Data Protection: IT Regulator issues 60-day deadline to public sector

The Federal Government has directed public institutions to implement data protection for personal data they hold within 60 days or risk sanctions.

Nigeria's IT industry regulator, the National Information Technology Development Agency (NITDA) says that public sector institutions must securely digitize personal data held in their databases.

According to the IT regulator, the deadline was issued to enforce the Guideline for Management of Personal Data by Public Institutions in Nigeria, 2020 that supplements the Nigeria Data Protection Regulation (NDPR), 2019 .

Mrs. Hadiza Umar, Head, Corporate Affairs and External Relations, NITDA, who announced the deadline says that "all the principles and provisions of the NDPR remain valid and applicable to all Nigerians including public institutions."

"The COVID-19 pandemic, for example, has brought up the need for more personal data use to limit the spread of the virus. While we recognise the existence of constitutional limitations on privacy rights in the interest of public health and safety, yet such limitations must be based on defined frameworks. NITDA, therefore, implores all concerned parties to comply strictly with the requirements of these Guidelines and seek professional guidance from licensed Data Protection Compliance Organisations (DPCO) for the purpose of compliance."

-Mrs. Hadiza Umar, Head, Corporate Affairs and External Relations, National Information Technology Development Agency (NITDA)

Kashifu Abdullahi, Director-General, National Information Technology Development Agency (NITDA)

Data Protection: Who is affected?

NITDA's Head, Corporate Affairs and External Relations says that "all Public Institutions holding or processing personal data are required to securely digitize all personal databases within 60 days from the issuance of the Guidelines. Similarly, all such public institutions are required to maintain the highest level of information security to guarantee confidentiality, integrity, availability and resilience of all databases within their control."

According to the IT regulator , the Guideline requires all public institutions and any entity co-owned by the Government to process all personal data of Nigerians and Data Subjects in Nigeria in line with best practices and in conformity with the highest standards.

"It takes cognisance of the fact that some public sector data processing may be founded on Vital or Public interest. This position of trust, therefore, requires public data controllers and processors to apply the highest ethical and professional standards in processing such data", Mrs Umar says.

NITDA says its issuance of a public-sector specific Guideline "is another trailblazing effort made in consonance with the emerging global data regulatory models."

The Guideline also mandates the use of secure technology and automated processes for personal data by Public Institutions, in line with the requirements of the National Digital Economy Policy and Strategy ( NDEPS ) promoted by Dr. Isa Ali Ibrahim, Minister of Communications and Digital Economy.

A mobile phone user seen on her device. The Nigerian IT regulator wants public institutions and any entity co-owned by the Government to process all personal data of Nigerians and Data Subjects in Nigeria in line with best practices and in conformity with the highest standards.

Data Protection: What is the sanction?

For government agencies that fail to comply, NITDA "shall not hesitate to invoke the punitive sanctions provided in the NITDA Act 2007 and NDPR in the event of breach or abuse of personal data of Nigerians. We urge all concerned parties to study these Guidelines diligently and apply them accordingly. We also encourage all parties to reach out to the Agency and seek clarifications or guidance when needed."

According to the NITDA spokesperson, "NITDA will not relent in its surveillance to ensure adequate compliance with the NDPR and these Guidelines."

According to her, the IT regulator "recognizes the need for collaboration in some cases between the public and private sector to tackle emergencies or other state-led interventions for the benefit of citizens. Therefore, the Guideline provides a strict framework for these types of collaborations to ensure that the privacy of Nigerians is not unduly infringed."

According to NITDA, "The COVID-19 pandemic, for example, has brought up the need for more personal data use to limit the spread of the virus. While we recognise the existence of constitutional limitations on privacy rights in the interest of public health and safety, yet such limitations must be based on defined frameworks. NITDA, therefore, implores all concerned parties to comply strictly with the requirements of these Guidelines and seek professional guidance from licensed Data Protection Compliance Organisations (DPCO) for the purpose of compliance."

The Nigerian IT regulator says it derives its powers from Section 6(c) of the NITDA Act 2007 to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria.

"The Agency issued the NDPR in 2019 as Nigeria’s first comprehensive framework for the protection of personal data. The NDPR provides the principles and framework for the protection and processing of personal data of Nigerians and residents", Mrs Umar says.