Nigeria’s IT clearinghouse, the National Information Technology Development Agency (NITDA) has described the licensing of law firms as Data Protection Compliance Organisations (DPCO) as reflecting the dynamics of IT regulations.
In a statement issued this week in Abuja, the agency described its licensing of law firms as DPCOs as exemplifying creativity and innovation in IT regulation.
The NITDA introduced the Nigeria Data Protection Regulation (NDPR) in 2019 and is designed to safeguard the right of natural persons to data privacy, foster safe conduct of transactions involving exchange of personal data. All public and private entities handling data must comply with the NDPR and only DPCOs are licensed to ensure compliance.
According to the NITDA,”NDPR further recognises and institutionalises the capacity of prepared legal practitioners to participate in the audit, training and compliance services for data controllers and processors.”
But it appears some stakeholders are still unclear on the role of DPCOs. NITDA’s statement is in reaction to some of those concerns.
Read the agency’s full reaction below as signed by Head of Corporate Affairs and External Relations, Mrs Hadiza Umar.
NITDA’s licensing of law firms as DPCOs exemplifies creativity and innovation in IT regulation
The attention of the National Information Technology Development Agency (NITDA) has been drawn to a social media post made by a concerned legal practitioner on the propriety of NITDA licensing law firms as Data Protection Compliance Organisations (DPCO) to provide data-privacy related services to the public. In his opinion, this stifles the growth of data privacy in Nigeria.
NITDA regards highly the opinion of well-meaning individuals and organisations on the implementation of its mandate, hence there is a need for clarification for the benefit of the writer and our esteemed stakeholders.
The right to privacy is a constitutional right guaranteed by section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended). However, it is factual and legal inaccuracy to equate the right of data privacy or indeed the provision of data privacy-related services, to the right to data protection. Data protection goes beyond protecting personal data privacy; it also involves the processes, systems and rules to ensure the confidentiality, integrity and availability of data.
The Nigeria Data Protection Regulation (NDPR) does not seek to inhibit, restrict or curtail the rights of the legal practitioner as provided by the Legal Practitioners Act. The NDPR rather, has opened a new vista of opportunities for lawyers to expand their practice into the area of Data Protection. Lawyers have a right to conduct, take part in proceedings and file court and administrative processes relating to the enforcement or defence of the right to privacy. However, not every lawyer has the competence to conduct and file Annual Data Audit Report as prescribed by Article 4.1(5,6,7) of the NDPR.
NITDA licensed law firms understand that they represent the Agency in the drive to entrench compliance and help data holding entities to bridge the historical and systemic gap in data protection compliance in Nigeria. Unlike the requirements legal practitioners must fulfil before appearing in the courts of law, the criteria for licensing as a DPCO, requires knowledge of data protection compliance and enforcement, which is not part of the residual knowledge of every lawyer.
The opinion of the author that the DPCO scheme lacks precedent is a testimony to the innovation NITDA is bringing to its regulatory mandate. Moreover, as the evergreen Lord Denning said in the case of Parker v. Parker, “If we never do anything which has not been done before, we shall never get anywhere.”
While lawyers retain their privilege to traditional privacy rights advocacy and enforcement in most other jurisdictions, NDPR further recognises and institutionalises the capacity of prepared legal practitioners to participate in the audit, training and compliance services for data controllers and processors. It is encouraging to note that Nigeria’s model has become subject of intense studies for adoption within and outside Africa.
NITDA is pleased that due to its licensing of DPCOs, training and awareness on data privacy protection has been widely entrenched, jobs are being created, bureaucratic bottlenecks have been eliminated in the bid to comply and the country is fast-tracking its progress towards digital economy maturity.
The National Information Technology Development Agency (NITDA) is the apex regulator for Information Technology in Nigeria under the auspices of the Federal Ministry of Communication and Digital Economy. The Agency is empowered by Section 6(c) of the NITDA 2007 to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria. The Agency issued the NDPR in 2019 as Nigeria’s first comprehensive framework for the protection of personal data. The NDPR provides the principles and framework for the protection and processing of personal data of Nigerians and residents.