At a glance
- Data privacy plays a critical role for organisations, particularly regarding employee data, as it impacts decision-making and overall business operations.
- The Nigeria Data Protection Act 2023 (NDPA) and the Nigerian Data Protection Regulation (NDPR) 2019 remain the primary legislation on employee data protection.
- Organisations must take measures to safeguard employee data, such as data minimisation, conducting Data Privacy Impact Assessments (DPIAs), implementing security measures, and providing employee education on data protection.
- Breaches of employee data privacy can result in sanctions by the Nigeria Data Protection Commission, legal claims, financial losses, reputational damage, operational disruptions, and loss of competitive advantage for organisations.
Data is king, as the saying goes, and everyone has come to recognise the importance and use of data in all spheres of life. Among other things, data helps organisations to make informed decisions about their businesses, profile clients and customers, detect problems and proffer solutions, measure the effectiveness of the different strategies they employ, analyse performance, and determine measures for improvement. Because data is so important, access to it is extremely valuable to whoever obtains it, which is why cyberattacks that exploit data, often for criminal purposes, are increasing. As such, data collectors, such as governments, organisations, and individuals, must put in place the appropriate regulatory framework and measures to stay a step ahead of these criminal activities.
In Nigeria, access to the internet, flexible working, social media, the growth of e-commerce, etc., have increased the processing of data by organisations and individuals. As of 2019, there were over 3.1 million registered companies with the Corporate Affairs Commission in Nigeria. This implies that there are millions of employees whose data are being processed daily. Therefore, data privacy, which deals with how data is collected, processed, and stored, should become a key focus for employers in Nigeria.
Many organisations, while developing their cybersecurity and data privacy framework, tend to focus mainly on protecting the personal data they collect externally, i.e. from customers/consumers, vendors, contractors, third-party service providers, etc., whilst neglecting the data processed internally. The reality is that employees also enjoy the rights conferred on data subjects under applicable data protection laws. In fact, privacy is a fundamental human right under the Nigerian constitution.
Criminals can use employees’ personal data to defraud or harass them, or even sell it to third parties, which can lead to such employees’ activities being tracked and monitored, thereby infringing on their right to privacy and, in most cases, causing financial losses.
Why is data privacy important and how can employers protect the personal data of their employees? These are some of the questions that will be addressed in this article.
What is employee personal data?
Employee personal data includes any information that can be used to identify an employee such as name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers.
What is data privacy and why is it important?
Data privacy refers to the protection of personal data from unauthorised access, use, and disclosure, ensuring that it is handled, stored, and processed in a manner that respects data subjects' rights and expectations of privacy. Data privacy is important because, among other things, it protects the information of organisations and their employees, customers, clients, etc., from fraudulent activities, which can lead to dire consequences such as distrust and loss of revenue. Also, upholding strong data privacy standards can enhance a company's reputation and brand image, leading to increased customer loyalty and positive public perception.
What are the laws that govern data privacy in Nigeria?
- The Constitution of the Federal Republic of Nigeria.
- The NDPA.
- The NDPR 2019.
- The NDPR Implementation Framework.
- Other sectoral laws may be applicable in certain instances.
How can employers protect the personal data of their employees?
- Data Minimisation: Employers should collect and retain only the personal data that is necessary for the legitimate purposes of the organisation. They should avoid collecting excessive or irrelevant information that could pose unnecessary risks to employee privacy.
- DPIAs: Employers should conduct DPIAs to identify and assess the potential privacy risks associated with processing employee personal data. The findings should be used to implement appropriate measures to mitigate risks and ensure compliance with data protection laws.
- Employee Privacy Notice: Employers can display a simple and conspicuous privacy policy that outlines how the organisation collects, uses, stores, and protects the personal data of its employees. It serves as a communication tool to inform employees about their privacy rights and the organisation's data protection practices. The privacy policy should stipulate the description of collectable personal information, the purpose of collection and technical methods used to collect and store personal information among others.
- Securing Personal Data: Employers should develop security measures to protect the personal data they collect from their employees. Such measures include, but are not limited to, protecting systems from hackers, setting up firewalls, storing data securely with access restricted to specific authorised individuals, employing data encryption technologies, developing an organisational policy for handling personal data, protecting email systems, and continuous capacity building for staff.
- Audit: Employers should conduct regular audits of their systems to ensure that they are functioning properly and that all the security measures put in place are working correctly.
- Education: Employers should regularly educate employees on the importance of their personal data, their role in protecting it, and why the measures put in place by the employer should be complied with and enforced.
In addition, signing data protection contracts and inserting data protection clauses in employment contracts are measures that employers can also adopt to protect the personal data of their employees. These measures are essential in fulfilling their data protection obligations to employees as they can be utilised to inform employees about the specific reasons for the processing of their data, prior to obtaining consent.
What are the permitted uses of employees’ data under Nigerian law?
The permitted use of employees' personal data typically depends on the organisation's internal policies and legitimate business interests, as defined under the applicable laws. Some common permitted uses of employees' personal data may include the following:
- Employers may collect, process, and use employees' personal data for legitimate employment-related purposes, such as recruitment, hiring, onboarding, performance evaluation, promotion, compensation, benefits administration, and termination of employment.
- Employers may use employees' personal data to manage payroll processing, including salary payments, tax deductions, benefits enrolment, and retirement contributions. This may involve sharing personal data with third-party payroll providers, financial institutions, and benefits administrators.
- Employers are permitted to use employees' personal data to comply with legal and regulatory requirements, such as tax reporting, labour laws, workplace safety regulations, immigration laws, and anti-discrimination laws. This may include sharing personal data with relevant government agencies, regulatory authorities, and law enforcement agencies as required by law.
- Employers may use employees' personal data to communicate with them about work-related matters, including job assignments, training opportunities, company policies, and organisational changes. This may involve collecting and using personal data for email communications, internal messaging platforms, and employee surveys.
- Employers may collect and process employees' personal data for performance management purposes, such as conducting performance evaluations, setting goals, providing feedback, and identifying training or development needs.
- Employees' personal data may be used by employers to ensure their health and safety in the workplace, such as monitoring attendance, tracking sick leave, conducting health screenings, and implementing workplace accommodations for disabilities. Employers must handle health-related data with particular care and comply with the NDPA in this regard.
What are the implications of a breach of employees’ data privacy?
The implications of a breach of employees’ data privacy are wide-ranging and can have far-reaching consequences for the affected individuals and the organisation. Possible implications include sanctions against the employer by the Data Protection Commission, legal action by the employee against the employer for breach of data privacy, financial losses, reputational damage, operational disruption, loss of competitive advantage, etc.