1. Introduction

The Nigeria Data Protection Act 2023 (NDPA) was signed into law in Nigeria. The Act provides for the protection of personal data. It is the first law enacted to address specifically the protection of personal data in Nigeria after repeated attempts by past administrations to enact legislation on data protection. These attempts led to the issuance of the Nigeria Data Protection Regulations 2019 by the National Information Technology Development Agency. Although only subsidiary legislation, the Nigeria Data Protection Regulations laid the basic foundation for protecting personal data in an era where protecting personal data has become more critical.

The Nigeria Data Protection Act seeks to ensure uniformity in the processing of personal data, while also safeguarding the fundamental human rights, freedoms, and interests of data subjects as provided for under the 1999 Constitution, and providing remedies for breach of data.1

The Act has implications for different sectors of the economy. One key sector to consider is the health sector. The health sector is composed of myriad actors, such as collectors and processors, who deal with a variety of data. These include public and private hospitals, pharmacies, laboratories, public health insurance schemes, health maintenance organisations, and clinical research organisations. It also includes government agencies such as the National Public Health Institute or surveillance agencies working as part of the government, health regulatory bodies, and professional health regulatory agencies. Furthermore, it includes digital healthcare businesses providing electronic medical records (EMR) solutions, telemedicine virtual consulting platforms, and other services. Each of these entities has many opportunities for the collection, use, processing, and storage of data, and each has obligations with respect to the protection of personal data. It is therefore critical to identify and understand the implications of the Act on the operations of these actors. This will not only help clarify roles and responsibilities but ultimately improve health outcomes while protecting patient/user information.

2. Overview of the Nigeria Data Protection Act

Interestingly, the Nigeria Data Protection Act does not repeal the Nigeria Data Protection Regulation 2019 (NDPR). Section 64(2)(f) provides an avenue for the continued existence of the NDPR, expressly providing that all regulations, rules, etc., made by the Nigeria Information Technology Agency or the Nigeria Data Protection Bureau on data protection remain in effect until they have been repealed. Though the Nigeria Data Protection Regulations 2019 remain in force, where there are inconsistencies between the provisions of the Act and the Regulations, the Act takes precedence.2 It goes without saying that provisions of the NDPR that are not inconsistent with the provisions of the Act remain applicable and enforceable.3

The Act also makes provisions relating to the processing of personal data, principles of processing personal data, rights of data subjects,4 the appointment of data protection officers,5 and data privacy impact assessment in cases where the processing of personal data will likely result in a breach of personal data of data subjects, etc.6 Data controllers/processors are required to establish a lawful basis for processing personal data. Some of the lawful bases provided by the Act include:

- the data subject has given and not withdrawn consent;
- the processing is necessary for compliance with a legal obligation to which the data controller/processor is subject;7
- the processing is necessary for the performance of a task carried out in the public interest.8

Data controllers/processors are also required to process personal data in accordance with laid-down principles for processing personal data. Some of these include the requirements that:

- the data must be processed in a fair, lawful and transparent manner;
- the data must be collected for a legitimate purpose, and must not be processed in any manner incompatible with that purpose;
- the processing of the data must be adequate, relevant and limited to the minimum necessary, etc.9

3. Selected Relevant Provisions of the NDPA on Health

The Act makes specific provisions for personal data processing in relation to public health and health care. We set out some of these provisions below.

i. Exemption from Obligations under Part V of the Act of Data Processed During Public Health Emergencies by Competent Authorities

The NDPA provides for certain exemptions from the lawful basis governing the processing of data. Key amongst them is data processed by competent authorities for the purpose of prevention or control of national public health emergencies,10 such as the COVID-19 pandemic, or the epidemics of Lassa Fever and Cholera faced almost yearly in Nigeria. The competent authority is defined under the interpretation section to mean "Government of the Federal Republic of Nigeria or any Foreign Government, or any State government, statutory authority, government authority, institution, agency, department, board, commission, or organization within or outside Nigeria exercising either executive, legislative, judicial, investigative, regulatory, or administrative functions."11 This would include agencies such as the Nigeria Centre for Disease Control and Prevention which, in the exercise of its mandate and under the provisions of the Act, can lawfully process data free from certain obligations under Part V of the Act. Some of the obligations exempted include:

- the burden of proof placed on data controllers when there is a question as to whether consent was freely or intentionally given;12
- the requirement to undertake a data privacy impact assessment where the processing of personal data will likely result in a high risk to the rights and freedoms of data subjects;13
- the requirement to obtain consent from a parent or legal guardian of children under the age of 18 years;14
- the rights of data subjects.15

Processing of personal data by competent authorities in times of public health emergencies is, however, subject to certain restrictions with which the competent authority must comply. These include Section 24 (Principles of Personal Data Processing), Section 25 (Lawful Bases of Personal Data Processing), Section 32 (Data Protection Officers) and Section 40 (Personal Data Breaches). These sections will apply to the processing of personal data by competent authorities. For example, a lawful basis for processing personal data must be established. Such lawful basis for processing personal data during public health emergencies may include grounds of public interest. The competent authority is also required to appoint a data protection officer and, in line with section 40, to report any personal data breach to the Commission within 72 hours of becoming aware of the breach.

ii. The Requirement for Registration of Data Controllers of Major Importance

The Act introduces a class of data controllers and data processors distinct from ordinary data controllers (DCs) and data processors (DPs), named "Data Controllers of Major Importance and Data Processors of Major Importance"16 (DCMIs and DPMIs). DCMIs and DPMIs are required to register with the Commission17 and are subject to stricter fines than those imposed on regular DCs and DPs. DCMIs and DPMIs are subject to a fine of over N10,000,000 or 2% of their annual gross revenue in the preceding financial year, whichever is higher,18 while DCs and DPs are subject to a fine of over N2,000,000 or 2% of their annual gross revenue in the preceding financial year, whichever is higher.19 The fine applies when they are adjudged by the Commission to have violated the Act or any subsidiary legislation. Regulations fall under subsidiary legislation, which data controllers and data processors should therefore also avoid breaching.

Data Controllers of Major Importance and Data Processors of Major Importance are not fully defined, with the Act creating room for the Commission to do so by regulation.20 In February 2024, the Commission clarified who constitutes a 'data controller of major importance' or 'data processor of major importance' through a Guidance Notice. According to the Guidance Notice,21 a data controller or data processor will be deemed to be of major importance if it (a) processes the personal data of more than 200 (Two Hundred) data subjects within the span of six months, or (b) carries out ICT services through the use of any digital device having storage capacity and belonging to another individual, or (c) processes personal data either as an organization or a service provider in the Financial, Communication, Health, Education, Insurance, Export sectors, etc.22 Data controllers or processors who are under a fiduciary duty to a data subject for which the duty of keeping information confidential is crucial are also regarded as Data Controllers or Processors of Major Importance.23

Reviewing the Guidance Notice, it seems fairly clear that most if not all healthcare stakeholders are likely to fall under data controllers of major importance (DCMIs) or data processors of major importance (DPMIs). At any rate, the majority of healthcare stakeholders will fall under (c) as organizations or service providers in the health sector who process personal data. Healthcare providers like telehealth companies, digital health businesses, hospitals, and other stakeholders like health insurance companies, among other healthcare entities, are required to register as DCMIs or DPMIs.24

Furthermore, the Guidance Notice provides for registration by DCMIs and DPMIs and, to aid the registration process, classifies DCMIs and DPMIs into three categories,25 namely: Major Data Processing-Ultra High Level (MDP-UHL), Major Data Processing-Extra High Level (MDP-EHL) and Major Data Processing-Ordinary High Level (MDP-OHL). Insurance companies, which will include health insurance companies, may be classified as Major Data Processing-Ultra High Level (MDP-UHL) and are required to pay a non-refundable fee of N250,000 (Two Hundred and Fifty Thousand Naira) for registration.26 The Ministry of Health, as a government ministry, and hospitals providing tertiary or secondary medical services are classified as Major Data Processing-Extra High Level (MDP-EHL) and are required to pay a non-refundable fee of N100,000 (One Hundred Thousand Naira) for registration.27

Primary Health Centres are classified as Major Data Processing-Ordinary High Level (MDP-OHL) and are required to pay a non-refundable fee of N10,000 (Ten Thousand Naira) for registration.28 DCMIs and DPMIs, in line with section 44(1) of the Act29 and the Guidance Notice, are required to register on or before 30 June 2024,30 failing which they shall be deemed in default under the Act and liable to the penalty stipulated under the Act.31 The penalties have been highlighted above in this article.


Footnotes

1 Section 1 of the NDPA

2 Section 63 of the NDPA

3 The provisions of the NDPR as it relates to the qualities of a DPO (though not mandatory) remains applicable

4 Section 34-38 of the NDPA

5 Section 32 of the NDPA

6 Section 28 of the NDPA

7 Court Order, for instance can fall under this ground

8 Section 25 of the NDPA

9 Section 24 of the NDPA

10 Section 3(2)(b) of the NDPA

11 Section 65 of the NDPA

12 Section 26 of the NDPA

13 Section 28 of the NDPA

14 Section 31 of the NDPA

15 Section 34-38 of the NDPA

16 Section 44(1) of the NDPA

17 The Act requires the DCMIs and DPMIs to register with the Commission within 6 months after the commencement of the Act or on becoming a data controller of major importance or processor of major importance

18 Section 48(3)(a) and (4) of the NDPA

19 Section 48(3)(b) and (5) of the NDPA

20 The Act defines data controllers or data processors of major importance to be "data controller or data processors of major importance domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other classes of data controllers or data processors that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate". See Section 65 of the Act

21 Paragraph 1 of the Guidance Notice

22 https://ndpc.gov.ng/Files/registration.pdf

23 ibid

24 ibid

25 Paragraph 2 of the Guidance Notice

26 Paragraph 3(1)(a) of the Guidance Notice

27 Paragraph 3(1)(c) of the Guidance Notice

28 Paragraph 3(1)(e) of the Guidance Notice

29 The Act requires DCMIs and DPMIs to register within 6 months of the commencement of the Act or within 6 months of becoming a DCMI or DPMI

30 Paragraph 3(2) of the Guidance Notice

31 Paragraph 3(3) of the Guidance Notice

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.