Regulation 2017 Data Governance Electronic Transactions
Source
Electronic Transactions Bill

Nigeria

Tags: Consent, Data, Data processing, Electronic commerce, Electronic communication, Electronic signature, Personal data

Definition of Data

Data is not defined

Main Focus of Document

Provides regulatory measures for electronic transactions and communications

Target Beneficiaries or Sector

consumers, businesses

Key Elements

The Bill provides a legal and regulatory framework for: the protection of rights of consumers and other parties in electronic transactions and services, the protection of personal data, conducting transactions using electronic media, and facilitating electronic commerce in Nigeria. Key details include:

Electronic Signature 
11.—(1) Where the signature of a person is required, that requirement is met in relation to an electronic communication if: (a) any method is used to identify the person and to indicate the person’s approval of the information communicated; (b) having regard to all the relevant circumstances at the time the method was used, the method was as reliable as was appropriate for the purposes for which the information was communicated; and (c) the person to whom the signature is required to be given consents to that requirement being met by way of the use of the method mentioned in paragraph (a). 
(2) This section does not affect the operation of any other law that makes provision for, or in relation to, requiring: (a) an electronic communication to contain an electronic signature however described; (b) an electronic communication to contain a unique identification in an electronic form; and (c) a particular method to be used in relation to an electronic communication to identify the originator of the communication and to indicate the originator’s approval of the information communicated. 
(3) This section shall apply to the execution and use of the electronic signature in closed systems, unless the users of a closed system specify otherwise. 

17.—(1) The provisions of this Part shall apply to the processing of personal data wholly or partly by automated means, and to the processing otherwise than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
(2) The provisions shall not apply to the processing of personal data: (a) in the course of an activity concerning public safety, defence, national security; (b) concerns the activities of law enforcement, intelligence or prosecuting agencies in areas of criminal law; (c) by a natural person in the course of personal or domestic activity.

18.—(1) Personal data shall only be processed if at least one of the following conditions are met: (a) the data owner has given his consent to the processing; (b) the processing is necessary for the performance of a contract to which the data owner is a party, or for the taking of steps at the request of the data owner with a view to entering into a contract; (c) the processing is necessary for compliance with any legal obligation to which the data holder is subject, other than an obligation imposed by contract; (d) the processing is necessary in order to protect the vital interests of the data owner; (e) the processing is necessary in the interest of the public and good governance. 
(2) Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.  
(3) Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
(4) Personal data shall be provided accurately and, where necessary, kept up to date. 
(5) Personal data processed for whatever purpose, shall not be kept for longer than required.
(6) Personal data shall be processed in accordance with the rights of data owners under the laws of the Federal Republic of Nigeria.
(7) Personal data shall not be transferred to a country or territory outside the Federal Republic of Nigeria unless that country or territory provides adequate level of protection for the rights and freedoms of data owners in relation to the processing of personal data. 

19.—(1) Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sexual orientation shall not be processed unless: (a) the data owner has given his explicit consent to the processing of those data; (b) processing is necessary for the purposes of carrying out the obligations and specific rights of the holder in the field of labour law and it is authorized by law and adequate safeguards are provided; (c) processing is necessary to protect the vital interests of the data owner or of another person where the data owner is physically or legally incapable of giving his consent; (d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other nonprofit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data owners; (d) any information available to the data holder as to the source of those data. 
(2) The right in subsection (1) can only be exercised provided that the data owner has made a request in writing, and paid any required administrative fees.
(3) A data holder is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks. 
(4) Where a data holder cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless: (a) the other individual has consented to the disclosure of the information to the person making the request; and (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual. 

21.—(1) An individual is entitled at any time by notice in writing to a data holder to require the data holder at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing, such personal data in respect of which he is the data owner. 
(2) If a court of record is satisfied, on the application of any person who has given a notice under subsection (1), that the data holder has failed to comply with the notice, the court of record may order him to take such steps for complying with the notice as the court deems fit. 
(3) An individual who suffers damage by reason of any contravention by a data holder of any of the requirements of this Act is entitled to compensation from the data holder for that damage.

22. Any person acting under the authority of the holder or of the processor, including the processor himself, who has access to personal data, shall not process such data except on instructions from the holder, unless he is required to do so by law; the processing relates to data which are manifestly made public by the data owner or is necessary for the establishment, exercise or defense of legal claims; and the processing is in the interest of public policy, good governance and national security. 
(2) Subsection (1) shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy. 

20.—(1) Subject to the provisions of this Act, an individual shall be entitled to be informed by any data holder where personal data of which that individual is the data owner are being processed by or on behalf of that data holder. Such information which may be communicated in an intelligible form shall include: (a) the personal data of which that individual is the data owner; (b) the purposes for which they are being or are to be processed; and (c) the recipients or classes of recipients to whom they are or may be disclosed,

23.—(1) A data holder must implement appropriate technical and organizational measures and exercise reasonable care to protect personal data against accidental or unlawful destruction or accidental loss and against unauthorized alteration, processing, disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. 
(2) Having regard to the state of the art and the costs of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.  

24. The data holder must, where processing is carried out on his behalf, choose a processor who provides sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out and must ensure compliance with those measures.  

25. NITDA may, in consultation with any appropriate regulatory body, develop rules and guidelines for Data Protection in Nigeria. 

Electronic contracts  
26.—(1) In the context of contract formation, unless otherwise agreed by the parties, an offer and acceptance may be expressed by means of a document as defined in this Act. 
(2) Where a document is used in the formation of a contract, that contract shall not be denied validity or enforceability on the ground that a document was used for that purpose. 
(3) A contract may be formed by the interaction of electronic agents: Provided that the interaction results in the agents engaging in operations that confirm or indicate the existence of a contract.  
(4) (a) A contract may be formed by the interaction of an electronic agent and a natural person. (b) A contract is formed if the person has reason to know that he is dealing with an electronic agent and the person takes actions or makes a statement that he has reason to know that the electronic agent will perform the subject of the contract, or instruct a person or agent to do so. 
(5) Where there is an obligation on any person, agency or body corporate, to make financial payments, such obligation shall be fulfilled if the payment is made electronically in a manner specified by the Central Bank of Nigeria under any law, regulation or directive.
(6) NITDA or any appropriate regulatory body, having due regard to developments in Information Technology, may by regulation provide that subsection (1) does not apply to a specified transaction or to a specified law.

Policy/Regulation Mirrors

n/a