Nigeria now has a Data protection law following the signing into law of the Nigeria Data Protection Act, 2023 (DPA) President Bola Ahmed Tinubu on June 12, 2023 to replace the Nigeria Data Protection Regulation 2019 which was issued by the National Information Technology Development Agency and had poor judicial weight.
Data under this legislation refers to personal information about an identifiable person to curb breach.
The DPA not only establishes the Nigeria Data Protection Commission (NDPC), an independent body for regulating data protection matters, and enforce compliance with the provisions of the Act, it also provides the governing framework for processing personal data, sets out the rights of a data subject; addresses data security and cross-border transfer of personal data and sets out penalties for infringements.
Under the DPA, every individual responsible for using personal data has to follow strict rules called ‘data protection principles’ and make sure such information is used fairly, lawfully and transparently, used for specified, explicit purposes and in a way that is adequate, relevant and limited to only what is necessary.
Also, it stipulates that data should be accurate and, where necessary, kept up to date and for no longer than necessary while it must be handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Under the DPA, every citizen has the right to find out what information a data controller stores about you; you must be informed about how your data is being used, access personal data and have incorrect data updated, erased, stop or restrict the processing of their data, object to how your data is processed in certain circumstances, lodge a complaint with the NDPC and recover damages in civil proceedings where there has been injury, loss, or harm due to a violation of the Act by a data controller or data processor.
When there is a breach of personal data, the data controller is required to inform the NDPC of the breach, within 72 hours of becoming aware of a breach, and where feasible provide a detailed description of the breach.
Infringement of the DPA could lead to compliance order warning the affected data controller or processor about a specific violation of the Act, enforcement order where the NDPC may make an order imposing a sanction on the data controller,
Fines, imprisonment of data controller or forfeiture where a court may make an order of forfeiture against a convicted data controller in accordance with the Proceeds of Crime (Recovery and Management) Act.
READ ALSO FROM NIGERIAN TRIBUNE
and then