- ABSTRACT
Recently, there has been a growing interest in both the public and private sectors in collecting, using, and sharing data for various commercial and governmental purposes. Individual efforts to protect personal data are no longer adequate. Consequently, it has become the government's responsibility to ensure the privacy and protection of personal information and data. Over the past 40 to 50 years, there has been significant progress globally and nationally in this area, including the widespread adoption of national, sub-national, and international legislation, the development of rights-based legal frameworks, and the implementation of numerous regulatory initiatives and practical measures to safeguard 'personal data' or 'personally identifiable information.'
1.0 INTRODUCTION
In Nigeria, data privacy is predicated on the individual’s right to privacy and personal life. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria provides that “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” Despite having a pride of place in the Constitution, this is one right which has not received much legal attention. Considering the myriad of our national challenges and the level of citizens’ education, one may be tempted to conclude that Nigerians do not attach much importance to the privacy and protection of their data. But this is not essentially so.
Modern computing technologies and the internet have generated the capacity to gather, manipulate, and share massive quantities of personal data. Computers today track our telephone calls, credit-card spending, plane flights, educational and employment records, medical histories, and more. Someone with access to this information could piece together a coherent picture of our lives. The shibboleth – ‘Information rules the world’ entails that personal information is an important currency in the new millennium; sometimes worthless to individual owners but invaluable to government and private entities who have spawn them into a booming trade. Personal data is a commodity which can be owned, transferred and traded for value. Many people fear the loss of their privacy in a computerized “Naked Society”. Individual who own this information (also called Data subjects) thus have a right to protect its collection, storage and use. The aim is to keep such information private and regulate its use.
DATA PRIVACY LAWS IN NIGERIA
1.1 NIGERIA DATA PROTECTION ACT 2023
The principal data protection legislation in Nigeria is the Nigeria Data Protection Act 2023 (“NDPA”) which was signed into law by President Bola Ahmed Tinubu on 12th June 2023.
The Act provides, among others, for governing framework for processing personal data; rights of a data subject; data security; cross-border transfer of personal data; requirements for data controllers and data processors of major importance; compliance, infringements, penalties, and dispute resolution; and the establishment of the Nigeria Data Protection Commission (the “Commission”), as an independent body to superintend and regulate data protection matters, and enforce compliance with the provisions of the Act.
The NDPA defines “Personal Data” as any information relating to an individual, who can be identified or is identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.
The Act defines a “data processor” as an individual, private entity, public authority, or any other body, who processes personal data on behalf of, or at the direction of, a data controller or another data processor. It also defines a “data controller” as an individual, private entity, public commission, agency, or any other body who (alone or jointly with others) determines the purposes and means of processing of personal data.
The Act also defines “sensitive personal data” as personal data relating to an individual’s (a) genetic and biometric data, for the purpose of uniquely identifying a natural person; (b) race or ethnic origin; (c) religious or similar beliefs, such as those reflecting conscience or philosophy; (d) health status; (e) sex life; (f) political opinions or affiliations; (g) trade union memberships; or (h) other information which may be prescribed by the Commission as sensitive personal data.
AIM OF THE NIGERIAN DATA PROTECTION ACT
- protect the rights of data subjects by ensuring that personal data is processed in a fair, lawful and accountable manner;
- promote data processing practices in Nigeria that guarantee the security of personal data and ensure the privacy of data subjects;
- provide the legal framework for regulating and safeguarding personal data, and the means of recourse and remedies where the rights of data subjects have been breached;
- ensure that data controllers and data processors fulfil their obligations to data subjects;
- safeguard data subjects’ fundamental and constitutional rights, freedom and interests, and establish an impartial, independent and effective regulatory body to supervise data controllers and data processors and superintend over data protection and privacy issues; and
- strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through beneficial and trusted use of personal data.
1.2 THE CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA 1999 (AS AMENDED).
The Constitution of the Federal Republic of Nigeria in section 37 makes the right to privacy fundamental. That section provides thus, “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
This precise protection is apt and encompassing. The privacy of citizens extends to patients, encompassing their personal information and their health data. The Nigerian Data Protection Act, 2023 underscoring the importance of a patient’s data as it relates to health, demarcated personal data from sensitive personal data and safely designated matters pertaining to health as sensitive personal data. The Constitution by enshrining the right to privacy in section 37 extended this protection to patient’s privacy and made the breach of a patient’s right to privacy a constitutional matter.
1.3 THE NATIONAL HEALTH ACT 2014.
Another relevant statute that critically expanded and protected the patient’s right to privacy is the National Health Act. Section 26(1) of the National Health Act makes it mandatory for health care workers to maintain a patient’s privacy. This is important as most breaches to patients’ privacy is often committed in the first instance by health care workers.
Section 27 allows for exceptions in cases where the patient’s private data may be disclosed outside the scope allowed in Section 26. It provides for disclosure where same is in the principal interest of the patient.
Section 29 comprehensively provides for the protection of the patient’s records. It places the onus on the person in charge of the health institution to have a leak-proof and protected storage system to store the data of the patient. The penalty for failure to adhere by the above provision is a fine of N 250,000 or imprisonment for a term of 2 years or both. Apart from the above duty to provide a leak-proof storage system for patients’ data, the Act also provides other duties which the person in charge of the health institution must comply with:
These other duties include:
(a) duty not to falsify or allow to be falsified any record by adding to or deleting or changing any information contained in the record;
(c) duty not to create, change, or destroy a record without authority to do so;
(d) duty to create or change a record when properly required to do so;
(e) duty not to provide false information with the intent that it be included in a record;
(f) duty not to copy without authority, any part of a record;
(g) duty not to, without authority, connect the personal identification elements of a patient’s record with any element of that record that concerns the patient’s condition, treatment or history;
(h) duty to avoid unauthorized access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another;
1.4 HIV AND AIDS (ANTI-DISCRIMINATORY ACT), 2024
This article will be incomplete if this critical legislation is not considered. Despite its brevity at only 18 pages with 31 sections and 4 parts, this legislation is a significant relief for patients and individuals living with HIV/AIDS.
While the Act’s main objectives as encapsulated in section 1 is to eliminate any form of discrimination against HIV patients, foster a supportive environment for HIV patients, establish a safe and enabling working and learning environment for HIV patients, the Act’s focus is to eradicate all forms of stigmatization and to ensure the protection of the HIV Patient’s status and rights.
In the above regard, Section 2 of the Act stipulates the scope of the Act’s applicability. This includes all employers of labour and employees in the public and private sectors including the Armed Forces, Nigeria Police, etc. While section 3 outrightly prohibits the stigmatization of HIV Patients section 8 prohibits the compulsory request to disclose status before accessing any public or privately delivered services, employment and any other opportunity. In essence, any request to disclose status is declared an outright breach of privacy and is declared illegal. The exemption is 8 (2) which provides that in a relationship whether marital or co-habitual, a partner has the right to be informed of the other partner’s status.
Section 9 further prohibits compulsory HIV test for employment or educational purposes. However, this may be waived with respect to an employment if 2 competent medical practitioners working independently certify to a Court that failure to take such test constitutes a clear danger of HIV transmission to others. The Act further makes it clear that such testing shall be carried out with the informed consent of subject and be guided by national guidelines on confidentiality and counselling. However, subsection 5 in a rather different twist insists that it shall not be unlawful for an employer to demand medical test for fitness for work and any other responsibility as provided in any existing law. The intendment, on a whole, may be to allow employers a free hand to be able to conduct their own medical test to ascertain the suitability of a person medically for their job role, especially in physically tasking employment. Notwithstanding the foregoing, the Act can be invoked where this testing is strictly to determine the HIV status of a person without a resort to the requirements of section 9 (1) above on the double certification to the Court.
Also instructive are sections 11 and 13 respectively which provide that no person shall disclose a patient’s HIV status to a 3rd party except with the consent of the patient or where same is required by law, and that all persons living with HIV or affected by AIDS shall have the right to the protection of their health and medical records. Section 13 (2) prescribes the penalty for the breach of the confidentiality of a patient’s privacy in this regard. It stipulates a fine of N. 500,000 for an individual and N 1million for an institution or for a term of imprisonment not exceeding 2 years or both fine and imprisonment.
CONCLUSION
Therefore, it can be stated that as Nigeria further progresses in the growth of digital economy, it cannot overemphasize the need for strong Data Privacy laws. While there is already an existing framework that the Nigeria Data Protection Regulation (NDPR), there are still further points that should be worked out to bring the level of safety for personal data to another level. Therefore, as the global practices of data protection continues to develop, it is high time Nigeria reviews, improves on its legal frameworks, steps up the implementation process and educates the public. This way the country will protect the rights of its citizens and the population will also have confidence in the digital assets thereby enhancing the economic growth of the nation and an innovation tech growth due to the current advances in the field of data.
REFERENCES
1. Privacy and Data Protection Law in Nigeria is a book written by Olumide Babalola and published in 2021 by Noetico Repertum Inc
3. https://clplegal.com.ng/the-patients-right-to-privacy-in-the-digital-age-by-emmanuel-jonathan-2/