The importance of personal data to individuals, organizations and corporate entities in today's world cannot be over-emphasised. This has led to a surge in the care taken in handling personal data, as data has evolved into a proprietary asset whose misappropriation has far-reaching consequences for data subjects and controllers alike. This has necessitated global data privacy and protection legislation to regulate the use and processing of data, which has come to be popularly described as "the NEW OIL". Nigeria is not left out of this race: the National Information Technology Development Agency (NITDA) introduced the Nigeria Data Protection Regulation (NDPR) in January 2019 to regulate the handling and processing of personal data and to impose penalties for breach of its provisions.
PRINCIPLES OF DATA PROTECTION
It is important to state that personal data handling is governed by a number of principles without which personal data cannot be said to have been lawfully processed. These principles are:
- Lawfulness, fairness and transparency
- Purpose Limitation
- Data minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability[i]
- Lawfulness, fairness and transparency: By this principle, personal data must be processed legally, fairly and transparently. This underlines that every processing activity must always accord with extant laws. This principle has three sides, to wit: lawfulness, fairness and transparency, which are discussed briefly below:
- Lawfulness: This is to the effect that personal data processing by controllers and processors must conform with applicable laws and must not be in violation of such laws. Also, such processing must identify and align with one of the legal bases for processing personal data.[ii]
- Fairness: This requires data controllers to process personal data in a way that gains the trust of the data subject. It relates to the ability of the controller to strike a balance between its own interest and that of the data subject in ways that guarantee the data subject's trust and do not infringe on his fundamental rights and freedoms.
- Transparency[iii]: This principle stands for openness. That is to say, data subjects must be well informed about the kind of data collected about them by a controller, the mode of collection, the use to which such data is put, the likelihood of transfer to third parties, steps to be taken in the event of a breach, etc. A major way of ensuring transparency in practice is through privacy notices. Also, allowing data subjects to know and access the data collected about them is one of the core tenets of the transparency principle.
- Purpose Limitation[iv]: This is to the effect that data controllers are to ensure that personal data processing is limited to the purpose of collection and/or processing. In other words, controllers must not process data for purposes other than for which such data was obtained from the data subject.
- Data minimization: This principle is to the effect that the data collected by a controller must be limited to what the purpose of collection requires. In other words, a controller is obliged to limit the amount of data collected from the subject to the minimum required for that purpose.
- Accuracy[v]: This principle underlines the need for controllers to obtain and process only correct and accurate data about the data subject. Under this principle, data controllers are not only required to keep correct information about data subjects, they must also update the data in their care where there is a change in the status of the data subject. For example, when ABC, a spinster, joins a law firm and gets married 6 months into her employment, it behoves the data controller (the employer) to ensure her name is correctly processed as ABC and updated to Mrs to reflect the change in her marital status.
- Storage Limitation[vi]: By storage limitation, personal data must not be stored for longer than is necessary for the purpose of collection. In other words, personal data must be discarded once it has outlived its purpose. However, it is pertinent to point out that this may be subject to the dictates of different data retention laws with which controllers must comply. In the absence of data retention legislation, controllers should specify a reasonable retention period in their privacy notices so as to prevent unnecessary handling of personal data after the purpose of processing has been exhausted.
- Integrity and Confidentiality: This principle is to the effect that data controllers must adopt measures that protect the personal data in their care and prevent its unauthorized disclosure. This could include developing measures to protect systems from hackers, setting up firewalls, storing data securely with access restricted to specifically authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data, ensuring capacity building for staff, etc.[vii]
- Accountability: By this principle, data controllers entrusted with a data subject's personal data are obligated to show accountability for any acts and omissions in respect of data processing, in accordance with the principles contained in the NDPR. This principle imposes a sense of responsibility on the data controller, who must process data in such ways as to gain the data subject's trust, give periodic audits or accounts of processing activities to supervisory authorities, and ensure compliance with extant laws.
CONCLUSION
The above-highlighted principles are the gold standard in most countries' data protection legislation, including the GDPR, and without them personal data cannot be said to have been lawfully processed. Thus, data controllers are not merely encouraged but obliged to comply with these core principles in their processing activities to avoid running afoul of the law.
[i] See Article 5 of the EU’s General Data Protection Regulation (GDPR)
[ii] See generally Regulation 2.2. of the NDPR
[iii] Although not mentioned as one of the data protection principles, transparency is recognised under the rights of data subjects by virtue of Regulation 3.1 (1) of the NDPR
[iv] See Regulation 2.1 (a) of the NDPR
[v] See Regulation 2.1 (b) of the NDPR
[vi] See Regulation 2.1 (c) of the NDPR
[vii] See Regulation 2.6 of the NDPR
Written by Muhiz Babatunde Adisa for The Trusted Advisors