AN ANALYTICAL DISCOURSE (Part 2)
COVID-19 and the rights to privacy and data protection of persons in Nigeria
The crux of the matter is that people have been receiving different text messages from organizations, individuals and governmental bodies on the measures to be taken for the prevention of the virus.
The most popular among the governmental body is the almost daily messages from the NCDC- Nigeria Centre for Disease Control. There has been the transmission of medical records for research and monitoring purposes, which is also an aspect of data privacy that is connected to the prevention of virus.
A concerned citizen will wonder how and where the NCDC got the data from. How lawful is the breach of this rights considering the effects on COVID-19 on our health?
Fundamental Human Rights are not absolute. They are qualified rights. Section 45 of the Constitution of the Federal Republic of Nigeria being the grundnorm under which rights to privacy exist states as follows:
“Nothing in sections 37, 38, 39, 40 and 41 of this Constitution shall invalidate any law that is reasonably justified in a democratic society-
In the interest of defence, public safety, public order, public morality or PUBLIC HEALTH; or
For the purpose of protecting the rights and freedom of other persons.”
Going by the provisions of section 45 of the Constitution, rights to privacy can be curtailed provided that there is a law that is reasonably justified for several purposes which PUBLIC HEALTH is not an exception. Is there any law that has been made for this purpose? Yes, there is an existence of Nigeria Data Protection Regulations, 2019.
This Regulation provides for how data can be processed through lawful and accepted modes and how and when the data can be transmitted by extension.
DATA Processing under the Nigerian Data protection regulations, 2019
Data Processing simply connotes operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing here extends to the disclosure of personal data of data subject.
There are different principles covering Data Processing under the Regulation. One of the germane principles here is that anyone who is entrusted with the personal data of a data subject or who is in possession of the personal data of a data subject owes a duty of care to the said data subject, that is the data Administrator must guide the personal data of the data subject against theft cyber-attack, viral attack, dissemination, manipulations of any kind, damaged by rain, fire or exposure to other natural elements.
There are lawful means through which the data of Nigerians can be disclosed to a third party, that is lawful means of data processing. Regulation 2.2. of the Regulation provides as follows
“…………Processing shall be lawful if at least one of the following applies:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which the controller is subject;
Processing is necessary in order to protect the vital interests of the data subject or of another natural person and
Processing is necessary for the performance of a task carried out in the PUBLIC INTEREST OR IN THE EXERCISE OF OFFICIAL PUBLIC MANDATE VESTED IN THE CONTROLLER.
The concern of this article shall be restricted to the paragraph (e) of 2.2 of the Regulation.
It is debate-free from the above provision that data can be processed(disclosed) for the purpose of public interest. Covid-19 is a global disease without respect to anyone whether rich or poor, powerful or less privileged, it is spreading and easy to contract at the slightest chance of exposure to an infected carrier or even surface.
In the application of the above exception to the disclosure of the data subject by either different telecommunication companies, financial institutions, some from our security institutions are conditionally valid. Disclosing the Nigerian Data in order to prevent the spread of the COVID-19 is for the public interest and equally public health as envisaged by section 45 of the Constitution of Federal Republic of Nigeria.
As clear as Regulation 2.2(e) of the Regulation is, there is a condition “post-cedent” after the processing of the data subject, which is a notification of the data subjects about the data processing. Regulation 2.13.1 of the Regulation provides as follows:
“The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means”
The above provision is very clear and unambiguous and it is trite law that where the contents and words of the constitution are clear, plain and unambiguous, the literal rule of interpretation should be applicable, as it was held in OKUNGBOWA V.GOV., EDO STATE (2015)10 NWLR (PT. 1467) 365 C.A, MUHAMMED ABACHA V FEDERAL REPUBLIC OF NIGERIA (2014) 6 NWLR (PT 1402) 43 S.C.
The court holding is not different in cases of EVEMILI V. STATE (2014) 17 NWLR (PT. 1437) 421 C.A ANS DAPIANLONG V. DARIYE (2007) 8 NWLR (PT 1036). By extension, it means that the natural, grammatical and ordinary meaning of the words used in the statute should be ascribed to them was as also held in OGAGA V. UMUKORO (2011)18 NWLR (PT 1279) 924 that “no matter how, no other secondary meanings of the clear words used in the constitution or any other statute be ascribed to them.”
By Application, it is the responsibility of the Data Controller to put measures to provide any information in connection with the data processing to the data subjects and the manner through which the information can be sent to the data subjects.
This duty which the data controller has not performed is very vital but the same cannot be said to invalidate the data processing as there is no time frame within which same must be done.
Conclusion and Recommendation
From the foregoing backdrop, data privacy is one of the emerging legal issues in Nigeria. It is very obvious that the lack of a comprehensive legal framework for data privacy protection accounts for the massive data privacy infringement in the country.
Although the NDPR is a very good regulatory framework, it, however, hasn’t gained serious compliance as we have demonstrated in the crux of this article that the NCDC, an agency of the federal government has “apparently” processed data of Nigerians without due process.
There is however still an expectation of compliance with Regulation 2.13.1 of the Regulation. In the wake of the COVID-19 pandemic which of course qualifies as a “public interest and public health” factor in the justification for data processing, it is expected that the agency or the controller of these data would do the needful within a reasonable timeframe as far as notification of the data subjects about data processing is concerned.
All in all, it is recommended that concerted effort be made by the National Assembly to overhaul and promulgate comprehensive legislation for data privacy protection. In the same vein, all stakeholders like the NCC, NITDA, FCC and others should continue to create further awareness on data and privacy protection in Nigeria.
When things are done right and right things are done only then we can have good data privacy protection in Nigeria.
Similarly, it is recommended that the data already processed(disclosed) to different agencies for the prevention of the spread of the virus should be deleted from the database of these institutions after the pandemic is over, this is in compliance with Regulation 2. 6 of the Regulation.
Olasupo Habeebulah Morakinyo is a Lagos-Based Legal Practitioner. He is an Associate at M.J. ONIGBANJO & CO. He is a vibrant, solution-driven and smart legal practitioner with a strong affection for Justice, Good Governance and Development of the law. He is an alumnus of the University of Ilorin, where he graduated with a Second Class Upper and won numerous meritorious academic and unionism awards, among which is ‘THE LEGAL LUMINARY OF THE YEAR”. Morakinyo has an enduring interest in learning and understanding legal responses to social, political and economic development.
He is a team player and has disciplined communication and interpersonal skills as well as a drive to learn new things and to support colleagues and clients.