
COVID-19 AND THE IMPORTANCE OF DATA PROTECTION – Amara Nnebedum

Introduction

International and national agencies have become more conscious of data protection, as a result of the grave consequences and dangers posed by data privacy violations in our data-driven world.

In 2018, the European Union first took giant steps to unify all European data protection laws into one single law known as the General Data Protection Regulation (GDPR). It stipulated measures for handling, processing, and control of personal data of European citizens globally.

The Nigeria Data Protection Regulation (NDPR)

In 2019, the National Information Technology Development Agency (NITDA), in the same vein, issued the Nigeria Data Protection Regulation (NDPR). The regulation sets out to safeguard the rights of individuals to data privacy; to ensure the safe conduct of transactions involving the exchange of personal data; and to prevent unauthorized and criminal use of personal data.[1] The NDPR seeks to protect the personal data of identified or identifiable natural persons, referred to as data subjects. Such personal data includes a name, photo, email address, bank details, medical information, computer Internet Protocol (IP) address and any other information specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Any person or organization that collects, processes, or stores such personal data in the course of its operations (data controller or processor) is charged with a duty of care. Amongst other things, the organization must ensure that personal data is collected and processed in accordance with specific, legitimate, and lawful purposes consented to by the Data Subject. It must also ensure that the data collected is secured against all foreseeable hazards and breaches such as theft, cyber-attack, dissemination, and manipulations of any kind.[2] Organizations are also mandated to conduct an audit of their privacy and data protection practices, submit a detailed audit report to NITDA,[3] and ensure continuous capacity building for their employees involved in any form of data processing. The NDPR made provisions for licensed Data Protection Compliance Organisations (DPCOs), who will assist organizations with audit, training, and data protection compliance consulting.

COVID-19 and Data Protection

In the context of data protection, it is crucial to note that the COVID-19 pandemic did not eradicate rights to privacy and data protection. These rights are still very much applicable and operative. Organizations are not relieved of the legal responsibilities of data protection. Now, more than ever, is the time to uphold the principles of privacy and data protection.

Indeed, the outbreak of COVID-19 and its development into a global pandemic have massively disrupted business processes and slowed down or halted business operations across industries. Organizations strive to sustain their business operations by adopting remote working strategies and online business processes. Organizations such as hospitals, media houses, and government agencies (like Nigeria Center for Disease Control) are operative and actively involved in gathering and disseminating information to help contain the virus. So long as these activities involve the collection and processing of personal data of an individual (name, health data, status, etc.), data protection comes into play.

As many organizations are encouraging or mandating employees to work remotely, it is essential to review remote working policies. It may also be necessary to perform a risk assessment where remote working or online services are likely to result in a high risk to the privacy rights and freedoms of individuals. For instance, where an organization introduces a different means of processing personal data (as in the case of remote working), it puts the personal data at a higher risk.

COVID-19 response activities reflect the need for data protection. As a result, data protection regulators across the world have emphasized data protection and have taken a commendable approach to data protection issues in these times. For instance, the European Data Protection Board (EDPB) released a statement on data protection in the context of COVID-19, stating that data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of data subjects.[4]

Also, the Information Commissioner’s Office (ICO) in the UK published guidelines for enforcement of data protection obligations during the COVID-19 pandemic. The ICO decided to adopt an “empathetic and pragmatic approach,” confirming that it will continue to recognize the rights and protections granted to people by the law, both around their personal information and their right to freedom of information, while still being flexible enough to consider the economic and financial pressures and the burdens that organizations are going through as a result of the pandemic.[5]

In the case of Nigeria, although the NDPR mandates Data Controllers to conduct a data protection audit through a licensed DPCO and file an audit report with NITDA by March 15, NITDA, in response to COVID-19, extended the deadline for submission of the annual data protection audit report to June 30, thus giving organizations more time to comply in the face of the pandemic. It is, therefore, imperative for organizations to utilize the extension granted by NITDA and avoid penalties for non-compliance.[6]

Conclusion

Even though the reaction to the outbreak of COVID-19 has interrupted business as usual, it is still mandatory for organizations to comply with the requirements of the NDPR. They can start by consulting a licensed DPCO to review their data collection and processing activities and take appropriate actions to comply with the NDPR, as non-compliance may result in a fine of up to 10 million naira or 2% of the annual turnover for the preceding year and other legal actions against the organization.

About the Author

Amara is a competent data protection and privacy lawyer with a passion for data governance and a wealth of practical experience in the design and implementation of data protection compliance frameworks for business processes across various institutions. She specializes in advising and supporting businesses on the modalities for compliance with GDPR/NDPR.

She’s a skilled bridge builder for good business relationships as she displays excellent ability to anticipate and tactically handle potential legal issues in business relationships. She thrives on building strategic partnerships and making strategic business decisions while increasing revenues, growth in terms of business expansion, and profitability. She’s also an experienced nonprofit founder and thought leader in youth advocacy.

ENDNOTES
[1] Section 1 of the NDPR https://nitda.gov.ng/wp-content/uploads/2019/01/Nigeria%20Data%20Protection%20Regulation.pdf

[2] Section 1 of the NDPR

[3] Section 3.1.5 of the NDPR provides: within 6 months after the date of issuance of this Regulation, each organization shall conduct a detailed audit of its privacy and data protection practices. Sections 3.1.6 and 3.1.7 further provide that where a Data Controller processes the personal data of more than 1000 in six months and on annual basis, a Data Controller who processes the personal data of more than 2000 data subjects in 12 months shall, not later than the 15th of March of the following year, submit a summary of its data protection audit to the Agency.

[4] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf

[5] https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf

[6] Section 2.10 of the NDPR provides for a penalty sum of up to 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira, whichever is greater.
