NITDA's POWER TO REGULATE NON-ELECTRONIC DATA1
In the dawn of the era of big data analytics, where large volumes of structured and unstructured data are processed, analysed and traded, data has become an invaluable asset to most organisations. Also, with the birth of the computer age and the growing pace of technological innovations across the globe, digitization of paper-based data has become the new trend. Businesses are beginning to transition from purely paper-based databases to diverse electronic storage systems.2 Despite this transition, a plethora of businesses, especially in Nigeria, still utilize non-electronic storage systems to process and safeguard their clients' personal and sensitive data.3 While most emphasis seems to be placed on security of electronic data, a number of incidents of data security breaches across the world have resulted from the mishandling and theft of sensitive personal paper documents, thus necessitating its regulation.4 The European Union's General Data Protection Regulation ("GDPR")5 and the data protection laws of countries6 with adequate data protection laws expressly make provisions for the regulation of non-electronic data in addition to electronic data. This inclusion enables their respective regulatory bodies to act within the contemplation of their enabling statutes. However, similar provisions are not so apparent in the Nigerian Information Technology Development Agency Act ("NITDA Act").7
The NITDA Act empowers the Nigerian Information Technology Development Agency ("NITDA") to regulate the use of electronic data interchanges and other forms of electronic communication transactions,8 including data transferred from non-electronic formats to electronic formats, but it is not so apparent that such powers include the regulation of paper-based data which are processed manually and not converted to electronic formats. The Nigeria Data Protection Regulation ("NDPR")9 issued by NITDA contains broad provisions regarding the form of data it regulates, which suggest that its provisions extend to the regulation of non-electronic data. This begs the question whether a regulatory body can act outside the powers conferred on it by its enabling statute. We will examine the relevant provisions empowering NITDA to regulate data in Nigeria vis-à-vis international best practices.
UNDERSTANDING ELECTRONIC AND NON-ELECTRONIC DATA
Electronic data are sets of information or instructions which are converted, created, or transmitted by computer programs or software and stored on data processing devices or any other repositories of computer software which are used with electronically controlled equipment.10 It includes all electronic files, databases, documents, catalogues, memoranda, e-mails, manuals, guides, materials, plans, photographs, graphics, specifications, timelines, flow charts, comments, programs, records, and other electronic information.11
Non-electronic or paper-based data can be described as a collection of information, facts, or concepts stored or preserved manually in non-digital or non-computerized formats such as leaflets, cardboard, journals, dictionaries, catalogues, magazines, manuscripts etc.12
EXAMINATION OF THE POWERS OF NITDA TO REGULATE DATA IN NIGERIA
NITDA is the sole regulatory agency empowered by the NITDA Act to administer the provisions of the Act.13 The functions of the agency are provided in S.6 of the NITDA Act, one of which is to:
"develop regulations for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour and other fields, where the use of electronic communication may improve the exchange of data and information."14
In the exercise of this power, the NDPR was issued by NITDA and the Draft Implementation Framework15 was formulated as a strategic approach to enforce the provisions of the NDPR and further its objectives.16
According to the NDPR, "the regulation applies to all transactions intended for the processing of personal data and to actual processing of personal data notwithstanding the means by which the data processing is being conducted or intended to be conducted and in respect of natural persons in Nigeria."17
From the foregoing, it is clear that NITDA's powers encompass the regulation of electronic data and other forms of electronic communication interchanges; however, it is unclear and debatable whether such scope extends to non-electronic data regardless of the mode of processing. Would it be correct to say that the phrases "the regulation applies to all transactions" and "processing of personal data notwithstanding the means" suggest that NITDA has the power to regulate non-electronic or paper-based data in addition to electronic data, considering that communications, transactions or other data processing may be conducted through electronic and non-electronic means? If the answer is in the affirmative, would NITDA be acting outside its powers by including such wide provisions in its regulation, as its enabling statute only empowers it to develop regulations for electronic governance and to monitor the use of electronic data interchange and other forms of electronic communication transactions?18
The next question that may then be asked is whether a regulatory body can act beyond the powers conferred on it by its enabling statute. In the case of Ondo State University v Folayan,19 the Supreme Court held that "where a body is a creature of statute it must act in accordance with the law creating it." Similarly, in Amasike v Registrar Gen., C.A.C,20 the court held that "a public body or authority invested with statutory powers must act within the law and take care not to exceed or abuse its power. Where a person, body or authority claims to have acted pursuant to power granted by statute, such person, body or authority must justify the act, if challenged, by showing that the statute applied in the circumstances, and that he or it was empowered to act under it."
A CUE FROM THE DATA PROTECTION LAWS IN OTHER JURISDICTIONS
The Draft Implementation Framework of the NDPR recognises some countries with adequate data privacy and protection laws.21 The scope of the privacy and data protection laws of some of the countries identified extends to non-electronic or paper-based data. We will examine the provisions of the privacy and data protection laws of some of these countries below.
THE EUROPEAN UNION (EU)
The EU is an international organisation that comprises about 27 countries in Europe.22 In May 2018, the European Union issued the GDPR to unify the data protection laws across the EU countries and to afford its members better rights and protections.23 Following this trend, the NDPR was also issued and its provisions substantially mirror the provisions of the GDPR.24 However, unlike the GDPR, the NDPR does not make express provision for the protection of non-electronic or paper-based data, although this is debatable. The GDPR provides for the regulation of both electronic and non-electronic data. In the material scope of the GDPR, two major situations where the GDPR would be applicable were identified, which include:
- The processing of personal data wholly or partly by automated means;25 and
- The processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.26
The clarity of these provisions would enable countries required to domesticate the provisions of the GDPR in their respective data protection laws to be sufficiently empowered to regulate both electronic and non-electronic personal data. The inclusion of the provision regulating non-electronic data would also provide an opportunity for data controllers and administrators within the contemplation of the regulation to smoothly comply with other relevant provisions of the GDPR in respect of paper-based data, such as the right to erasure or right to be forgotten.27 This right empowers a data subject to request the erasure of his or her personal and sensitive data from the data controller without delay.28 It would be an onerous task for a data subject to enforce this right if the data controllers were only obligated under the GDPR to erase electronic personal data of the data subjects and under no obligation to erase sensitive personal paper records. It would thus be difficult for data subjects to rely on the GDPR in order to enforce their rights to request the erasure of their personal and sensitive data from the data controller without delay, without the broad rights of processing control conferred under the GDPR.
Although the Data Protection Act of the Republic of Cape Verde ("the Act") was enacted in 2001,29 it is categorized among the most comprehensive data protection laws.30 The Act also makes express provision for processing of personal data by non-electronic means. Art. 2(1) of the Act states as follows: "the present Act/Law shall apply to the processing of personal data wholly or partly by automated means as well as to the processing of personal data other than by automated means contained in manual files or part of manual files." It further defines "Personal Data" as "any information of any type/nature and irrespective of the medium involved, including sound and image relating to an identified or identifiable person or data subject."31 It is evident from the above stated provisions that clear stipulations were made in the Act for the regulation of both electronic and non-electronic personal data. Thus, the National Data Protection Authority32 in Cape Verde would be adequately empowered to regulate both forms of data.
Recently, the National Standards Information Technology - Personal Information Security Specification ("PI Specification") came into effect in China.33 It is the most recent data privacy law in China, which came into effect in May 2018. Its scope also extends to personal data recorded in non-electronic formats. Art.1 of the PI Specification states that the law applies to "the processing of PI by various entities, as well as to the supervision, administration, and assessment of PI processing activities by entities."34 The definition of Personal Information in the PI Specification also includes "information recorded by electronic and other means."35 This use of "other means" could be interpreted to mean non-electronic formats and would empower the Cyberspace Administration of China36 to also regulate non-electronic data in addition to electronic data.
Unlike electronic documents, it is easier for paper-based documents to lead double or triple lives. One of the prominent threats to even the most secure electronic databases emanates from replicated copies of sensitive personal data forgotten in places accessible to the general public in the form of original paper copies, photocopies or facsimile versions, insecure disposal of documents and the activities of malicious internal actors.37 Generally, human error in dealing with paper documents could expose an organisation to data breaches and infringements, hence the need for clear provisions regulating paper-based data. In Nigeria, the paper shredding culture is poor and, on a daily basis,38 volumes of personal and sensitive paper documents are utilized without adequate security defences.
The power of NITDA to regulate non-electronic or paper-based personal data is questionable in light of the restrictive provisions of the NITDA Act that empower it. In the opinion of the writers, it may be necessary to amend the provisions of the NITDA Act to expressly regulate the processing of non-electronic or paper-based data to bring it in line with international best practices or to issue a separate regulation for the protection of non-electronic data. Also, data controllers, administrators and processors need to tread carefully in dealing with non-electronic personal data because if they capitalise on the limited scope of the NITDA Act, they could be found guilty of other related offences such as breach of confidentiality, negligence etc. Organisations could also resort to creating internal rules to control access and handling of sensitive personal print data within their offices.
1. Bisola Scott and Sandra Eke, Associates, Intellectual Property & Technology Department, S.P.A. Ajibade & Co., Lagos, NIGERIA.
2. Para. 2, Preamble to the Nigeria Data Protection Regulation 2019, available at: https://nitda.gov.ng/wp-content/uploads/2019/01/NigeriaDataProtectionRegulation.pdf accessed 20th June 2020.
3. This Day, "Nigeria Must Leverage on Digital Records Storage Technology" available at: https://www.thisdaylive.com/index.php/2016/12/15/nwosu-nigeria-must-leverage-on-digital-records-storage-technology/ accessed 4 May 2020.
4. P4P, "GDPR Compliance for Paper Documents" available at: https://www.p4p.uk.com/gdpr-compliance-paper-documents/ accessed 4 May 2020.
5. EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 was approved by the European Parliament in April 2016 and the official texts and regulation of the directive were published in all of the official languages of the EU in May 2016. The legislation came into force across the European Union on 25 May 2018.
6. Like the data privacy and protection law in Australia, Cape Verde and China.
7. Act No. 28 of 2007 (published in Official Government Gazette No. 90 Vol. 94, 5th October 2007).
8. S.6(c) NITDA Act.
9. Nigeria Data Protection Regulation 2019, (Signed on the 25th January, 2019), available at: https://nitda.gov.ng/wp-content/uploads/2019/01/NigeriaDataProtectionRegulation.pdf accessed 20th June 2020.
10. Law Insider, "Definition of Electronic Data" available at: https://www.lawinsider.com/dictionary/electronic-data accessed 1 May 2020.
12. Pennsylvania State University, "Non-Electronic Database" available at: http://www.personal.psu.edu/ejp10/databases/about/nonelectronic.html accessed 1 May 2020.
13. S.1 NITDA Act.
14. S.6(c) NITDA Act.
15. Nigeria Data Protection Regulation: Implementation Framework, Version 1, July 2019, available at: https://nitda.gov.ng/wp-content/uploads/2019/07/DPFramework.docx accessed 16th June 2020.
16. Art 1.1 NDPR. Some of the objectives include: to protect the rights of natural persons to data privacy, foster safe conduct of transactions involving the exchange of personal data, prevent manipulation of personal data, ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection that is aligned with global best practices.
17. Art 1.2(a) NDPR.
18. Ibid n.13.
19. (1994) 7 NWLR (Pt.354) 1, p.36, para. F.
20. (2010) 13 NWLR (Pt.1211) 337.
21. These countries include: all EU countries by virtue of the GDPR, Angola, Argentina, Australia, Brazil, Canada, Cape Verde and China.
22. Britannica, "European Union" available at: https://www.britannica.com/topic/European-Union accessed 2 May 2020.
23. ZDNET, "What is GDPR? Everything you need to know about the new general data protection regulations" available at: https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/ accessed 29 April 2020.
24. Yimika Ketiku and Dolapo Bolu, "Data Protection Regulation 2019: The New Law" available at: http://www.spaajibade.com/resources/wp-content/uploads/2019/07/Data-Protection-Regulation-2019-The-New-Law-Yimika-Ketiku-and-Dolapo-Bolu.pdf accessed 29 April 2020.
25. Art. 2(1) GDPR.
27. Art.17 GDPR.
29. Data Protection Act - The Republic of Cape Verde Law 133/V/2001 of 22 January.
30. Deloitte, "Privacy is Paramount - Personal Data Protection in Africa" available at: https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf accessed 2 May 2020.
31. Art.5(a) Data Protection Act - The Republic of Cape Verde Law.
32. The National data protection authority in Cape Verde is the Comissão Nacional de Proteção de Dados Pessoais.
33. National Standards on Information Security Technology - Personal Information Security Specification GB/T 35273-2017. It is the most recent data privacy law in China and it came into effect in May 2018.
34. Art.1 PI Specification.
35. Art 3.1 PI Specification.
36. Cyberspace Administration of China (CAC) is the data protection authority in China.
37. Restore Digital, "GDPR - How To Make Sure Paper Doesn't Prevent You From Complying" available at: https://www.restore.co.uk/Digital/Insights/Events/gdpr-how-to-make-sure-paper-doesn39t-prevent-you-from-complying accessed 4 May 2020.
38. Sullivan J., "Trash or Treasure: Global Trade and the Accumulation of E-Waste in Lagos, Nigeria." Africa Today, vol. 61, no. 1, 2014, pp. 89-112. JSTOR, available at: www.jstor.org/stable/10.2979/africatoday.61.1.89 accessed 4 May 2020.