Authored By: Lawson Boladuro Joan
Lead City University
ABSTRACT
This article examines how sensitive personal data is protected under Nigerian law, particularly within the framework of the Nigeria Data Protection Act 2023. It highlights the growing importance of privacy in the digital age and the efforts made to safeguard individuals’ data. The article reviews relevant judicial decisions that have shaped the interpretation of data protection principles in Nigeria. It also identifies major challenges such as weak enforcement, low public awareness, and limited judicial capacity. The article concludes by recommending stronger implementation measures, clearer regulatory guidelines, and continuous public and judicial education to enhance the effective protection of sensitive personal data in Nigeria.
INTRODUCTION
In today’s digital world, personal information is constantly being collected, stored, and shared. Some of this information is more private and requires special care. This type of information is called sensitive personal data. The misuse of such data can lead to discrimination, identity theft, or damage to a person’s reputation. Nigeria has made progress in protecting data through laws like the Nigeria Data Protection Act 2023.1 However, there is still a need for better awareness, stronger enforcement, and a clearer understanding of how sensitive data should be handled.
OVERVIEW OF SENSITIVE PERSONAL DATA UNDER THE NIGERIA DATA PROTECTION ACT
The NDPA, passed into law on 12 June 2023, is Nigeria’s first primary data protection legislation. Part V of the Act 2provides for the concept of sensitive personal data.
The Act defines sensitive personal data as any personal data relating to an individual’s biometric and genetic data, race or ethnic origin, religion, political opinions or affiliations, health status, sex life, or trade union membership.3Sensitive personal data refers to information about a data subject that is very private and could harm them if shared without permission.
Sensitive personal data poses higher risks for data subjects than other types of data. It may expose individuals to discrimination, segregation, embarrassment, loss of opportunities, and human rights violations. 4For example, revealing someone’s health condition, such as being HIV positive, without consent can lead to discrimination.
The idea of sensitive personal data is also recognized in other countries, such as under the European Union’s General Data Protection Regulation (GDPR),5 which gives similar examples and requires strict conditions before such data can be processed.
Furthermore, the Nigeria Data Protection Act expressly prohibits the processing of sensitive personal data except in cases of consent, contract, vital interest, public interest, or legitimate interest.6
EXAMPLES OF SENSITIVE PERSONAL DATA
Sensitive personal data can cover different areas of a person’s private life. The most common examples include:
- Racial or Ethnic Origin: This includes all information showing a person’s race or tribe.
- Religious or Philosophical Beliefs: For example, knowing that an individual is a Christian or Muslim
- Political Opinions: This refers to data showing a person’s political party or support for a particular candidate.
- Health Information: It includes but not limited to medical records, disability status, or mental health information.
- Sex Life : It refers to details about a person’s private relationships or sexual orientation.
- Biometric and Genetic Data: Fingerprints, facial recognition data, DNA information.
- Trade Union Membership: Knowing whether someone belongs to a union or labour group.
LEGAL PRECEDENTS
Judicial interpretation of sensitive personal data in Nigeria is still developing. However, landmark cases such as Digital Rights Lawyers Initiative v. National Identity Management Commission7 affirmed that personal and sensitive data, including biometric data and national identification information, must be securely stored and accessed only in compliance with data protection law.
In Incorporated Trustees of Paradigm Initiative for Information Technology v. National Identity Management Commission,8the court emphasized that data controllers must adhere to strict data processing and security measures, particularly for biometric data, which is classified as sensitive personal data.
In Godfrey Eneye v. MTN Nigeria,9 a subscriber sued MTN for the disclosure of his phone records without consent. The court recognized that the unauthorized disclosure of personal and sensitive data, such as the publication of his phone records, violates privacy rights under the Constitution and the NDPA.
Similarly, in Europe, cases like Schrems v. Data Protection Commissioner 10and Google Spain v. AEPD11 have emphasized the need to protect sensitive data and give individuals control over their information.
CHALLENGES IN HANDLING SENSITIVE PERSONAL DATA
Although Nigeria has taken important steps to protect data through the NDPA and the establishment of the Nigeria Data Protection Commission (NDPC), several challenges still affect the effective handling of sensitive personal data.
One major challenge is low public awareness. Many Nigerians do not know their data protection rights or how to report violations which makes it difficult to hold organizations accountable.
Another challenge is weak enforcement, many data controllers and data processors collect and process sensitive data without following the law, and penalties are rarely applied.
In addition, many public institutions and small businesses lack the technical capacity to build secure systems for managing sensitive data.
Furthermore, limited judicial expertise remains a serious concern. Courts are still developing experience in data protection matters, which leads to inconsistent decisions and weak judicial guidance.
RECOMMENDATIONS
To address these issues, the NDPC should increase public education on data protection rights and strengthen enforcement against non-compliant data controllers and processors. Judges and lawyers should receive regular training on data protection law, and the NDPC should issue clear and simple compliance guidelines for institutions. With these measures, sensitive personal data in Nigeria can be more effectively protected against misuse and abuse.
CONCLUSION
Sensitive personal data is a vital part of the right to privacy and human dignity. Nigeria’s legal system has made progress through the Nigeria Data Protection Act 2023, but much more needs to be done to make these laws effective. There must be stronger awareness, enforcement, and judicial involvement. Protecting sensitive personal data is not only about compliance with the law but also about building trust in Nigeria’s growing digital society.
BIBLIOGRAPHY
Olumide, B, Annotated Nigeria Data Protection Act (Noetico Repertum Inc. 2023).
1 Nigeria Data Protection Act 2023.
2 Ibid, s 30.
3 Nigeria Data Protection Act 2023, s 65.
4 Olumide Babalola, Annotated Nigeria Data Protection Act (1st edn, Noetico Repertum Inc. 2023).
5 European Union General Data Protection Regulation (GDPR), art 9(1).
6 Nigeria Data Protection Act 2023, s30 (1)(a)-(f).
7 [2021] LPELR-55623(CA)
8 [2019] Federal High Court.
9 Appeal No: CA/A/689/2013 (Unreported).
10 Case C-362/14 Maximillian Schrems v Data Protection Commissioner EU:C:2015:650, [2015] ECR I-650
11 Case C-131/12 Google Spain SL v Agencia Española de Protección de Datos (AEPD) EU:C:2014:317, [2014] ECR I-317
