The Nigerian Data Protection Regulation ("NDPR" or "Regulation") was introduced in 2019 by the National Information Technology Development Agency ("NITDA" or "Agency") to safeguard, regulate, and protect against personal data breaches and to ensure that Nigerian businesses in all sectors, including the health sector, remain competitive in the international sphere. Since the introduction of the Regulation, organisations that process personal data have had to adjust the way personal data is collected and processed to conform with the requirements stipulated in the NDPR. Hospitals and healthcare organisations are not left out of this drive for conformity, as they deal with large volumes of personal data on a daily basis. The scope of the Regulation is broad: it applies to all kinds of transactions, including doctor-patient relationships, employer-employee relationships, manager-client relationships, etc.
Hospitals and healthcare organisations are subject to this Regulation as it gives impetus to Section 24 of the National Health Act, 2014, which provides generally for confidentiality and states thus "All information concerning a user including information relating to his or her health status, treatment or stay in a health establishment is confidential".
Furthermore, Section 29 (1) of the National Health Act also makes it mandatory for patients'/clients' personal data to be protected from unauthorised access. The wording of the Act is as follows:
"The person in charge of a health establishment who is in possession of a user's health records shall set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept".
Every hospital and healthcare organisation owes a duty of care to its patients/clients to ensure that their personal data is properly stored and protected as provided by the law, and will be held accountable for its acts and omissions in relation to processing the said data if any breach occurs. The Regulation provides standards and principles which organisations must comply with in processing all personal data in their custody, including employees' data.
Compliance with data protection under the NDPR
Compliance with data protection laws improves the trust between businesses and their customers, especially in the health sector, where hospitals and healthcare organisations handle very sensitive information on a daily basis, such as patients' personal contact details, health status, medical history, etc. It also prevents the organisation from incurring expensive costs in the form of fines, litigation expenses, public embarrassment, and a bad reputation. Data protection compliance involves understanding not only a company's policies, contracts, and legal engagements; it also requires an understanding of the company's information technology, security, audit, and operational systems.
The NDPR imposes several responsibilities on data controllers and processors to enable them to lawfully obtain and process data. A Data Controller or Processor, according to the Regulation, means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed. For a data controller or processor to successfully comply with the provisions of the NDPR, they must take into cognizance the following, amongst others:
- a) Consent: Data controllers and processors must first seek the consent of the data subject without undue influence, fraud, and coercion which is usually obtained through clear, unambiguous data privacy policies to which the data subject has consented. Hospitals and healthcare organisations should ensure that consent is clearly given as implied consent is no consent.
- b) Data Protection Audit: The NDPR mandates all organisations that process the personal data of more than 1000 data subjects in a period of 6 months and 2000 Data Subjects in a period of 12 months to submit a Data Protection Audit report to NITDA not later than 15th March every year. This involves the organisation's audit of its data privacy and protection practices. These organisations must engage the services of a licensed Data Protection Compliance Organisation to comply with this regulatory requirement, as they are not allowed to deal directly with NITDA. Audits are meant to show that the data controller or processor complies with the law. If your organisation does not process the amount of data required to file an annual data audit report with NITDA (1000 data subjects in six (6) months or more than 2000 data subjects in twelve (12) months), your organisation is still expected to comply with certain requirements provided in the NDPR, to prevent statutory fines and reputational damage.
- c) Data Protection Compliance Organisations (DPCOs): DPCOs, such as SPA Ajibade & Co, are a new crop of data protection professionals established by the NDPR. They are integral to ensuring compliance with the NDPR amongst organisations. DPCOs are professionals licensed to provide auditing and compliance services for data controllers. They also provide data protection and privacy training, advisory services, drafting of regulation contracts, Data Protection Impact Assessments, etc.
- d) Data Protection Officers (DPOs): The Regulation also mandates every data controller, which includes hospitals and healthcare organisations, to employ a Data Protection Officer within its organisation or outsource this role to a verifiably competent firm or person to ensure adherence to the NDPR, relevant data privacy instruments and data protection directives of the data controller.
- e) Privacy Policies (Notices): Every data controller or processor must ensure it has clear and unambiguous privacy policies that are accessible and comprehensible by the data subject. These policies are to be cautiously drafted to meet the requirements in Art. 2.5 of the NDPR.
- f) Conduct Internal Data Protection Training: To ensure data protection compliance amongst their members of staff, organisations should ensure that their staff are professionally trained in the field of data privacy and protection. They may organise data protection training for them, which may require inviting DPCOs in the process. This way, their employees, especially those specifically responsible for processing data, e.g., HR personnel, nurses, doctors, front-desk officers, etc., would be enlightened on how to protect and manage personal data and prevent data breaches.
The importance of an organisation's compliance with the NDPR and other data protection laws transcends the statutory requirements for compliance. The value and reputation of the organisation are equally at stake in the event of a data breach. Therefore, it is pertinent that organisations, particularly in the health sector, take data protection compliance seriously. Moreover, apart from preventing patients' and employees' data from falling into the wrong hands, compliance helps to maintain investors' and the public's trust in the organisation, since patients will be unwilling to disclose key personal information where there is a previous history of breaches.
If an organisation is in breach of any of the provisions of the NDPR, NITDA may issue an order for compliance with the relevant provisions to curtail further breach. These sanctions may be in the form of a monetary fine following an administrative process that complies with principles of fair hearing and judicial safeguards. NITDA may also issue other administrative sanctions such as: suspension of service pending further investigations; an order for parties in breach to appear before a panel to determine the liability of officers; a public notice to warn the public to desist from patronising or doing business with the affected party; and referral of the matter to appropriate professional bodies for possible sanction of their members involved in the breach. NITDA may also decide to prosecute officers of the organisation as provided in Section 17(1) and (3) of the NITDA Act 2007.
NITDA has penalized some organisations for non-compliance with the NDPR. For instance, after postponing the deadline for mandatory Data Compliance Audit from July 2019 to October 2019, NITDA issued non-compliance notices to 100 defaulting companies in December 2019. In 2020, NITDA sanctioned the Lagos Internal Revenue Service (LIRS) by imposing a fine of One million Naira (1m) for exposing taxpayers' identity online via its website where personal information of taxpayers of Lagos State was viewed by the general public in breach of the Nigeria Data Protection Regulation (NDPR), 2019.
Just recently, in August 2021, NITDA issued a fine of ten million naira (10m) to a microloan company, Soko Loans Company Limited, for invasion of privacy by illegally tampering with users' private data. NITDA also directed the Company to refrain from sending privacy-invading messages to Nigerians until its full compliance with the NDPR.
SPA Ajibade & Co. is a Data Protection Compliance Organisation (DPCO), licensed by the National Information Technology Development Agency (NITDA) to audit, conduct training and provide data protection compliance services to public and private entities in line with the Nigerian Data Protection Regulation (NDPR) 2019. Some of the services we can provide to your organisation include: audit of regulatory compliance of the client's current business practices; preparation and filing of Data Audit Reports; data protection training and awareness services; data regulations contracts drafting, review and advisory; data protection regulatory compliance and advisory services; breach management services; data privacy breach impact assessment; data protection and privacy due diligence investigation; outsourced Data Protection Officer services; regular monitoring of forthcoming legislative changes; full implementation support; representation before the National Information Technology Development Agency ("NITDA"); interfacing with NITDA regarding regulatory compliance issues; and other services for the purpose of compliance with the NDPR or any foreign data protection laws or regulations having effect in Nigeria.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.