In today’s digital age, a common notion is “Data is the new oil.” Coined by British mathematician Clive Humby in 2006, the phrase draws an analogy with the oil revolution of the Industrial Era: data, like oil, requires refinement to have value and to drive innovation and business performance. Over the years, however, the comparison has evolved as conversations about data have moved past its economic value to privacy, regulation, and its potential to cause harm.
As data protection concerns grow globally, many countries have moved to ensure that businesses handle personal data responsibly, and Nigeria is no exception. The Nigeria Data Protection Regulation (NDPR) was introduced in 2019, and the bill was signed into law by President Bola Tinubu in June 2023. This Act provides a legal framework for protecting personal information and for the practice of data protection in Nigeria.
This blog delves into the Nigeria Data Protection Act, its principles, and how Cloneshouse is taking steps to comply with the Act to ensure the highest standards of data protection in its dealings.
The Nigerian Data Protection Act
The Nigeria Data Protection Regulation was enacted on 25th January 2019 pursuant to Section 6 of the NITDA Act 2007 as a legal framework that harmonizes data privacy laws across Nigeria and protects and empowers all Nigerian citizens regardless of location. Four years after its adoption, the NDPR was signed into law on the 12th of June, 2023.
The Nigeria Data Protection Act (NDPA) is similar to other international data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), in that it prioritizes the protection of personal data and sets legal obligations for privacy and data security.
The Act also establishes the Nigeria Data Protection Commission, replacing the previous Nigeria Data Protection Bureau formed under former President Buhari in February 2022. Led by a National Commissioner, this Commission oversees the regulation of personal information processing.
Principles of Processing Personal Data
The Act highlights principles that data controllers and data processors must follow to ensure that personal data is processed responsibly, ethically, and securely. These principles include:
- Lawfulness, Fairness, and Transparency – Personal data must be processed in a lawful, fair, and transparent manner. This means organizations should only collect data for clear, legitimate purposes and inform individuals how their data will be used.
- Purpose Limitation – Personal data must be collected for specified, explicit, and legitimate purposes. Organizations must ensure they have a valid reason for collecting the data and that it is used only for those stated purposes.
- Data Minimization – Data collected should be relevant, adequate, and limited to the purposes for which it was collected. In other words, data processors or data controllers should not collect excessive data beyond what is required to fulfill a specific need.
- Storage Limitation – Personal data must be retained only for as long as necessary to achieve the lawful purpose for which it was collected. Once the purpose is fulfilled, the data should be securely deleted or anonymized to prevent misuse or unauthorized access.
- Accuracy – Personal data must be accurate, complete, and not misleading. Additionally, organisations should put measures in place to ensure that the data is up-to-date.
- Security – Personal data must be processed in a manner that guarantees appropriate security. Organisations are required to implement technical and organisational measures, like access control, anonymisation and encryption, to protect personal data from being compromised.
In addition to these principles, the Act mandates that organisations set up appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data. This means that the organisation must not only protect data against unauthorised access but also ensure it is intact, accurate, and accessible when needed by authorised personnel. The Act also stipulates that data controllers and data processors should demonstrate accountability for how they handle personal data, upholding the principles of data protection and adhering to the requirements set out in the Act.
The Act covers a wide range of provisions, which can be further explored to gain a deeper understanding of data protection practices in Nigeria.
How Cloneshouse is Abiding
As an organisation that is deeply committed to data privacy and security, we have implemented a robust organisational data protection framework that fully aligns with the provisions of the NDPA. Here are some steps taken to ensure compliance:
Organisational Data Privacy Policy
We have a clear data privacy and protection policy that outlines how we handle personal data. This policy is shared with clients and donors, so they know exactly how their information is collected, used, and protected.
Data Collection and Consent
We make it a priority to collect personal data only with the explicit consent of our clients, customers and project participants. Our consent forms are straightforward and transparent, explaining why we collect data, how it will be used, and what rights individuals have over their own information.
Data Minimization and Purpose Limitation
We follow a data minimization approach, gathering only the information that is necessary for the services we provide. We also ensure the purpose of data collection is clearly defined and that data is only used for the stated purposes.
Data Security Measures
To protect personal data, we implement various technical and organisational security measures, including encryption, access controls, regular security audits, and continuous monitoring of our systems to prevent breaches or unauthorised access.
Training and Awareness
At Cloneshouse, we believe that data protection is not just about compliance; it is about creating a culture of awareness. The Cloneshouse Data Protection Officer conducts quarterly training for the team and clients on data privacy best practices, ensuring everyone is informed and prepared to handle data responsibly.
In conclusion, data is one of the most valuable assets a business can possess, and it comes with a responsibility to protect both the data and its owner. It is important for organisations to take action and ensure that their data protection practices are up to date.
About the Author
Rachael Okoronkwo is a PMD-Pro certified development practitioner with four years of experience in project planning, implementation, monitoring, evaluation, and learning for government and non-governmental organisations. Her interests span a wide spectrum of gender, education, public health, public policy advocacy and youth leadership. She holds the distinction of being a Fellow of the Friedrich Ebert Stiftung Nigeria. Additionally, Rachael is an active member of the EvalYouth Global Network, where she passionately advocates for amplifying the youth perspective and promoting informed decision-making in development initiatives through evaluations. She excels in designing robust MEL plans, conducting data collection, analysis, data protection and management, and synthesis to deliver actionable insights for enhanced project and program outcomes. She is currently the M&E officer at Cloneshouse.