In an increasingly data-driven world, the protection of personal information has become a paramount concern. Recognizing the need to safeguard the privacy and rights of individuals, President Bola Ahmed Tinubu signed the Data Protection Act, 2023 into law, thereby establishing by statute the Nigerian Data Protection Commission, which is entrusted with the power to make and enforce regulations for the protection and security of the personal data of Data Subjects in Nigeria. Among its objectives, this groundbreaking legislation not only establishes a comprehensive framework for data protection but also grants significant rights to data subjects. As the custodians of their data, individuals in Nigeria now have the power to control how their information is collected, processed, and shared.
Who is a Data Subject?
In the context of data protection and privacy regulation, a data subject is a person whose personal information is being collected, processed, or stored by an organization or entity. This can include customers, employees, website users, or any individual whose personal data is being handled by an organization.
Data Subject Rights and the need for Protection
Data Subject Rights (DSR) are the legal rights created by data protection laws that individuals possess over the use of their data. They guarantee individuals control over the processing of their data. These rights are found under Part VI of the Nigeria Data Protection Act. They include:
The right to be informed: Data subjects have the right to know how much of their data is being held by an organization and for what purpose. This is why most organizations have privacy policies that outline the type of data they collect, why they collect it, how long they keep it, how they handle it, and so on. Data subjects have the right to access this information and know what data is being collected about them. This right also comes into play if the organization wants to use the data for additional purposes beyond the original reason for collecting it. In such cases, the data subject can enforce their right to be informed and have control over how their data is used.
The right to access: Data subjects have the right to reach out to any organization that is handling their personal information and ask for essential details. This includes finding out if the organization processes their data and getting information about how the data is being processed. This information can include the purpose for processing, the types of data being processed, who the data is being shared with, how long the data will be stored, the rights that data subjects have regarding their data, and the measures in place to protect the data if it is transferred to another country. Essentially, data subjects have the right to be fully informed about how their personal information is being handled by an organization.
The right to rectification: If a data subject finds out that the information an organization has about them is incorrect or missing important details, they have the right to ask the organization to fix or update their data. This right is crucial because accuracy can be both subjective and objective. For instance, if a data subject gets married or changes their name, they can request the organization to update their records accordingly. This right holds the same level of importance as other rights under the Nigeria Data Protection Act (NDPA). In situations where it's not possible to correct inaccurate, incomplete, or misleading data, the NDPA allows for the data to be deleted instead.
The right to erasure: Individuals have the right to ask organizations to delete their data from their systems under certain circumstances. This can be when the data is no longer needed, when it was processed unlawfully, or when it no longer serves the original purpose for which it was collected. This applies to both physical and digital storage of data, and organizations are required by law to comply with such requests within a specific timeframe. However, it's important to note that the right to data erasure is not absolute. Organizations can refuse the request on various grounds, including if there is a legal obligation to retain the data for a specific period. For instance, financial service providers may need to retain transaction data for a certain period of time as mandated by Anti-Money Laundering Laws.
The right to restrict processing: Individuals can request that organisations limit the way their personal data is used. It’s an alternative to requesting the erasure of data, and might be used when the individual contests the accuracy of their personal data or when the individual no longer needs the information but the organisation requires it to establish, exercise or defend a legal claim.
The right to data portability: The right to data portability comprises three separate requests. First, the data subject has the right to request that their data be given to them in a structured, commonly used, and machine-readable format without undue delay. Second, the data subject can transmit the data obtained in a readable format to another organisation without any hindrance. Lastly, the data subject can request that the data be transmitted directly to another organisation where it is technically possible to do so. The Nigeria Data Protection Commission (NDPC) is empowered under the Act to prescribe the conditions and circumstances under which the right to data portability may be exercised, and the obligations to be imposed on data controllers or data processors in relation to costs and timing.
The right to object: Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the public interest or in the exercise of official authority. Organisations must stop processing the information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or unless the processing is for the establishment, exercise or defence of legal claims. The NDPA also allows a data subject to object to the processing of personal data for marketing purposes at any time, and such an objection is absolute.
Rights related to automated decision-making including profiling: This right is new under the NDPA. The NDPR only provided that notice of the use of automated decision-making should be given to the data subject, and treated such use as a basis for invoking the right to data portability. The NDPA provides that individuals now have the power to object to decisions that are made solely on the basis of automated processing of their personal data, such as profiling, without any human intervention, if these decisions have a legal effect on them. For instance, if a bank uses automated algorithms to determine creditworthiness and denies a loan application solely on the basis of this automated decision, the data subject has the right to object. However, it's important to note that automated decision-making is permissible if it is necessary for fulfilling a contract between the data controller and the data subject. In this case, the data subject's rights and interests must be protected by laws or written rules, and their explicit permission should be obtained for such automated decisions to be made.
Right to lodge a complaint: Where a data subject is dissatisfied with the decision, action, or inaction of a data controller or data processor, they have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) for remedial action. Data subjects may also institute civil proceedings for damages against a data controller or data processor for any wrong or loss they suffer as a result of a violation of the Act. In addition, the NDPA includes the right to receive compensation for breaches of any of the rights provided by law.
Right to withdraw consent: Where consent is the legal basis for processing personal data, the NDPA empowers the data subject to withdraw such consent at any time. The Act also requires an organisation to make the withdrawal of consent as easy as giving it. In other words, where the data subject has given consent in a simple format, the data controller must ensure that withdrawing consent is equally easy, without additional barriers. It is important to note that withdrawal of consent does not affect the lawfulness of processing undertaken by a data controller on the basis of consent before the data subject withdrew it.
Right to Erasure or Deletion: Also termed the right to be forgotten or right to de-referencing, it relates to a data subject’s right to demand erasure or deletion of personal data from a controller. This right is exercisable where:
the data is no longer necessary in relation to the purpose for which it was collected;
the data subject withdraws the consent upon which the processing is based;
the personal data have been unlawfully processed and the data subject objects to continued processing of such data;
the data controller processes data without lawful basis.
Responding to data subject rights requests is not just a legal obligation; it is also crucial for organizations to establish and maintain an effective procedure for handling these requests. It is essential to provide role-specific training for all staff members involved in processing data, as they are often the first point of contact for data subjects. While waiting for the Commission to develop an implementation framework for the NDPA, which will provide further guidance, following the steps discussed in this article can greatly benefit your organization. Building an effective system requires constant practice and experience.
However, navigating the complexities of data subject rights requests can be challenging. If you ever find yourself unsure or if you want to improve your current processes, seeking guidance from professionals in the field is a wise choice. Their expertise can bring clarity, efficiency, and assurance of compliance, ensuring that your practices align with the highest standards of data protection.
Written By:
Iquo Essien
Associate, Technology, Creativity & Innovation Practice