Nigerian Data Protection Regulation: Practical Guide for the Construction
On 25 January 2019, the National Information Technology Development Agency (the “NITDA”) issued the Nigerian Data Protection Regulation (the “NDPR”) to regulate organizations that collect and process personal data (“Data Controllers”). The NDPR requires Data Controllers to conduct a mandatory data protection audit of their organizations and file an audit report with the NITDA through a Data Protection Compliance Organization (“DPCO”) within six months from the issuance of the NDPR. The NDPR also affects construction projects. A ‘Data Controller’ is defined as a person who, either alone or in collaboration with other persons or statutory bodies, determines the purpose for which and the way in which personal data is processed.
Non-compliance with the data privacy rights under the Nigerian Data Protection Regulation is a criminal offense that, upon conviction, attracts the imposition of a sanction or fine. If the Data Controller is dealing with more than 10,000 Data Subjects, the fine imposed is 2% of the Annual Gross Revenue of the preceding year or the sum of N10,000,000.00 (Ten Million Naira), whichever is greater. If the Data Controller deals with fewer than 10,000 Data Subjects, the fine imposed is 1% of the Annual Gross Revenue of the preceding year or the sum of N2,000,000.00 (Two Million Naira), whichever is greater.
Since the Nigerian government introduced the NDPR, there has been a rush for businesses to comply with it. This article considers the relevance of the NDPR to the Nigerian construction industry.
Nigeria Data Protection Authority
The National Information Technology Development Agency (NITDA) is currently the main regulator where data protection is concerned in Nigeria. However, sector-specific regulatory agencies including the Nigerian Communications Commission and the Central Bank of Nigeria provide services relating to the protection of data.
The NDPR was issued in January 2019 pursuant to Section 6 (a,c) of the NITDA Act 2007. The Regulation is the current national law on data protection in Nigeria, and it applies to public and private sector processing of personal data within and outside Nigeria. The Regulation is aimed at protecting the right to privacy, creating the right environment for digital transactions, job creation, and improving information management practices in Nigeria.
NITDA as the Regulatory Authority for Data Protection aims at innovating data protection management in Africa through inclusive regulatory strategies, partnerships, and continuous improvement. The Agency represents Nigeria (as Deputy Chair of the Data Protection and Localisation Working Group) at the African Union Policy and Regulatory Initiative for Digital Africa (AU-PRIDA).
Nigeria Data Protection Framework
Nigerian data protection is a constitutional right founded on Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (‘the Constitution’). The Nigerian Data Protection Regulation, 2019 (‘NDPR’) is the main data protection regulation in Nigeria. The NDPR was issued by the NITDA. The NDPR expounded on the concept of Nigerian data protection under the constitution. The NDPR makes provisions for the rights of data subjects, the obligations of data controllers and data processors, transfer of data to a foreign territory among others. Although other legislations, as mentioned below, made some provisions for data protection, the NDPR is the starting point for understanding Nigeria’s data protection landscape.
Data Protection Compliance Organizations (DPCOs)
Article 1(3j) of the Nigerian Data Protection Regulation provides that a Data Protection Compliance Organization (DPCO) is any entity duly licensed by NITDA for the purpose of training, auditing, consulting, and rendering services aimed at ensuring compliance with this Regulation or any foreign Data Protection law or regulation having an effect in Nigeria.
A DPCO may be one or more of the following:
- Professional Service Consultancy firm
- IT Service Provider
- Audit firm
- Law firm
DPCOs also provide data protection and privacy training and advisory services, draft regulation contracts, Data Protection Impact Assessments, etc. The list of licensed DPCOs can be accessed on the NITDA website.
Data Protection Officers (DPOs)
The Nigerian Data Protection Regulation requires Data Controllers to designate a Data Protection Officer responsible for ensuring compliance with the NDPR and other applicable data protection directives. The Data Controller may outsource this responsibility to a verifiably competent firm or person.
Privacy Policies of NITDA
- Your Privacy Rights
- Your Personal Information
- What do we do with your personal information
- How we protect your personal information
- How We Share your information within NITDA and other users
- Data Confidentiality Rights
- Links to Other Websites and Premises
Data Protection Impact Assessment (DPIA)
Under the NDPR 2019, one of the governance mechanisms recommended by the NITDA as part of being accountable in data processing operations is the Data Protection Impact Assessment or DPIA, a tool for identifying and minimizing data protection risks. According to NITDA, only data processing operations involving the intense use of personal data should be subjected to a DPIA. On this basis, I argue that online profiling, including Online Behavioral Advertising (OBA), is an intensive data processing operation and is thus eligible for a DPIA.
What Are the Implications for Businesses?
The NDPR governs the use of ‘personal data’ by businesses. It applies to all transactions for the processing of personal data, notwithstanding the means by which the data is processed. Personal data is defined in a broad sense and essentially translates as any information relating to an identified or identifiable natural person, otherwise referred to as the “Data Subject.”
It can be anything from a name, address, a photo, an e-mail address, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others. In a work context, particularly a construction context, this could be information about employees, their salary, performance, and qualifications; just a reference to their employee number is enough to constitute personal data.
The NDPR sets out a set of governing principles that companies must comply with in the processing of data. The governing principles require that data must be:
- collected for specific and legitimate purposes;
- processed lawfully;
- kept for no longer than is necessary;
- accurate, whereby companies must take reasonable steps to rectify data that is inaccurate;
- adequate and kept up to date;
- kept secure.
Inventory Processing of Activities
Nigeria has remained at the forefront of responding to its obligations to the United Nations Framework Convention on Climate Change (UNFCCC) since the ratification of the Convention. The UNFCCC stipulates that Non-Annex 1 countries are required to submit inventory reports every two years as part of their Biennial Update Report (BUR) or as a component in their National Communication (NC) report. With a National GHG Inventory Management System (NGHGIMS) established in 2018, an institutional arrangement made up of Sectorial Working Groups – Data Compilers, and providers from relevant Ministries, Departments, and Agencies of Government was put in place.
What Are the Implications for the Construction Sector?
Since the introduction of the NDPR, there have been questions about the relevance of the NDPR to the construction industry. The construction industry feels it is somewhat removed from the data-heavy, consumer-facing sectors, and as such, the NDPR will have no effect on its operations.
However, this view is not entirely correct, as the security threat posed by a data breach is just as real as in other data-heavy sectors, and the impact could be just as damaging due to the construction industry’s unique proximity to, and collaboration with, other businesses and sectors.
Its proximity to other businesses makes it a target for security breaches, being a gateway to the personal details of its clients and other businesses with which it regularly engages. Also, if the company is involved in critical and sensitive infrastructure projects, it could be a target for security breaches.
Therefore, it is important to consider how the Nigerian data protection regulation is likely to impact operations within the construction industry both in a general sense and on a project-specific basis.
In the general sense, Companies that employ labor would need to comply with the NDPR. Even though it is common in the construction industry not to engage labor directly but as contract staff through a third-party, construction companies are likely to deal with the personal data of individuals even where the labor is procured by third parties.
Also, construction companies do engage labor directly and may maintain buildings where personal data may be collected through site access cards and CCTV. In the general sense, construction companies must ensure that personal data collected are processed in compliance with the NDPR provisions.
On a project-specific basis, it is important to ensure that the project is NDPR compliant where applicable. A typical construction project will usually involve the frequent exchange of sensitive data with multiple third-party project partners, such as the architect, civil, mechanical, and structural engineers, planning consultants, project managers, contractors, insurers, and financiers.
The data exchanged may include personal data relating to the contractor, sub-contractor, supply chain, or individuals forming part of the project team. It may also involve sensitive personal data relating to accidents or health issues that need to be noted while an individual is on-site or personal data required to be provided to regulatory authorities with respect to on-site operations.
Another aspect of a construction project that must be considered is smart asset management which involves the implementation of digital processes in the design, construction, operation, and management of the built asset. The use of digital processes in the construction and management of an asset usually facilitates an increase in data collection, including personal data.
The use of technology ensures increased data collection and enhanced data analysis, thereby improving the asset life and the overall performance of the asset. If the design of the asset involves the use of technologies such as Building Information Modelling (“BIM”), the passing of developed models for purposes of managing the asset must comply with the NDPR requirement.
The NDPR will play a critical role in smartly built assets, and project owners must ensure that such projects are NDPR compliant.
Practical Guide Towards Implementing the Nigerian Data Protection Regulations Provisions
It is important that parties to a construction contract always consider whether the Nigerian Data Protection Regulation may apply in some way. This will involve carrying out an audit exercise across the organization to determine aspects of the company’s operations requiring the collection and use of personal data. The audit will detail the nature of the data, how it is used, with whom it is shared, how it is accessed, and by what means it is transferred.
In circumstances where personal data is used by the company, and a third party is engaged to process such data on its behalf, the relevant contract, be it a construction contract, consultancy agreement, operation and maintenance contract, or supply agreement, should contain robust provisions requiring compliance with the Nigerian Data Protection Regulation’s provisions.
The NDPR makes it mandatory for contractual agreements with third parties to incorporate obligatory clauses requiring compliance with the NDPR. The Nigerian Data Protection Regulation also imposes an obligation on parties to such a contract to carry out proper due diligence to ensure that the co-contracting party does not have a record of violating the NDPR and is otherwise accountable under the NDPR.
Therefore, it is no longer enough to deploy standard forms of construction contract; deliberate consideration should be given to the implementation of the project and how it interacts with the NDPR provisions when negotiating and drafting construction contract clauses. Engaging a construction law expert with a good understanding of the construction process and operations during the negotiation and implementation of the contract clauses is therefore important to ensure full regulatory compliance, including with the NDPR.
Besides incorporating data protection clauses in relevant contracts, practical measures must be put in place. These measures include ensuring that appropriate practices and protocols are in place and well known so that if there are requests for access to or transfers of personal data, they are undertaken with the necessary consideration and with appropriate protections in place.
These measures involve automating the data protection protocols using appropriate software, establishing a data protection policy, designating a Data Protection Officer for the purpose of ensuring adherence to the Nigerian Data Protection Regulations, continuous capacity building for Data Protection Officers, and the generality of personnel involved in any form of data processing, and engaging a Data Protection Compliance Organization (“DPCO”) to assist in auditing the operations.
Concluding Remarks about the Nigerian Data Protection Regulation
Even though the Nigerian data protection regulation affects construction companies in a general sense, whether it will apply in any given project will depend on the nature of the specific project and if the project involves the exchange of personal data.
It is, therefore, important for construction companies to consider each project on a case-by-case basis and, where applicable, ensure that the project is NDPR compliant by engaging professional advice during the contract procurement and project delivery phases.
Also, non-compliant companies and projects should take immediate steps to comply, to avert regulatory enforcement and the imposition of sanctions.