HB 02: Data Protection Bill, 2015

Bill Analysis:

SHORT TITLE

Data Protection Bill, 2015

OBJECTIVE OF THE BILL

The Bill seeks to make provision for the regulation of the processing of information relating to individuals

NUMBER OF CLAUSES/PARTS

The Bill has 11 Clauses including citation and explanatory memorandum

APPLICATION

The Bill applies to:

• Fairly and lawfully processed personal data for one or more specified and lawful purpose(s).

In the application of the Bill, the data obtained:

• Shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed;
• Shall be accurate and where necessary kept up to date;
• Shall be processed in accordance with rights of data subjects under this Bill (when it becomes law);
• Shall not be kept longer than necessary for any purpose;

IMPLICATIONS OF THE BILL

When this Bill is passed,

1. Personal data shall not be transferred to a country or territory outside Nigeria, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (Clause 1(4));
2. A data controller shall not be obliged to comply with a request to supply any data unless he is availed adequate information as he may reasonably require in order to identify the person making the request and to locate information which that person seeks

GENERAL PROVISIONS OF THE BILL

1.         Right of Access to Personal Data: -

Clause 2 provides that an individual is entitled, where such individual is a data subject:

• to be informed by any data controller whether personal data is being processed by or on behalf of that data controller;
• to be given the description of –
  • the personal data which is being sought
  • the purpose for which they are being sought, and
  • the recipient or classes of recipients to whom they may be disclosed
• to be communicated to in an intelligible form the information constituting personal data of which that individual is the data subject, and any information available to the data controller as to the source of the data;
• to be informed by the data collector of the logic involved in any decision-taking, which is likely to constitute the sole basis of any decision significantly affecting his creditworthiness, his reliability or conduct for the purpose of evaluating matters relating to him

2.       Obligation of a Data Controller: -

A data controller is not obligated to provide information on a data subject unless he has received a request in writing and in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.

Furthermore, a data controller is not obliged to comply with a request to supply information on a data subject, unless he is provided with information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information being sought.

A data controller is not obliged to comply with the request of disclosing information relating to an individual where the disclosure will involve information relating to another individual unless –

• The other individual has consented to the disclosure of the information, or
• It is reasonable in all circumstances to comply with the request without the consent of the other individual

3.         Compliance without Consent: -

Where a data controller complies with a request to release information without the consent of the other individual concerned, regard shall be had to –

• Any duty of confidentiality
• Any steps taken by the data controller with a view to seeking the consent of the other individual;
• Whether the other individual is capable of giving consent; and
• Any express refusal of consent by the other individual.

An individual making a request in such case may specify that his request is limited to personal data of any prescribed description.  A data controller shall comply with a request in this regard and in the event before the end of the prescribed period beginning with the relevant day.

4.          Application to a Court due to Failure to Comply: -

Any person who has made a request may apply to a court to compel the data controller to comply. Where the court is satisfied on the application of any person who has made a request that the data controller failed to comply with the request in contravention of the provisions of this Bill (when it becomes law), the court may order him to comply

5.          Right to Prevent Processing Likely to Cause Damage: -

According to Clause 3, an individual is entitled by notice in writing to the data controller to require the data controller to cease, or not to begin processing, for a specific reason or in a certain manner, any personal data in respect of which he is the data subject on the grounds that –

• The processing of those data would cause or is likely to cause substantial damage or distress to him or to another; and
• The damage or distress would be unwarranted

The data controller shall within 21 days of receiving the writing notice (“the data subject notice”) provide to the data subject in writing a notice:

• stating that he has complied or intends to comply with the data subject notice
• stating his reasons for regarding the data subject notice to any extent and the extent to which he has complied or intends to comply with it.

The failure of the data subject to exercise this right does not affect any other right conferred on him under this Bill (when it becomes law).

6.       Right to Prevent Processing for Purposes of Direct Marketing: -

A data subject is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstance to cease, or not to begin, processing for the purposes of direct marketing his personal data (Clause 4). The term “direct marketing” means the communication of any advertising or marketing material, which is directed to particular individuals.

7.        Rights in relation to Automated Decision-Making: -

A data subject is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller, which significantly affects that individual is based solely on the processing by automatic means of his personal data (Clause 5).

Where however, no notice was issued and a decision which significantly affects the data subject was taken based solely on such processing, the data controller must as soon as reasonably practicable notify the data subject that a decision was taken on that basis.

The data subject is entitled, within 21 days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or take a new decision otherwise than on that basis.

In response, the data controller must within 21 days of receiving a notice from the data subject, give the data subject a written notice specifying the steps that he intends to take to comply with the data subject notice.

If a court is satisfied on the application of a data subject that a person taking a decision in respect of him (“responsible person”) has failed to comply with the written notice, the court may order the responsible person to reconsider the decision or take a new decision, which is not based solely on such processing.

8.       Compensation for Failure to Comply with Certain Requirements

Anyone who suffers damage or distress by reason of any contravention by a data controller of any requirements of this Bill (when it becomes law) is entitled to compensation from the data controller for that damage or distress (Clause 6). Provided that the individual suffered damage by reason of the contravention relating to the processing of personal data

As a defense, the responsible person can prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

9.        Rectification, Blocking, Erasure and Destruction: -

If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy the data and any other personal data in respect of which he is the data controller, and which contains an expression of opinion which appears to the court to be based on the inaccurate data.

The court order shall apply whether or not the data accurately records information obtained by the data controller from the data subject or a third party.

10.      Unlawful Access to Personal Data

A person must not knowingly or recklessly, without consent of the data controller -

• obtain or disclose personal data or the information contained in personal data; or
• procure the disclosure to another person of the information contained in personal data.

This rule does not apply to a person who shows that the disclosure or procurement of the data was necessary for the purpose of preventing or detecting crime, and it was required or authorized by or under any enactment, by any rule of law or by the order of a court (Clause 8).

Another exception is that the person accessing or disclosing the data acted in reasonable belief that he would have had the consent of the data controller if the data controller had known of the disclosure or procurement of the data and circumstances of it, or that in the particular circumstances, accessing the data, procuring or disclosing it, was justified as being in the public interest.

11.        Offences Under the Bill: -

Anyone who unlawfully obtains, discloses or procures personal data is guilty of an offence under this Bill (when it becomes law). Anyone who sells personal data is guilty of an offense if he has obtained the data unlawfully. A person who offers to sell personal data is guilty of an offence if he obtains or subsequently obtains it unlawfully.

12.         Prohibition of Requirements for Production of Certain Records: -

According to Clause 9, a person must not, in connection with the recruitment of another person as an employee, the continued employment of another person or any contract for the provision of services to him by another person require that a 3rd party supply him with relevant record or provide a relevant record to him.

A person concerned with the provision of goods, facilities or services to the public or a section of the public must not as a condition of providing or offering to provide any goods, services or facilities to another person to supply/provide him with a relevant record.

However, the above rules do not apply to a person who shows that imposition of a requirement was needed or authorized by law or an order of the court; or that imposition of a requirement was justified as being in the interest of the public.

Anyone who contravenes Clause 9 of this Bill (when it becomes law) shall be guilty of an offence

CHALLENGES OF THE BILL

The Bill is filled with numbering errors –

• Clause 2(1) contains paragraphs (a) to (f); however, paragraphs (e) and (f) are numbered numerically with (2) and (3) respectively. This would make citation confusing. Furthermore, Sub-clauses (5) – (10) appear after the paragraphs under Clause 2(1), which is not serial.
• Clause 5 has sub-clauses (1) to (5), but without sub-clause (3). There was an omission in the numbering

SUMMARY

The Bill seeks to provide personal data protection to regulate the processing of information relating to individuals. In seeking to protect personal data, the Bill seeks to guarantee the right of an individual (data subject) whose data resides in the custody of another person (data controller) to seek redress in a court of law. Though the Bill is silent on which court should be the court of first instance, it provides the nature conducts that constitute offences under Clause 8(3) – (5) and Clause 9(4).

This Bill has been passed by the House of Representatives and is currently at the Committee stage in the Senate. Passage of the Bill would provide more protection to personal data and confidential information.

Infographic: