Section 37 of the Nigerian Constitution (1999) provides that; “[pullquote]
The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”
[/pullquote] Unfortunately, there is currently not one comprehensive data privacy or personal information protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals and citizens. This calls for the passing of a law dealing specifically with issues of data privacy and the protection of the Nigerian citizen’s private information and details of such required law have been made to the Nigerian legislature.
Given current technological trends the world over, and such that has been adapted within Nigeria, it is clear that Section 37 of the Nigerian Constitution as a stand-alone right without strict rules of engagement on how these rights can be protected and exercised is no longer enough protection for citizens.
The following is a 3-part article that will deal with this topic exhaustively.
Unknown to many Nigerians (both individual and a few corporate entities) industry specific regulations, rules of professional conduct and case law exists which provide privacy related protections for Nigerian citizens. These are examined below;
INDUSTRY SPECIFIC REGULATIONS
- The Consumer Code of Practice Regulations 2007: This code of practice is issued by the Nigerian Communications Commission (NCC), which is the body charged with the regulation of the communications industry in Nigeria. The NCC code provides that all licensees (all Telecommunication service providers) must take reasonable steps to protect customer information against “improper or accidental disclosure” and must ensure that such information is securely stored. It also provides further that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.
Note that the application of the NCC Regulations is not restricted to Nigerian citizens alone; the regulation applies to customer information relating to customers of any nationality that use a licensee’s network, drawing similarity with Section 3 of the South African POPI Act which states that the application of the POPI Act will cover not only situations where the responsible party is domiciled in South Africa but also where the responsible party is not domiciled in the Republic, but makes use of automated or non-automated means in the Republic.
Unfortunately, this Consumer code of practice is only industry specific and does not apply outside of the Nigerian communications industry.
- NITDA GUIDELINES:The National Information Technology Development Agency (NITDA) is the national authority that is responsible for planning, developing and promoting the use of information technology in Nigeria. NITDA in performing this duty issue guidelines which prescribe the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information.
This is currently the only set of regulations that contains specific and detailed provisions on the protection, storage, transfer or treatment of personal data in Nigeria. The guidelines regulate all organizations or persons that control, collect, store and process personal data of Nigeria residents within and outside Nigeria for protecting of a specific category of data commonly known as Personal Data or Object Identifiable Information (OII).
The NITDA guidelines define “personal data” as: “any information relating to an identified or identifiable natural person (data subject); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”. Data controllers (defined as persons which, alone or jointly with others, determine the purposes and means of the processing of personal data) are obliged to prevent any transfer of data to any country that does not ensure an adequate level of protection within the prescribed context of the NITDA Guidelines.
The NITDA Guidelines also prescribe that in determining the adequacy of the level of protection afforded by another country in relation to the transfer of data, consideration must be given to the nature of the data
[/pullquote], the purpose and duration of the proposed processing operation(s), the rules of law, both general and sectorial, in force in the receiving country in question and the professional rules and security measures which are complied with in that country, which should not be lower than the content of the Guidelines.
Notably, Section 2.1(2) of the NITDA guidelines recommend that processing of all data collected shall not take place without the consent of the data subject i.e. The Nigerian Citizen so concerned. It should be noted that while the NITDA guidelines is currently the most comprehensive body of regulations on Data privacy and processing in Nigeria, unfortunately the guideline only applies to federal, state and local government agencies and institutions as well as private sector organisations that own, use or deploy information systems of the Federal Republic of Nigeria.
It also applies to organisations based outside Nigeria if such organisations process personal data of Nigerian residents, but is not mandatory for private companies involved in data processing and can only serve as a point of reference for such private data collectors with respect to the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls of personal data.
PLEASE NOTE: This article is for general information only. It is not offered as advice, on any particular matter, whether legal, procedural or otherwise. We’d love to read your comments in the section below, you could also send us an email via the contact page.
 Constitution of the Federal Republic of Nigeria (Promulgation) Act, Chapter C23, Laws of the Federation of Nigeria 2004 (as amended)
 Section 1.6 NITDA Guideline, Version 3.1, September 2013
 Section 2.1 NITDA Guidelines, Version 3.1, September 2013
 Section 2.1(4) NITDA Guidelines, Version 3.1, September 2013
 Note Similarity with Sections 17 & 18 of the POPI Act
 Note Similarity with Sections 19(1) of the POPI Act