What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The Nigeria Data Protection Regulation, which went into effect in January 2019, sets the new foundational requirements for processing personal data in the country. This Regulation includes requirements relating to the collection, storage, processing, management, operations and technical control of personal data.
Other legislation with privacy related provisions includes the:
- Constitution of the Federal Republic of Nigeria, 1999 (as amended): Under Nigeria’s Constitution “[t]he privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is… guaranteed and protected” (Sec. 37).
- Freedom of Information Act 2011: Gives public institutions the duty to make information available to any individual who applies for it. The Act excludes access to information relating to an individual’s personal or private data.
- NITDA Guidelines for Nigerian Content in Information and Communications Technology 2013: Provides a framework for the promotion/development of local skills and technology, promoting indigenous innovations in the information and communications technology sector. Includes a requirement that data and information management firms register with the NITDA and host government data locally within Nigeria, except when firms have express approval from NITDA and the Secretary to the Government of the Federation.
- Nigerian Communications Commission Consumer Code of Practice Regulations 2007: Prescribes the minimum standards for data services and consumer related practices. Those who are licensed with the Nigerian Communications Commission are required to: (a) take reasonable steps to ensure that individually identifiable consumer information is accurate, relevant and current for the purposes which the data will be used; and, (b) develop mechanisms to guarantee data quality.
- Registration of Telephone Subscribers Regulation 2011: Sets rules around telephone subscribers including the requirement that central databases with subscriber information are kept confidential and inaccessible except with the subscriber’s prior written consent.
- Central Bank of Nigeria Consumer Protection Framework: Sets standards for financial institutions to protect customer data. Under the Framework, all customers’ personal information (including those with closed accounts) must be kept in strict confidence by the financial institution, with a few exceptions.
- Regulatory Framework for Bank Verification Number Operations and Watch-List for the Nigerian Banking Industry 2017: Developed and enhanced electronic payment systems security.
- Cybercrimes Act 2015: Requires that service providers retain all traffic data and subscriber information prescribed by the Nigerian Communications Commission (NCC). Service providers are required to share retained information upon request by the NCC or law enforcement agencies. All parties with access to this information must take steps to safeguard the confidentiality of the retained/processed/retrieved data for the purpose of law enforcement.
- Credit Reporting Act 2017: Gives individuals the right to privacy, confidentiality and the protection of their credit information. It also places limitations on when credit bureaus can disclose information as well as when an individual’s consent must be obtained prior to disclosure.
- Child Rights Act 2003: Ensures the protection of children’s rights including the right to privacy of family life, home, correspondence, telephone conversation and telegraphic communications.
The current authorities responsible for enforcement of data privacy law and regulations in Nigeria is the:
National Information Technology Development Agency (NITDA)
The Central Bank of Nigeria oversees data protection relating to banks and financial institutions. The Nigerian Communications Commission oversees data protection relating to the telecommunications sector.