INTRODUCTION
The Nigeria Data Protection Act of 2023 (NDPA) marks a significant milestone in Nigeria's journey towards protecting personal data rights and freedoms. The legislation aims to safeguard the rights and freedoms of data subjects as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria,[1] while also regulating the processing of personal data across various sectors.[2]
The NDPA, a landmark piece of legislation, applies to various industries engaged in data collection and processing. One sector particularly affected by this regulation is the healthcare industry, which plays a crucial role in the nation's data ecosystem. It is made up of a variety of actors who are involved in both the collection and processing of data.
These actors include public and private hospitals, laboratories and pharmacies, amongst others. Given the advancement in technology, the rise of telemedicine and the increased reliance on electronic health records, it has become pertinent to examine the key provisions addressing data protection in the healthcare sector.
AN OVERVIEW OF THE NIGERIA DATA PROTECTION ACT, 2023
The Nigeria Data Protection Act, 2023 was signed into law on 12th June 2023, as an answer to the call for a more robust legal framework for the protection of personal information in Nigeria. Prior to the enactment of the NDPA, the Nigeria Data Protection Regulation (NDPR), which came into being in 2019, regulated the processing of personal data. The NDPA applies to all forms of processing of personal data, whether by automated means or not.[3] This implies that the Act also applies to the manual processing of personal information.
The Act establishes the principles of personal data processing and urges data controllers and processors to ensure that personal data is processed in a lawful and transparent way. The Act stipulates that personal data be collected for specified, explicit and legitimate purposes.[4] Furthermore, personal data collected must be processed in a way that is compatible with the purposes for which it was collected.
The Act charges data controllers and processors to use appropriate technical and organisational measures to ensure confidentiality, integrity and availability in the processing of personal data. Additionally, the Act outlines the circumstances that constitute a lawful basis upon which the personal data of a data subject can be processed. These circumstances include: where the data subject has given his or her consent for the data to be processed for specific purposes and has not withdrawn the consent; performance of a contract to which the data subject is a party; where there is a need for the data controller or processor to comply with a legal opinion; where there is a need to protect the vital interests of the data subject; and for the performance of a task in the public interest or in the exercise of an official authority vested in the data controller or data processor. The Act also stipulates the information to be provided by the data controller to the data subject before the direct collection of the data subject's personal data.[5]
THE NIGERIA DATA PROTECTION ACT AND THE HEALTHCARE FACILITIES
Section 46 of the Act empowers a data subject who is aggrieved by the action or inaction of the data controller or processor, which is in contravention of the provisions of the Act, to lodge a complaint with the Nigeria Data Protection Commission.
A data subject is defined as the person to whom the personal data relates.[6] Therefore, a data subject is the owner of the personal information. With regard to health facilities, the data subject will be the patient. Consequently, where a patient suffers the wrongful use of their data, they are entitled to lodge a complaint with the Nigeria Data Protection Commission.
The Commission will then commence an investigation into the complaint. Where it finds that there has been such a violation, it may issue an appropriate compliance order against the health facility guilty of the violation. Such an order may be a warning, a directive that the health facility uphold the patient's data rights, or a cease and desist order. The Commission can also make an enforcement order requiring the health facility to remedy its violation of the patient's data rights, or to pay compensation to the patient for injury suffered as a result of the violation. The health facility may also be ordered to pay a penalty or remedial fee following the modalities stipulated by the Act.[7]
The patient also has the option to explore civil remedies in court for the health facility's violation of their data rights.[8] Therefore, a patient can recover damages for the injury occasioned by the violation of data rights through a court action. It is important to state that health facilities can be held liable for the acts or omissions of their agents or employees which violate the provisions of the NDPA, provided that the act or omission relates to the business of the health facility.[9]
Furthermore, the NDPA 2023 requires data controllers and data processors of major importance to register with the Nigeria Data Protection Commission (NDPC) within six months of the commencement of the NDPA or of becoming such.[10]
The NDPA, in its interpretation section,[11] defines a data controller or data processor of major importance as: a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.
Pursuant to this definition, on 14th February 2024, the NDPC issued a Guidance Notice on the registration of data controllers and data processors of major importance. This Notice sets out the metrics for classifying data controllers and data processors as those of major importance and their registration requirements.
According to the Guidance Notice, a data controller or data processor shall be deemed to have particular value or significance to the economy, society or security of Nigeria and hence designated to be of major importance if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data; and: processes the personal data of more than 200 (Two-Hundred) data subjects in six months; or carries out commercial Information Communication Technology (ICT) services on any digital device which has storage capacity and belongs to another individual; or processes personal data as an organisation or a service provider in one of the following sectors: Financial, Communication, Health, Education, Insurance, Export and Import, Aviation, Tourism, Oil and Gas, Electric Power.
A data controller or data processor who is in a fiduciary relationship with a data subject, and is expected to keep confidential information on behalf of the data subject, shall be regarded as a data controller or processor of major importance. This classification takes into account the significant harm that may result if such an entity is not subject to the obligations imposed on data controllers or processors of major importance.
From the above explanation, it is clear that health facilities are data controllers and data processors of major importance for obvious reasons. Health facilities have the potential to process and store the personal data of more than 200 patients (data subjects) in six months. Further, the relationship between health facilities and patients is hinged on confidentiality. Health facilities are required by law to set up control measures to prevent unauthorised access to the health records of patients.[12] The storage system where the records are kept is also to be protected.[13]
The Guidance Notice further classifies data controllers and data processors of major importance into three categories of data processing. These are: Major Data Processing-Ultra High Level (MDP-UHL), Major Data Processing-Extra High Level (MDP-EHL) and Major Data Processing-Ordinary High Level (MDP-OHL). The MDP-EHL category is so classified, among other reasons, because of the sensitivity of the data assets in its care and the inherent vulnerability of the data subjects it typically engages with. Hospitals providing tertiary and secondary healthcare services are classified as MDP-EHL, while primary health centres are classified as MDP-OHL.
CONCLUSION
In the light of the above stipulations of the law, it is important for health facilities to understand their responsibilities under the law regarding the handling of patients' data. It is also important for them to sensitise their employees on the need to avoid the wrongful use of patients' personal data, so as to avoid vicarious liability. Overall, health facilities identified as data controllers and data processors of major importance should endeavour to meet the registration timelines and comply with the associated requirements.
Footnotes
1. As amended.
2. Section 1, NDPA 2023.
3. Section 2, NDPA 2023.
4. Section 24, NDPA 2023.
5. Section 27, NDPA 2023.
6. Section 65, NDPA 2023.
7. Section 48(3), NDPA 2023.
8. Section 51, NDPA 2023.
9. Section 53(2), NDPA 2023.
10. Section 44(1), NDPA 2023.
11. Section 65, NDPA 2023.
12. Section 29(1), National Health Act, 2014; Section 39, NDPA 2023.
13. Section 29(1), National Health Act, 2014.