by David Oluranti
This is a two-part article which highlights various relevant regulations and laws that help to ensure the sanctity of personal data and information usage within public domains.
Aside section 37 of the Nigerian Constitution (1999) which provides that “[t]he privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”, there is currently no comprehensive data privacy or personal information protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals and citizens. This is unfortunate.
This calls for the passing of a law dealing specifically with issues of data privacy and the protection of the Nigerian citizen’s private information. Though details of such required law have been made to the Nigerian legislature, there has been no development in this regard.
Given current technological trends the world over and the level at which these trends are being adopted in Nigeria, section 37 of the Nigerian Constitution—as a stand-alone right without strict rules of engagement on how the right can be protected and exercised—is no longer enough protection for citizens.
Unknown to many Nigerians (both individuals and a few corporate entities), industry-specific regulations, rules of professional conduct, and case law exist which provide privacy-related protections for Nigerian citizens. These are examined below;
- Industry Specific Regulation
a. The Consumer Code of Practice Regulations 2007: This code of practice is issued by the Nigerian Communications Commission (NCC), the body charged with the regulation of the communications industry in Nigeria.
The NCC Code provides that all licensees (all telecommunication service providers) must take reasonable steps to protect customer information against “improper or accidental disclosure” and must ensure that such information is securely stored.
It also provides that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.
Note that the application of the NCC Regulations is not restricted to Nigerian citizens alone, The regulations apply to customer information relating to customers of any nationality that use a licensee’s network, drawing a certain similarity with the section 3 of the South African Protection of Personal Information Act (POPI Act). The POPI Act states that the application of the Act will cover not only situations where the responsible party is domiciled in South Africa but also where the responsible party is not domiciled in the Republic, but makes use of automated or non-automated means in the Republic.
Unfortunately, this Consumer Code of Practice is only industry specific and does not apply outside of the Nigerian communications industry.
b. NITDA Guidelines: The National Information Technology Development Agency (NITDA) is the national authority that is responsible for planning, developing, and promoting the use of information technology in Nigeria.
NITDA, in performing this duty, issues guidelines which prescribe the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information. The Guidelines is currently the only set of regulations that contains specific and detailed provisions on the protection, storage, transfer, or treatment of personal data in Nigeria.
The Guidelines regulate all organizations or persons that control, collect, store and process personal data of Nigeria residents within and outside Nigeria for protecting of a specific category of data commonly known as Personal Data or Object Identifiable Information (OII).
The NITDA Guidelines define personal data as “any information relating to an identified or identifiable natural person (data subject); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.
Data controllers (defined as persons which, alone or jointly with others, determine the purposes and means of the processing of personal data) are obliged to prevent any transfer of data to any country that does not ensure an adequate level of protection within the prescribed context of the NITDA Guidelines.
Apart from providing for data controllers, the NITDA Guidelines prescribe that in determining the adequacy of the level of protection afforded by another country in relation to the transfer of data, consideration must be given to the nature of the data, the purpose and duration of the proposed processing operation(s), the rules of law, both general and sectorial, in force in the receiving country in question, and the professional rules and security measures which are complied with in that country, which should not be lower than the content of the Guidelines.
Notably, section 2.1(2) of the NITDA Guidelines recommend that processing of all data collected shall not take place without the consent of the data subject i.e. the Nigerian citizen so concerned.
It should be noted that while the NITDA guidelines is currently the most comprehensive body of regulations on data privacy and processing in Nigeria, unfortunately the Guidelines only apply to federal, state, and local government agencies and institutions as well as private-sector organisations that own, use, or deploy information systems of the Federal Republic of Nigeria. Similarly unfortunate is that the NITDA Guidelines have remained a draft since 2013 and therefore is not presently operational.
It also applies to organisations based outside Nigeria if such organisations process personal data of Nigerian residents, but is not mandatory for private companies involved in data processing and can only serve as a point of reference for such private data collectors with respect to the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls of personal data.
c. The Nigerian Communications Commission RTS Regulation 2011: The Nigerian Communications Commission is charged with oversight functions on the telecommunications industry. In line with this duty, it issued the Registration of Telephone Subscribers Regulation (RTS Regulation) in 2011.
The Regulation attempts some protection of the data collected, collated, retained, and managed by telecommunication companies operating in Nigeria and independent registration agents in view of their obligations to collate and retain data of subscribers under the Regulation.
For the purpose above, section 11 of the RTS Regulation 2011, titled “Data Protection”, states as follows:
“(1) in furtherance of the rights guaranteed by virtue of section 37 of the Constitution of the Federal Republic of Nigeria 1999 and subject to any reasonable guidelines, terms and conditions that may from time to time be issued by either the Commission or License, any Subscriber whose Personal Information is stored in the Central Database, shall be entitled to view the said information and to request updates and amendments thereto.
(2) The Subscriber information contained in the Central Database shall be held on a strictly confidential basis and no persons or entities shall be allowed access to any Subscriber information in the Central Database, except as provided in paragraph 1 above and in paragraph 5 of section 10 of these regulations or by any Act of the National Assembly. Licensees, Independent Registration Agents, and Subscriber Registration Solution Providers shall not under any circumstance, retain, deal in or make copies of any Subscriber Information or store in whatever form any copies of the Subscriber Information for any purpose other than as stipulated in these Regulations or an Act of the National Assembly.
Further, section 11(4) of the Regulation states that licensees shall utilize personal information in accordance with the Regulations solely for their operations and in accordance with the provisions of Part V of the General Consumer Code Practice for Telecommunications Services and any other instruments of the Commission or any Act of the National Assembly issued from time to time to regulate the specific purposes for which the Personal Information may be used. Section 11(7) then provides a blanket rule that the subscribers’ information shall not be transferred outside the Federal Republic of Nigeria, unlike the requirement under the NITDA Guidelines.
The General Consumer Code Practice for Telecommunications Services referred to above in the RTS Regulation 2011 also set out certain data protection mechanism for consumers of telecommunication services in Nigeria.
Specifically, section 35 of the General Consumer Code Practice for Telecommunications Services provides that a licensee may collect and maintain information on individual consumers reasonably required for its business purposes.
But such collection and maintenance of information on individual consumers shall be-
(a) Fairly and lawfully collected and processed;
(b) Processed for limited and identified purposes;
(c) Relevant and not excessive;
(e) Not kept longer than necessary;
(f) Processed in accordance with the Consumer’s other rights;
(g) Protected against improper or accidental disclosure; and
(h) Not transferred to any party except as permitted by any terms and conditions agreed with the Consumer, as permitted by any permission or approval of the Commission, or as otherwise permitted or required by other applicable laws or regulations.
A licensee is required under section 35(2) of the Code to meet generally accepted fair information principles including:
(a) Providing notice as to that individual consumer information they collect and its use or disclosure;
(b) The choices consumers have with regard to the collection, use and, disclosure of that information;
(c) The access consumers have to that information, including to ensure its accuracy; and
(d) The security measures taken to protect the information and the enforcement and redress mechanisms that are in place to remedy any failure to observe these measures.
Please note that these rules apply to individual consumer information whether initially provided verbally or in written form, so long as that information is retained by the licensee in any recorded form.
It is unfortunate to note that failure of licensees, Independent Registration Agents, or any such other entities to comply with the data protection provisions of the Regulation are only treated as a breach of the Regulations. The penalty for noncompliance is a fine which could range from N200,000–N1,000,000 and perhaps forfeiture of the commercial benefit derived from the unauthorized use of such subscriber information. The Regulations do not treat such breach of the data protection measures as a violation of the individual subscriber’s right to privacy, which is actionable at the instance of the affected subscriber. Undoubtedly, this diminishes the potency of the data protection provision of the RTS regulation 2011 and renders it nugatory.
In the same vein, the provisions of the Consumer Codes can only be enforced in accordance with the “Administrative Fines” set out in Chapter IV of the Nigerian Communications’ (Enforcement Process) Regulation 2005. The administrative fine against such an erring Licensee is a paltry sum of N500,000 and a further sum of N500,000 per day after the expiration of the notice for as long as the contravention persists.
The above positions reflect the neglect shown towards data privacy and personal information regulation in Nigeria. An ideal data protection law should be created that guarantees the right of citizens to seek adequate redress in court for any breach occasioned by an act or omission of operators in the sector, including the Nigerian Communications Commission itself.
Disclaimer: This article is for general information only. It is not offered as advice on any particular matter, whether legal, procedural, or otherwise.
David Oluranti has an LL.M (International Trade and Economic Law) from Brunel University, Uxbridge London, 2011. David has years of experience working at the River State Ministry of Justice; Criminal Defense Solicitors, Temple London; the Immigration and Asylums Tribunal, London; London Probation, Hounslow London; Strachan Partners, Lagos; and presently at PriceWaterhouseCoopers, Lagos. Data protection law, cyber law, and information technology (IT) are just a few of his areas of competence. For more of his work, visit www.barfinals.com. David is reachable via email@example.com or +234(0)703 717 9275.
 Constitution of the Federal Republic of Nigeria (Promulgation) Act (as amended), Chapter C23, Laws of the Federation of Nigeria 2004
 Section 1.6 NITDA Guideline, Version 3.1, September 2013
 Section 2.1 NITDA Guidelines, Version 3.1, September 2013
 Section 2.1(4) NITDA Guidelines, Version 3.1, September 2013
 Note Similarity with Sections 17 & 18 of the POPI Act
 Note Similarity with Sections 19(1) of the POPI Act
 Note Similarity with Section 13(1) of the POPI Act
 Section 35(3) General Consumer Code Practice for Telecommunications Services
Featured Image source: Image source: Inforrm.wordpress.com