“We have now seen a number of instances where clinical labs involved in testing, or major hospitals, have suffered ransomware attacks, where all their IT systems have been knocked down.” These are the words of Andre Pienaar, the founder of a venture capital firm named C5, in response to a cyber-attack on Hammersmith Medicines Research. The company, which is based in London and has been involved in clinical trials to combat the spread of Coronavirus, fell victim to an attack by hackers. It was reported that the hackers locked down a very significant number of the company’s patients’ records by encrypting them, and threatened to publish them online if a ransom was not paid. It is a good thing that the company was subsequently able to strengthen its data defences, but that does not change the fact that the company fell victim to a data breach. This points to the fact that data protection is a priority.
Have you ever paused to think about how the data you put out at one time or another is being processed? Have you ever imagined how far information about you has gone without your knowledge? Finally, when was the last time you read through those privacy terms before you clicked the ‘accept’ button?
Funny as they may appear, these are pivotal questions that deserve consideration, especially in a world that constantly takes giant strides in technological advancement.
First, however, it would not be out of place to give a quick definition of data protection. Data protection, in the simplest of terms, entails keeping important data or information safe from loss, compromise or corruption. It covers every activity aimed at keeping data secure and free of compromise. Data protection can also be referred to as information privacy or data privacy.
Techopedia has defined data protection as the process of protecting data, and further states that data protection involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy and the political and legal underpinnings surrounding that data. The aim of data protection is to create a balance between the use of data for business purposes and the privacy rights of the individual.
Data protection is not limited to particular forms of data; it applies to every form of data, whether such data is personal or corporate. There are different methods of data protection, and these methods vary based on context. Data protection could be on the personal scale, it could be in the context of businesses or public corporations, and it could be in the context of classified information which cannot be divulged, except to a selected few.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation put in place by the European Union to ensure data privacy and protection in member states of the EU and in the European Economic Area (EEA). The GDPR also governs the transfer of personal data outside the EU and the EEA. The GDPR was proposed in 2012, adopted on the 14th of April 2016, and came into force on the 25th of May 2018. It has 11 chapters and 99 articles.
Principles of GDPR
These seven principles are reflections of the broader purposes of GDPR, and they are spelt out to define how personal data should be handled. Article 5 of the regulation provides for these principles. They are as follows:
- Lawfulness, fairness and transparency of any form of processing.
- Purpose limitation: The purpose of processing personal data should be clear and such processing should not exceed the boundaries of its purpose.
- Data minimization: Processing must be sufficient to fit into the stated purpose.
- Accuracy: Data should be devoid of errors.
- Storage limitation: Personal data must not be kept for a longer time than it is needed.
- Integrity and confidentiality: Appropriate security measures must be put in place to secure data.
- Accountability principle: Responsibility must be taken for the processing of data.
Rights of the Data Subject
The data subject as defined by GDPR is an identified or identifiable natural person(s). There are eight rights which GDPR has put in place for the data subject. However, five of these rights have been in existence before now. The rights are contained in articles 15-22 of GDPR and they are:
- The right of access to personal data or data about the processing of personal data.
- The right to rectification (correction of wrong data).
- The right to erasure: total elimination of personal data.
- The right to restrict processing.
- Rights concerning automated processing and profiling: The right to human-made decisions.
- The right to data portability: the availability of copies of personal data for the individual’s use.
- The right to object to the processing of data.
- The right to be informed about the ‘how’ of data processing.
Special Categories of Personal Data
GDPR, by virtue of Article 9(1), prohibits the processing of certain categories of personal data, and unless one or more of the conditions provided in article 9(2) of the regulation are met, the processing of such categories of personal data remains prohibited.
These categories of personal data include:
- Race
- Ethnic origin
- Politics
- Religion
- Trade union membership
- Biometrics
- Health records
- Sex life
- Sexual orientation
Legal Bases for Processing Personal Data
Article 9(2) of GDPR provides for six legal bases or exceptions to the provision of Article 9(1). Personal data related to the categories spelt out in paragraph one of article nine shall be processed on the following grounds:
- Performance of a contract
- Legal obligation: data processing for the performance or function of a court or a regulatory requirement.
- Performance of a task in the public interest
- Consent: clear, unambiguous and positive consent, given by the natural person without coercion. It should be capable of being withdrawn as easily as it was given.
- Legitimate interest: Such interests that do not override the fundamental rights of the natural person.
- Protection of the vital interests of an individual.
Special Conditions for Children
Article 8 provides that, in relation to the provision of information society services directly to a child, the processing of that child’s personal data shall be lawful if the child is at least 16 years old. Where the child is younger than 16, the processing of the child’s personal data depends on the consent of whoever holds parental responsibility for the child. The provision also stipulates that member states can provide a lower age for the purpose of processing a child’s personal data, as long as the age provided is not below 13 years.
Other pivotal provisions of the GDPR include but are not limited to provisions for the controller and processor contained in chapter 4, transfers of personal data to third countries and international organizations, contained in chapter 5, and remedies, liabilities and penalties in chapter 8.
Data protection in the Nigerian context
Nigeria is not left out as regards laws that have to do with data protection. Though the state has no principal data protection law, it has subsidiary data protection legislation. This subsidiary legislation is the Nigerian Data Protection Regulation 2019, which was issued in January 2019 by the National Information Technology Development Agency (NITDA).
Apart from the Nigerian Data Protection Regulation, there are individual provisions found in a couple of other pieces of legislation. For example, section 37 of the CFRN, 1999 (as amended), provides for the right to privacy. However, there are derogations to this right as provided by section 45 of the same constitution. Furthermore, the Child Rights Act, 2003 provides in section 8 for the right to privacy, correspondence, telephone conversations, among other rights for the child. The Nigerian Communications Act 2003 and the Cybercrimes Act 2015 are also relevant data protection laws.
Supervisory Authority
Article 51 of the GDPR provides for each state to have one or more independent authorities responsible for ensuring that the regulation is applied, and for protecting the rights and freedoms of the natural person in relation to personal data. For example, across the United Kingdom, the Information Commissioner’s Office (ICO) is the supervisory authority. In the Netherlands, the GDPR supervisory authority is Autoriteit Persoonsgegevens, translated as the Dutch Data Protection Authority (DDPA). In Italy, it is the Garante per la Protezione dei Dati Personali, translated as the Italian Data Protection Authority (IDPA).
Unlike what applies in EU countries, there is no specific supervisory body for data protection in Nigeria. However, there exist a number of authorities that are responsible for data protection. The Central Bank of Nigeria, the Nigerian Communications Commission (NCC), and the National Information Technology Development Agency (NITDA), among others, are supervisory bodies for data protection.
The principles and the rights of the individual that apply under GDPR are similar to those that apply in the Nigerian context. However, the fact remains that the Nigerian legal system has not developed enough to keep up with the constant advancements in information and technology.
Cases on data protection have not really sprung up in the Nigerian context for obvious reasons. However, there is one case that cannot be overlooked: Emerging Market Telecommunication Services v Barr Nya Eneye (2018) LPELR-46193. In that case a legal practitioner, Mr Eneye, took legal action against the operators of Etisalat for sharing his telephone number with persons and companies that constantly sent him unbidden texts. He based his legal action on section 37 of the CFRN, 1999 (as amended), which provides for the right to privacy. Consequently, he was awarded damages of Eight Million Naira by the Federal High Court. The operators of Etisalat appealed the decision of the Federal High Court, but the Court of Appeal upheld the decision.
As trivial as sending unwarranted texts may seem, a man who was aware of his data privacy rights took action and was awarded damages. That is very commendable, and how beautiful it would be if more people treated their data privacy rights as important.
Data protection is a very crucial aspect of the technological life of individuals and organizations at large, especially with the rate at which the world is going digital. It would not be out of place for people to be interested in this aspect, even if they do not intend to build careers out of it. Furthermore, the legislative arm of government should prioritize the enactment of primary data protection laws in response to massive global technological advancement, as this would go a long way in positively affecting the culture of data protection in the Nigerian legal system.
References
Gallagher, R. (2020). Hackers ‘Without conscience’ Target health-Care Providers. Retrieved from Bloomberg: https://www.bloomberg.com/news/articles/2020-04-01/hackers-without-conscience-demand-ransom-from-health-providers
General Data Protection Regulation. (n.d.). Retrieved from https://gdpr-info.eu/
LP, O. B. (2020). Data Protection and Privacy Challenges in Nigeria (legal issues). Retrieved from Mondaq: https://www.mondaq.com/nigeria/data-protection/901494/data-protection-and-privacy-challenges-in-nigeria-legal-issues-
Senator Ihenyen, R. A. (2019). Nigeria: Data Protection 2019. Retrieved from ICLG: https://iclg.com/practice-areas/data-protection-laws-and-regulations/nigeria
Techopedia. (2017). Data Protection. Retrieved from Techopedia: https://www.techopedia.com/definition/29406/data-protection