The National Information Technology Development Agency (the “NITDA”) is the Nigerian agency mandated under the National Information Technology Development Act (the “Act”) to create a framework for the regulation of Information Technology whilst preserving and ensuring the privacy of Nigerians.
In recognition of Government agencies as the biggest processors of personal data of Nigerians, the NITDA issued the Guidelines for the Management of Personal Data by Public Institutions in Nigeria (the “Guidelines”) on the 18th of May 2020.
The purpose of the Guidelines is to provide guidance to public officers on how to handle and manage personal information in compliance with the Nigeria Data Protection Regulation 2019 (the “NDPR”). The Guidelines reiterate the NDPR, albeit with specific application to public institutions. They govern the roles and responsibilities of public officers and public institutions with regard to the processing and management of personal data.
HIGHLIGHTS OF THE GUIDELINES
Processing of Personal Data
- All forms of personal data of Nigerian citizens are to be protected in any instance of processing when the data subject interacts with a public institution. The Guidelines retained the definition of processing under the NDPR. The Guidelines also provide for an additional basis for lawful processing, to include the legitimate interest of the data subject.
- An endorsement or signature of the Governor of the State, a Minister of the Federal Republic of Nigeria or the chief executive officer of the public institution is required where data is to be processed by a data controller for public, legal or vital interest on behalf of a public institution.
- Public institutions are prohibited from changing or expanding the purpose for which the data was originally collected or used without an express instrument from a statutory authority or the consent of the data subject first sought and had.
- The Guidelines, whilst preserving the consent requirements of the NDPR for the purpose of processing of personal data, go a step further to provide that the consent of data subjects is not required in cases of health emergency, national security and crime prevention. Also, processing of sensitive personal data requires a higher standard of consent.