The world is faced with one of the most serious global health security threats in decades – COVID-19. As we struggle to seek remedies, companies, organisations and governments have begun to make decisions to restructure their processes to fight against its continuous spread.
Amidst these mitigating measures, the need for compliance with privacy laws has never been more crucial. In Nigeria, for instance, many of these measures involve the collecting and processing of personal information of Nigerian Citizens, including sensitive information (such as health data). Data Privacy regulations seek to complement rather than hinder the management of public health for the purpose of fostering openness of affected patients.
Companies, health care givers, journalists and governmental organisations who are concerned with implementing those mitigating steps (“Data Controllers”) should consider the following as they implement their safeguards to curb the spread of COVID-19 within Nigeria:
Collecting and Processing
At the point of collection of personal information, the consent of the individual (“Data Subject”) should be obtained. However, the Nigeria Data Protection Regulation (NDPR) permits that where consent cannot be obtained, the data may be collected where there is a legal obligation to do so or in the interest of the general public.
In other words, to lawfully process the data obtained from a Data Subject, the Data Subject should have consented to the processing. However, where the Data Subject restricts processing of his data, the NDPR permits that the data be processed for the purpose of “public interest” in Nigeria. In addition, the Data Controller is expected to adopt a transparency policy by disclosing to the Data Subjects the purpose of obtaining their data and details of all third parties who will be processing the information. Only data which is necessary for the purpose of achieving the objective should be collected and processed.
Information such as name, age and gender collected by the Data Controller is to be protected. The NDPR places an obligation on the Data Controller to maintain the confidentiality of the information acquired and to minimize access to the data. Thus, hospitals and employers of patients, for example, should refrain from disclosing the identities of patients to third parties without their consent.
Where the negligence of any Data Controller leads to a data breach, the Data Controller who obtained the information from the Data Subject shall be accountable to the Data Subject. Where the Data Subject suffers any form of damage, he may bring an action and complaint against the Data Controller both in a court of law and before the National Information Technology Development Agency (NITDA). Therefore, hospitals, government agencies and employers, in the context of dealing with information of patients, have a duty to be accountable to them in the event of a data breach.
The data obtained by the Data Controller must not be kept longer than required. The information is expected to be properly discarded once processing has been completed and where it is no longer necessary to continue to store that data.
There is a need to create a balance between public interest and privacy rights of individuals for the effective combat of COVID-19 and other diseases. Amidst health risks, the NDPR remains operational to ensure the protection of the privacy of everyone affected.