On the 25th January 2019, the Nigeria Data Protection Regulation (NDPR) came into force. While many organisations have been ensuring their compliance in protecting personal data/information with respect to trade, customers and vendors, one crucial area that should be considered is the NDPR’s impact on the employment relationship. In this discussion, Chioma N. Duru, a labour law and dispute resolution specialist working with Work Point Service, highlights some of the implications of the NDPR for employers and employees.
Nigerian Data Protection Regulation Overview
The NDPR was launched to safeguard personal information that may be collected from data subjects. Under the regulation, data subjects refers to individuals in Nigeria, as well as Nigerian citizens in and outside of the country, who:
“can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
Where such personal information is collected in a manner that is contrary to the NDPR, the NDPR provides that the person who collects the data (the data controller) may be liable for either or both civil and criminal penalties (if any criminal act is also committed). Civil penalties can range to payment of 2 million to 10 million naira, or from 1% to 2% of an organisation’s annual gross revenue (whichever is the greater amount).
NDPR: Implications on the Employment Relationship
The regulation introduces a considerable amount of new compliance issues for employers. Primarily, as the regulation has a wide application to wherever personal data is collected, this would signify that all forms of employment relationship transactions (whether with full time, part time or casual staff within Nigeria), where the employer collects personal information that can identify such workers shall be subject to the data protection regulation. As a result, employers would have to make data protection provisions for all categories of workers.
The NDPR also introduces other operational requirements. Although Nigeria did not previously have a privacy data legislation, the NDPR replaces previous data protection practices with an aim to giving individuals stronger control over their personal data. This presents the following implications for the workplace:
1.) Stronger Framework for Obtaining Consent
The NDPR requires that consent should be specifically and separately given by a data subject to a data controller in agreement that their data can be processed. Furthermore, the regulation requires that the data subject’s consent should be freely given and be able to be freely withdrawn at any point. Therefore, this may have implication on the traditional practices of some employers to integrate a “Data protection” clause in the employment contract.
2.) Justification for Personal Data Collection
The NDPR equally requires that there must be a legal basis for acquiring and/or using any personal data. Although obtaining consent is paramount, this does not immediately mean that all an employer needs to do is obtain the consent of the worker. It is important that employers review their reasons for collecting certain personal data and whether they are for legal basis.
3.) Processing Data Without Consent
The NDPR does recognise other circumstances under which an employer can still process a worker’s personal data without the need of the worker’s consent. However, these are strictly limited circumstances and employers would have to ensure that the right to collect data strictly fall within the ambit provided by the regulation.
4.) Provide Notice of Right
The NDPR requires that data subjects should be clearly made aware, in a manner that is clear and unambiguous, of the data to be collected. The reason is to ensure that prior to giving their consent, this individual can make an informed decision as to whether they agree to it or not. As result, employers must ensure that their workers are unequivocally informed of the employer’s intention to collect and use their data.
5.) Storage of Personal Data
Under the NDPR, employers will have to ensure that data is only stored for the period within which it is reasonably needed. Although the regulation does not specifically make mention as to what will be considered a reasonable period, an employer can take certain measures to ensure that their workers are fully aware of how long a piece of information will be held.
6.) Workers’ Rights over their Data
The NDPR gives greater rights to data subjects to control their data. This includes the right to be able to request access to their personal data and the right of a data subject to withdraw their consent or request delete of personal data at any time.
In this regard, employers would be obliged to make provisions for workers who want to exercise their right or to even access their personal data, unless the employer must hold on to the information for other mandatory legal reasons.
7.) Data Security Measures
The NDPR increases data controllers’ obligations to ensure that all data subjects’ data are secured against all foreseeable hazards and breaches. Therefore, to mitigate any foreseeable harm, employers should consider the risks of how such personal information can get exposed and take necessary measures to curtail that from happening. Such measures are not exhaustive and employers need to ensure that they create evolving structures that continuously best suit their data protection compliance.
Under the NDPR, the collecting and handling of personal data has now become a legal issue with stringent penalties for defaulters. Employers and employees should be well informed and prepared to take on the challenges and opportunities presented by the new regulation.
Chioma N. Duru LLB., LLM, is a lawyer focused on labour, business law and alternative dispute resolution across Africa. She runs Work Point Service, a labour law advisory firm, guiding employers and employees to facilitate better workplace relationships.