Summary

On 18th May, 2020 the National Information Technology Development Agency (NITDA) issued Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020 ("the Guidelines"). The Guidelines govern the roles and responsibility of public officers and public institutions with regards to the processing and management of personal data in compliance with the Nigeria Data Protection Regulation, 2019 (NDPR).

Details

NITDA issued the NDPR on 25th January, 2019, as a framework for the protection and regulation of the collection, processing and management of personal data of individuals who are Nigerian citizens and persons resident in Nigeria while the Guidelines were issued pursuant to Section 6 (a & c) of the National Information Technology Development Agency Act 2007 (NITDA Act) and the NDPR, 2019.

The Guidelines seek to provide guidance to Public Officers on how to handle and manage personal information in compliance with the NDPR and it applies to all Public Institutions in Nigeria including Ministries, Departments, Agencies, Institutions, Public Corporations, publicly funded ventures and incorporated entities with government shareholding at Federal, State or Local Government level. 

Specifically, the Guidelines impose several compliance obligations on public institutions, including the following:

  • Public institutions are required to obtain consent from data subjects for processing of personal data in specified situations;
  • Every public institution that wishes to process personal data of Nigerians received from other public entities, private entities or an international organisation is required to put in place measures to demonstrate the following:
    • Compliance with International Security Standards such as ISO 27001:2013 or any similar standard;
    • Data Protection Impact Assessment and submission of same to NITDA;
    • Retension of a Data Protection Compliance Organisation (DPCO) to guide it in the use of the personal data for compliance purposes.
  • Every public institution is required to appoint a Data Protection Officer (DPO) within 90 days of the issuance of the Guidelines and to maintain a Privacy Policy with certain specified details;
  • All databases containing personal data are to be stored in digital databases with restricted or controlled access within 60 days from the issuance of the Guidelines.

The Guidelines further stipulate the obligations of Data Controllers with respect to sharing of personal data with a public institution and processing personal data on behalf of a public institution.

Failure to comply with the provisions of the Guidelines is an offence under the NITDA Act and the NDPR. In this regard, principal officers of public institutions who breach the provisions of the Guidelines will be personally liable for the breach or misuse of information shared from personal data, either while in office or after expiration of their term of office. The Guidelines, however, provide that parties may approach the Administrative Redress Panel established under the NDPR to seek redress following a determination of breach by NITDA

Implication

The issuance of the Guidelines indicates NITDA's commitment to enforcing the provisions of the NDPR in both the private and public sectors and makes it imperative for all public institutions in Nigeria to immediately comply with the provisions of the NDPR and the Guidelines. 

The COVID-19 Pandemic has created a new reality, where government officials now have to work from home and utilise different technology platforms for their official duties. There is therefore a heightened urgency to ensure that all government data and especially personal data is handled with care and in line with the provisions of the NDPR and the Guidelines. The imposition of personal liability on principal officers of a defaulting Ministry, Department or Agency of Government (including publicly funded ventures and companies with Government shareholding) during or after their term in office gives NITDA wide powers of enforcement which means principal officers should be particularly interested in ensuring their institutions comply with the relevant provisions of the NDPR and the Guidelines. Given the above, all public institutions covered under the NDPR and the Guidelines and engaged in the collection, storage and use of personal data of individuals in Nigeria should urgently put in place steps to ensure compliance by engaging a DPCO that will advise them on the required compliance steps within the relevant timelines. This will enable them to better understand their compliance obligations under the NDPR/Guidelines as required by NITDA and avoid any misuse of government or personal data in their possession.

Originally published June 3, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.