Privacy Of Electronic Communication In Workplaces In Nigeria

By Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).

With Nigeria as the case study of this article, section 37 of the 1999 Constitution of the Federal Republic of Nigeria (CFRN) serves as an anchor. It only serves as a framework for the observance of this fundamental right, as the word ‘privacy’ is not explicitly defined in the CFRN. It guarantees the protection of citizens, homes, correspondence and telecommunications.

INTRODUCTION

In line with the global digitization of businesses and everything else, most exchanges are carried out online or electronically. This hastened the process of information dissemination, and as the advantages outweigh the risks, the system is definitely here to stay. However, one of the risks which this article will focus on is that of privacy and the risk of breaches in workplaces.

What Is Electronic Communication?

As the name implies, it is communication done by electronic means. It uses electronic systems to transmit information using computers, e-mail, telephone, fax, etc.[1] Communication (as defined by Oxford Languages) refers to the exchange of information by speaking, writing, or using some other medium.

What Is Privacy?

Privacy is freedom from unauthorized intrusion on one’s personal matters. With regard to the law, it is a fundamental right that embodies the presumption that individuals should have an area of autonomous interaction without unsolicited intervention from others.[2]

Electronic Communication in Workplaces:

Most workplaces make use of electronic communication (especially email, Zoom, Microsoft Teams and telephone) to disseminate information. This form of communication is necessary, especially in workplaces where swift decision-making, planning and accounting are essential for progress. Marking files as confidential, password-protecting electrical information storage devices, encrypting email systems and shredding paper copies when necessary are some of the things that must be done to conform to maintaining confidentiality, as they help protect against hackers as well.

Confidentiality and safeguarding of professional information matters for legal (being bound by statutory requirements or professional codes of conduct) and reputational reasons (respect for clients’ personal and sensitive personal data).[3] Confidential circulated information needs to be safeguarded to prevent it from being misused by third parties for fraud, such as identity theft, or competitors using it to gain leverage (trade secrets, for example).

Privacy Of Electronic Communication in Nigeria And Its Merge With Data Protection:

The rapid advancement of technology demands tighter security policies to protect information. These policies help set rules and standards for compliance to prevent leaks.

The root cause of restricting certain information in the workplace is to uphold data protection, and this cannot be done successfully without being backed by the law, as it is virtually impossible to discuss privacy and not border on data protection laws. Electronic communication includes electronic correspondence, emails, etc. which is covered by the constitution (further explained below) and as such, this topic has to be swept under that of data protection.

With Nigeria as the case study of this article, section 37 of the 1999 Constitution of the Federal Republic of Nigeria (CFRN) serves as an anchor. It only serves as a framework for the observance of this fundamental right, as the word ‘privacy’, is not explicitly defined in the CFRN. It guarantees the protection of citizens, homes, correspondence and telecommunications. One may also backtrack further to: Article 12 of the Universal Declaration of Human Rights (UDHR), Article 14 of the ECOWAS Supplementary Act on Personal Data Protection, Article 17 of the International Covenant on Civil and Political Rights (ICCPR), Sections 1 and 38 of the Cybercrime Act 2015, and Part IV of the consumer Code of Practice Regulations (Nigerian Communications Commission) all of which uphold the right to privacy, of which Nigeria is a party to.

The National Information Technology Development Agency Act, which established NITDA in 2001 to implement the country’s National Information Technology Policy (NITP) adds flesh to the constitutional provision by regulating the IT sector and providing standards for compliance. Some examples include the rights of data subjects, the requirement of consent, and the appointment of a data protection officer in public offices, etc. A subsequent establishment which is current national law on data protection is that of Nigeria Data Protection Regulation (NDPR) of 2019 pursuant to Section 6 of the NITDA Act 2007.[4] As with previous provisions, this is aimed at improving data privacy/information management in Nigeria.

Lastly, there is the NDPB (Nigeria Data Protection Bureau) established in 2022 tasked with overseeing the implementation of the NDPR. It complements the work of statutory provisions, with the common goal of safeguarding the privacy of persons.[5]

Some relevant data protection policies required under the NDPR include:[6]

1. Data Protection Impact Assessment Policy which applies to the intensive use of personal data. This is conducted periodically to identify possible areas where data breaches are at risk, and develop strategies to combat such risks.
2. A privacy policy is expected to be developed by all organizations that process personal data in any medium. It must be easily comprehensible and published on the website (for easy accessibility) business premises, and provide a copy to the data subjects.
3. Internal data protection policy, developed to help understand the organization’s mode of handling personal data. This is expected to be circulated among all members of staff and relevant third parties.
4. Information Security Policy: This policy is expected to incorporate security technologies and measures for protecting systems from hackers (such as setting up firewalls, etc.) and storing data securely. An example of such policy in practice is ‘Anti-Malware Security’, and ‘Remote Access Policy.
5. All public and private organizations in Nigeria that control the data of natural persons must publish to the general public, their respective Data Protection Policies within three months of issuance of the NITDA Regulation.[7]

Additionally, most businesses employ the use of NDAs (Non-Disclosure Agreements), to be signed before giving persons access to confidential information. This protects them from liability when a breach stems from a party’s failure to adhere to the agreement. There is also the requirement for organizations to conduct in-depth audits of the procedures put in place for data protection.[8]

The implementation of privacy policies depicts an organization’s readiness to safeguard data in its custody, and comply with data privacy laws/regulations.

Another aspect worth noting is that of the Central Bank of Nigeria’s Cybersecurity Guidelines, enacted to strengthen cyber resilience in the financial sector. This illustrates that data protection is an all-around concept, applicable to various industries in various ways.[9]

A simple but crucial line exists between total and reasonable privacy protection. Despite how important it is to safeguard from unreasonable public interference, the right to privacy is far from absolute. Some exceptions are put in place by law to help balance the scale. As seen in the Guidelines for Application of NDPR, these exceptions apply to cases of health emergency, national security and crime prevention, which are of utmost importance.[10]

CONCLUSION

As stated initially, the need for electronic communication is inevitable, especially among organizations and businesses. Therefore, as technology continues to bloom, the government and its agencies must continue to innovate policies that are adequately equipped to combat excesses presented by technological advancement so that crucial information is kept private and safe, and the dissemination of data is safeguarded as well. The government must also ensure strict implementation of its national policies to achieve the set objectives. Failure to do this puts not just the industry but the whole society in turmoil. Moreover, the right to privacy is not absolute. Exceptions have been and should continue to be put in place so that in cases of dire necessity, access to vital information is never a hindrance.

AUTHOR: Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).

Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm) where he also doubles as the Team Lead of the Firm’s Emerging Areas of Law Practice.

Mr. Atoyebi has expertise in and a vast knowledge of Technology, Media and Telecommunications Law and this has seen him advise and represent his vast clientele in a myriad of high level transactions.  He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of a Senior Advocate of Nigeria.

He can be reached at atoyebi@omaplex.com.ng

CONTRIBUTOR: Jamilu Samaila.

Jamilu is a Team Lead in the Corporate and Commercial Team at OMAPLEX Law Firm. He also holds commendable legal expertise in Data Privacy and Data Protection.

He can be reached at jamilu.samaila@omaplex.com.ng.

[1]https://www.google.com/search?q=What+is+an+Electronic+Communication+and+Its+Types+(elprocus.com)&oq=What+is+an+Electronic+Communication+and+Its+Types+(elprocus.com)&aqs=chrome.69i57.1141j0j7&sourceid=chrome&ie=UTF-8 <Accessed 19 August 2022>

[2]https://www.google.com/search?q=CONSTITUTIONAL+HUMAN+RIGHTS+TO+PRIVACY+IN+NIGERIA+%7C+Khadfora&oq=CONSTITUTIONAL+HUMAN+RIGHTS+TO+PRIVACY+IN+NIGERIA+++%7C+Khadfora&aqs=chrome…69i57.1979j0j7&sourceid=chrome&ie=UTF-8 <Accessed 19 Augst,2022>

[3] https://www.skillsyouneed.com/lead/workplace-confidentiality.html <accessed on 16th August, 2022>

[4]https://www.google.com/search?q=%3CHome+Page+-+NDPR+(nitda.gov.ng)&oq=%3CHome+Page+ +NDPR+(nitda.gov.ng) &aqs=chrome.69i57j0i546l4.3535j0j7&sourceid=chrome&ie=UTF-8 <Accessed on 24^th August, 2022>

[5]https://ndpb.gov.ng/ <accessed 25^th August, 2022>

[6] https://www.mondaq.com/nigeria/privacy-protection/1156472/essential-data-privacy-and-protection-policies-every-organisation-in-nigeria-should-have< accessed on 25^th August, 2022>.

[7]  http://www.alliancelf.com/data-privacy-and-data-protection-law-in-nigeria <accessed on 25th  August, 2022>

[8] Ibid 6. See also Art. 4.1(5)(h) NDPR.

[9] https://www.cbn.gov.ng/Out/2022/OFISD/Letter%20to%20all%20OFIs%20Issuance%20of%20Risk-Based%20Cybersecurity%20Framework%20and%20Guidelines%20for%20Other%20Financial%20Institutions.pdf <Accessed 18 August, 2022>

[10] GuidelinesForImplementationOfNDPRInPublicInstitutionsFinal11.pdf (nitda.gov.ng) <accessed 25^th  August, 2022> or http://dx.doi.org/10.2139/ssrn.3062603< accessed on 23^rd August, 2022>