The COVID-19 pandemic has resulted in the increased processing of health data globally. We have discussed below some data privacy issues organisation should be considering in light of the COVID-19 crisis in Nigeria.
What type of information can be collected from individuals relating to COVID-19 that is likely to be considered personal data under Nigerian law?
To manage the COVID-19 crisis, organisations may collect information relating to a person’s name, address, phone number, sex, age, medical history, body temperature or genetic information. All this information is categorised as personal data under the Nigeria Data Protection Regulation 2019 (the “NDPR”).
Under the NDPR, data relating to health is categorised as sensitive personal data. Therefore, health data collected during the COVID-19 crisis will be categorised as sensitive personal data, which requires specific higher consent method as provided under the draft NDPR Implementation Framework (the “Framework”) (which is yet to be operational). A tick of a box will not suffice. Although the NDPR and Framework do not give examples of what constitutes a “specific higher consent”, we expect that when the National Information Technology Development Agency (NITDA) provides examples it will not be a departure from international best practices which requires such consent to be clear and documented in writing.