The coronavirus /COVID-19 pandemic is on the rampage and the global community has been forced to adapt to the unprecedented changes that have swept through businesses and organisations.

With the number of infected persons rising in different countries, there is increasing pressure on employers, the government and health authorities to disclose the information of infected persons. This may require the collection and dissemination of people's data. Though it may be necessary to obtain information for health and safety reasons, it still raises challenges regarding data protection and privacy of employees, patients and infected persons.

Furthermore, with businesses taking steps to enable their employees work remotely as well as the need for organisations to share information at a fast pace, it becomes necessary to consider how to protect people's data and ensure that diverse steps adopted by organisations do not affect the privacy of their employees, patients or persons infected by the coronavirus.

Data Protection -The Nigerian Data Protection Regulation

There are important terms that are defined under the Nigerian Data Protection Regulation 2019 (NDPR). Personal data is one of them and it includes a name, photo, email address, bank details, medical information, computer internet protocol (IP) address and any other information specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.1

'Personal data' is also defined as the information relating to an identified or identifiable natural person.2 In other words, the kind of data that the NDPR seeks to protect does not include corporate information except where such information relates to natural persons.

The NDPR also recognises a "data subject" (person) which is defined as the identifiable person who is identified directly or indirectly with reference to an identification number or other factors specific to his/her physical, physiological, mental, economic, cultural or social identity3. In simple terms, a data subject can be considered as any person whose personal data is being collected, held or processed.

Thus the NDPR applies to transactions that involves the processing of the personal data of natural persons4.

Conditions for lawful collection and disclosure of data

The NDPR provides situations when personal data can be collected, disclosed and shared and this comes under the general umbrella of "processing of data" which mean any action carried out on personal information5. Consequently, a data controller6 that handles/processes data must do so in accordance with the conditions provided by the NDPR or the processing of such data will be deemed to be illegal and the employer would be subjected to penalties7.

A person's data can only be collected and disclosed under any of the following conditions:

  1. where the data subject has consented to the collection and disclosure;
  2. where it is done is for the performance of a contract;
  3. when the processing is required for compliance with a legal obligation;
  4. when the processing is required for protection of the vital interest of a data subject or another natural person; or
  5. if the processing is necessary for the performance of a task carried out in the public interest.8

The inference drawn from the foregoing is that information regarding persons, such as employees or patients who have been infected by the coronavirus, can only be disclosed and disseminated when any of the above conditions have been met. We will consider some of the relevant conditions below.

Disclosure of a person's data with his consent

One of the popular provisions under the NDPR is the stipulation that a data subject must consent to the collection of his data; and such data must be processed in a lawful manner9. Furthermore, organisations may only collect, process and disclose personal data for purposes that are reasonable and only to the extent that it is necessary for meeting the purposes for which the information was collected.

The organisation may also only process the personal information for the purpose for which the information was originally collected. Consequently, when an organisation collects an employee's personal data, it must give that individual notice of the purpose of collection. It is also advisable that the employee is provided with the contact of the personnel within the organisation that can answer any questions regarding the personal data collected.

The consent must also be specific, informed and freely given. This means that the employee must be able to understand what the organisation is going to do with his data and there must be a clear indication that he consented to it. If an organisation has collected personal data for one purpose and then decides to start analysing it for completely different purposes (or makes it available for third parties to do so) then it needs to make its users aware of this, except where the data is further processed for archiving purposes (in the public interest, scientific or historical research or statistical purposes).

This is particularly important if the organisation is planning to use data for purposes that are not apparent to the individual because it is not obviously connected with the individual's use of a service.

Thus under this basis, an employee who has been infected with a disease, such as the coronavirus, can disclose information regarding his status to his employer. The employer may then disclose it to health authorities, upon fulfilling the lawful conditions for processing.

Disclosure of the status of data subjects without their consent – public interest

As stated above, one of the legal basis of disclosure is consent. Nevertheless, there are other instances when a person's status can be disclosed without his consent. In this situation, the employer, government agencies or health officials can be in a position to disclose the information on the basis of public interest10.

However, it is pertinent to note that when disclosing and sharing data on the basis of public interest, the employers should collect only necessary personal data as information regarding the health status of an individual is classified as "sensitive personal data" which must be managed carefully. Thus within the context of COVID-19 containment, the employer may collect minimum information needed to evaluate the risk that an individual carries the virus and take proportionate, risk-based measures.

Furthermore, on the basis of public interest, employers and government agencies are permitted to send public health messages to their clients, prospects and the general public as these messages are not intended for marketing purposes. Public bodies may also require additional collection and sharing of personal data to protect against serious threats to public health.

Conclusion

The COVID-19 pandemic is an outbreak, unprecedented in modern times. Even though the NDPR makes provision for organisations to seek the consent of data subjects before disclosing their data, it is evident that these are desperate times and they demand desperate measures. Consequently, there would be the need for organisations to disclose information on the basis of public interest.

Footnotes

1 Section 1.3 of the NDPR

2 Section 1.3 of the NDPR

3 Section 1.3 of the NDPR

4 Section 1.2 of the NDPR

5 Processing includes collection, recording, organisation, storage, adaptation, alteration, retrieval, use, disclosure or dissemination.

6 person who determines how personal data is processed or will be processed.

7 Section 2.10 of the NITDA Data Protection Regulation

8 Section 2.2 of the NDPR

9 Section 2.1 of the NDPR

10 Section 2.2 of the NDPR

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.