The National Information Technology Development Agency (NITDA) has given explanation as why Law Firms are being licensed as Data Protection Compliance Organisations (DPCO).
This follows a social media post made by a concerned legal practitioner on the propriety of NITDA licensing law firms as Data Protection Compliance Organisations (DPCO) to provide data-privacy related services to the public.
Referenced post (Source: Gbenga Odugbemi/LinkedIn):
In his opinion, this stifles the growth of data privacy in Nigeria.
But in a swift response, NITDA said they regard highly the opinion of well-meaning individuals and organisations on the implementation of the mandate, hence there is a need for clarification for the benefit of the writer and other esteemed stakeholders.
A statement signed by the Head, Corporate Affairs and External Relations at NITDA, Mrs Hadiza Umar, reads:
“The right to privacy is a constitutional right guaranteed by section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended). However, it is factual and legal inaccuracy to equate the right of data privacy or indeed the provision of data privacy-related services, to the right to data protection. Data protection goes beyond protecting personal data privacy; it also involves the processes, systems and rules to ensure the confidentiality, integrity and availability of data.
“The Nigeria Data Protection Regulation (NDPR) does not seek to inhibit, restrict or curtail the rights of the legal practitioner as provided by the Legal Practitioners Act. The NDPR rather, has opened a new vista of opportunities for lawyers to expand their practice into the area of Data Protection. Lawyers have a right to conduct, take part in proceedings and file court and administrative processes relating to the enforcement or defence of the right to privacy. However, not every lawyer has the competence to conduct and file Annual Data Audit Report as prescribed by Article 4.1(5,6,7) of the NDPR.
“NITDA licensed law firms understand that they represent the Agency in the drive to entrench compliance and help data holding entities to bridge the historical and systemic gap in data protection compliance in Nigeria. Unlike the requirements legal practitioners must fulfil before appearing in the courts of law, the criteria for licensing as a DPCO, requires knowledge of data protection compliance and enforcement, which is not part of the residual knowledge of every lawyer.
“The opinion of the author that the DPCO scheme lacks precedent is a testimony to the innovation NITDA is bringing to its regulatory mandate. Moreover, as the evergreen Lord Denning said in the case of Parker v. Parker, ‘If we never do anything which has not been done before, we shall never get anywhere.’
“While lawyers retain their privilege to traditional privacy rights advocacy and enforcement in most other jurisdictions, NDPR further recognises and institutionalises the capacity of prepared legal practitioners to participate in the audit, training and compliance services for data controllers and processors. It is encouraging to note that Nigeria’s model has become subject of intense studies for adoption within and outside Africa”.
She further said that NITDA is pleased that due to its licensing of DPCOs, training and awareness on data privacy protection has been widely entrenched, jobs are being created, bureaucratic bottlenecks have been eliminated in the bid to comply and the country is fast-tracking its progress towards digital economy maturity.
The National Information Technology Development Agency (NITDA) is the apex regulator for Information Technology in Nigeria under the auspices of the Federal Ministry of Communication and Digital Economy.
The Agency is empowered by Section 6(c) of the NITDA 2007 to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria.
The Agency issued the NDPR in 2019 as Nigeria’s first comprehensive framework for the protection of personal data.
The NDPR provides the principles and framework for the protection and processing of personal data of Nigerians and residents.