By Temitayo Ogunmokun
Sir: The Coronavirus (Covid-19) pandemic continues to chart a devastating course on the globe, leaving in its wake a trail of illness, death, overwhelmed health institutions and crumbling economies. Nigeria is not spared: President Buhari on March 30 announced a two-week lockdown in the states that have recorded the highest numbers of coronavirus cases to date, which at its lapse was extended for a further two-week period. The processing of vital personal information for the purpose of managing risks, identifying infected persons and contact tracing is inevitable. Hence, its privacy and data protection implications cannot be ignored.
The processing of personal data in Nigeria is regulated by the Nigerian Data Protection Regulation (NDPR) 2019 and other sectoral laws, e.g. the National Health Act. While the NDPR is not an exhaustive data protection law, it is a modest attempt to raise the Nigerian framework to global standards and was inspired by its European counterpart, the General Data Protection Regulation of May 2018 (GDPR). The NDPR defines personal data as “any information relating to an identified or identifiable natural person (Data Subject)”. Hence, any personal information collected from an individual for the purpose of taking requisite measures against coronavirus would fall under the scope of the law.
Employers are obliged to provide safe working environments and protect the health of their employees. In the pursuit of these objectives, the processing of personal data relating to health and travel histories would be justified provided it is premised on one or more legal bases. If employees’ consent is sought to be relied upon, such consent must be specific, informed and freely given, and the employee must be informed of his right to withdraw it at any time. The use of additional measures, e.g. a questionnaire, would have to be justified, taking into consideration the evaluation of risk and the necessity and proportionality of the measure.
Health information is classified as “sensitive personal data”, which requires a high degree of confidentiality. Therefore, while an employer may notify its staff of a suspected case of coronavirus in the organisation, the identity of the affected individual must not be disclosed without a legal basis; otherwise the employer may be in breach of privacy laws and the confidentiality clause in the employee’s terms of employment, if applicable. Similarly, disclosure to third parties and the authorities should only be effected in reliance on one or more of the legal bases contained in the NDPR and the National Health Act.
In the protection of employees’ health, employers reserve the discretion to control access to the working premises. In a situation where there is a suspicion or confirmation of coronavirus, the employer can lawfully restrict the employee from gaining access to the premises. In any event, this issue would seem to fall within the scope of labour and employment laws, and not data protection law, and may impact on the status of the employee’s job, remuneration and sickness benefits as per the contractual terms of engagement.
The National Health Act cloaks the medical records of all patients with confidentiality and imposes a strict obligation of non-disclosure to third parties. However, confidentiality can be waived by the patient in writing, by an order of court, or where non-disclosure would constitute a grave threat to public health. In addition, public health workers who may be in possession of such confidential records may disclose same if it is necessary for a legitimate purpose within the ordinary course and scope of their duties, where such disclosure is in the interest of the patient.
While privacy laws serve the purpose of advancing the interest of data subjects, they will not operate to impede measures necessary for the protection of public interest or health. Hence the existence of legal bases for processing personal data other than the consent of the data subject. The severity of the coronavirus pandemic is of public concern and, therefore, protection of data subjects’ interests, public interest and the legal obligation(s) of the data controller can conveniently avail as legal bases. Nevertheless, an organisation seeking to process personal data in reliance on one or more legal bases must concurrently apply the principles of lawfulness, storage limitation, data minimization, duty of care and accountability, failure of which could incur liability for breach and sanctions.
- Temitayo Ogunmokun, Brussels, Belgium.
