Personal data protection in the post-lockdown use of robots in Nigeria

By Emmanuel Salami, privacy advisor

Following attempts to re-open various sectors of the Nigerian economy for business, the (Nigerian) media has been awash with news that various institutions have been acquiring robots with the objective of securing the safety of the general public. Some of these institutions (for instance- the Federal Aviation Authority) have carried out public demonstrations on the use of these robots.[1] Unfortunately, it is surprising that for an activity which will process large volumes of sensitive personal data; profile data subjects; collect and store body temperatures and other health-related data of Nigerian residents, no consideration has been given to data protection law. While these robots are yet to be put into full use as at the time of writing this piece, it is not out of place to expect that in preparing to launch these robots, the efforts towards data protection compliance ought to have formed part of the communication being advanced by responsible institutions. In a bid to pre-empt and forestall this impending violation of the Nigerian Data Protection Regulation (NDPR), some non-exhaustive considerations which ought to be taken into account are highlighted in this article.

• Lawfulness: Article 2.2 of the NDPR provides that personal data should only be processed if one of the legal bases of processing personal data which are – consent, legitimate interest, contractual agreement, legal, public and vital interests – are complied with. The National Information Technology Development Agency (NITDA), the closest semblance of a data protection supervisory authority in Nigeria, has in a previous statement taken the position that ‘public and vital interests’ are justifiable legal basis for processing personal data.[2]
• Information: Article 2.5 of the NDPR provides that personal data processing media shall display a privacy policy containing information about the legal basis, description and purpose for which personal data are collected etc. In the deployment of robots after the lockdown, particularly at airports and large public gatherings, actions such as placing conspicuous signposts in the vicinity where the robots will be deployed, providing adequate information on relevant websites etc. will be effective measures for meeting this standard. Furthermore, there is a lack of clarity on the involvement of any third-party service providers in the deployment of the robots. Will the personal data retrieved by these robots be shared with such third parties (if any)? Will the personal data be stored within or outside Nigeria? All these and other relevant questions will be adequately resolved if the appropriate provisions of the NDPR are complied with.
• Data deletion: One of the most consequential risks that may accrue from the post-lockdown use of robots in Nigeria is the possible unlawful retention and reuse of the data collected even after the eradication of the COVID-19 pandemic. The large volumes of (sensitive) personal data that will be collected through these robots makes this risk a potentially biting challenge. As anticipated under Section 2.1 (1) (c) of the NDPR, personal data collected by these robots should be deleted periodically. In determining the timeframe for data deletion, only necessary factors such as the 14-day incubation period of the virus should be put into consideration.
• Data security: Controllers and processors involved in the deployment of robots to be used for post-lockdown purposes must in accordance with Section 2.6 of the NDPR, adopt adequate technical and organizational measures which will ensure the security of the collected data and restrict access to the data on a need-to-know basis. This consideration must be given very detailed attention because of the sensitive nature of the personal data that will be processed by these robots.
• Privacy Impact Assessments (PIA): Though the NDPR does not expressly define or provide for a PIA for specified processing activities,[3] this provision may be implied from section 3.1.5 (J) of the NDPR which mandates relevant organizations to submit their ‘policies and procedures used in assessing the impact of technologies’. From this provision, it can be implied that the NDPR anticipates some form of PIA in the use of technologies even though this is not developed any further under the legislation. Despite not being grounded in the NDPR, conducting a PIA before the deployment of an army of robots in Nigeria’s fight against the COVID-19 pandemic will highlight the risks that could be expected therefrom with remedies being designed before deployment.

In conclusion, it will amount to an enormous dent to Nigeria’s aspirations of being a data protection compliant country[4]  if robots are deployed to tackle the COVID-19 pandemic without recourse to Nigeria’s first and only comprehensive law on data protection, the NDPR. It has to be said that the attitude of NITDA in these challenging times is quite worrisome. One would expect that as the responsible Agency that drafted and issued the NDPR, [5]  NITDA would champion compliance with its provisions. Unfortunately, this is not the case. It is hoped that NITDA will awaken to its responsibilities by releasing comprehensive guidance and policy documents that can purposefully stir Nigerian data protection law in the proper direction.

REFERENCES

*Emmanuel Salami – privacy/data protection advisor.

1. Samuel Nwite, Nigeria Deploys Robots to Airports As it Prepares to Resume Commercial Flights. (June 28^th 2020, Tekedia). Available at: https://www.tekedia.com/nigeria-deploys-robots-to-airports-as-it-prepares-to-resume-commercial-flights/ See also: Ijeoma Popoola, COVID-19: Unilag gets robots for temperature, blood pressure checks, others. (June 29^th 2020, NNN). Available at: https://nnn.com.ng/covid-19-unilag-gets-robots-for-temperature-blood-pressure-checks-others/ accessed 29/6/2020.

2. Emmanuel Elebeke, NITDA promises to Align COVID-19 Data Collection Strategies with NDPR guidelines. (29^th March 2020, Vanguard) Available at: https://www.vanguardngr.com/2020/03/nitda-promises-to-align-covid-19-data-collection-strategies-with-ndpr-guidelines/ accessed 29/6/2020.

3. See Article 35 of the GDPR.

4. See the preamble and Section 1.0 of the NDPR.

5. See the preamble of the NDPR.

Written by Emmanuel Salami, privacy advisor.