Subscribe to our Newsletter to receive the latest updates on our content. By tapping the “Subscribe” button you will be redirected to subscription page. Subscription is free.
The pervasiveness and the allure of the internet continues to hold sway and wax stronger amongst different age groups, more so with the younger generation. A huge outcome of this, is the readiness of a number of users in sharing their personal data on various platforms. One of the rising challenges amidst all this, is children’s data, studies have shown that more than 83% of children will have regular access to a smartphone in their pre- and early teens. Business organisations unknowingly sometimes are therefore exposed to processing the data of a child for several purposes, whether commercial or administrative. In view of this, it is important that the right privacy principles are adopted when dealing with child data. This instalment of ALN Nigeria’s Privacy Please series will examine the provisions relating to the protection of child data under Nigerian law and offer guidance to business organisations.
Processing Personal Data of a Child
However, the NDPA has established a new regime with respect to the processing of personal data belonging to a child and persons lacking legal capacity.
Age – The NDPA increases the age requirement for data protection purposes. A child is now considered as any person below 18 years of age a significant increase from the provisions of the NDPR highlighted above
Consent – Whilst the NDPR and its Implementation Framework were silent on whom to obtain consent from, the NDPA explicitly states that a data controller shall obtain the consent of the parent or legal guardian, as applicable. However, this consent will not be required where:
Protection – The NDPA provides an additional layer of responsibility on data controllers as it requires them to apply appropriate mechanisms to verify age and consent, taking into consideration available technology. For this purpose, the presentation of any government-approved identification document is deemed as an appropriate mechanism.
Finally, the NDPA authorises the Nigeria Data Protection Commission (NDPC) to make regulations for the protection of children that are 13 years and above in relation to the provision of information and services by electronic means at the specific request of the child. This means that we should expect specific guidelines from the regulators specifically as it relates to the processing of data from children in the aforementioned age group (13 years and above but below 18) via the internet and other electronic means.
The above provisions clearly show that the NDPA has given significant attention to the processing of child data. It goes further to state that nothing within the Act shall be construed as authorising data processing in respect of a child in a manner that is inconsistent with the provisions of the Child’s Right Act.
Should you have any questions regarding this legal alert do not hesitate to contact Sumbo Akintola.
Emmanuel Ido – Associate