Business organizations often find themselves in situations where they may need to collect personal data beyond that of a data subject. A common example is where a data subject is filling out a form and an employer requires the data subject to provide the name, phone number, address, and other contact details of their next of kin for emergency purposes or payment of certain benefits. The effect of this is that the employer now has personal data belonging to an employee’s next of kin without having collected it directly from the next of kin. The collection of the data of the next of kin is deemed an indirect collection of personal data. Ideally, when processing personal data, it must be clear to the data subject that personal data concerning them are collected, used, consulted, or otherwise processed, and to what extent the personal data will be processed.
Thus, in the example provided above, where a data controller is collecting personal data indirectly, it may be difficult to comply with this requirement; for instance, the next of kin is not aware of the use and processing of their personal data. This article, therefore, offers useful insights into key considerations for the indirect collection of data and the compliance requirements under Nigerian privacy laws.
From the Nigeria Data Protection Bureau to the Nigeria Data Protection Commission
As noted above, prior to the enactment of the Act, data protection regulation was mainly carried out by the NITDA. However, on January 13, 2022, the Honourable Minister of Communications and Digital Economy was reported to have advised the president of Nigeria of “an urgent need to establish an institution that will focus on data protection and privacy for the country”. This ultimately led to the creation of the NDPB, which began operations on February 4, 2022, as an offshoot of NITDA.
Indirect Collection of Personal Data
It is pertinent to note that collecting personal data through the delegate or representative of a data subject may not necessarily amount to indirect collection where it can be deemed that the data subject has consented to the same through the representative. An instance is the collection of the personal data of a child from the parent or legal guardian. Indirect collection of personal data can also occur where a data controller obtains data belonging to a data subject from a third party. A typical example may be the collection/processing of data on a website or social media platform.