Are you aware of the Nigerian Data Protection Regulation? On 25 January 2019, the National Information Technology Development Agency (the “NITDA”) issued the Nigerian Data Protection Regulation (the “NDPR”) to regulate organisations that collect and process personal data (“Data Controllers”). The NDPR requires Data Controllers to conduct a mandatory data protection audit of their organisations and file an audit report with the NITDA through a Data Protection Compliance Organisation (“DPCO”) within six months from the issuance of the NDPR. The Nigerian Data Protection Regulation affects construction projects. The ‘Data Controller’ is defined as a person who, either alone or in collaboration with other persons or a statutory body, determines the purpose for and the way personal data is processed.
Non-compliance with the data privacy rights under the Nigerian Data Protection Regulation is a criminal offence which, upon conviction, attracts the imposition of a sanction or fine. If the Data Controller is dealing with more than 10,000 Data Subjects, the fine imposed is the payment of 2% of Annual Gross Revenue of the preceding year or the sum of N10,000,000.00 (Ten Million Naira), whichever is greater. Where the Data Controller deals with fewer than 10,000 Data Subjects, the fine imposed is 1% of the Annual Gross Revenue of the preceding year or the sum of N2,000,000.00 (Two Million Naira), whichever is greater.
Since the introduction of the Nigerian Data Protection Regulation (NDPR) by the Nigerian government, there has been a clamour for businesses to comply with the NDPR. This article considers the relevance of the NDPR to the Nigerian construction industry.
What are the implications for businesses?
The NDPR governs the use of ‘personal data’ by businesses. It applies to all transactions for the processing of personal data, notwithstanding the means by which the data is processed. Personal data is defined in a broad sense and essentially translates as any information relating to an identified or identifiable natural person, otherwise referred to as the “Data Subject”. It can be anything from a name, address, a photo, an e-mail address, bank details, posts on social networking websites, medical information and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others. However, in a work context, particularly a construction context, this could be information about employees, their salary, performance or qualifications; even a reference to their employee number is enough to constitute personal data.
The NDPR sets out a set of governing principles which Companies must comply with in the processing of data. The governing principles require that data must be:
- collected for specific and legitimate purposes.
- processed lawfully.
- kept for no longer than is necessary.
- accurate whereby companies must take reasonable steps to rectify data that is inaccurate.
- adequate and kept up to date.
- kept secure.
What are the implications for the construction sector?
Since the introduction of the NDPR, there have been questions on the relevance of the NDPR to the construction industry. The construction industry feels it is somewhat removed from the data-heavy, consumer-facing sectors, and as such, the NDPR will have no effect on its operations.
However, this statement is not entirely correct, as the security threat posed by a data breach is just as real as in other data-heavy sectors and the impact could be just as damaging due to the construction industry’s unique proximity to, and collaboration with, other businesses and sectors. Its proximity to other businesses makes it a target for security breaches, being a gateway to the personal details of its clients and other businesses with which it regularly engages. Also, if the company is involved in critical and sensitive infrastructure projects, it could be a target for security breaches.
Therefore, it is important to consider how the Nigerian Data Protection Regulation is likely to impact operations within the construction industry, both in a general sense and on a project-specific basis. In the general sense, companies that employ labour would need to comply with the NDPR. Even though it is common in the construction industry not to engage labour directly but as contract staff through a third party, construction companies are likely to deal with the personal data of individuals even where the labour is procured by third parties. Also, construction companies do engage labour directly and may maintain buildings where personal data may be collected through site access cards and CCTV. In the general sense, construction companies must ensure that personal data collected is processed in compliance with the NDPR provisions.
On a project specific basis, it is important to ensure that the project is NDPR compliant where applicable. A typical construction project will usually involve the frequent exchange of sensitive data with multiple third-party project partners, such as the architect, civil, mechanical and structural engineers, planning consultants, project managers, contractors, insurers and financiers. The data exchanged may include personal data relating to the contractor, sub-contractor, supply chain or individuals forming part of the project team. It may also involve sensitive personal data relating to accidents or health issues which need to be noted while an individual is on site, or personal data required to be provided to regulatory authorities with respect to on-site operations.
Another aspect of construction projects that must be considered is smart asset management, which involves the implementation of digital processes in the design, construction, operation and management of the built asset. The use of digital processes in the construction and management of an asset usually facilitates an increase in data collection, including personal data. The use of technology ensures increased data collection and enhanced data analysis, thereby improving the asset life and the overall performance of the asset. If the design of the asset involves the use of technologies such as Building Information Modelling (“BIM”), the passing of developed models for purposes of managing the asset must comply with the NDPR requirements. The NDPR will play a critical role in smartly built assets and project owners must ensure that such projects are NDPR compliant.
It is important that parties to a construction contract always consider whether the NDPR may apply in some way. This will involve carrying out an audit exercise across the organisation to determine aspects of the company’s operations requiring the collection and use of personal data. The audit will detail the nature of the data, how it is used, with whom it is shared, how it is accessed and by what means it is transferred.
In circumstances where personal data is used by the company and a third party is engaged to process such data on its behalf, the relevant contract, be it a construction contract, consultancy agreement, operation and maintenance contract or supply agreement, should contain robust provisions requiring compliance with the NDPR provisions. The NDPR makes it mandatory for contractual agreements with third parties to incorporate obligatory clauses requiring compliance with the NDPR. The NDPR also imposes an obligation on parties to such a contract to carry out proper due diligence to ensure that the co-contracting party does not have a record of violating the NDPR and is otherwise accountable under the NDPR.
Therefore, it is no longer enough to simply deploy standard-form construction contracts; deliberate consideration should be given to the implementation of the project and how it interacts with the NDPR provisions in negotiating and drafting construction contract clauses. Engaging a construction law expert with a good understanding of the construction process and operations during the negotiation and implementation of the contract clauses is therefore important to ensure full regulatory compliance, including with the NDPR.
Besides incorporating data protection clauses in relevant contracts, practical measures must be put in place. These measures include ensuring that appropriate practices and protocols are in place and well known so that if there are requests for access to or transfers of personal data, they are undertaken with the necessary consideration and having put in place appropriate protections.
These measures involve automating the data protection protocols using appropriate software, establishing a data protection policy, designating a Data Protection Officer for the purpose of ensuring adherence to the NDPR, continuous capacity building for Data Protection Officers and the generality of personnel involved in any form of data processing, and engaging a Data Protection Compliance Organisation (“DPCO”) to assist in auditing the operations.
Concluding remarks about the Nigerian Data Protection Regulation
Even though the Nigerian Data Protection Regulation affects construction companies in a general sense, whether it will apply in any given project will depend on the nature of the specific project and whether the project involves the exchange of personal data. It is, therefore, important for construction companies to consider each project on a case-by-case basis and, where applicable, ensure that the project is NDPR compliant by engaging professional advice during the contract procurement and project delivery phases. Also, non-compliant companies and projects should take immediate steps to comply to avert regulatory enforcement and the imposition of sanctions.