DLA Piper Intelligence

Data Protection
Laws of the World

Law

Nigeria

Nigeria does not have a comprehensive legislative framework on the protection of personal data. However, there are a few industry-specific and targeted laws and regulations that provide some privacy-related protections, which include:

  • The Constitution of the Federal Republic of Nigeria, 1999 (As Amended) ('the Constitution') which provides for the fundamental rights of its citizens and upholds the right of privacy as sacrosanct. Section 37 thereof provides for the guarantee and protection of the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications.
  • The Freedom of Information Act, 2011 ('FOI Act') which seeks to protect personal privacy. Section 14 of the FOI Act provides that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available. Also, Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc).
  • The Child Rights Act No. 26 of 2003 (the 'Child Rights Act') regulates the protection of children (persons under the age of 18 years). This Act limits access to information relating to children in certain circumstances.
  • The Consumer Code of Practice Regulations 2007 ('the NCC Regulations') issued by the regulator of the telecommunications industry in Nigeria, the Nigerian Communications Commission ('NCC'). The NCC Regulations provide that all licensees must take reasonable steps to protect customer information against improper or accidental disclosure, and must ensure that such information is securely stored and not kept longer than necessary. It also provides that customer information must not be transferred to any party except to the extent agreed with the Customer, as permitted or required by the NCC or other applicable laws or regulations.
  • In 2011, the NCC issued the Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011. Section 9 of the Regulation provides that subscribers’ information contained in the Central Database shall be held on a strict confidentiality basis and no person or entity shall be allowed access to any subscriber’s information that is on the Central Database except as prescribed by the Regulation. “Central Database” is defined in the Regulation to mean the subscriber information database, containing the biometric and other registration information of all Subscribers. Section 21 of the Regulation provides penal sanctions for violators.

  • The National Information Technology Development Agency ('NITDA'), which is the national authority responsible for planning, developing and promoting the use of information technology in Nigeria, and which issues the Guidelines on Data Protection ('NITDA Guidelines') pursuant to the NITDA Act 2007. The NITDA Guidelines prescribe guidelines for organisations that obtain and process personal data of Nigeria residents and citizens within and outside Nigeria for protecting such personal data. The NITDA Guidelines apply to federal, state and local government agencies and institutions as well as private sector organisations that own, use or deploy information systems within the Federal Republic of Nigeria.
  • The Cybercrimes (Prohibition, Prevention Etc) Act 2015 provides a legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria. The Act provides for the retention and protection of data by financial institutions, criminalizes the interception of electronic communications, etc.

The National Identity Management Commission (NIMC) is the body empowered to establish, operate and manage the National Identity Management System (NIMS), carry out the enrolment of citizens and legal residents as provided for in the Act, create and operate a National Identity Database, and issue Unique National Identification Numbers to qualified citizens and legal residents. Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information contained in the Database with respect to a registered individual entry without the authorization of the Commission. The Commission is, however, empowered to provide another person with information recorded in the individual’s entry in the Database without the individual’s consent where the provision of such information is in the interest of National Security, necessary for purposes connected with the prevention or detection of crime, or for any other purpose specified by the Commission in a regulation.

The Immigration Service is the body responsible for the modalities required for the entry and exit of persons within and outside Nigeria. The Immigration Act does not specifically provide for issues relating to data protection and privacy; however, its Privacy Policy deals with various subjects, including information sharing. The Policy states that personal information will not be used for commercial purposes or shared with individuals outside the Nigeria Immigration Services. However, personal information may be shared to prevent or detect fraud or technical issues; consent is obtained; there is a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law; a payment instrument has been used for payment and must be disclosed in order to process payment, such information must be given to the Immigration Service subsidiaries and affiliated companies for the purpose of processing personal information on behalf of the Immigration Service.

Last modified 26 Jan 2017
Definitions

Definition of personal data

The NITDA Guidelines define personal data as any information relating to an identified or identifiable natural person ('data subject'); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

The Registration of Telephone Subscribers Regulation 2011 provides that personal information refers to:

  • the full names (including mother’s maiden name)
  • gender
  • date of birth
  • residential address
  • nationality
  • state of origin
  • occupation and such other personal information
  • contact details of subscribers, as specified in the Registration Specifications.

Definition of sensitive personal data

The NITDA Guidelines define personal sensitive data as data relating to:

  • religious or other beliefs
  • sexual orientation
  • health
  • race
  • ethnicity
  • political views
  • trade union membership
  • criminal record.
Authority

There is no specific authority bestowed with the responsibility of the protection of data; however, sector-specific regulatory agencies, including NITDA, NCC, etc., provide services relating to the protection of data.

Registration

There is no requirement to register databases.

Data Protection Officers

The NITDA Guidelines provide that organisations should designate an employee as the Data Security Officer of that organisation whose duties shall include:

  • Ensuring that the organization adheres to the stated policies
  • Ensuring continued adherence to data protection and privacy policies and procedures
  • Ensuring that individual data is protected
  • Providing for effective oversight of the collection and use of individual information
  • Being responsible for effective data protection and management within that organization; and ensuring compliance with the privacy and data security policies
  • Training and education for employees to promote awareness of and compliance with the privacy and data security policies
  • Developing recommended practices and procedures to ensure compliance with the privacy and data security policies.
Collection & Processing

The collection and processing of personal data has to be done pursuant to the data subject’s consent or as specifically provided by law. The NITDA Guidelines establish the scope of permitted collection and processing of personal data.

Collection

1. Personal data should be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

2. Collection of personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, health or sex life can only be undertaken where:

  • the data subject has given unambiguous consent

  • the collection and processing is necessary for carrying out the obligations and specific function of the data controller in the field of employment

  • the collection and processing is necessary to protect the interest of the data subject or another person where the data subject is incapable of giving consent

  • the collection and processing relates to data which are manifestly made public by the data subject

  • the collection and processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body and on the condition that the processing relates solely to its members or persons who have regular contact with it in connection with its purposes

  • the collection and processing is necessary for the establishment, exercise or defence of legal claims.

3. Where data was not obtained from the data subject, the controller or third party should, at the time of recording the personal data or, if a disclosure to a third party is envisaged, no later than when the data are first disclosed, provide the data subject with the following information (except where the data subject already has it):

  • the identity of the controller and of the representative (if any)

  • the purposes of the processing

  • any further information such as:

    • the categories of data concerned
    • the recipients or categories of recipients
    • the existence of the mechanism for access to and the mechanism to rectify the data concerning the data subject.

Processing

1. Personal data may be processed only if the data subject has given unambiguous consent and the processing is:

  • necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

  • necessary for compliance with a legal obligation to which the controller is subject

  • necessary to protect the interest of the data subject

  • necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or third party to whom the data are disclosed

  • required for the purposes of management of health-care services subject to professional secrecy

  • related to offences or criminal convictions

  • necessary for legitimate interests pursued by the data controller or third party or parties to whom the data are disclosed, save where such interests are overridden by the interests or privacy of the data subject.

2. A complete register of criminal convictions is to be kept only under the control of official authority. Data relating to administrative sanctions or judgments in civil cases are to be processed under the control of official authority.

3. Every data subject shall be able to obtain from the controller without constraint at reasonable intervals and without excessive delay or expense:

  • confirmation as to whether or not data relating to the data subject are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed

  • communication to the data subject in an intelligible form of the data undergoing processing and of any available information as to their source

  • knowledge of the logic involved in any automatic processing of data concerning the data subject, at least in the case of automated decisions

  • rectification, erasure or blocking of data which does not comply with the provisions of the NITDA guidelines, in particular because of the incomplete or inaccurate nature of the data

  • notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with these guidelines.
Transfer

The NCC Regulations provide that customer information must not be transferred to any party except to the extent agreed with the Customer, as permitted or required by the NCC or other applicable laws or regulations.

The NITDA Guidelines provide that personal data must not be transferred outside Nigeria unless adequate provisions are in place for its protection and where the controller finds that any country does not ensure an adequate level of protection of such personal data within the requirements of the Guidelines, the controller must prevent any transfer of data to the country in question. It further states that the following must be considered if a requirement exists to send or transfer data outside Nigeria:

  • if the receiving country has adequate data protection legislation equivalent to that of Nigeria
  • if it is necessary to send the data as part of the fulfilment of a contract
  • if the data subject has consented
  • if the data is being processed outside Nigeria by another office of the same firm which is established within Nigeria
  • if there is a contract in place between the data controller and the receiving organisation which provides for the adequate protection of personal data.

The Registration of Telephone Subscribers ('RTS') Regulations make it mandatory for subscribers’ information not to be transferred outside Nigeria.

Security

To ensure the security of the data, the NITDA Guidelines provide that the data controller should implement technical and organizational measures to secure personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. 

Breach Notification

As far as we know, there is no mandatory legal requirement to report data security breaches or losses to the authorities or to data subjects.

Mandatory breach notification

Comments are the same as above.

Enforcement

Under the NCC Regulations, any licensee that contravenes any of the provisions of the Regulations would be in breach and would be liable to such fines, sanctions or penalties as may be determined by the Commission from time to time.

A breach of the NITDA Guidelines, which were made pursuant to the NITDA Act 2007, would be considered a breach of the NITDA Act.

Electronic Marketing

The NCC Regulations on Consumer Code of Practice provide that no Licensee shall engage in unsolicited telemarketing unless it discloses:

  • at the beginning of the communication, the identity of the Licensee or other person on whose behalf it is made and the precise purpose of the communication

  • during the communication, the full price of any product or service that is the subject of the communication

  • that the person receiving the communication shall have an absolute right to cancel the agreement for purchase, lease or other supply of any product or service within seven (7) days of the communication, by calling a specific telephone number (without any charge, and that the Licensee shall specifically identify during the communication) unless the product or service has by that time been supplied to and used by the person receiving the communication.

Licensees are also required to conduct telemarketing in accordance with any 'call' or 'do not call' preferences recorded by the Consumer, at the time of entering into a contract for services or after, and in accordance with any other rules or guidelines issued by the Commission or any other competent authority.

The NCC Legal Guidelines for Internet Service Providers (ISP) provide that Commercial Communications ISPs must take reasonable steps to promote compliance with the following requirements for commercial email or other commercial communications transmitted using the ISP’s services:

  • the communication must be clearly identified as a commercial communication
  • the person or entity on whose behalf the communication is being sent must be clearly identified
  • the conditions to be fulfilled in order to qualify for any promotional offers, including discounts, rebates or gifts, must be clearly stated
  • promotional contests or games must be identified as such, and the rules and conditions to participate must be clearly stated
  • persons transmitting unsolicited commercial communications must take account of any written request from recipients to be removed from mailing lists, including by means of public “opt-out registers” in which people who wish to avoid unsolicited commercial communications are identified.

The Nigerian Code of Advertising Practice Sales Promotion and other Rights/Restrictions on Practice provides that:

  • All advertising and marketing communications directed to the Nigerian market using internet and other electronic media are subject to the laws regulating advertising practice in Nigeria.
  • Without prejudice to any other restrictions or obligations imposed by the Act or under the code on advertising, all advertisements directed towards the Nigerian market using the Internet or any other electronic media must comply with the following requirements:

    • The commercial nature of the communication must not be concealed or misleading, it should be made clear in the subject header.

    • There should be clarity of the terms of the offer and devices should not be used to conceal or obscure any material factor such as: the price or other sale conditions likely to influence the customers’ decision.

    • There should be clarity as to the procedure for concluding a contract.

    • Due recognition must be given to the standards of acceptable commercial behavior held by public groups before the posting of marketing communications to such groups using electronic media.

    • Unsolicited messages should not be sent except where there are reasonable grounds to believe that the consumers who received such communications will be interested in the subject matter or offer.

    • All marketing communications sent via electronic media should include a clear and transparent mechanism enabling the consumer to express the wish not to receive future solicitations.
  • In addition to respecting the consumer’s preferences, expressed either directly to the sender or through participation in a preference service programme, care should be taken to ensure that neither the marketing communication itself, nor any application used to enable consumers to open other marketing or advertising messages, interferes with the consumer’s normal usage of electronic media.
Online Privacy

The established rights of privacy (as guaranteed by the Constitution) apply equally to electronic media, such as mobile devices and the Internet, so violations of these rights may be subject to civil enforcement. Furthermore, the Cybercrimes (Prohibition, Prevention Etc) Act promotes cybersecurity and protects electronic communications and privacy rights.

Contacts
Uwa Ohiku
Managing Partner
T (234) 01 461 7379 (234) 01 462 6842