The importance of personal data to individuals, organizations, and corporate bodies cannot be over-emphasized. This has led to the implementation of data privacy and protection legislation to safeguard the personal data of individuals and organizations alike.
Although there is no principal legislation on data privacy and protection in Nigeria, what operates is subsidiary legislation which was released by the National Information Technology Development Agency (NITDA) on January 25, 2019, pursuant to its powers under section 6 (a) and (c) of its enabling Act[i], to principally safeguard, uphold and protect the personal data rights of Nigerians. This subsidiary legislation is referred to as the Nigeria Data Protection Regulation (NDPR), 2019.
Personal data is susceptible to breach. Thus, despite legislation protecting personal data, such data could still be breached due to deliberate, accidental, or other factors.
This piece aims to examine what personal data breaches are as well as the obligations of data controllers under the law in the event of such breaches.
WHAT IS A PERSONAL DATA BREACH?
Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.[ii] Personal data, by their nature, are susceptible to breach, and such breaches may be accidental, intentional, or caused by other factors. Some common types of personal data breaches include confidentiality breaches, integrity breaches, utility breaches, availability breaches, and possession breaches.
OBLIGATIONS OF DATA CONTROLLERS AND PROCESSORS IN THE EVENT OF A DATA BREACH
In the event of a data breach, the data controller owes certain obligations to immediately report such breach to the regulator and to the data subject, as the case may be. Although the NDPR itself is silent on privacy breach notification, the Nigeria Data Protection Regulation 2019 Implementation Framework 2020 contains provisions relating to it.
Paragraph 9.2 of the Implementation Framework imposes a duty on data controllers to report data breaches within 72 (Seventy-Two) hours of knowledge of such breach. In fact, this must have been earlier documented in such data controller’s organizational privacy policy.[iii]
In complying with its obligation to self-report a data breach as highlighted above, such notification must include the following:
- A description of the circumstances of the loss or unauthorized access or disclosure;
- The date or time period during which the loss or unauthorized access or disclosure occurred;
- A description of the personal information involved in the loss or unauthorized access or disclosure;
- An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
- An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
- A description of steps the organization has taken to reduce the risk of harm to individuals;
- A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
- The name and contact information for a person who can answer, on behalf of the organization, NITDA’s questions about the loss or unauthorized access or disclosure.[iv]
In addition to the above, the obligation of a data controller to report to NITDA[v] also extends to the data subject in situations where the personal data breach will likely result in high risks to the freedom and rights of the data subject concerned. Thus, a data controller need not notify the data subject where the breach would not result in risks to his/her freedom and rights.
It is pertinent to point out that the above does not affect the right of data subjects, civil society groups and professional organizations to report to the appropriate agencies[vi] where there is a data breach. Upon receipt of such a report, the agency shall take any of the following steps:
- contact the organization for inquiry;
- review the earlier filed annual reports (if any);
- issue a compliance query;
- commence other administrative actions; and
- report the defaulter for possible prosecution.[vii]
CONCLUSION
Compliance with breach obligations under the NDPR Implementation Framework is mandatory, as organizations that fail to comply risk sanctions, criminal prosecution, etc. Thus, a major way to ensure compliance is for organizations to employ the services of a Data Protection Officer (DPO) or a Data Protection Compliance Organization (DPCO) to advise them on regulatory compliance within the industry and keep them up to date with their obligations under the law.
[i] The National Information Technology Development Agency Act, 2007
[ii] See Regulation 1.3 (xxii) of the NDPR
[iii] See generally Paragraph 9.2 of the NDPR Implementation Framework, 2020
[iv] See generally Paragraph 9.3 of the NDPR Implementation Framework
[v] Following the establishment of the Nigeria Data Protection Bureau, breach notifications are now to be reported to it and not NITDA.
[vi] The appropriate agency here refers to either NITDA or the Nigeria Data Protection Bureau (NDPB) as the case may be
[vii] See generally paragraph 9.1 of the NDPR Implementation Framework, 2020
Written by Muhiz Babatunde Adisa for The Trusted Advisors