The Nigerian Bar Association (NBA) as a Data Controller
Since the NBA processes its members’ personal data by collection, storage and transmission etc. of same for varying purposes, hence, it is a data controller since it unarguably determines the purpose and means of processing its members data. For the avoidance of doubt, article 1.3.(x) of the Nigeria Data Protection Regulation (NDPR) 2019 defines a data controller as:
“a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed.”
Although the NDPR does not by this definition, include legal persons in its admittedly deficient definition, the Interpretation Act defines “person” to include any body of persons corporate or unincorporate”. See also the foreign decision in Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV10 where the Court of Justice of European Union (CJEU) defined a data controller as:
“… a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing”
See page 442 of my Casebook on Data Protection, ISBN 978-620-2-55355-1
Legal basis for publication
Under the NDPR, personal data can only be processed (either by collection, storage, use, transmission, publication, disclosure, dissemnitaion, destruction and/or loss etc) where there exists a lawful basis for such processing. (See article 2.2). Of all the grounds of lawful processing, the one that nearly supports the NBA’s publication of its members’ personal data as done by the ECNBA seems to be “where processing is necessary for the performance of contract to which a data subject is a party” (see article 2.2(b)
The question that comes to mind from the foregoing assumption is, whether or not there exists a contract between the NBA and its members that necessitates the publication of members’ personal data on the Internet?
In Fawehinmi v NBA (1989) LPELR – 1259(SC), the Supreme Court of Nigeria, per Obaseki, JSC (as he then was) held that:
“The Constitution of the Nigerian Bar Association is not a statutory instrument. It is not a subsidiary legislation to the Legal Practitioners Act. It is a pure and simple private document which the members of the Nigerian Bar Association were entitled to draw up in exercise of their right to provide a constitution for the Association to regulate its affairs.”
Since all members of the NBA are bound by its constitution, it is to be conceded that, the NBA’s legal basis for processing its members’ personal data ought to be drawn from such constitution which represents an agreement (contract) between the members. See Aduasim v Emeh (2018) LPELR- 46066 (CA). I note with interest that, section 5(e)(iv) of the NBA Constitution 2015 (as amended) specifically empowers the General Secretary to keep a roll of the members.
It is also worthy of note that, while section 9(1) (2) and (4) provide for the establishment of the ECNBA and procedure for election, none of the subsections expressly provides for the publication of members’ personal data (in the form of provisional list) on the Internet. When recourse is however had to the 2020 ECNBA Guidelines (Final) (https://nigerianbar.org.ng/2020-ecnba-guidelines-final), it will be seen that, while paragraphs 8.3 provides that the branch chairmen shall confirm the personal data (full names, mobile phone numbers and active email addresses) of their eligible brach members, paragraph 8.5 empowers the ECNBA to publish the list for members to correct errors and omissions.
Thus, from the foregoing, the provision of paragraph 8.5 of the ECNBA Guidelines arguably provides a legal basis for the publication of member’s personal data on the Internet.
NBA’s obligations under the NDPR
A Data Controller’s obligation under the NDPR does not stop at the identification of a legal basis for processing data, in fact, the legal basis is the foundation on which all other data protection safeguards and duties rest.
Under article 2.4 of the NDPR, the NBA (as a data controller) is duty bound to take responsibility for the action of third parties with which it shares members’ personal data, but since it has “shared” our data with the whole World on its website, I am afraid it appears, the NBA can no longer assure us of the sanctity of our data which are now in the unguarded public domain, albeit for the “legitimate” purpose of elections. I use ‘legitimate purpose’ here advisedly especially since it is not one of the grounds of lawful processing under the NDPR unlike the GDPR which is inapplicable here.
As a data controller, the Bar is meant to publish its privacy policy (at least) on its website pursuant to article 2.5 but the last time I checked its website (https://nigerianbar.org.ng/) , I found out with avoidable despondency that Africa’s most influential Bar association does not have a privacy policy on its website. This says much about our data protection practice in Nigeria. It can however always get better!
Not only don’t we have a privacy policy, at no time, as data subjects, had the members been expressly and specifically informed that our personal data will be published on the Internet especially with telephone numbers and email addresses in violation article 3.1(1). While it may be argued that the 2020 ECNBA Guidelines constitutes information on the impending publication of personal data, same falls short of it expectations by omitting to provide safeguards on “opting out”. Since the right to vote is neither absolute (see art. 4(1)(b) of the NBA Constitution) nor can it not be waived or abandoned. Most importantly, data subjects have the right to object to processing or further processing of their data (art. 2.8), especially for the benefit of members who do not want to be part of the Bar’s electoral process, albeit unadvisable.
By article 4.1(1) of the NDPR, the NBA ought to make public its various data protection policies but this writer is not aware of any such publication on the subject. The Bar processes the personal data of tens of thousands of lawyers spread over 125 branches but it does not have a Data Protection Officer again, this is in violation of article 4.1(2) of the NDPR, not to talk of the conduct and filing of data compliance audit and summary with the regulator as mandated by the NDPR.
Conclusion
Beyond jostling to elect any of the eminent candidates into the elective offices, it is never late too come to a party when it has to do with alignment with Global standards with respect to data protection which has been practiced in Europe since the early 70s; the Bar must lead this charge for its members to follow. It is this writer’s respectful opinion that, the General Secretary can double as our Data Protection Officer since he is the constitutional custodian of our personal data, all our data access and exit points need to be lined with our privacy notice which may be a start-up point for the Bar’s compliance with its data protection obligations and relevant regulations.