COVID-19, Privacy and Data Protection: Matters Arising | Temitayo Ogunmokun

The Coronavirus (Covid-19) pandemic
continues to chart a devastating course on the globe, leaving in its wake, a
trail of illness, death, overwhelmed health institutions and crumbling
economies. Governments, organisations and individuals are increasingly
constrained to deploy strategies to mitigate its impact. Nigeria is not spared
as President Muhammadu Buhari on 30^th March 2020 announced a two
week lockdown in states that have recorded the highest numbers of coronavirus
cases till date, at the lapse of which was immediately extended for a further
two-week period.[ii]
Organisations have also been forced to suspend physical operations and resort to
remote working, thus altering the commercial landscape. The processing of vital
personal information for the purpose of managing risks, identifying infected
persons and contact tracing, is important in the fight against the pandemic.
Hence, the privacy and data protection implications of the situation cannot be ignored. 

In view of the toughening regime for the
processing of personal data, there is a general concern as to whether the high
standards of compliance created in the operative privacy framework, is likely
to preclude the optimal implementation of requisite measures. Stakeholders[iii]
are wary of requesting and processing certain sensitive data in pursuit of anti-coronavirus objectives without
running afoul of the law. Some of the issues that have been highlighted include
but are not limited to whether employers can: (i) request specifics about
employees’ travel histories, illnesses or current symptoms or compel them to
fill health status questionnaires; (ii) demand for medical certificates to
augment responses to health related questions; (iii) disclose the health status
of employees to colleagues, third parties or the authorities; (iv) send workers
home on suspicions or confirmation of infection; (v) respond to data subjects’
requests within the stipulated timelines given the closure of physical office
spaces; and (vi) whether hospitals and health workers can disclose the
confidential information of patients to third parties and the authorities.

It is important to address these issues because
while privacy and data protection laws do not stand in the way of the management of public health, there are
important points that should be considered when handling personal data in these
contexts, particularly health and other sensitive data.

The Legal
Framework

The processing of personal data in Nigeria
falls within the purview of a rapidly developing Privacy Framework strengthened
by the coming into force of the Nigerian Data Protection Regulation (NDPR) in
2019, and comprising other sectoral laws. While the NDPR is not in itself a
superintending and exhaustive data protection law, it is a modest attempt to
raise the Nigerian data protection framework to global standards and was
inspired by its European counterpart, the General Data Protection Regulation of
May 2018 (GDPR). It pushes entities to unprecedented standards of compliance
and avails to the benefit of Nigerians, irrespective of their geographic
locations. In addition to the stated objectives of the law[iv],
it is engendering transparency in the processing of personal data, and granting
to Nigerians, control over how their personal data is requested and processed.

The NDPR defines “Personal Data” as:

 “any
information relating to an identified
or identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person”[v].

 “Sensitive Personal Data” is
identified as:

Data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity,
political views, trades union membership, criminal records or any other
sensitive personal information;

 “Processing” is described as:

“any operation or set of operations which is performed on personal data
or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction”[vi].

It would appear from the above definitions
that any personal information collected by an entity from a data subject for
the purpose of devising and implementing requisite measures against the coronavirus
pandemic would fall under the scope of the NDPR. For health related matters,
supplemental provisions relating to the processing of personal data are
contained in the National Health Act[vii].

 Data Processing 

The NDPR identifies five (5) independent
conditions on the basis of which an organisation can lawfully process personal data[viii].
These derive from the principle of lawful processing and are commonly referred
to as legal bases. They are:

i.                   
Consent
of the data subject for a specified purpose(s). Such consent must not have been
obtained with fraud, coercion or undue influence[ix]

ii.                  
Necessary
for the performance of a contract to which the data subject is a party

iii.                
Compliance
with a legal obligation of which the controller is a subject

iv.                
Protection
of the vital interests of the data subject or other natural persons

v.                  
Performance
of a task carried out in the public interest or in the exercise of official
public mandate

In addition to the above, relevant
stakeholders are obliged to take into cognizance, the principles enshrined in
the NDPR i.e. data processing must accord with a specific and legitimate
purpose (purpose limitation); it must be conducted adequately (minimization) and
accurately (accuracy); data collected must be stored for a reasonable period
(storage limitation); and must be protected from foreseeable hazards
(confidentiality & integrity). Data Processing also creates a fiduciary
relationship between the controller and the data subject (duty of care), with
the former being obliged to demonstrate compliance with these principles
(accountability). It should be noted that while personal data can be processed
on the strength of at least one legal basis, the principles in the NDPR are
cumulative and must all be complied with for valid processing.

MATTERS ARISING

Can employers request
specifics about employees’ travel histories, illnesses or current symptoms or
compel them to fill questionnaires revealing these information?

Employers have an immutable obligation to
provide a safe working environment and protect the health of their employees.
In the pursuit of these objectives, the collection and processing of personal
data relating to health and travel histories would be justified provided they
are premised on one or more legal bases. If employees’ consent is sought to be
relied upon, such consent must be specific, informed and freely given, and the
employee must be informed of his right to to withdraw this consent at any time[x].
The use of additional measures e.g. a questionnaire, would have to be
justified, taking into consideration the evaluation of risk and the necessity
and proportionality of the measure.

Alternately, the protection of the vital
interest of the data subject or other natural persons, compliance with a legal
obligation by the controller and public interest concerns[xi]
can be conveniently relied upon as legal bases for processing personal
information in the circumstance.

Can employers demand for
medical reports to augment responses to health related questions?

The obligation of employers to protect the
health of employees also extends to other persons who may have legitimate
reasons to be present in the workplace. Requesting a medical report to augment
health related responses of employees’ in this circumstance would therefore
fall within the scope of this objective as to justify such demand. However,
cognizance must be taken of the confidentiality obligation foisted on any
entity who may be in possession of a document of this nature[xii],
the waiver of which can only be justified on the grounds of consent, order of
court and public interest[xiii].

Can data controllers disclose
health status of employees to colleagues, third parties or the authorities?

 Health information is classified as
“sensitive personal data” which requires a high degree of confidentiality.
Therefore, while an employer may notify its staff of a suspected case of
coronavirus in the organisation, the identity of the affected individual must
not be disclosed without a legal basis otherwise the employer would be in
breach of privacy laws and in extension, the confidentiality clause in the
employee’s terms of employment, where applicable. Similarly, disclosure to
third parties and the authorities should only be effected in reliance on one or
more of the legal bases indicated in the NDPR and the National Health Act.

 Can employers send employees
home on suspicions or confirmation of infection? 

In the protection of employees’ health, employers
reserve the discretion to control access to the working premises. In a
situation where there is a suspicion or confirmation of coronavirus, the
employer can lawfully restrict the employee from gaining access to the
premises. In any event, this issue would seem to fall within the scope of
labour and employment laws, and not data protection law, and may impact on the
status of the employee’s job, remuneration and sickness benefits as per the
contractual terms of engagement.

 Can data controllers respond
to data subjects’ requests beyond the stipulated timelines in view of closure
of physical office spaces?

 The NDPR creates a mechanism for individuals
to request a copy of their data under a formal process. The Controller is bound
to accede to this request in a concise, transparent, intelligible and easily
accessible form, using clear and plain language. It is understandable that the
ongoing global health crises may impede the capacity of organisations to
process data subjects’ requests promptly given the challenges of operating
remotely. However, in the event of inability or failure to take action in
respect of any such request, the data controller must, not later than one month
from the date of the request, inform the data subject of the reasons for default
and a right to recourse to supervisory authorities[xiv].
Given that the NDPR does not expressly provide a specific timeline within which
a data subject’s request must be processed, it is unclear what the consequences
for breach would be.

 Can hospitals can disclose the
confidential information of patients to third parties and the authorities?

 The National Health Act cloaks the medical
records of all patients with confidentiality and further imposes a strict
obligation of non-disclosure to third parties. However, confidentiality can be
waived where the patient has consented in writing to the disclosure of such
medical records, or a court of competent jurisdiction has ordered the
disclosure of same, or non-disclosure would constitute a grave threat to public
health. In addition, a public health worker who may be in possession of such
confidential records may disclose same if it is necessary for a legitimate
purpose within the ordinary course and scope of his or her duties where such
disclosure is in the interest of the patient[xv].

 CONCLUSION

 It should be reiterated that privacy and
data protection laws aim to encourage transparency in the processing of
personal data and grant control to individuals over how their personal data is
to be requested and processed. While their construction primarily serves the
purpose of advancing the interest of data subjects, they will not operate to
impede measures necessary for the protection of public interest or health. Hence,
the existence of varied independent legal bases for processing personal data other
than the consent of the data subject. The severity of the coronavirus pandemic
is undoubtedly of a public concern and therefore, protection of data subjects’
interests, public interest and legal obligation(s) of the data controller can
conveniently avail as legal bases for processing, assuming without conceding
that the consent of the data subject cannot be reasonably procured.

 Nevertheless, an organisation seeking to request
and process personal data in reliance on one or more legal bases, must
necessarily apply the fundamental principles enshrined in the NDPR. It must
ensure that the legal basis on which it seeks to rely lawfully avails it in the
circumstances and must show specificity of purpose. The collected data should
be limited to what is required and must be protected from breach and
unauthorized disclosure. The controller must refrain from abusing the existent
fiduciary relationship and must be able to clearly demonstrate compliance with
its obligations under the law, failure of which could incur liability for
breach and sanctions[xvi].