OFFLINE DATA AND NIGERIAN DATA PROTECTION REGULATIONS
By : Adeyemi O. Owoade
Several times many worry on what happen to the data the companies with no website or online presence collect. Many even conclude that the data protection regulations are not necessary or not applicable to them. This may sound interesting as most data protection laws never state that the law is applicable only to online medium. The essence of this article is to clarify this stand and clear the misconceptions.
Hospital V has no website nor online presence yet due to the location of the hospital it holds sensitive personal data of almost a million person. These data are stored in files stacked up in cabinets in the central store of the hospital. Recently copies of information of certain important celebrities were discovered in a digital format online. The hospital has been sued and it is insisting it has nothing to do with the information. However, the aggrieved persons insist they only shared these sensitive data with the hospital. They have failed to protect the data committed into their hands hence a breach of data protection regulation. The hospital insists the data were never online and they have no online presence hence none of the data protection applies to them. The next paragraphs will clear this misconception about data protection laws.
First, what is data? We all acknowledge that data is another word for information notwithstanding the location or medium the data is placed. The concept of data must first be understood to get the critical examination of this article. One of the proponents of offline data not covered by the NDPR always cites the interpretation section of the regulation as a defense.
“Data” means characters, symbols, and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device;
This definition suggests that the NDPR only caters for electronic data and not information filled on papers or physical forms by companies. However, we must strategically analyze the intent of the provision to understand its stand on offline data.
Looking at the definition of personal data and sensitive data we will discover that this set of data may not necessarily be stored online alone except we want to say the drafters of the regulation lack understanding of the clime where the law is to be applied.
“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others;”
“Personal Identifiable Information (PII)” means information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a context”
Our scenario fits in as sensitive data and it is appropriate to check the definition accordingly;
“Sensitive Personal Data” means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information;
Having checked the interpretation section, we should look at the scope of the data protection regulations, bearing in mind that the scope of the law reveals the intent of the law. The NDPR mention any medium (quote scope of NDPR). So, if the law says any medium, it will be misinterpreted to say that the law only looks for the online medium only. If the law seeks to protect data across the board, the phrase any medium captures any kind of medium data can be stored. In essence, the NDPR seeks to deal with all data whether in the cloud, on pc, or in file cabinets.
Also, we should look at the principles of data in the data protection regulation. The NDPR recognizes the possibility of saving data in different positions, hence the provision found in Rule 2.1 of NDPR below:
(1)In addition to the procedures laid down in this Regulation or any other instrument for the time being in force, Personal Data shall be: a) collected and processed in accordance with specific, legitimate, and lawful purpose consented to by the Data Subject; provided that: i. further processing may be done only for archiving, scientific research, historical research or statistical purposes for public interest; ii. any person or entity carrying out or purporting to carry out data processing under the provision of this paragraph shall not transfer any Personal Data to any person; b) adequate, accurate and without prejudice to the dignity of the human person; c) stored only for the period within which it is reasonably needed, and d) secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
Item d above listed how the data should be protected and secured from ‘theft, damage by rain, fire or exposure to other natural elements’ reveals that the drafters of the regulation recognize the possibility of having those offline data, including the ones in your cabinets, in mind.
To say that any medium means a different online presence will be putting words in the mouth of the law as the law did not state that online media, any means any and it should consist of both offline and online. Hence, we can state that it is important that physical forms to be used in offline companies should have at the end of the paper form or at the back or in a conspicuous location, a brief statement on how data is collected, secured, data rights and how much is shared with third parties. If informing data subjects of their rights and what happened to their data is the intent of this section of the NDPR, it will be comfortable to say it is also important both on offline and online media.
It is the author’s opinion that as the GDPR is technology-neutral the NDPR is also the same. Until the NDPA is passed in the national assembly, the NDPR is still active and so the regulation seeks to protect both offline data and online data of the data subject. It does not matter whether the company only operates offline alone and has no social media platform or website, all that matters is that they collect data and so they are subject to the provision of the regulation.
If we go through other parts of the regulation, and we cannot find a provision that specifies that offline data is in scope, should we then forget about it? We can assume that the mention of the medium can implicitly contain any offline data. Also, the confidentiality status of sensitive data will mean that such must be extremely protected not only in line with NDPR but far more than that. In some professions, such as the health sector, it will be an unfortunate situation to leave sensitive data unprotected. Using lack of an explicit mention of fiduciary duty in regulation as an excuse to fail the fiduciary relationship is not permitted anywhere. In the case of your company running total offline operations and no online data. The following are some of my recommendations:
- DATA SECURITY AWARENESS: Notwithstanding any existence of data protection regulation, a company should find a way to secure the data it collects from his clients. Of course, cyber security is majorly for online data there are so many data security tips for companies that keep data onsite. It is important to engage the members of staff on certain information security measures and teach them to ensure that when they have access to clients’ data they will not manhandle the data.
- SECURE THE INFRASTRUCTURE: A location where personal ( sensitive) data is kept must be properly secured. It is important to reduce access to locker rooms and give access to certain trusted employees in the company. Implement advanced lock system on all file cabinets.
- PROTECT ALL COMPUTERS: Ensure that if you use computers on site, you should restrict access to the computers. Do not allow anyhow flash drives. Use secured and original antivirus. As you keep the data offline in the computer ensure that you prevent unauthorized devices to be connected to the office computers.
- CONDUCT PERIODIC DATA ASSESSMENT: Even if you have no data online but resident in computers and file cabinets alone. Ensure that you carry out periodic data assessments to know the status of all data and even the security of such infrastructures the data are kept. If you discover that the personal data of some clients have been missing or breached you should report to NITDA. Note that an offline data breach may mean that the file cabinet has been broken into. Failure to report a breach when it affects
The aim of any law is to protect the people. Hence, the NDPR seeks to protect the personal and sensitive data of Nigerians. It will be too shallow to say such a law is active when it comes to protecting online but passive offline. It then follows that companies and parastatal (such as hospitals, prisons& correctional centres, event centers, schools, etc.) whether they have an online presence or not should endeavor to secure the data in their hold. They must also imbibe data security measures that fit their medium of data collection. It will be bad to wait till NITDA fine your organization or your local business before you take data protection compliance seriously.
Adeyemi Owoade is a legal practitioner interested in Data Protection, Privacy, Cyber Law and emerging technologies. He is a member of the Association for Data and Cyber Governance. He is also a OneTrust Certified Privacy Professional, OneTrust Certified GRC Professional and ICSI Certified Network Security Specialist. For consultation and enquiries, contact him via email: firstname.lastname@example.org