THE OUTBREAK OF COVID-19 AND THE PROCESSING OF PERSONAL DATA(PHONE NUMBERS) OF DATA SUBJECTS (NIGERIA CITIZENS)

Scenario: Mr Sunday Akor just concluded a business  transaction with his business partner and is expecting an alert which should be received any moment from now. His mobile phone beeps and he excitedly checks it expecting to see an alert. But to his surprise, be sees a message from NCDC telling him of the existence of Covid-19 and how its spread can be prevented. He wonders how they got his phone number  as he doesn’t remember giving them his number or asking anybody with it to give it out. He is aggrieved with whatever body that gave out his number without his authorisation and more aggrieved because the message came at a time he was expecting something ‘different and better’.   

INTRODUCTION: Nigeria has for long recognised the need to ensure that any data that identifies her citizens are protected from unlawful processing.  S. 37 of the 1999 constitution of Nigeria (as amended) provides that the privacy of citizens,their homes correspondences,their telephone conversation and telegraphic communications are guaranteed and protected.

 The Data Protection Regulation(2019),—made by the National Information Technology Development Agency (NITDA) on whom there’s a statutory mandate by the NITDA Act to inter alia, make regulations for electronic governance and monitor the use of electronic data interchange,— broadened the Rights of Nigeria citizens, home and abroad, to enjoy the right to data privacy provided by S. 37 of the 1999 constitution of the Federal Republic of Nigeria (as amended). This is clearly shown by one of the objectives of the Data Protection Regulation in S. 1(a) which is to safeguard the rights of natural persons to data privacy. The Regulation further provided the legal basis on which these data — which range from all manners of personal data including names, address, phone number, etc to all manner of sensitive personal data which include sexual orientation, religious beliefs, etc— can be processed and transferred to a third party known as the recipient. 

This work seeks to inquire if there’s any or if there are legal basis on which the data (phone numbers) of citizens of Nigeria which are the data subjects were given out by Nigeria Communication Commission (NCC) to Nigeria Centre for Disease control. Is NCC in Personal data breach for giving out the personal data under her database of data subjects or are they justified?

Nigeria in her data protection regulation recognises the need for citizens to freely consent to the processing of their data for use provided it is used only  for the process which the consent is sought and given. This is contained in S.6(a) of the Data Protection Regulation(hereinafter referred to as The Regulation). Consent is defined in S. 4(c) of The Regulation as it pertains to the Data Subject to mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which she or he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.  S. 7 of The Regulation further provides that no data shall be obtained except  the specific purpose of collection is made known to the data subject. 

Narrowing it down to the Nigeria situation during the outbreak of the pandemic  which warranted the NCC to process the personal data (phone numbers) of citizens (Data Subjects), it is clear that before the processing was done and given to the recipients which in this case is NCDC,  the consent of the Data Subjects were not sought,thereby going against the provisions of The Regulation on consent. 

However, there are other basis on which lawful processing can be done. So, despite the fact that the consent of Nigeria citizens were not procured before their phone numbers were given out, there are other basis on which this ‘un-consented’ processing can be justified. 

First, S.6(d) of The Regulation provides that processing can be lawful if it is done in order protect the vital interest of the data subject or of another natural person. 

This provision is very clear and unambiguous. Consent can be done away with if the purpose of processing is to protect the interest of the data subject (health inclusive) or that of another person (which must be a natural person i.e a human being). The phone numbers of Nigerians were processed so as to  convey relevant pieces of information on how the entire citizenry can protect themselves and others and prevent  the spread of Covid-19. Almost on daily basis, NCDC sends text messages to Nigerians to create awareness on the existence of Covid-19, how the virus can be contracted and how it can be prevented. This is clearly for the interest of the data subject and also for the interest of others as the messages also educate citizens who are already infected with this virus on how they can prevent the spread i.e for the interest of other citizens. 

Also, The Regulation in S.6(e) provides that processing is lawful if it is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the controller. 

This provision is disjunctive and thus, one part of it alone is sufficient to absolve from liability. The first part of this provision which deals with performance of a task carried out in public interest is important here. This limb has at its background the Utilitarian school of law which provides for the consideration of the public interest before individual rights. A task is said to be carried out in public interest if it is beneficial to a larger part of the populace.  Applying it, it is clear that it is necessary, for the interest of public as a whole, which include their health, that awareness is created on how to prevent the spread of the coronavirus pandemic. 

In conclusion, it is clear that consent is not the only bases on which personal  data of data subjects  can be processed. There are other grounds on which this can be done without attracting any liability to the data controller or even processor. The opening part of S. 6 of The Regulation states that “…Processing shall be lawful if ATLEAST (emphasis mine) one of the following applies.” This means that any one ,without more, of the Legal basis set out for lawful processing is sufficient. So, a citizen (data subject) who is aggrieved with NCC for processing his/her phone number for NCDC’s purpose of educating the entire citizens on the prevention of coronavirus might have no legal remedy as this processing was done for his/her interest and that of the public as a whole. 

ABOUT THE AUTHOR

Okpara Matthew is a student of the faculty of law, Nnamdi Azikiwe University, Awka. He is a legal researcher and writer. 

                              Copyright Reserved

For knowledge and Justice