On May 18, 2020, the National Information Technology Development Agency of Nigeria (“NITDA”) issued ‘Guidelines for the Management of Personal Data by Public Institutions in Nigeria’ (the “Guidelines”). It is aimed at directing public institutions in securely managing personal data in accordance with the Nigeria Data Protection Regulation, 2019 (“NDPR”).

This development is in line with the Nigerian Government’s National Digital Economy Policy and Strategy launched in November, 2019, particularly the E-Governance Initiative aimed at digitizing the provision of public services. A key provision in the Guidelines is a requirement for all Public Institutions holding or processing personal data to securely digitize its database within 60 days from the issuance of the Guidelines. In addition to this, below are highlights from the Guidelines:

1. Which institution does it apply to? It regulates all Public Institutions in Nigeria (“PI”), including ministries, agencies and incorporated entities with government shareholding.
2. How does the NDPR fit in with the Guidelines? The NDPR is the primary data protection regulation and remains binding on PIs. The Guidelines clarify the intent of the NDPR and should be read together.
3. What duty of protection is placed on PIs? PIs are obligated to protect all personal data they process. Processing means any operation which is performed on personal data by PIs, whether or not automated.
4. Whose data is protected? Personal data of a Nigerian citizen (resident and non-resident) which PIs have access to, whether through direct interaction or in furtherance of its statutory or administrative purpose.
5. How can PIs process personal data lawfully? In addition to the 5 lawful basis for processing Personal Data set out in the NDPR (consent, contractual obligation, vital interest, public interest and legal obligation), the Guidelines include legitimate interest as the 6th lawful ground for processing by PIs. Legitimate interest is, however, not defined.
6. Are there additional conditions attached to lawful processing? Yes, all processing by PIs must fall within any of these 3 categories; public interest, legal obligation and vital interest.
7. How is sensitive personal data to be handled by PIs? PIs are to apply a higher standard to Sensitive Personal Data. They are to directly and unambiguously request for consent from Data Subjects prior to processing it. Sensitive Data includes data on health, ethnicity, biometric and sexual orientation.
8. Are there exceptions to the rule? Yes, it appears that consent would not be required for Health Emergency, National Security and Crime Prevention.
9. What Information Security Standard should be adopted when processing personal data from another institution? PIs seeking to process personal data from another institution (private or public) are to show compliance with international information security standards such as ISO 27001:2013 or any similar standard, amongst other conditions.
10. Does a PI require a Data Protection Compliance Organisation (“DPCO”)? Yes, a DPCO is to be appointed to train and audit PIs.
11. Is there a consequence for non-compliance? Non-compliance by the PI would be an offence under the NITDA Act and NDPR; and the consequences for such offence would be applied.