Protecting Your Data: The Data Protection Act 2023

In the present day, data is everything: acquiring it, processing it, and analyzing it for deductions. It is almost like a crystal ball that businesses use for different profitable purposes, predicting what is obtainable in particular situations and with particular people or groups of people based on characteristics such as age, gender, ethnicity, background, size, medical history, hobbies, likes, and dislikes. For example, data analytics can be used to gain an understanding of breast cancer and to reveal trends for better medical care (Sheikh, 2023).

That is how important data is, and personal data is even more important and sensitive, as it has more far-reaching implications. Personal data is any information relating to or about a person that may be used, either directly or in combination with other data, to identify a living individual, e.g. name, age, address, identification number, etc. This is different from general data, which is more random and vague.

The Data Protection Act 2023 seeks to manage how data controllers and processors, i.e. people or companies that collect, store, and process data, handle our data. Section 24 of this Act provides guidelines that data controllers and processors must abide by in collecting and processing data in Nigeria.

Section 24 provides the following six guidelines: 

(1) A data controller or data processor shall ensure that personal data is — 

(a) processed in a fair, lawful, and transparent manner;

Data controllers and processors must be fair and lawful in how they analyse and use your data, i.e. they must use it in accordance with this legislation and must not contradict the provisions of any Nigerian law. They must also be open and honest about how they use it, i.e. what it is being used for, how long it will be kept, and any other matters regarding its use. They must also be forthcoming with information about the processing of your data if you enquire about it.

(b) collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes;

The purpose for which your data is being collected must be specified in clear terms and must not be unlawful, and the company must limit its use of the data to the functions it stated as the reasons for collecting it.

(c) adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed;

Data controllers and processors should not request more data than they need for the particular purpose for which they collect it. For example, a company requesting your data to send you tailored job ads should not ask for your medical history or your National Identity number, as this is more than what is necessary to provide job ads tailored to you.

(d) retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed; 

Data controllers and processors should not retain your data for longer than they need it for the purpose they collected it. Once it is no longer needed, it should be deleted or destroyed. It should not be held indefinitely.

(e) accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; 

The data collected must be correct and complete to the best of their ability, i.e. the information given is the information that should be used or processed. It should not be altered in any way. However, if the data provider gives wrong information, this could be said to be out of the control of the data controllers and processors. They should, however, aim to keep the data in their possession as up to date as possible. This could be done by requesting the provider to update their information, by including the date of the last entry against the information provided for reference, or by updating information automatically where appropriate. For example, if in 2001 a person stated their age to be 16, in 2011 that person would be 26. With each year that passes, that data could be increased by one year, thus keeping it up to date.

The data must not be recorded in a way that implies something untrue. The information must be complete and accurate enough for the right deductions to be made upon consideration. The data controllers and processors must provide an avenue for full and accurate information to be given and stored.

(f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach:

Where a person provides personal information or data, the receiver must have a system in place to protect this data from unauthorized access, loss, destruction, or any kind of damage such as corruption or tampering. The data must be secure and protected from any breach or unauthorized use.

(2) A data controller and data processor shall use appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data.

(3) Notwithstanding anything to the contrary in this Act or any other law, a data controller or data processor owes a duty of care, in respect of data processing, and shall demonstrate accountability, in respect of the principles contained in this Act.

The data controllers and processors shall have the appropriate technical and organisational mechanisms in place to ensure that the data collected is secure, accurate, and readily available for use or authorised access.

The Act, by virtue of section 2, places a duty of care on the data controllers and processors to ensure that this provision is complied with. This means that where they fail in that regard, depending on the circumstances, liability on their part may arise and the affected person(s) could seek redress.

The Act seeks to protect us by protecting our privacy, particularly our personal data. It tries to achieve this by regulating how data controllers and processors use it. However, there is only so much that the law can do. On our part, there are a few things we can do to secure our personal data. Some of these include:

  • Protect your personal information with strong passwords

Make sure to use strong passwords when opening accounts. Try to avoid using your name or date of birth. Use a mixture of letters, numbers, and symbols. Do not use one password across all your accounts; rather, if remembering separate passwords is a problem, have at least three passwords and use them randomly across your different accounts. Try to use a unique password for your email, as your email can be used to gain access to your other accounts.

  • Make sure your devices are secure

Your devices carry the bulk of your personal data, so you must try to keep them secure. Try using passwords or other security options such as face scanning or fingerprint recognition to protect your devices.

  • Install the latest software and app updates

Keep up to date on software installations on your devices, especially security updates. Updates for software and apps include critical security patches that help shield your devices from online fraudsters.

  • Be careful about Wi-Fi

Never trust the security of public Wi-Fi. Steer clear of unprotected public Wi-Fi networks. Ensure that the passwords on your personal Wi-Fi networks are secure and that you change them regularly.

  • Set up two-factor authentication

Stop hackers from accessing your personal accounts and data by turning on two-factor authentication. Just remember not to use your name, date of birth, or any easily accessible or predictable information as the code or security question for the authentication. Two-factor authentication is an additional layer of security that will keep your accounts safe even if someone knows your password.

  • Back up your personal data

Protect your most valuable information by backing it up to an external hard drive or cloud storage service. This makes a backup copy of your data to protect you from losing critical information in the event that a device is stolen, lost, or compromised.

Our world is driven by data. We can all have simpler, more comfortable lives that are more linked, at work and at home, when we share data. The law on data protection outlines the steps that must be taken to guarantee that everyone’s data is treated fairly and appropriately. This is due to the possibility of harm occurring if personal information ends up in the wrong hands. People could become the targets of identity theft, prejudice, or even physical harm, depending on the circumstances. All workplaces, commercial endeavors, societies, groups, clubs, and enterprises of any kind are subject to data protection laws. There are numerous advantages to following data privacy regulations. Good data protection is not only required by law, but it also makes financial sense because it can save you money and effort. Additionally, for businesses, it demonstrates to consumers that you value their privacy, which is beneficial to your brand and reputation.

Chinenye Mbachu Esq

References
