COVID-19, PRIVACY AND DATA PROTECTION IN NIGERIA: MATTERS ARISING
The Coronavirus (Covid-19) pandemic continues to chart a devastating course across the globe, leaving in its wake a trail of illness, death, overwhelmed health institutions and crumbling economies. Governments, organisations and individuals are increasingly constrained to deploy strategies to mitigate its impact. Nigeria is not spared: on 30th March 2020, President Muhammadu Buhari announced a two-week lockdown in the states that had recorded the highest numbers of coronavirus cases to date, which at its lapse was immediately extended for a further two-week period.[i] Organisations have also been forced to suspend physical operations and resort to remote working, thus altering the commercial landscape. The processing of vital personal information for the purpose of managing risks, identifying infected persons and contact tracing is important in the fight against the pandemic. Hence, the privacy and data protection implications of the situation cannot be ignored.
In view of the toughening regime for the processing of personal data, there are concerns as to whether the high standards of compliance created by the operative privacy framework are likely to preclude the optimal implementation of requisite measures. Stakeholders[ii] are wary of whether they can request and process certain sensitive data in pursuit of anti-coronavirus objectives without running afoul of the law. Some of the issues that have been highlighted include, but are not limited to, whether employers can: (i) request specifics about employees’ travel histories, illnesses or current symptoms, or compel them to fill in health status questionnaires; (ii) demand medical certificates to augment responses to health-related questions; (iii) disclose the health status of employees to colleagues, third parties or the authorities; (iv) send workers home on suspicion or confirmation of infection; (v) respond to data subjects’ requests within the stipulated timelines given the closure of physical office spaces; and (vi) whether hospitals and health workers can disclose the confidential information of patients to third parties and the authorities.
It is important to address these issues because while privacy and data protection laws do not stand in the way of the management of public health, there are important points that should be considered when handling personal data in these contexts, particularly health and other sensitive data.
The Legal Framework
The processing of personal data in Nigeria falls within the purview of a rapidly developing privacy framework, strengthened by the coming into force of the Nigerian Data Protection Regulation (NDPR) in 2019 and comprising other sectoral laws. While the NDPR is not in itself a superintending and exhaustive data protection law, it is a modest attempt to raise the Nigerian data protection framework to global standards, and it was inspired by its European counterpart, the General Data Protection Regulation of May 2018 (GDPR). It pushes entities to unprecedented standards of compliance and avails to the benefit of Nigerians irrespective of their geographic location. In addition to the stated objectives of the law[iii], it is engendering transparency in the processing of personal data and granting Nigerians control over how their personal data is requested and processed.
The NDPR defines “Personal Data” as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”[iv].
“Sensitive Personal Data” is identified as:
“data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information”.
“Processing” is described as:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”[v].
It would appear from the above definitions that any personal information collected by an entity from a data subject for the purpose of devising and implementing requisite measures against the coronavirus pandemic would fall within the scope of the NDPR. For health-related matters, supplemental provisions relating to the processing of personal data are contained in the National Health Act[vi].
The NDPR identifies five (5) independent conditions on the basis of which an organisation can lawfully process personal data[vii]. These derive from the principle of lawful processing and are commonly referred to as legal bases. They are:
- Consent of the data subject for a specified purpose(s). Such consent must not have been obtained with fraud, coercion or undue influence[viii]
- Necessary for the performance of a contract to which the data subject is a party
- Compliance with a legal obligation of which the controller is a subject
- Protection of the vital interests of the data subject or other natural persons
- Performance of a task carried out in the public interest or in the exercise of official public mandate
In addition to the above, relevant stakeholders are obliged to take into cognizance the principles enshrined in the NDPR, namely: data processing must accord with a specific and legitimate purpose (purpose limitation); it must be conducted adequately (minimisation) and accurately (accuracy); data collected must be stored only for a reasonable period (storage limitation); and it must be protected from foreseeable hazards (confidentiality and integrity). Data processing also creates a fiduciary relationship between the controller and the data subject (duty of care), with the former being obliged to demonstrate compliance with these principles (accountability). It should be noted that while personal data can be processed on the strength of at least one legal basis, the principles in the NDPR are cumulative and must all be complied with for processing to be valid.
Can employers request specifics about employees’ travel histories, illnesses or current symptoms, or compel them to fill in questionnaires revealing this information?
Employers have an immutable obligation to provide a safe working environment and protect the health of their employees. In pursuit of these objectives, the collection and processing of personal data relating to health and travel histories would be justified provided it is premised on one or more legal bases. If employees’ consent is to be relied upon, such consent must be specific, informed and freely given, and the employee must be informed of his right to withdraw this consent at any time[ix]. The use of additional measures, e.g. a questionnaire, would have to be justified, taking into consideration the evaluation of risk and the necessity and proportionality of the measure.
Alternatively, the protection of the vital interests of the data subject or other natural persons, compliance with a legal obligation by the controller and public interest concerns[x] can conveniently be relied upon as legal bases for processing personal information in the circumstances.
Can employers demand medical reports to augment responses to health-related questions?
The obligation of employers to protect the health of employees also extends to other persons who may have legitimate reasons to be present in the workplace. Requesting a medical report to augment the health-related responses of employees in these circumstances would therefore fall within the scope of this objective, so as to justify such a demand. However, cognizance must be taken of the confidentiality obligation imposed on any entity that may be in possession of a document of this nature[xi], the waiver of which can only be justified on the grounds of consent, an order of court or public interest[xii].
Can data controllers disclose health status of employees to colleagues, third parties or the authorities?
Health information is classified as “sensitive personal data”, which requires a high degree of confidentiality. Therefore, while an employer may notify its staff of a suspected case of coronavirus in the organisation, the identity of the affected individual must not be disclosed without a legal basis; otherwise the employer would be in breach of privacy laws and, by extension, the confidentiality clause in the employee’s terms of employment, where applicable. Similarly, disclosure to third parties and the authorities should only be effected in reliance on one or more of the legal bases indicated in the NDPR and the National Health Act.
Can employers send employees home on suspicion or confirmation of infection?
In protecting employees’ health, employers reserve the discretion to control access to the working premises. Where there is a suspicion or confirmation of coronavirus, the employer can lawfully restrict the employee from gaining access to the premises. In any event, this issue would seem to fall within the scope of labour and employment law rather than data protection law, and may impact the status of the employee’s job, remuneration and sickness benefits as per the contractual terms of engagement.
Can data controllers respond to data subjects’ requests beyond the stipulated timelines in view of closure of physical office spaces?
The NDPR creates a mechanism for individuals to request a copy of their data under a formal process. The controller is bound to accede to this request in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It is understandable that the ongoing global health crisis may impede the capacity of organisations to process data subjects’ requests promptly, given the challenges of operating remotely. However, in the event of inability or failure to take action in respect of any such request, the data controller must, not later than one month from the date of the request, inform the data subject of the reasons for the default and of their right of recourse to the supervisory authorities[xiii]. Given that the NDPR does not expressly provide a specific timeline within which a data subject’s request must be processed, it is unclear what the consequences of a breach would be.
Can hospitals disclose the confidential information of patients to third parties and the authorities?
The National Health Act cloaks the medical records of all patients with confidentiality and further imposes a strict obligation of non-disclosure to third parties. However, confidentiality can be waived where the patient has consented in writing to the disclosure of such medical records, or a court of competent jurisdiction has ordered the disclosure of same, or non-disclosure would constitute a grave threat to public health. In addition, a public health worker who may be in possession of such confidential records may disclose same if it is necessary for a legitimate purpose within the ordinary course and scope of his or her duties where such disclosure is in the interest of the patient[xiv].
It should be reiterated that privacy and data protection laws aim to encourage transparency in the processing of personal data and to grant individuals control over how their personal data is requested and processed. While their construction primarily serves the purpose of advancing the interests of data subjects, they will not operate to impede measures necessary for the protection of the public interest or public health. This explains the existence of various independent legal bases for processing personal data other than the consent of the data subject. The severity of the coronavirus pandemic is undoubtedly a matter of public concern. Hence, the protection of data subjects’ interests, the public interest and the legal obligation(s) of data controllers can conveniently avail as legal bases for processing in the absence of the data subject’s consent.
Nevertheless, an organisation seeking to request and process personal data in reliance on one or more legal bases must necessarily apply the fundamental principles enshrined in the NDPR. It must ensure that the legal basis on which it seeks to rely lawfully avails it in the circumstances, and it must show specificity of purpose. The data collected should be limited to what is required and must be protected from breach and unauthorised disclosure. The controller must refrain from abusing the existing fiduciary relationship and must be able to clearly demonstrate compliance with its obligations under the law, failing which it could incur liability for breach and sanctions[xv].
[i] Temitayo Ogunmokun is a Regulatory Compliance, Corporate Governance and Privacy Counsel. He is an Advanced LLM Candidate in International & European Law with specialisation in Data Law at the Institute of European Studies, Vrije Universiteit Brussels, a Member of the Internet Society (Belgium Chapter), a Consultant for TechHive Advisory (Official Training Partner of the IAPP in Nigeria) and a Volunteer at the Brussels Privacy Hub. He writes from Brussels, Belgium.
[ii] Data Controllers, Data Administrators, Recipients and Third Parties; see Article 1.3 of the NDPR
[iii] Section 1.0 of the NDPR
[iv] Section 1.3(q) of the NDPR
[v] Section 1.3(r) of the NDPR
[vi] National Health Act, 2014 (Act No. 8 of 2014)
[vii] Section 2.1(1)-(3) of the NDPR
[viii] Section 2.3(ii) of the NDPR
[ix] Section 2.3(ii)(c) of the NDPR
[x] See Section 26(2)(e) of the National Health Act
[xi] Section 26(1) of the National Health Act
[xii] Section 26(2)(a)-(e) of the National Health Act
[xiii] Section 2.13.2 of the NDPR
[xiv] Section 27 of the National Health Act
[xv] Section 2.10 of the NDPR