1. Introduction:
1.1. Data privacy is the branch of data management that deals with handling personal data in compliance with data protection laws, regulations, and general privacy best practices. The General Data Protection Regulation (GDPR), which is a unified data privacy law across the European Union, defines data privacy as empowering your users to make their own decisions about who can process their data and for what purpose.
1.2. In Nigeria, the right to privacy draws its roots from the Constitution, as Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) (CFRN), guarantees the privacy rights of every citizen of Nigeria, their homes, correspondence, telephone conversations and telegraphic communications. The Nigerian Data Protection Act, 2023 (NDPA), now specifically regulates the processing of personal information/data of a data subject by a data controller/processor.
1.3. Notably, employment relationships often involve the exchange and processing of personal data between the employee and the employer, and sometimes a third-party data processor, for purposes such as background checks, payment of salary, health insurance, etc. Hence, this article seeks to balance the employee’s privacy rights under the data protection laws vis-à-vis the obligations of the employer in handling or processing the employee’s personal data.
2. Definition of Relevant Terms:
2.1. Section 65 of the Nigerian Data Protection Act, 2023 defines a ‘data controller’ to mean any person, private or public authority who determines the purposes of the processing of personal data, whether acting alone or in conjunction with others. It also defines a data processor as any individual, private or public authority who processes personal data on behalf of, or on the direction of a data controller or another data processor. A data subject on the other hand is defined as an individual to whom personal data relates.
2.2. Therefore, in an employment relationship, the employee is the data subject, whilst the employer could be both the data controller and the data processor. A third-party data processor may be involved in instances where the employer engages entities like tax authorities and auditors for processing the payment of taxes, or health management organizations (HMOs), pension managers, etc. The personal data processed in an employer-employee relationship includes, amongst others: name, account number, NIN, next of kin details, etc.
3. Employee’s Data Protection Provisions Under the Nigerian Data Protection Act, 2023 (NDPA).
3.1. Under Section 34 of NDPA, 2023, an employee has the right to obtain from the employer, without delay, confirmation as to whether the employer is storing or processing personal data, and where that is the case, to be informed of:
The purpose of the processing.
The categories of the personal data.
The recipients or categories of recipients who will receive the personal data.
The period in which the data will be in use.
The right to lodge a complaint to the commission.
In situations where the personal data is not collected from the employee, the right to know the source.
The existence of automated decision-making.
3.2. Section 35 of the NDPA, 2023, recognizes that a data subject has the right to withdraw, at any time, consent to the processing of personal data. Also, Section 36 of NDPA provides that a data subject can raise an objection to any processing or interference of his/her personal data. Thus, an employee has full rights to his/her personal data, and where s/he consents to the interference of his/her personal data, s/he also has the right to withdraw such consent.
3.3. Further, Section 39 (1) of NDPA 2023 provides that a data controller/the employer must implement appropriate measures to ensure the security, integrity, and confidentiality of personal data in its possession, including protection against accidental or unlawful destruction, misuse, and unauthorised disclosure, amongst other things.
3.4. Section 40(1) NDPA, 2023, provides that in a situation where a breach occurred due to the actions of a third-party data processor, he must go ahead and fulfil two things to remedy his breach:
Notify the data controller or the person who engaged his services, of the data breach, describing the nature of the personal data breached, where the breach is likely to occur, the categories and the approximate number of the data subjects (employees) and their personal data that were affected.
Give appropriate response to any information request from the data controller or data processor (employer) that engaged it, as may be required to comply with their obligations under this section.
3.5. Section 40 (2) of the Act further provides that a data controller, upon becoming aware of a breach that will likely result in a risk to the rights and freedoms of individuals, must, within 72 hours, notify the Nigeria Data Protection Commission of the breach and, where feasible, describe to a reasonable extent the personal breach, including all the categories and approximate numbers of persons and data concerned.
3.6. By Section 41 (1) of the NDPA, 2023, a data controller or data processor shall not transfer or permit the transfer of personal data from Nigeria to another country, except in these circumstances:
The person receiving the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that projects an adequate level of protection with respect to the personal data and that law must be in accordance with this Act; or
Any of the conditions in section 43 applies to the transfer.
3.7. Section 41 (2) further places the condition that where personal data must be transferred to another country, the data controller or data processor must record the reason for the transfer and the extent of protection under Section 42 of this Act, whilst Subsection (3) provides that the Nigerian Data Protection Commission (NDPC) may make rules that require the data controller and data processor to notify it of the measures in place and explain their adequacy in terms of Section 42 of the Act. However, with regard to the employee’s data outside Nigeria, the NDPA 2023 prescribes a minimum data protection standard for all organisations or persons that control, collect, store, or process the personal data of Nigerian citizens.
4. Employer’s Obligations in Protecting Employee Privacy Rights in Data Processing
4.1. We note that an employer ordinarily owes a duty of care to their employees (data subject) and will be held responsible for their acts and omissions in processing the employees’ personal data. As such, the employer cannot process the employee’s personal data for unlawful purposes.
4.2. Hence, Section 25 of the NDPA has prescribed the lawful purposes for which an employer can process data with the consent of the data subject/employee as follows:
a. For the performance of a contract involving the employee, or to take steps at the request of the employee before entering the contract.
b. For compliance with obligations of the employer under relevant laws; for example, tax obligations (PAYE), obligations under the Pension Act, insurance law, or in obedience to a court order, etc.
c. For the performance of a task carried out in the public interest or in exercise of official authority.
d. For the purposes of legitimate interests pursued by the employer, or by a third party to whom the data is disclosed.
4.3. To ensure that the employee’s data is properly protected whilst processing personal data, organizations/employers must reconcile their legitimate interests with the privacy rights of their employees by observing the following steps/obligations:
i. Privacy Policy: Employers are obligated to establish, display, or post a clear and understandable privacy statement/policy to the targeted group of employees. The privacy policy must specify, amongst others, what constitutes the employee’s consent, the category of personal data collectible, the reason for collection, and the technical procedures used to collect, process, and store the information.
ii. Procuring Consent: Before processing an employee’s personal data, an employer must obtain the employee’s consent and ensure that no fraud, coercion, or undue influence was exerted to obtain the information. The employer must inform the employee of their right to withdraw consent, and/or object to the processing of the data.
iii. Encourage Open Communication: The employer should encourage an environment where employees feel comfortable talking about their issues regarding privacy and monitoring procedures; be open to criticism without being vindictive; and be prepared to modify monitoring procedures as necessary.
4.4. Use Monitoring Procedures and Data Responsibly: An employer should ensure that monitoring data is applied fairly, objectively, and without discrimination in making decisions about employee performance, promotions, or other work-related issues.
5.1. It suffices to say that an employee’s data privacy right, even in the workplace, is a constitutionally guaranteed right, which must always be respected. In processing employees’ personal data, employers are therefore enjoined to observe the procedures prescribed under the data protection laws to avoid breaches of the employee’s privacy rights.


1. The Constitution of the Federal Republic of Nigeria, 1999 (as amended).
2. The Nigerian Data Protection Act, 2023.
3. ‘A guide to GDPR Data Privacy Requirements’ (GDPR.EU) <https://gdpr.eu/data-privacy/#:~:text=Data%20protection%20means%20keeping%20data,data%20and%20for%20what%20purpose.> (Last accessed 23 November 2023).
4. ‘LinkedIn’ (Linkedin.com 2023) <https://www.linkedin.com/pulse/striking-balance-employee-monitoring-privacy-modern-workplace-webhr/> (Last accessed 23 November 2023).
5. Bisola Scott, ‘Data Protection Rights and Obligations in an Employer – Employee Relationship in Nigeria’ (Mondaq.com 13 January 2021) <https://www.mondaq.com/nigeria/employee-rights-labour-relations/1024306/data-protection-rights-and-obligations-in-an-employer–employee-relationship-in-nigeria#:~:text=Employers%20are%20required%20to%20procure,%2C%20coercion%2C%20or%20undue%20influence.> (Last accessed 23 November 2023).

Marvis Oduogu is a Team Lead at Stren & Blan Partners and supervises the Firm’s Taxation, Immigration, Labour and Employment Practice Groups. Ifeanyi Ezechukwu is an Associate in the Firm’s Commercial Dispute Resolution, Taxation, Immigration, Labour and Employment Practice Groups.

Stren & Blan Partners is a full-service commercial Law Firm that provides legal services to diverse local and international Clientele. The Business Counsel is a weekly column by Stren & Blan Partners that provides thought leadership insight on business and legal matters.
