Safeguarding Information in the Digital Age: A Legal Perspective on Data Protection in Nigeria

By: Favour Owhuvwie, Esq.

Introduction

Because the collection, storage and use of data have become indispensable, data protection is a subject of growing importance in today’s digital landscape. The advent of technology has transformed the way information is created, stored, and shared, necessitating a robust legal framework to safeguard individuals and organizations from potential privacy breaches. This article explores the significance of data protection in Nigeria and sheds light on the legal aspects that underpin this essential component of our digital existence.

The Nigerian Data Protection Landscape

Nigeria, like many other countries, recognizes the need to protect personal data in the digital age. The primary legislation governing data protection in Nigeria is the Nigeria Data Protection Act (NDPA) of 2023, administered by the Nigeria Data Protection Commission (NDPC). The NDPA establishes a comprehensive framework for the lawful processing of personal data, outlining the rights and obligations of data controllers, data processors and data subjects.

Definitions of Key Terms

Who is a data controller?

The Act defines a data controller as any “individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data.”[i]

[i] Section 65 of the NDPA

Who is a data processor?

A data processor is a natural or juristic person who processes personal data on behalf of or on the direction of a data controller or another data processor.

Who is a data subject?

In Nigeria, a data subject refers to an individual who is the subject of personal data. Personal data is defined under the Nigeria Data Protection Act (NDPA)[i] as any information relating to an identified or identifiable natural person. This includes but is not limited to names, addresses, phone numbers, email addresses, biometric data, financial information, medical records, and any other data that can be used to directly or indirectly identify a person. Therefore, any Nigerian citizen or resident whose personal information is being collected, processed, or stored by an organization or entity falls under the category of a data subject.

[i] supra

Key Principles of Data Protection

1. Lawfulness and Fairness:

   – Data processing must be lawful, and individuals must be informed about the purpose and legal basis for collecting their data.

2. Purpose Limitation:

   – Personal data should only be processed for specified and legitimate purposes, and not further processed in a manner incompatible with those purposes.

3. Data Minimization:

   – Organizations should only collect and process the data that is necessary for the intended purpose.

4. Accuracy:

   – Data controllers are obligated to ensure the accuracy of the data they process and take steps to rectify inaccuracies.

5. Storage Limitation:

   – Personal data should not be kept for longer than is necessary for the purpose for which it was collected.

6. Integrity and Confidentiality:

   – Organizations must implement security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction.