigeria, for the protection of a specific category of data commonly known as Personal Data or Object Identifiable Information (OII).

The NITDA guidelines define “personal data” as: “any information relating to an identified or identifiable natural person (data subject); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”

Data controllers (defined as persons which, alone or jointly with others, determine the purposes and means of the processing of personal data) are obliged to prevent any transfer of data to any country that does not ensure an adequate level of protection within the prescribed context of the NITDA Guidelines.

The NITDA Guidelines also prescribe that in determining the adequacy of the level of protection afforded by another country in relation to the transfer of data, consideration must be given to the nature of the data, the purpose and duration of the proposed processing operation(s), the rules of law, both general and sectorial, in force in the receiving country in question and the professional rules and security measures which are complied with in that country, which should not be lower than the content of the Guidelines.

Notably, Section 2.1(2) of the NITDA guidelines recommends that processing of all data collected shall not take place without the consent of the data subject, i.e. the Nigerian citizen so concerned.

It should be noted that while the NITDA guidelines are currently the most comprehensive body of regulations on data privacy and processing in Nigeria, unfortunately the guidelines only apply to federal, state and local government agencies and institutions as well as private sector organisations that own, use or deploy information systems of the Federal Republic of Nigeria.

They also apply to organisations based outside Nigeria if such organisations process personal data of Nigerian residents, but are not mandatory for private companies involved in data processing and can only serve as a point of reference for such private data collectors with respect to the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls of personal data.

3. The Nigerian Telecommunications Commission RTS Regulation 2011: The Nigerian Telecommunications Commission is the Nigerian telecommunications sector regulator, charged with oversight functions on the industry. In line with this duty, it issued the Registration of Telephone Subscribers Regulation (RTS Regulation) in 2011.

The regulation attempts some protection of the data collected, collated, retained and managed by telecommunication companies operating in Nigeria and independent registration agents in view of their obligations to collate and retain data of subscribers under the Regulation.

As such, Section 11 of the RTS Regulation 2011 titled “Data Protection” states as follows:

“(1) in furtherance of the rights guaranteed by virtue of section 37 of the Constitution of the Federal Republic of Nigeria 1999 and subject to any reasonable guidelines, terms and conditions that may from time to time be issued by either the Commission or License, any Subscriber whose Personal Information is stored in the Central Database, shall be entitled to view the said information and to request updates and amendments thereto.

(2) The Subscriber information contained in the Central Database shall be held on a strictly confidential basis and no persons or entities shall be allowed access to any Subscriber information in the Central Database, except as provided in paragraph 1 above and in paragraph 5 of section 10 of these regulations or by any Act of the National Assembly. Licensees, Independent Registration Agents, and Subscriber Registration Solution Providers shall not under any circumstance, retain, deal in or make copies of any Subscriber Information or store in whatever form any copies of the Subscriber Information for any purpose other than as stipulated in these Regulations or an Act of the National Assembly.”

Section 11(4) of the Regulation states that Licensees shall utilize Personal Information pursuant to the regulations, solely for their operations and in accordance with the provisions of Part V of the General Consumer code Practice for Telecommunications Services and any other instruments of the Commission or any Act of the National Assembly issued from time to time to regulate the specific purposes for which the Personal Information may be used, while Section 11(7) provides a blanket rule that the subscribers’ information shall not be transferred outside the Federal Republic of Nigeria, much unlike under the NITDA guidelines.

The General Consumer code Practice for Telecommunications Services referred to above in the RTS Regulation 2011 also sets out certain data protection mechanisms for consumers of telecommunication services in Nigeria.

Specifically, Section 35 of the General Consumer Code Practice for Telecommunications Services provides that a Licensee may collect and maintain information on individual consumers reasonably required for its business purposes.

However, information so collected and maintained on individual Consumers shall be:

(a) Fairly and lawfully collected and processed;

(b) Processed for limited and identified purposes;

(c) Relevant and not excessive;

(d) Accurate;

(e) Not kept longer than necessary;

(f) Processed in accordance with the Consumer’s other rights;

(g) Protected against improper or accidental disclosure; and

(h) Not transferred to any party except as permitted by any terms and conditions agreed with the Consumer, as permitted by any permission or approval of the Commission, or as otherwise permitted or required by other applicable laws or regulations.

A Licensee is required under Section 35 (2) of the code to meet generally accepted fair information principles including:

(a) Providing notice as to the individual Consumer information they collect and its use or disclosure;

(b) The choices Consumers have with regard to the collection, use, and disclosure of that information;

(c) The access Consumers have to that information, including to ensure its accuracy; and

(d) The security measures taken to protect the information and the enforcement and redress mechanisms that are in place to remedy any failure to observe these measures.

Please note that these rules apply to individual Consumer information whether initially provided verbally or in written form, so long as that information is retained by the Licensee in any recorded form.

It is unfortunate to note that failure of Licensees, Independent Registration Agents or any such other entities to comply with the data protection provisions of the Regulation is only treated as a breach of the regulations. The penalty for non-compliance is a fine which could range from N200,000 – N1,000,000 and perhaps forfeiture of the commercial benefit derived from the unauthorized use of such Subscriber Information. The Regulations do not treat such breach of the data protection measures as a violation of the individual subscriber’s right to privacy, which is actionable at the instance of the affected Subscriber. Undoubtedly, this diminishes the potency of the data protection provision of the RTS regulation 2011 and renders it nugatory.

In the same vein, the provisions of the Consumer Codes can only be enforced in accordance with the “Administrative Fines” set out in Chapter IV of the Nigerian Communications’ (Enforcement Process) Regulation 2005. The administrative fine against such an erring Licensee is a paltry sum of N500,000 and a further sum of N500,000 per day after the expiration of the notice for as long as the contravention persists.

The above positions reflect the neglect shown towards Data Privacy and Personal Information regulation in Nigeria. An ideal data protection law should be created that guarantees the right of citizens to seek adequate redress in Court for any breach occasioned by an act or omission of operators in the sector, including the Commission itself.

To be continued...
