DLA Piper Intelligence

Data Protection
Laws of the World

Law

Zimbabwe

Access to Information and Protection of Privacy Act (Chapter 10:27);

Banking Act (Chapter 24:20);

Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04);

Consumer Protection Act (Chapter 14:44);

Census and Statistics Act (Chapter 10:29);

Cyber and Data Protection Act (Chapter 12:07);

Interception of Communications Act (Chapter 11:20);

National Registration Act (Chapter 10:17); and

Information and Communication Technology Policy (“ICT Policy”).

Last modified 22 Jan 2024
Nigeria

Principal regulation

Data Protection Act

The Act was enacted to safeguard the fundamental rights, freedoms and interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria. Among other things, the objectives of the Act include: the protection of personal information; establishing the Nigeria Data Protection Commission to regulate the processing of personal information; promoting data processing practices that safeguard the security of personal data and the privacy of data subjects; protecting data subjects’ rights and providing means of recourse and remedies in the event of a breach of those rights; and strengthening the legal foundations of the national digital economy and guaranteeing Nigeria’s participation in the regional and global economies through the beneficial and trusted use of personal data. The Data Protection Act received Presidential assent on 13 June 2023.

Subsidiary legislation

Nigeria Data Protection Regulation

The personal and territorial scope of the NDPR is defined by citizenship and physical presence. It applies to residents of Nigeria, as well as Nigerian citizens abroad. The NDPR provides legal safeguards for the processing of personal data. Under the NDPR, Personal Data must be processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject.

Implementation Framework for the Nigeria Data Protection Regulation

The Framework builds on the NDPR to ensure a tailored implementation of the data protection regime in Nigeria. It serves as a guide to data controllers and administrators / processors to understand the standards required for compliance within their organisations. The Framework is to be read in conjunction with the NDPR and does not supersede the NDPR.

Guidelines for the Management of Personal Data by Public Institutions in Nigeria

The Guidelines apply to all public institutions (PIs) in Nigeria, including ministries, departments, agencies, institutions, public corporations, publicly funded ventures, and incorporated entities with government shareholding, at the Federal, State or Local level, that process the personal data of a data subject. The Guidelines require all PIs to protect personal data in every instance of processing. Processing in this context has the same meaning as under the NDPR. All personal data of a Nigerian citizen, resident or non-Nigerian individual who interacts with a PI, or to which a PI has access in furtherance of a statutory or administrative purpose, is to be protected in accordance with the NDPR or any other law or regulation in force in Nigeria.

Sectoral laws

In addition to the principal legislation mentioned, the Constitution of the Federal Republic of Nigeria and various sector-specific laws make different provisions for privacy and data protection matters. Key provisions in the mentioned laws are outlined hereunder:

The laws

Constitution of the Federal Republic of Nigeria 1999 (As Amended)

The Nigerian Constitution provides Nigerian citizens with a fundamental right to privacy. Section 37 of the Constitution guarantees privacy protections to citizens in their homes, correspondence, telephone conversations and telegraphic communications. The Constitution does not define the scope of “privacy” or contain detailed privacy provisions.

Child Rights Act 2003

The Child Rights Act 2003 reiterates the constitutional right to privacy as it relates to children. Section 8 of the Act guarantees a child’s right to privacy, subject to the right of parents or guardians to exercise supervision and control over the child’s conduct. Some Nigerian states have also enacted Child Rights Laws. Under the Act and these Laws, a child is any person under the age of 18.

Consumer Code of Practice Regulations 2007 (NCC Regulations)

The Nigerian Communications Commission (NCC) issued the NCC Regulations, which require all licensees to take reasonable steps to protect customer information against improper or accidental disclosure, and to ensure that such information is securely stored and not kept longer than necessary. The NCC Regulations further prohibit the transfer of customer information to any party except to the extent agreed with the customer, or as permitted or required by the NCC or other applicable laws or regulations.

Consumer Protection Framework 2016 (Framework)

The Consumer Protection Framework 2016 was enacted pursuant to the Central Bank of Nigeria Act 2007. The Framework includes provisions that prohibit financial institutions from disclosing customers’ personal information. The Framework further requires that financial institutions have appropriate data protection measures and staff training programs in place to prevent unauthorized access, alteration, disclosure, accidental loss or destruction of customer data. Financial services providers must obtain written consent from consumers before personal data is shared with a third party or used for promotional offers.

Credit Reporting Act 2017

The Credit Reporting Act establishes a legal and regulatory framework for credit reporting by Credit Bureaus. Section 5 of the Act requires Credit Bureaus to maintain credit information for at least 6 years from the date that such information is obtained, after which the information must be archived for a 10-year period prior to its destruction. Section 9 of the Act provides the rights of data subjects (i.e. persons whose credit data are held by a Credit Bureau) to privacy, confidentiality and protection of their credit information. Section 9 further prescribes conditions under which the credit information of the data subject may be disclosed.

Cybercrimes (Prohibition, Prevention Etc) Act 2015

The Cybercrimes (Prohibition, Prevention Etc) Act provides a legal and regulatory framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria. The Act requires financial institutions to retain and protect data, and criminalizes the interception of electronic communications.

Freedom of Information Act, 2011 (FOI Act)

The FOI Act seeks to protect personal privacy. Section 14 of the FOI Act provides that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available. Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc.).

National Identity Management Commission (NIMC) Act 2007

The NIMC Act creates the National Identity Management Commission (NIMC) to establish and manage a National Identity Management System (NIMS). The NIMC is responsible for enrolling citizens and legal residents, creating and operating a National Identity Database and issuing Unique National Identification Numbers to qualified citizens and legal residents. Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information in the Database with respect to a registered individual without authorization from the NIMC. The NIMC is empowered to provide a third party with information recorded in an individual’s Database entry without the individual’s consent, provided it is in the interest of National Security.

National Health (NH) Act 2014

The NH Act provides rights and obligations for health users and healthcare personnel. Under the NH Act, health establishments are required to maintain health records for every user of health services and maintain the confidentiality of such records. The NH Act further imposes restrictions on the disclosure of user information, and requires persons in charge of health establishments to set up control measures for preventing unauthorized access to information. The NH Act applies to all information relating to patient health status, treatment, admittance into a health establishment, and further applies to DNA samples collected by a health establishment.

Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011

Sections 9 and 10 of the Regulation provide for the confidentiality of telephone subscribers’ records maintained in the NCC’s central database. The Regulation further grants telephone subscribers a right to view and update, in camera, the personal information held about them in the central database of a telecommunications company.

Last modified 18 Jan 2024
Definitions

Definition of personal data

The Access to Information and Protection of Privacy Act defines personal information as recorded information about an identifiable person which includes: 

  • The person's name, address, or telephone number;
  • The person's race, national or ethnic origin, religious or political beliefs or associations;
  • The person's age, sex, sexual orientation, marital status, or family status;
  • An identifying number, symbol or other particulars assigned to that person;
  • Fingerprints, blood type or inheritable characteristics;
  • Information about a person's healthcare history, including a physical or mental disability;
  • Information about educational, financial, criminal or employment history;
  • A third party's opinions about the individual;
  • The individual's personal views or opinions (except if they are about someone else); and,
  • Personal correspondence with home or family.

Definition of sensitive personal data

No law uses the term “Sensitive Personal Data”. However, the Data Protection Act defines “sensitive data” as:

  • information or any opinion about an individual which reveals or contains the following:
    • racial or ethnic origin;
    • political opinions;
    • membership of a political association;
    • religious beliefs or affiliations;
    • philosophical beliefs;
    • membership of a professional or trade association;
    • membership of a trade union;
    • sex life;
    • criminal, educational, financial or employment history;
    • gender, age, marital status, or family status;
  • health information about an individual;
  • genetic information about an individual; or
  • any information which may be considered as presenting a major risk to the rights of the data subject.
Last modified 22 Jan 2024
Authority

In terms of the Data Protection Act, the Postal and Telecommunications Regulatory Authority, established under section 5 of the Postal and Telecommunications Act [Chapter 12:05], is the recognised National Data Protection Authority. The Authority is responsible for promoting and enforcing the fair processing of personal data and for advising the Minister of Information Communication Technology on matters relating to privacy rights. The Authority is mandated to conduct inquiries and investigations, either on its own initiative or at the request of any interested person, in relation to data protection rights.

The Data Protection Act also provides for the appointment of a data protection officer to ensure compliance with the obligations set out in the Act.

The Zimbabwe Media Commission’s mandate includes the following:

  • Ensures that the people of Zimbabwe have equitable and wide access to information;
  • Comments on the implications of proposed legislation or programs of public bodies on access to information and protection of privacy; and,
  • Comments on the implications of automated systems for collection, storage, analysis, or transfer of information or for the access to information or protection of privacy. 

The Revised ICT Policy proposes the establishment of a quasi-government entity to monitor Internet traffic. It states that all Internet gateways and infrastructure will be controlled by a single company, while a National Data Centre to support both public and high security services and information will be established.

Last modified 22 Jan 2024
Registration

There is no law that requires the registration of databases.

Last modified 22 Jan 2024
Data Protection Officers

In terms of the Data Protection Act, a Data Protection Officer is any individual appointed by the data controller and charged with ensuring, in an independent manner, compliance with the obligations provided for in the Act.

Last modified 22 Jan 2024
Collection & Processing

There is no specific provision requiring collectors of personal data to obtain the prior approval of data subjects for the processing of their personal data. However, when collecting data, the controller or the controller’s representative shall provide the data subject with at least the following information:

  • the name and address of the controller and of his or her representative, if any;
  • the purposes of the processing;
  • the existence of the right to object, on request and free of charge, to the intended processing of data relating to him or her, where the data is obtained for the purposes of direct marketing;
  • whether replying to the request for information is compulsory or not, and the consequences of a failure to reply;
  • taking into account the specific circumstances in which the data is collected, any further information necessary to ensure fair processing for the data subject, such as:
    • the recipients or categories of recipients of the data;
    • whether it is compulsory to reply, and the possible consequences of a failure to reply;
    • the existence of the right to access and to rectify the data relating to him or her, except where such further information, taking into account the specific circumstances in which the data is collected, is not necessary to guarantee accurate processing; and
  • other information dependent on the specific nature of the processing, as specified by the Authority.

For the purposes of processing, Section 13 of the Data Protection Act is instructive. Under that section, every data controller or data processor shall ensure that personal information is:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes; and
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

The Census and Statistics Act contains provisions which restrict the use and disclosure of information obtained during the conducting of a census exercise. Under this Act, authorities are able to collect, compile, analyse, and abstract statistical information relating to any of the following: 

  • Commercial
  • Industrial
  • Agricultural
  • Mining
  • Social
  • Economic
  • General activities and conditions of the inhabitants of Zimbabwe and to publish such statistical information
Last modified 22 Jan 2024
Transfer

The transfer of data to any other jurisdiction is governed by Part VII of the Data Protection Act, under sections 28 and 29.

In terms of Section 28 of the Data Protection Act:

  • a data controller may not transfer personal information about a data subject to a third party in a foreign country unless an adequate level of protection is ensured in the country of the recipient or within the recipient international organisation, and the data is transferred solely to allow tasks covered by the competence of the controller to be carried out;

  • the adequacy of the level of protection afforded by the third country or international organisation in question shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, with particular consideration given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the recipient third country or recipient international organisation, the data protection laws in force in that third country or international organisation, and the professional rules and security measures complied with there;

  • the Authority shall lay down the categories of processing operations for which, and the circumstances in which, the transfer of data to countries outside the Republic of Zimbabwe is not authorised; and

  • the Minister responsible for the Cyber Security and Monitoring Centre, in consultation with the Minister, may give directions on how to implement this section with respect to the transfer of personal information outside Zimbabwe.
Last modified 22 Jan 2024
Security

Section 18 of the Data Protection Act provides guidelines for the protection of data. It states that to safeguard the security, integrity and confidentiality of the data, the controller or his or her representative, if any, or the processor, shall take the appropriate technical and organisational measures that are necessary to protect data from negligent or unauthorised destruction, negligent loss, unauthorised alteration, or access and any other unauthorised processing of the data. 

The section further provides that the Data Protection Authority may issue appropriate standards relating to information security for all or certain categories of processing. Since the enactment of the Act, the Data Protection Authority has yet to issue any such standards.

The Revised ICT Policy states that appropriate security and legal systems for e-commerce will be developed, implemented and promoted, including in relation to cybersecurity, data protection and e-transactions. The Policy states that laws will be enacted to cater for intellectual property rights, data protection and security, freedom of access to information, and computer-related crime and cybercrime, covering:

  • data protection and privacy
  • intellectual property protection and copyright
  • consumer protection and
  • child online protection.
Last modified 22 Jan 2024
Breach Notification

Breach notification

Section 19 of the Data Protection Act places a duty on the data controller to notify the Authority “within twenty-four (24) hours” of any security breach affecting data he or she processes.

Mandatory breach notification

Section 19 of the Data Protection Act uses the word “shall” which makes it mandatory to notify the Authority within twenty-four (24) hours.

Last modified 22 Jan 2024
Enforcement

The Constitution mandates the Human Rights Commission (HRC) to enforce a citizen’s human rights where they have been violated. The right to privacy, including the right not to have the privacy of one’s communications infringed, is a basic human right and therefore falls within the purview of the HRC. In addition, the Cyber Security and Monitoring of Interceptions of Communications Centre (CSMICC), established by the Interception of Communications Act, is mandated to, among other things, monitor communications made over telecommunications, radio communications and postal systems and to give technical advice to service providers. The mandate of the CSMICC does not preclude it from monitoring computer-based data for the purpose of enforcing an individual’s right to privacy where that right is found to have been infringed.

Further, the CSMICC has a duty to oversee the enforcement of the Interception of Communications Act, to ensure that it is enforced reasonably and with due regard to fundamental human rights and freedoms.

Last modified 22 Jan 2024
Electronic Marketing

Zimbabwe recently enacted the Consumer Protection Act (Chapter 14:44) which has introduced several measures aimed at protecting consumers from unfair trade practices. 

The Consumer Protection Act does not make specific reference to electronic marketing; however, it provides certain guidelines on electronic transactions, the information to be provided by the service provider, a cooling-off period in electronic transactions, and unsolicited goods, services or communications.

Last modified 22 Jan 2024
Online Privacy

There is currently no specific online privacy legislation.

Last modified 22 Jan 2024
Contacts
Farai Nyabereka
Partner
Manokore Attorneys
T +263 4 746 787
Steve Chikengezha
Associate
Manokore Attorneys
T +263 773 376 633
Last modified 22 Jan 2024