June 3, 2020
On 18th May, 2020, the National Information Technology Development Agency (NITDA) issued the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020 (“the Guidelines”). The Guidelines govern the roles and responsibilities of public officers and public institutions with regard to the processing and management of personal data in compliance with the Nigeria Data Protection Regulation, 2019 (NDPR).
NITDA issued the NDPR on 25th January, 2019, as a framework for the protection and regulation of the collection, processing and management of personal data of individuals who are Nigerian citizens and persons resident in Nigeria. The Guidelines were issued pursuant to Section 6 (a & c) of the National Information Technology Development Agency Act 2007 (NITDA Act) and the NDPR, 2019.
The Guidelines seek to provide guidance to Public Officers on how to handle and manage personal information in compliance with the NDPR. They apply to all Public Institutions in Nigeria, including Ministries, Departments, Agencies, Institutions, Public Corporations, publicly funded ventures and incorporated entities with government shareholding at Federal, State or Local Government level.
Specifically, the Guidelines impose several compliance obligations on public institutions, including the following:
The Guidelines further stipulate the obligations of Data Controllers with respect to sharing of personal data with a public institution and processing personal data on behalf of a public institution.
Failure to comply with the provisions of the Guidelines is an offence under the NITDA Act and the NDPR. In this regard, principal officers of public institutions who breach the provisions of the Guidelines will be personally liable for the breach or misuse of information shared from personal data, either while in office or after expiration of their term of office. The Guidelines, however, provide that parties may approach the Administrative Redress Panel established under the NDPR to seek redress following a determination of breach by NITDA.
The issuance of the Guidelines indicates NITDA’s commitment to enforcing the provisions of the NDPR in both the private and public sectors and makes it imperative for all public institutions in Nigeria to immediately comply with the provisions of the NDPR and the Guidelines.
The COVID-19 pandemic has created a new reality, where government officials now have to work from home and utilise different technology platforms for their official duties. There is therefore a heightened urgency to ensure that all government data, and especially personal data, is handled with care and in line with the provisions of the NDPR and the Guidelines. The imposition of personal liability on principal officers of a defaulting Ministry, Department or Agency of Government (including publicly funded ventures and companies with Government shareholding) during or after their term in office gives NITDA wide powers of enforcement, which means principal officers should be particularly interested in ensuring their institutions comply with the relevant provisions of the NDPR and the Guidelines.
Given the above, all public institutions covered under the NDPR and the Guidelines and engaged in the collection, storage and use of personal data of individuals in Nigeria should urgently put in place steps to ensure compliance by engaging a DPCO that will advise them on the required compliance steps within the relevant timelines. This will enable them to better understand their compliance obligations under the NDPR/Guidelines as required by NITDA and avoid any misuse of government or personal data in their possession.