Data Protection Rights and Obligations in an Employer – Employee Relationship in Nigeria1

Introduction

The Nigerian Data Protection Regulation("NDPR" or "Regulation")2 was introduced by the National Information Technology Development Agency ("NITDA" or "Agency") to safeguard, regulate and protect against personal data breaches and also ensure Nigerian businesses remain competitive in international trade.3 Since the introduction of the Regulation, organisations that process personal data have had to make necessary adjustments to the way personal data are collected and processed to ensure conformity with the requirements stipulated in the NDPR.4

The scope of the Regulation is broad as it applies to all kinds of transactions including transactions that involve employees intended for data processing.5 The Regulation extends to employer-employee relationships and the activities of both employers and employees in respect of data processing are subject to the NDPR.

Employee Data Protection Rights

Employees are regarded as data subjects and entitled to the rights attributed to data subjects in the NDPR. These rights must be consistent with the principles of protection and enforcement of fundamental rights in the Constitution of the Federal Republic of Nigeria.6 Some of the rights are highlighted below:

a. To object to the processing of their personal data and to be informed of the procedure for objecting to data processing.7

b. To receive information regarding their personal data including any communication and actions taken by the employer.8

c. To be informed of the appropriate safeguards for data protection adopted in a foreign country where their personal data are to be transferred.9

d. To obtain from their employers without undue delay the rectification of inaccurate personal data concerning them.10

e. To request that employers delete their personal data without delay.11

f. To receive personal data concerning them in a structured, commonly used and machine-readable format.12 They also have the right to transmit the data to another controller without hindrance from their employers to which personal data had been given.13

However, the Freedom of information Act (FOIA)14 allows the disclosure of information regarding employees of public institutions, some of which may be regarded as personal information under the NDPR, without the need to obtain their consent prior to the disclosure. Specifically, the FOIA requires public institutions to publish the names, salaries, titles and dates of employment of their employees and officers.15 In addition, the FOIA mandates public institutions to deny applications for access to a record or information that contains personal information, unless the prior consent of the individual to whom such information relates has been obtained or, alternatively, if the information is otherwise publicly available.16 The FOIA also exempts requests for personnel files and personal information of employees, appointees or elected officials of any public institution or applicants for such positions.17

Employer Data Processing Obligations

Employers are subject to the Regulation in processing their employees' personal data. They owe a duty of care to their employees and will be held accountable for their acts and omissions in relation to processing the said data.18 The Regulation provides standards and principles which employers must comply with in processing all personal data in their custody including employees' data.19

Where an employer who deals with more than 10,000 data subjects is found to be in breach of their privacy rights, the employer would be held liable, in addition to any other criminal liability, to the payment of the fine of 2% of its annual gross revenue of the preceding year or the payment of 10 million Naira, whichever is greater. In the case of an employer who deals with less than 10,000 data subjects, the employer will be held liable to pay 1% of its annual gross revenue of the preceding year or the sum of 2 million Naira, whichever is greater.20 Some of the obligations of employers in respect of data protection are highlighted below:

a. Procuring Consent

Employers are required to procure consent prior to processing their employees' personal data and ensure that the data are obtained without fraud, coercion, or undue influence.21 However, consent is only one of the legal grounds for processing personal data and personal data may be processed based on the fulfilment of a contract, compliance with a legal obligation, to protect the vital interests of a data subject or of another natural person, the performance of a task carried out in the public interest or in exercise of official public mandate.22

Prior to obtaining consent, employees must be informed of their rights and the methods for withdrawal of consent.23 In addition, employers must provide their employees with their identity and contact details, the contact details of their Data Protection Officer, purpose(s) of the processing as well as the legal basis for the processing.24 However, the requirement for procurement of consent prior to disclosure of employees' personal data to the public or a third party might not be applicable in public institutions in certain circumstances, based on the provisions in the FOIA.25

It has been opined that there is no need to rely on consent for most processing of employees personal data as employers may rely on legitimate interests because an employer-employee relationship is generally considered an imbalanced relationship in which the employer wields more power than the employee.26 Considering consent has to be given freely and there appears to be an imbalanced relationship between employees and employers, employers in most cases cannot rely on consent alone to process data concerning employees.27

b. Privacy Policy

Employers are required to display a simple and conspicuous privacy policy where personal data is being collected or processed to enable the category of employees targeted comprehend the information.28 The privacy policy must stipulate what constitutes the data subject's consent, the description of collectable personal information, the purpose of collection and technical methods used to collect and store personal information among others.29

c. Filing Annual Audit Report

Employers were required to conduct a detailed audit of their privacy and data protection practices within six months after the date of issuance of the NDPR.30 Employers who process the personal data of more than 2000 data subjects including employees, in a period of 12 months are now required to file the summary of their data protection audit annually not later than the 15th of March of the following year.31

Ensuring Compliance with the Obligations of an Employer in the NDPR

To ensure maximum compliance with their data protection obligations and secure personal data of data subjects, it is paramount that employers ensure their employees comply with the relevant obligations. In addition to the strategies employers are required to adopt to ensure the protection and security of personal data,32 it may also be necessary to get employees to sign data protection contracts, insert data protection clauses in employment contracts or issue privacy notices to them. These measures are essential in fulfilling their data protection obligations to employees as they can be utilized to inform employees about the specific reasons for the processing of their data, prior to obtaining consent. These measures are discussed below:

a. Signing Data Protection Contracts and/or Including Data Protection Clauses in Employment Contracts

Employers may take steps to ensure employees sign data protection contracts or insert data protection clauses in their employment contracts, which would set out the parties' rights and obligations regarding data processing. This would serve as a means of informing the employees of their obligations in ensuring the safety and non-disclosure of personal data which they may have access to by virtue of their position in the organization. Where these measures are not utilized, employees might not be conscious of their obligations and possible data breaches may occur which may be detrimental to the business of employers and the privacy of data subjects. Examples of data protection clauses include the following:

"The employee shall comply with the data protection policy when handling personal data in the course of employment including personal data relating to any employee, client, patient, supplier or agent of the practice."33

"By signing this agreement, the employee confirms that they have read and understood the practice's data protection policy, a copy of which is contained in the staff handbook. The practice may change its data protection policy at any time and will notify employees in writing of any changes."34

Data protection contracts including clauses in employment contracts may also be utilized to obtain written consent from employees to process their data. An example of such clause is "By signing this Agreement the Employee consents to the Company collecting, retaining and processing personal information about the Employee." However, it appears that the Regulation places a restriction on consent clauses in contracts meant for other purposes. Art 2.3(b) of the Regulation provides that if the Data Subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. It further provides that any part of such a declaration which constitutes an infringement of this Regulation shall not be binding on the data subject. This restriction is also stipulated in Article 7(2) of the General Data Protection Regulation (GDPR).35 Therefore, if employment contracts are to be utilized, the clauses on request for consent must be presented clearly and distinguished from other matters in the agreement. Employers should not rely on the general signature of employees as their response to the request for consent and there should be a separate response box for the clauses on consent.

It is debatable whether written consent obtained through employment contracts are legitimate as it may be argued that consent cannot be freely given if employees are mandated to sign prior to the commencement of their employment.36 It has been said that employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship.37 Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer."38 Art 2.3(2)(d) of the Regulation provides that when assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of Personal Data that is not necessary (or excessive) for the performance of that contract. Consent should be separately requested and not conditioned upon or connected to commencement of employment. It should be presented in a manner which is clearly distinguishable from the other matters, in an easily accessible form, with clear and plain language.

Employers may not need to seek employees' consent as consent obtained within an employment contract is unlikely to be GDPR compliant.39

b. Issuing Privacy Notices

Privacy notices may also be issued as an alternative to signing contracts. It is recommended that rather than provide consent clauses in a contract of employment or a separate contract due to the difficulty of freely giving consent, employers may have a non-contractual privacy notice for all employees to comply with the Regulation. Privacy notices do not rely on consent as a lawful basis for processing employee's data and other basis of processing data will be adopted with the use of this method.40

Conclusion

Employers and employees are subject to the NDPR of which compliance is mandatory. Failure to adopt necessary measures to ensure employees' compliance with the Regulation may result in the employer being fined or sanctioned. Employers may include data protection clauses in employment contracts, provide separate data protection contracts or issue privacy notices in addition to the measures provided in the Regulation, to ensure employees protect personal data which they have access to due to their position as employees. Issuing privacy notices appear to be the preferred option at the point of collection of personal data of employees where other lawful means of processing their data can be relied on.

Additionally, even though public institutions can publish certain personal information of their employees, it is recommended that they preserve sensitive information of their employees at every opportunity in order to maintain the privacy of these individuals as provided in the constitution of the Federal Republic of Nigeria41 and envisaged in the Freedom of Information Act. On the other hand, the FOIA may need to be amended to impose more precise restrictions on the publication of sensitive data.

Footnotes

1. Bisola Scott, Associate Intellectual Property Department and Oreoluwa Adebayo, Associate Corporate Finance & Capital Market, SPA Ajibade & Co., Lagos, Nigeria.

2. 2019, available at https://nitda.gov.ng/wp-ontent/uploads/2020/11/NigeriaDataProtectionRegulation11.pdf, accessed on 5th December 2020.

3. Ibid.

4. Some of the adjustments these organisations have made include ensuring security of personal data against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements, personal data collected and processed are adequate, accurate and without prejudice to the dignity of human person, personal data are collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject and submission of data protection audit report to NITDA.

5. Article 2.1 (a) and (b) NDPR. The Regulation also applies to natural persons residing in Nigeria or residing outside Nigeria but who are citizens of Nigeria.

6. Article 3.1(16) NDPR.

7. Article 2.6(b).

8. Article 3.1(3).

9. Article 3.1(8).

10. Ibid.

11. Article 3.1(9). According to the Regulation, the Controller shall delete Personal Data where one of the following grounds applies: a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or processed; b) the Data Subject withdraws consent on which the processing is based; c) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing; d) the Personal Data have been unlawfully processed; and e) the Personal Data must be erased for compliance with a legal obligation in Nigeria.

12. Article 3.1(14).

13. Ibid. This right can be exercised where the processing is based on consent, or on a contract, or it is carried out by automated means.

14 2011, available at https://www.cbn.gov.ng/FOI/Freedom%20Of%20Information%20Act.pdf, accessed on 31st December 2020.

15. Section 2(3)(c)(vi) FOIA.

16 Section 14(2) (a) and (b). Personal information is defined in the FOIA as any official information held about an identifiable person but does not include information that bears on the public duties of public employees and officials. See section 31 FOIA.

17. Section 14(1)(b) FOIA.

18. Article 2.1 (2) and (3).

19. See Article 2.1 and 2.2.

20. Article 2.10(a) and (b).

21. See Art 2.1(a) and 2.2(a). According to the NDPR, "consent of the data subject" means any freely given, specific (relating to such separate purpose) informed and unambiguous indication of the data subject's wishes by which he, by statement or by clear affirmative action, signifies agreement to the processing of personal.

22. Article 2.2(b)-(e).

23. Article 2.3(c).

24. See Article 3.1(7). Other information required include the legitimate interests pursued by the Controller or by a third party, the recipients or categories of recipients of the Personal Data, if any, where applicable, the fact that the Controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by The Agency, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period etc.

25. Supra n. 15.

26. European Commission, 'Can an employer require me to give my consent to use my personal data?', available at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/can-my-employer-require-me-give-my-consent-use-my-personal-data_en, accessed on 2nd December 2020.

27. Ibid.

28. Article 2.5.

29. Article 2.5(a)-(I).

30. Article 4.1(6).

31. Article 4.1(7).

32 These measures include storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protecting emailing systems and continuous capacity building for staff. See Article 2.6.

33. MDDUS, GDPR Clause for your Employment Contracts, available at

https://www.mddus.com/resources/resource-library/employment-law-update/2019/march/gdpr-clause-for-your-employment-contracts, accessed on 12th December 2020.

34. Ibid.

35. GDPR provides that which provides that if the Data Subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. See https://www.activemind.legal/legislation/gdpr/article-7/, accessed on 1st December 2020.

36. Matthew Hattersley, GDPR FAQS-Employment Contracts- Do they need to be Updated? available at

https://www.clarionsolicitors.com/articles/gdpr-faqs-employment-contracts-do-they-need-to-be-updated, accessed on 11th November 2020. Art 1.3(iii) of the Regulation provides that consent must be freely given.

37. This was the opinion of the independent European Advisory Body on Data Protection and Privacy, which was set up under Article 29 of the EU Directive on Data Protection. See Nicole Gabryk, Employers Beware: POPIA and Consequent Liabilities for Employers, available at https://www.lexology.com/17651/author/Nicole _Gabryk/, accessed on 10th November 2020.

38. Ibid.

39. Supra, n. 36.

40. Simply-Docs, Privacy Notice for Employees and Contractors, available at https://simply-docs.co.uk/ Employment-Contracts-and-Privacy-Notice-GDPR/Privacy-Notice-for-Employees-and-Contractors-GDPR, accessed on 2nd December 2020.

41 See section 37 Constitution of the Federal Republic of Nigeria, Cap. C23 Laws of the Federation of Nigeria 2004.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.