Whereas, The National Information Technology Development Agency (NITDA, hereinafter referred to as the Agency) is statutorily mandated by the NITDA Act of 2007 to, inter alia: develop Regulations for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour and other fields, where the use of electronic communication may improve the exchange of data and information;
Recognising that many public and private bodies have migrated their respective businesses and other information systems online. Information solutions in both the private and public sectors now drive service delivery in the country through digital systems. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against atrocious breaches;
Cognizant of emerging data protection regulations within the international community geared towards security of lives and property and fostering the integrity of commerce and industry in the volatile data economy;
Conscious of the concerns and contributions of stakeholders on the issue of privacy and protection of personal data and upon evaluation of the grave challenges of leaving personal data processing unregulated; THE AGENCY hereby issues the Nigeria Data Protection Regulation, which shall come into effect on the date it is approved by the Board of NITDA.
The objectives of this Regulation are as follows:
a) to safeguard the rights of natural persons to data privacy;
b) to foster safe conduct of transactions involving the exchange of personal data;
c) to prevent manipulation of personal data and
d) to ensure that Nigerian businesses remain competitive in international trade; through the safeguards afforded by a just and equitable legal regulatory framework on data protection and which regulatory framework is in tune with global best practices.
Scope of the regulation
a) this Regulation applies to all transactions intended for the processing of personal data and to actual processing of personal data notwithstanding the means by which the data processing is being conducted or intended to be conducted and in respect of natural persons in Nigeria;
b) this Regulation applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent and
c) this Regulation shall not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, policy, contract, for the time being in force in Nigeria or in any foreign jurisdiction.
In this Regulation, unless the context otherwise requires:
a) “Act” means the National Information Technology Development Agency Act of 2007;
b) “Computer” means Information Technology systems and devices, whether networked or not;
c) “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
d) “Data” means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals and is stored in any format or on any device;
e) “Database” means a collection of data organised in a manner that allows access, retrieval, deletion and processing of that data; it includes but is not limited to structured, unstructured, cached and file system type databases;
f) “Data Administrator” means a person or organisation that processes data;
g) “Data Controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed;
h) “Database Management System” means software that allows a computer to create a database, add, change or delete data in the database; allows data in the database to be processed, sorted or retrieved;
i) “Data Portability” means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format;
j) “Data Protection Compliance Organisation (DPCO)” means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria;
k) “Data Subject” means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
l) “Data Subject Access Request” means the mechanism for an individual to request a copy of their data under a formal process and payment of a fee;
m) “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
n) “Foreign Country” means other sovereign states, autonomous or semi-autonomous territories within the international community;
o) “Regulation” means this Regulation and its subsequent amendments and where circumstance requires it shall also mean any other Regulations on the processing of information relating to identifiable individuals’ Personal Data, including the obtaining, holding, use or disclosure of such information to protect such information from inappropriate access, use, or disclosure;
p) Object Identifiable Information (OII)
q) “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.