The principal legislation governing the protection of data in Nigeria is the Nigeria Data Protection Regulation 2019 (“NDPR”). The NDPR was issued pursuant to Section 32 of the NITDA Act 2007, as subsidiary legislation to that Act. The NITDA Act establishes the National Information Technology Development Agency (NITDA), the official Government body that develops and regulates information technology in Nigeria.
Other laws that affect data protection in Nigeria include:
- The Constitution of the Federal Republic of Nigeria, 1999 (as amended);
- The Nigerian Communications Commission (NCC) Act, 2003;
- The Cybercrime (Prohibition, Prevention, etc) Act 2015;
- The Freedom of Information Act 2011;
- The National Identity Management Commission (“NIMC”) Act 2007;
- The Child’s Right Act 2003; and
- The HIV and AIDS (Anti-Discrimination) Act 2014.
The NDPR defines key terminologies of data protection such as personal data, data processing, data controller, data subject, sensitive personal data, data breach, data subject access request, data portability, third party and consent.
Key principles apply to the processing of personal data. These principles include:
- Lawful basis for processing;
- Purpose limitation;
- Data minimization;
- Retention; and
- Data security.
A data controller is defined by the NDPR as a person who either alone, jointly with other persons or in common with other persons or a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed. The NDPR provides that a data controller who processes the personal data of more than two thousand (2000) data subjects in a period of 12 months shall submit a summary of its data protection audit to NITDA not later than the 15th of March of the following year.
Individuals also have certain rights in relation to the processing of their personal data. These rights include:
- The right to their data or copies of their personal data
- The right to rectify errors in their personal data
- The right to object to the processing of their personal data
- The right to have their personal data transferred to them in a portable form
- The right to have their personal data deleted or erased
- The right to restrict the processing of their personal data
- The right to object to their personal data being processed for marketing purposes
- The right to withdraw consent to the processing of their personal information, where such consent had been given
- The right to complain to the relevant data protection authority in cases of breach and also seek redress
- The right to receive their data in a machine-readable format
- The right to receive information relating to their personal data free of charge.
The authorities responsible for data protection in Nigeria are the NITDA, the NCC, the NIMC, the CBN and the Federal Ministry of Health.
We hope that you find this paper useful. Please do not hesitate to let us know if there is any aspect of this paper that requires clarification.