Nigeria Data Protection Act 2023: Relevant Provisions For Health Care Delivery In Nigeria – Data Protection

1. Introduction

The Nigeria Data Protection Act 2023 (NDPA) was signed into law
in Nigeria. The Act provides for the protection of personal data.
It is the first law enacted to address specifically the protection
of personal data in Nigeria after repeated attempts by past
administrations to enact legislation on data protection. These
attempts led to the issuance of the Nigeria Data Protection
Regulations 2019 by the National Information Technology Development
Agency. Although only subsidiary legislation, the Nigeria Data
Protection Regulations laid the basic foundation for protecting
personal data in an era where protecting personal data has become
more critical.

The Nigeria Data Protection Act seeks to ensure uniformity in the processing of personal data, while also safeguarding the fundamental human rights, freedoms, and interests of data subjects as provided for under the 1999 Constitution, and providing remedies for breach of data.[1]

The Act has implications for different sectors of the economy. One key sector to consider is the health sector. The health sector is composed of a myriad of actors who collect and process a variety of data. These include public and private hospitals, pharmacies, laboratories, public health insurance schemes, health maintenance organisations, and clinical research organisations. It also includes government agencies such as the National Public Health Institute or surveillance agencies working as part of the government, health regulatory bodies, and professional health regulatory agencies. Furthermore, it includes digital healthcare businesses providing electronic medical records (EMR) solutions, telemedicine virtual consulting platforms, and other services. Each of these entities has many opportunities for the collection, use, processing, and storage of data, and each has obligations with respect to the protection of personal data. It is therefore critical to identify and understand the implications of the Act on the operations of these actors. This will not only help clarify roles and responsibilities but ultimately improve health outcomes while protecting patient/user information.

2. Overview of the Nigeria Data Protection Act

Interestingly, the Nigeria Data Protection Act does not repeal the Nigeria Data Protection Regulation 2019 (NDPR). Section 64(2)(f) provides an avenue for the continuing existence of the NDPR, expressly providing that all regulations, rules, etc. made by the Nigeria Information Technology Agency or the Nigeria Data Protection Bureau on data protection remain in effect until they have been repealed. Though the Nigeria Data Protection Regulations 2019 remain in force, where there are inconsistencies between the provisions of the Act and the Regulations, the Act shall take precedence.[2] It goes without saying that provisions of the NDPR that are not inconsistent with the provisions of the Act remain applicable and enforceable.[3]

The Act also makes provisions relating to the processing of personal data, the principles of processing personal data, the rights of data subjects,[4] the appointment of data protection officers,[5] and data privacy impact assessments in cases where the processing of personal data will likely result in a breach of the personal data of data subjects, etc.[6] Data controllers/processors are required to establish a lawful basis for processing personal data. Some of the lawful bases provided by the Act include: (a) the data subject has given, and not withdrawn, consent; (b) the processing is necessary for compliance with a legal obligation to which the data controller/processor is subject;[7] and (c) the processing is necessary for the performance of a task carried out in the public interest.[8] Data controllers/processors are also required to process personal data in accordance with the laid-down principles for processing personal data. Some of these include the requirements that: (a) the data must be processed in a fair, lawful and transparent manner; (b) the data must be collected for a legitimate purpose and must not be processed in any manner incompatible with that purpose; and (c) the processing of the data must be adequate, relevant and limited to the minimum necessary, etc.[9]

3. Selected Relevant Provisions of the NDPA on Health

The Act makes specific provisions for personal data processing
in relation to public health and health care. We set out some of
these provisions below.

i. Exemption from Obligations under Part V of the Act of Data Processed During Public Health Emergencies by Competent Authorities

The NDPA provides for certain exemptions from the lawful basis governing the processing of data. Key amongst them is data processed by competent authorities for the purpose of prevention or control of national public health emergencies,[10] such as the COVID-19 pandemic, or the epidemics of Lassa Fever and Cholera faced almost yearly in Nigeria. The competent authority is defined under the interpretation section to mean the “Government of the Federal Republic of Nigeria or any Foreign Government, or any State government, statutory authority, government authority, institution, agency, department, board, commission, or organization within or outside Nigeria exercising either executive, legislative, judicial, investigative, regulatory, or administrative functions.”[11] This would include agencies such as the Nigeria Centre for Disease Control and Prevention which, in the exercise of its mandate and under the provisions of the Act, can lawfully process data free from certain obligations under Part V of the Act. Some of the obligations exempted include: (a) the burden of proof placed on data controllers when there is a question as to whether consent was freely or intentionally given;[12] (b) the requirement to undertake a data privacy impact assessment where the processing of personal data will likely result in a high risk to the rights and freedoms of the data subject;[13] (c) the requirement to obtain consent from a parent or legal guardian of children under the age of 18 years;[14] and (d) the rights of the data subject.[15]

Processing of personal data by competent authorities in times of public health emergencies is however subject to certain restrictions, which the competent authority must comply with. These include Section 24 (Principles of Personal Data Processing), Section 25 (Lawful Bases of Personal Data Processing), Section 32 (Data Protection Officers) and Section 40 (Personal Data Breaches). These sections will apply to the processing of personal data by competent authorities. For example, a lawful basis for processing personal data must be established. Such lawful basis for processing personal data during public health emergencies may include grounds of public interest. The competent authority is also required to appoint a data protection officer and, in line with Section 40, to report any personal data breach to the Commission within 72 hours of becoming aware of the breach.

ii. The Requirement for Registration of Data Controllers of Major Importance

The Act introduces a class of data controllers and data processors, distinct from ordinary data controllers (DCs) and data processors (DPs), named “Data Controllers of Major Importance and Data Processors of Major Importance”[16] (DCMIs and DPMIs). DCMIs and DPMIs are required to register with the Commission[17] and are subject to stricter fines than those imposed on regular DCs and DPs. DCMIs and DPMIs are subject to a fine of over 10,000,000 or 2% of their annual gross revenue in the preceding financial year, whichever is higher,[18] while DCs and DPs are subject to a fine of over 2,000,000 or 2% of their annual gross revenue in the preceding financial year, whichever is higher.[19] The fine applies when they are adjudged by the Commission to have violated the Act or any subsidiary legislation. Regulations fall under subsidiary legislation, which data controllers and data processors should therefore also avoid breaching.

Data Controllers of Major Importance and Data Processors of Major Importance are not fully defined, with the Act creating room for the Commission to do so by regulation.[20] In February 2024, the Commission clarified who constitutes a ‘data controller of major importance’ or ‘data processor of major importance’ through a Guidance Notice. According to the Guidance Notice,[21] a data controller or data processor will be deemed to be of major importance if it (a) processes the personal data of more than 200 (Two Hundred) data subjects within the span of six months, or (b) carries out ICT services through the use of any digital device having storage capacity and belonging to another individual, or (c) processes personal data either as an organization or a service provider in the Financial, Communication, Health, Education, Insurance, Export sectors, etc.[22] Data controllers or processors who are under a fiduciary duty to a data subject, for which the duty of keeping information confidential is crucial, are also regarded as Data Controllers or Processors of Major Importance.[23]

Reviewing the Guidance Notice, it seems fairly clear that most if not all healthcare stakeholders are likely to fall under data controllers of major importance (DCMIs) or data processors of major importance (DPMIs). At any rate, the majority of healthcare stakeholders will fall under (c) as organizations or service providers in the health sector who process personal data. Healthcare providers like telehealth companies, digital health businesses, hospitals, and other stakeholders like health insurance companies, among other healthcare entities, are required to register as DCMIs or DPMIs.[24]

Furthermore, the Guidance Notice provides for registration by DCMIs and DPMIs and, to aid the registration process, classifies DCMIs and DPMIs into three categories,[25] namely: Major Data Processing-Ultra High Level (MDP-UHL), Major Data Processing-Extra High Level (MDP-EHL), and Major Data Processing-Ordinary High Level (MDP-OHL). Insurance companies, which will include health insurance companies, may be classified as Major Data Processing-Ultra High Level (MDP-UHL) and are required to pay a non-refundable fee of N250,000 (Two Hundred and Fifty Thousand Naira) for registration.[26] The Ministry of Health, as a ministry of the government, and hospitals providing tertiary or secondary medical services are classified as Major Data Processing-Extra High Level (MDP-EHL) and are required to pay a non-refundable fee of N100,000 (One Hundred Thousand Naira) for registration.[27]

Primary Health Centres are classified as Major Data Processing-Ordinary High Level (MDP-OHL) and are required to pay a non-refundable fee of N10,000 (Ten Thousand Naira) for registration.[28] In line with section 44(1) of the Act[29] and the Guidance Notice, DCMIs and DPMIs are required to register on or before the 30th of June 2024,[30] failing which they shall be deemed to be in default under the Act and liable to the penalty stipulated under the Act.[31] The penalties have been highlighted in this Article.


Footnotes

[1] Section 1 of the NDPA.

[2] Section 63 of the NDPA.

[3] The provisions of the NDPR as they relate to the qualities of a DPO (though not mandatory) remain applicable.

[4] Sections 34-38 of the NDPA.

[5] Section 32 of the NDPA.

[6] Section 28 of the NDPA.

[7] A court order, for instance, can fall under this ground.

[8] Section 25 of the NDPA.

[9] Section 24 of the NDPA.

[10] Section 3(2)(b) of the NDPA.

[11] Section 65 of the NDPA.

[12] Section 26 of the NDPA.

[13] Section 28 of the NDPA.

[14] Section 31 of the NDPA.

[15] Sections 34-38 of the NDPA.

[16] Section 44(1) of the NDPA.

[17] The Act requires DCMIs and DPMIs to register with the Commission within 6 months after the commencement of the Act or on becoming a data controller of major importance or data processor of major importance.

[18] Section 48(3)(a) and (4) of the NDPA.

[19] Section 48(3)(b) and (5) of the NDPA.

[20] The Act defines a data controller or data processor of major importance as a “data controller or data processor of major importance domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other classes of data controllers or data processors that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate”. See Section 65 of the Act.

[21] Paragraph 1 of the Guidance Notice.

[22] https://ndpc.gov.ng/Files/registration.pdf

[23] Ibid.

[24] Ibid.

[25] Paragraph 2 of the Guidance Notice.

[26] Paragraph 3(1)(a) of the Guidance Notice.

[27] Paragraph 3(1)(c) of the Guidance Notice.

[28] Paragraph 3(1)(e) of the Guidance Notice.

[29] The Act requires DCMIs and DPMIs to register within 6 months of the commencement of the Act or within 6 months of becoming a DCMI or DPMI.

[30] Paragraph 3(2) of the Guidance Notice.

[31] Paragraph 3(3) of the Guidance Notice.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
