Basil Udotai - presentation on privacy and security - Africa E

Data Security laws and
eHealth in Nigeria
Basil Udotai, Esq.,
Managing Partner
Technology Advisors LLP
ICT LAWYERS & CONSULTANTS
Outline
• What has Law got to do with all these?
• Data Security: why should we care?
• Overview of the data protection/security regime in Nigeria
• How does this apply to eHealth?
• Does the legal framework support the protection of data for eHealth services? An analysis of how the law applies to patient data
• What are the challenges or loopholes in the law?
• Solutions
What has Law got to do with it?
• Wey tin Lawyers dey do sef? Really?
• Legal, Regulatory and Transactional Objectives
• The Nature of ICT
• How technology or ICT challenges Law
Nature of ICT
• Global;
• Knowledge based and proprietary;
• Digital/Electronic;
• Fast Paced and Real Time;
• Inherent Insecurity vs Interoperability;
• Mired by Legal Externalities;
• Unlimited Scalability;
• Fiercely Competitive;
• Cheaper Communication;
• Constantly changing and evolving – “All computers to communicate and all communication gadgets to compute!” INTEL CEO, 2004, in Abuja. ITU – same year: VOICE as APPLICATION!;
• Operates in the physical: ATTRIBUTION vs ANONYMITY;
• Value-neutral – the Good, the Bad and the Ugly; and finally
• Shared System
How does Law Challenge ICT
• Form: Non-tangible, electronic or digital materials;
• Identity & Authentication: attribution of electronic
activities, undeniably, to identifiable individual actors;
• Liability: whether civil (cause of action) or criminal
(prohibition), for certainty specific laws/regulations must
be enacted or promulgated;
• Authority: substantive legal authority to act and technical
capacity to investigate and prosecute – LEAs must be
conferred legal authority;
• Legal Process: Evidential standards and Court rules and/or
procedures (civil and criminal) – Admissibility and Weight;
• Jurisdiction: location of party, international cooperation
and enforcement coordination – Dual Criminality
requirements
Privacy & Data Security
• Why should we care?
• Data Explosion – personal data (biometricmania – Nigeria)
• Dangers – self evident – no point listing them in a technology forum
• Data fertilization (linking dumb/blind databases to other public databases to squeeze out intelligent data) – SimReg; BVN; NHIS; Pencom; FRSC; NIS; etc. – running that across standard health data held in any health establishment will reveal all we need to know;
• Uncertainty of Legal Consequences in Data related transactions
Crux of the Matter
• ATTRIBUTION vs ANONYMITY
• Competing business models with inordinate
legal and technological challenges
Kaiser hospital fined $250,000 for
privacy breach in octuplet case
• California health regulators fined Kaiser
Permanente's Bellflower hospital $250,000 for
failing to keep employees from snooping in the
medical records of Nadya Suleman, the mother
who set off a media frenzy after giving birth to
octuplets in January, 2009. The fine is the first
monetary penalty imposed and largest allowed
under a new state law enacted in 2008 after
widely publicized violations of privacy at UCLA
Medical Center involving Farrah Fawcett, Britney
Spears, Maria Shriver, and other celebrities.[1]
$25K settlement reached in medical
record breach case
• A $25,000 legal settlement was reached in a
case in which a young girl’s medical records
were improperly accessed in 2010 by a
Rensselaer County Jail nurse and two
Rensselaer County corrections officers,
according to court documents.
Talk Talk
• British broadband provider, Talk Talk, suffered its third major cyber attack in the last 12 months. Information accessed from the attack includes “names and addresses, dates of birth, email addresses, telephone numbers, account information, and crucially, credit card and bank details”.
• BBC reported that the attackers used distributed
denial of service (DDOS) to overwhelm the
company’s website.
• Its share capital dropped 10% at LSE.
CIA Boss Attacked
• The personal email account of the US’s top spy was
compromised by hackers who claimed to be high
school students. Those hackers had threatened on
Twitter to release the same documents.
• The people behind the breach, who call themselves
CWA (Crackas With Attitude), said they had breached
John Brennan’s account and followed up with
screenshots containing social security numbers,
cellphone numbers and email addresses. The cell
numbers and email addresses appeared to be genuine.
Data Protection & Security
• Data protection involves the implementation
of administrative, technical or physical
measures to guard against unauthorized
access and misuse of data.
• DATA Security and DATA privacy: the difference? Data Security enhances data privacy, while the latter creates a right under which data subjects (citizens) can seek remedies through laid down legal process.
Objectives of Data Security
• Confidentiality;
• Integrity – data, system and networks;
• Availability (Survivability);
• Protection of Critical Information Infrastructure (CIIP)
What does a typical Data Security Law
Regulate?
• Definition of Data
• Identification of Data Assets
• Identification of data handler and procedures
• Establishment of standard Security Controls to Manage and Control Risk
• Establishment of Third Party Service Provider Responsibilities
• Creates sanctions and penalties for violations
• Compensation and remedies for data subjects
Laws and Regulations
• Nigeria does not have an overarching data protection law.
• CONSTITUTION
• RELEVANT LAWS
  - National Health Act
  - Cybercrime Act
  - Nigerian Communication Act
  - Freedom of Information Act
• REGULATIONS {Interim measures}
  - No laws
  - Bad laws {Curable}
• LEGAL INSTRUMENTS
  - ORDERS
  - RULES
  - DIRECTIONS
  - REGULATIONS
The Constitution
• The Constitution of the Federal Republic of
Nigeria 1999 (as amended)
• Section 37 guarantees the Right to Private and Family Life by providing that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.
• This right is not unlimited as it could be
derogated from in deserving circumstances as
per section 45 of the Constitution
National Health Act
• The NHA requires a person in charge of a health establishment who is in possession of a user’s or patient’s health records to set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept. Requiring the person in charge of a health establishment to be in possession of the health records creates uncertainty: it is not clear whether this refers to actual possession, constructive possession or both.
National Health Act
• Section 29(2) of the National Health Act provides that any person who
• (a) fails to perform a duty imposed on them under subsection (1);
• (b) falsifies any record by adding to or deleting or changing any information contained in that record;
• (c) creates, changes or destroys a record without authority to do so;
• (d) fails to create or change a record when properly required to do so;
Section 29 Contd.
• (e) provides false information with the intent that it be included in a record;
• (f) without authority, copies any part of a record;
• (g) without authority, connects the personal identification elements of a user's record with any element of that record that concerns the user's condition, treatment or history;
• (h) gains unauthorised access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another;
• (i) without authority, connects any part of a computer or other electronic system on which records are kept to (i) any other computer or other electronic system; or (ii) any terminal or other installation connected to or forming part of any other computer or other electronic system; or
• (j) without authority, modifies or impairs the operation of (i) any part of the operating system of a computer or other electronic system on which a user's records are kept; or (ii) any part of the programme used to record, store, retrieve or display information on a computer or other electronic system on which a user's records are kept:
• commits an offence and is liable on conviction to imprisonment for a period not exceeding two years or to a fine of N250,000.00 or both.
Cybercrime Act
• The Cybercrime Act contains extensive provisions covering a wide range of offences which would apply to any person who commits offences against systems designated critical national infrastructure. The offences include:
  - Section 8: System interference
  - Section 9: Intercepting electronic messages
  - Section 13: Computer related forgery
  - Section 16: Unauthorized modification of computer systems, and network data and system interference.
• The penalties are severe, ranging from imprisonment from 2 years to 14 years and substantial fines.
Cybercrime Act 2015
• Under Section 3 of the Cybercrime Act, certain computer systems, networks, computer programs, computer data or traffic data vital to the country, whose incapacity or destruction of or interference with such system would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of these matters, may be designated Critical National Information Infrastructure. In the case of such designation, the President, by means of an Order, may prescribe:
• minimum standards, guidelines, rules or procedures for the protection or preservation of critical information infrastructure;
Cybercrime Act
• the general management of critical information infrastructure;
• access to, transfer and control of data in any critical information
infrastructure;
• infrastructural or procedural rules and requirements for securing
the integrity and authenticity of data or information contained in
any designated critical national information infrastructure;
• the storage or archiving of data or information designated as critical
national information infrastructure;
• recovery plans in the event of disaster, breach or loss of the critical
national infrastructure or any part of it; and
• any other matter required for the adequate protection,
management and control of data and other resources in any critical
national information infrastructure
Duties of Service Providers
• S. 38 (1) A service provider shall keep all traffic data and subscriber information as may be prescribed by the relevant authority for the time being, responsible for the regulation of communication services in Nigeria, for a period of 2 years.
• (2) A service provider shall, at the request of the relevant authority referred to in subsection (1) of this section or any law enforcement agency (a) preserve, hold or retain any traffic data, subscriber information, non-content information, and content data; or (b) release any information required to be kept under subsection (1) of this section.
• (3) A law enforcement agency may, through its authorized officer, request for the release of any information in respect of subsection (2) (b) of this section and it shall be the duty of the service provider to comply.
Obligations of Service Providers
• Registration of Cybercafé – S.7
• (1) From the commencement of this Act all operators of a cybercafé shall register as a business concern with Computer Professionals’ Registration Council in addition to a business name registration with the Corporate Affairs Commission. Cybercafés shall maintain a register of users through a sign-in register. This register shall be available to law enforcement personnel whenever needed.
• (2) Any person, who perpetrates electronic fraud or online fraud using a cybercafé, shall be guilty of an offence and shall be sentenced to Three Years imprisonment or a fine of One Million Naira or both.
• (3) In the event of proven connivance by the owners of the cybercafé, such owners shall be guilty of an offence and shall be liable to a fine of N 2,000,000.00 or a 3 years jail term or both.
• (4) The burden of proving connivance in subsection 3 above shall be on the prosecutor.
Service Providers- Further Obligations
• S. 22 and 29 require institutions and operators not to use their special knowledge as an engine of fraud. Lawful Interception requirements;
• Corporate liabilities and those of officers and managers;
• No waiver of liability; this is in addition to S.146 and 147 of the Communications Act, which provide a waiver of criminal liability to protect operators in civil or criminal suits following cooperation with LEAs.
Nigerian Communications Act 2003
• 146 —(1) A licensee shall use his best endeavour to prevent the network
facilities that he owns or provides or the network service, applications
service or content application service that he provides from being used in,
or in relation to, the commission of any offence under any law in
operation in Nigeria.
• (2) A licensee shall, upon written request by the Commission or any other
authority, assist the Commission or other authority as far as reasonably
necessary in preventing the commission or attempted commission of an
offence under any written law in operation in Nigeria or otherwise in
enforcing the laws of Nigeria, including the protection of the public
revenue and preservation of national security.
• (3) Any licensee, shall not be liable in any criminal proceedings of any
nature for any damage (including punitive damages), loss, cost or
expenditure suffered or to be suffered (whether directly or indirectly) for
any act or omission done in good faith in the performance of the duty
imposed under subsections (1) and (2).
Nigerian Communications Act
• 147. The Commission may determine that a licensee or
class of licensee shall implement the capability to allow
authorised interception of communications and such
determination may specify the technical requirements
for authorised interception capability.
• Please NOTE:
• Working with the ONSA and other National Security
Agencies, NCC has made these determinations and a
proposed legislation is pending at the National
Assembly on the matter;
• However, interim measures are being implemented to
achieve the objectives of this provision, which security
professionals can take advantage of, as necessary
Freedom of Information Act
• Under Section 11 of the Freedom of Information Act, a public institution must deny an application for information that contains personal information or exempted information. Section 11 provides thus:
• (1) Subject to subsection (2), a public institution must deny an application for information that contains personal information and information exempted under this subsection includes –
• (a) files and personal information maintained with respect to clients, patients, residents, students, or other individuals receiving social, medical, educational, vocation, financial, supervisory or custodial care or services directly or indirectly from public institutions;
• (b) personnel files and personal information maintained with respect to employees, appointees or elected officials of any public institution or applicants for such positions;
• (c) files and personal information maintained with respect to any applicant, registrant or licensee by any government or public institution cooperating with or engaged in professional or occupational registration, licensure or discipline;
Freedom of Information Act
• (d) information required of any tax payer in connection with the assessment or collection of any tax unless disclosure is otherwise requested by the statute; and
• (e) information revealing the identity of persons who file complaints with or provide information to administrative, investigative, law enforcement or penal agencies on the commission of any crime.
• (2) A public institution shall disclose any information that contains personal information if – (a) the individual to whom it relates consents to the disclosure; or (b) the information is publicly available.
• (3) Where disclosure of any information referred to in this section would be in the public interest, and if the public interest in the disclosure of such information clearly outweighs the protection of the privacy of the individual to whom such information relates, the public institution to whom request for disclosure is made shall disclose such information subject to Section 14 (2) of this Act.
DRAFT NATIONAL GUIDELINES ON
DATA PROTECTION BY NITDA
• The Draft National Guidelines on Data Protection were issued by NITDA pursuant to sections 6, 17 and 18 of the NITDA Act.
• The purpose of the Draft Guidelines is to:
  - Prescribe guidelines for all organizations or persons that control, collect, store and process personal data of Nigeria residents within and outside Nigeria, for the protection of a specific category of data commonly known as Personal Data or Object Identifiable Information (OII).
  - Prescribe minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information in this category.
Nigerian Communications Act (Registration of
Telephone Subscribers Regulations) 2011
• Regulation 9 provides for Data Protection and Confidentiality:
• 9.—(1) In furtherance of the rights guaranteed by section 37 of the Constitution of the Federal Republic of Nigeria, 1999 and subject to any guidelines issued by the Commission including terms and conditions that may from time to time be issued either by the Commission or a licensee, any subscriber whose personal information is stored in the Central Database or a licensee’s database, shall be entitled to view the said information and to request updates and amendments thereto.
• (2) The subscriber information contained in the Central Database shall be held on a strictly confidential basis and no person or entity shall be allowed access to any subscriber information on the Central Database except as provided in these Regulations.
• (3) Licensees, Independent Registration Agents and Subscriber Registration Solution Providers shall not under any circumstances retain, duplicate, deal in or make copies of any Subscriber Information or store in whatever form any copies of the subscriber information for any purpose other than as stipulated in these Regulations or in an Act of the National Assembly.
NCC Regulation Contd.
• (4) Licensees, Independent Registration Agents, Subscriber Registration Solution Providers and the Commission shall each take all reasonable precautions in accordance with international practices to preserve the integrity and prevent any corruption, loss or unauthorized disclosure of subscriber information obtained pursuant to these Regulations and shall take steps to restrict unauthorized use of the Subscriber Information by their employees who may be involved in the capturing or processing of such subscriber information.
• (5) Licensees shall utilize personal information retained pursuant to these Regulations, solely for their operations and in accordance with the provisions of Part VI of the General Consumer Code of Practice for Telecommunications Services and any other instruments of the Commission or any Act of the National Assembly regulating the specific purposes for which the personal information may be used.
• (6) Licensees, Independent Registration Agents and Subscriber Registration Solution Providers shall not retain the Biometrics of any subscriber after transmission thereof to the Central Database.
How do the laws apply to patient data?
• With respect to capturing of health
information, section 25 of the National Health
Act mandates every health establishment to
keep a health record for each patient.
• And under Section 26(1) of the National
Health Act all information concerning a
patient, including information relating to his
or her health status, treatment or stay in a
health establishment is confidential.
What is Patient Data?
• There is no specific provision defining health data or patient information in our laws; however, section 26(1) of the National Health Act provides helpful guidance. Thus, health data or patient information includes, but is not limited to, all information relating to the patient’s health status, treatment or stay in any health establishment. The provision states that:
• “All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential.”
Access to patients’ information
• There are three scenarios under the National Health Act (NHA) whereby user information can be accessed.
• (1) Health workers or any health care provider that has access to the health records of a patient user may disclose such personal information to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interest of the user.
• (2) Where access is needed for the purposes of treatment. In this case, the user's consent has to be obtained. The NHA does not specify how the consent or authorization is to be obtained.
• (3) The third scenario is for purposes of study, teaching or research. The health care provider is required to obtain authorization from the user, the head of the health establishment concerned and the relevant health research ethics committee. Where the study, teaching or research will not reflect or obtain information which identifies a user, the health care provider does not need to obtain the specified authorizations.
Access to patient information Contd.
• Patients’ health records can be accessed without authorisation where such access is in the interest of defence, public safety, public order, public morality or public health. This derives from section 45(1) of the Constitution of the Federal Republic of Nigeria, which states that the right of privacy guaranteed under the Constitution shall not invalidate any law that is reasonably justifiable in a democratic society in the interest of defence, public safety, public order, public morality or public health or for the purpose of protecting the rights and freedom of other persons. Please see Section 28 (1) of the NHA.
• Section 34 of the National Health Act prescribes that every
institution, health agency and health establishment at which health
research is conducted, shall establish or have access to a health
research ethics committee, which is registered with the National
Ethics Committee.
Use of Patient Information
• Patient information may be used for
treatment, for study, research or teaching.
Where used for treatment, the patient's
authorization needs to be sought and where
used for study, research or teaching,
authorization has to be obtained from the
patient, the head of the health establishment
and the relevant health research ethics
committee. In each case, the NHA does not
state how the authorization should be sought.
Storage of patient information
• There are no specific obligations in the National
Health Act relating to the storage of patient
information.
• The Cybercrime Act requires service providers to
keep all traffic data and subscriber information as
may be prescribed by the relevant authority for
the time being, responsible for the regulation of
communications services in Nigeria, for a period
of 2 years.
Data Transfer
• There are no provisions relating to data transfer in the laws that apply to the health sector.
• It is subject to interpretation whether the provision in the National Health Act which allows a health worker or health care provider to disclose patient information to any other person extends to transfers abroad. However, on the face of it, and given the possibility of emergency cases and the need for medical attention from a location different from a patient’s regular hospital, a health care worker or health care provider may transfer patient information even to persons or hospitals outside Nigeria so long as it is for a legitimate purpose and in the interest of the patient.
Third Party Responsibilities
• A third party is “one who is not a party to a lawsuit, agreement, or other transaction but somehow involved in the transaction; someone other than the principal parties”. Drawing from this definition, third parties in this context are those who are not directly involved in health management, but are indirectly involved either because of the services they render or their professional role. They are essentially independent contractors, contracted mostly by health institutions to provide specific solutions, for example storage of data.
• The recently enacted Cybercrime Act provides severe penalties for systems-based and content-related violations which are enforceable against third party technology service providers in Nigeria.
Gaps/Challenges
• The protection of patient information suffers from a number of deficiencies in the laws that apply to the health sector. The provisions in the National Health Act relating to patient information are vaguely worded, giving rise to uncertainties in relation to:
  - the entities obligated to comply with data processing requirements;
  - the lack of provisions on data quality;
  - the lack of provisions on actual consent by patients before information is obtained;
  - the lack of provisions on ownership of patient data;
  - the lack of provisions on how long patient data is to be retained;
  - the non-vesting of information rights in patients, for example, patients do not have a right of access to their data; and
  - the lack of provisions for third party responsibilities and cross-border transfer of data.
Solutions
• Utilization of legal instruments to enable
interim solutions to meet data protection and
security mandates contained in our laws,
starting with the NHA and all other technology
related Laws
Conclusion
• Assist in sensitizing the Legislature
• Enforcement of privacy rights
• Interpretation of Privacy Laws
• Capacity Building
THANK YOU
CONTACT:
basil@ta.com.ng
08033066004