RIGHTS OF DATA SUBJECT UNDER THE NIGERIA DATA PROTECTION ACT, 2023

Joseph Mtemdoo Gbagyo
Lawyer/Arbitrator/Author

Introduction
In an increasingly data-driven world, the protection of personal information has become a paramount concern. Recognizing the need to safeguard the privacy and rights of individuals, President Bola Ahmed Tinubu signed into law the Data Protection Act, 2023, thereby establishing by statute the Nigeria Data Protection Commission, which is entrusted with the power to make and enforce regulations for the protection and security of the personal data of data subjects in Nigeria. The objectives of this groundbreaking legislation include not only establishing a comprehensive framework for data protection, but also granting significant rights to data subjects. As the custodians of their data, individuals in Nigeria now have the power to control how their information is collected, processed, and shared.
Aim of Safeguarding the Rights
The Nigeria Data Protection Act 2023 (hereafter referred to as the NDP Act) is designed to, among other things, safeguard the right to privacy in accordance with Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (hereafter referred to as the 1999 Constitution), and to foster the trusted use of data in building a sustainable digital economy and the citizens' rights.

Who is a Data Subject?
Section 66 of the NDPA 2023 defines a “data subject” as an individual to whom personal data relates. Therefore, in the context of data protection and privacy regulation, a data subject is a person whose personal information is being collected, processed, or stored by an organization or entity. This can include customers, employees, website users, or any individual whose personal data is being handled by an organization. A data subject has the right to claim damages from anyone who infringes on or violates their data protection rights.
The key data subject rights and the need for protection.
Data Subject Rights (DSR) are the legal rights created by data protection laws that individuals possess over their data usage. They guarantee individuals control over the processing of their data. These rights are found under Part VI of the Nigeria Data Protection Act. They include:
The right to be informed: section 34
Data subjects have the right to know how much of their data is being held by an organization and for what purpose. This is why most organizations have privacy policies that outline the type of data they collect, why they collect it, how long they keep it, how they handle it, and so on. Data subjects have the right to access this information and know what data is being collected about them. This right also comes into play if the organization wants to use the data for additional purposes beyond the original reason for collecting it. In such cases, the data subject can enforce their right to be informed and have control over how their data is used.
The right to access: section 34
Data subjects have the right to reach out to any organization that is handling their personal information and ask for essential details. This includes finding out if the organization processes their data and getting information about how the data is being processed. This information can include the purpose for processing, the type of data being processed, who the data is being shared with, how long the data will be stored, the rights that data subjects have regarding their data, and the measures in place to protect the data if it is transferred to another country. Essentially, data subjects have the right to be informed about how their personal information is being handled by an organization.
The right to rectification: section 35 (1) (a) (v)
If a data subject finds out that the information an organization has about them is incorrect or missing important details, they have the right to ask the organization to fix or update their data. This right is crucial because accuracy can be both subjective and objective. For instance, if a data subject gets married or changes their name, they can request the organization to update their records accordingly. This right holds the same level of importance as other rights under the Nigeria Data Protection Act (NDPA). In situations where it is not possible to correct inaccurate, incomplete, or misleading data, the NDPA allows for the data to be deleted instead.

The right to erasure or deletion: Also termed the right to be forgotten or right to de-referencing, section 34(1) (d) (NDPA)
It relates to a data subject’s right to demand erasure or deletion of personal data from a controller. This right is exercisable where:
the data is no longer necessary in relation to the purpose for which it was collected;
the data subject withdraws the consent upon which the processing is based;
the personal data have been unlawfully processed and the data subject objects to continued processing of such data;
the data controller processes data without lawful basis.
Individuals have the right to ask organizations to delete their data from their systems under certain circumstances. This can be when the data is no longer needed, when it was processed unlawfully, or when it no longer serves the original purpose for which it was collected. This applies to both physical and digital storage of data, and organizations are required by law to comply with such requests within a specific timeframe. However, it is important to note that the right to data erasure is not absolute. See Article 39 of the General Application and Implementation Directive (GAID) 2024, which has expanded the scope of application of the NDPA to the processing of personal data of Nigerians residing in a foreign country, taking into consideration the provisions of international law rules. The Directive also applies to data subjects within Nigeria, regardless of nationality and migration status, and to data subjects whose personal data has been transferred or is in transit through Nigeria. Therefore, organizations can refuse the request on various grounds, including if there is a legal obligation to retain the data for a specific period. For instance, financial service providers may need to retain transaction data for a certain period as mandated by Anti-Money Laundering Laws.

The right to restrict processing: section 34 (NDPA)
Individuals can request that organisations limit the way their personal data is used. It is an alternative to requesting the erasure of data, and might be used when the individual contests the accuracy of their personal data or when the individual no longer needs the information but the organisation requires it to establish, exercise or defend a legal claim.

The right to data portability: section 38(1) (2) (NDPA)
The right to data portability comprises three separate requests. First, the data subject has the right to request that their data be given to them in a structured, commonly used, and machine-readable format without undue delay. Second, the data subject can transmit the data obtained in a readable format to another organisation without any hindrance. Lastly, the data subject can request for the data to be transmitted directly to another organisation where it is technically possible to do so. The Nigeria Data Protection Commission (NDPC) is empowered under the Act to prescribe conditions and circumstances under which the right to data portability may be exercised and obligations to be imposed on data controllers or data processors in relation to costs and timing.

The right to object: section 36 (NDPA)
Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority. Organisations must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual or if the processing is for the establishment, exercise or defense of legal claims. The NDPA also allows a data subject to object to the processing of personal data for marketing purposes at any time, and such an objection is absolute.
Rights related to automated decision-making including profiling: section 37 (NDPA)
This right is new under the NDPA. The NDPA only provided that notice of the use of automated decision-making should be given to the data subject and also as a basis for invoking the right to data portability. The NDPA provides that individuals now have the power to object to decisions that are made solely based on automated processing of their personal data, such as profiling, without any human intervention, if these decisions have a legal effect on them. For instance, if a bank uses automated algorithms to determine creditworthiness and denies a loan application solely based on this automated decision, the data subject has the right to object. However, it is important to note that automated decision-making is permissible if it is necessary for fulfilling a contract between the data controller and the data subject. In this case, the data subject’s rights and interests must be protected by laws or written rules, and their explicit permission should be obtained for such automated decisions to be made.

Under section 37 (1) of the NDPA, a data subject has the right not to be subject to a decision based solely on automated processing of personal data. This includes profiling, which produces legal or similarly significant effects concerning the data subject. By prohibiting robots from determining rights and liabilities of a data subject, it ensures that human will is not vitiated in obtaining consent and that fundamental rights remain safeguarded. However, the NDPA provides exceptions to automated decision-making. Automated decision-making will not apply where it is:

Necessary for entering into or for the performance of a contract between the data subject and a data controller;
Authorized by a written law, which establishes suitable measures to safeguard the fundamental rights and freedoms;
In the interest of the data subject; or
Authorized by the consent of the data subject.

Right to lodge a complaint: section 34 (1) (a) (vi) (NDPA)
Where a data subject is dissatisfied with the decision, action, or inaction of a data controller or data processor, they have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) for remedial action. Data subjects may also institute civil proceedings for damages against a data controller or data processor for any wrong or loss suffered by a data subject as a result of the violation of the Act. In addition, the NDPA includes the right to receive compensation for breaches of any of the rights provided by law.

Right to withdraw consent: section 35 (NDPA)
Where consent is the legal basis for processing personal data, the NDPA empowers the data subject to withdraw such consent at any time. The Act also requires an organisation to make the withdrawal of consent as easy as when it is obtained. In other words, where the data subject has given consent in a simple format, the data controller must ensure the withdrawal of consent is equally easy without additional barriers. It is important to note that withdrawal of consent does not affect the lawfulness of processing by a data controller undertaken on the basis of consent before the data subject withdrew his consent.
CONCLUSION
Responding to data subject rights requests is not just a legal obligation; it is absolutely crucial for organizations to establish and maintain an effective procedure for handling these requests. It is essential to provide specific role training for all staff members involved in processing data, as they are often the first point of contact for data subjects. While waiting for the Commission to develop an implementation framework for the NDPA, which will provide further guidance, following the steps discussed in this article can greatly benefit your organization. Building an effective system requires constant practice and experience. However, the compelling need to foster a coherent, national adequacy of data protection which adequacy is a condition precedent to effective data flows for transactions including but not limited to those involving security, economy, migration, finance, international and inter-state trade.
