Patients’ privacy and health administrators’ liability under Nigeria Data Protection Regulation 2019

The sole aim of privacy is to protect individual from a wide range of embarrassing disclosures. Privacy laws do not only create a right of protection but also make health administrators more accountable for its business practices. The secrecy as to the identity of the Italian index case of Covid-19 in Nigeria necessitated this research and enquiry. It must be stated here that processing and reporting is key to Nigeria Data Protection Regulation (NDPR) compliance and failure is a breach and punishable. Unlike many legal concepts, law has only recognized the liability for data breach by health institutions and this is one work that establishes its legal basis.

Health care providers are data controller of their patients’ information, records and have a duty to follow this regulation as it sets a baseline of protection for individually identifiable health information. The regulation grants patients the choice as to whether their health information may be disclosed which include treatment, payment and health care operation plan. The regulation requires healthcare providers to obtain patient’s written consent before they disclose their health information to other people, organizations even for treatment. Informal institutions like civil society groups and media are relevant in achieving the goals of the regulation and more importantly, the protection of privacy right of Nigerians.

Personal data is defined very broadly in the NDPR as any information relating to an identified or identifiable natural person. It includes; a name, address, a photo, an email address, phone number, bank details, posts on social networking websites, medical information etc. The right to privacy is not just a constitutional right but also a fundamental right. Private data is information that is personal, secret and not to disclose to the third party.

Some categories of health care information falls within the scope of a privacy interest and some other are public information, which should be accessed by members of the public. The right to privacy was first pronounced in Nigeria in the case of Minister of Internal Affairs v. Shugaba Darman (1982) 3 NCLR 915 where the Court held that, the deportation of the applicant is a breach of his right to privacy. The darkness around the identity of the Italian index case of COVID-19 is backed in law, policy and good conscience. This means that, information held about the individual should be accessible to him or her only and animate or inanimate third party should be protected against disclosure or facilitating invasion of such personal information.

Privacy protection has not been traditionally afforded a high priority, it deserves particularly in the health sector. Much of patients’ information in Nigeria is with private hospitals with maximum independence and minimum privacy policies and value. In Nigeria, there is a privacy administrative restriction on personal information stored by private and public hospitals. For example, records maintained by National Health Insurance Scheme. Similarly, the African Union Convention on Cyber Security and Personal Data Protection 2014, protect patients with regard to the automatic processing of personal data. The convention aimed at continental level to protect and promote information collected and recorded either by government entities or by the private sector service suppliers. Privacy laws in most places allow for information to hold people accountable to be made public while setting some limits.

The transition from paper to computer base record keeping in the health sector promises greater efficiency and cost saving but with increased concerns about the threat to patient’s privacy in the course of data processing. The regulation sets out the conditions under which patient data can be processed. Processing means an operation performed on personal data and it applies also to data storage or retention. Forms of processing include, collection, storage, retrieval, review and disclosure by transmission, dissemination, restriction or destruction. In practice, it applies to the processing of personal data by non-Nigerian health administrators where such processing is in the context of monitoring of the behaviour of patient.

The key grounds for processing patient data that are relevant to health investigations are consent, legitimate or public interest. The requirement to attain specific consent of patient for each singular purpose of use is likely to treatment. As a result, processing should be carried out under a different ground of the NDPR where possible. A health worker or any health care provider that has access to the health records of a patient may disclose such personal information to any other person, health care provider or health establishment as it is necessary for any legitimate purpose within the ordinary course of scope of his/her duties where such access or disclosure is in the interest of the patient. Aside from consent, the legitimate interest condition is usually the most relevant condition when conducting investigations of patient. An important factor in undertaking the balancing test under the legitimate interest’s condition is to assess whether the patient would reasonably expect the type of processing.

Relying on patients’ consent to process its data, this will be considerably more difficult under the NDPR. Under the regulation, consent will not be valid unless it is: freely given (i.e. a product of an individual’s genuine free choice, specific and unambiguous. The patient must freely, informed and unambiguous consent to the processing of his data. Prior to collecting patient data, the health administrator must provide the patient with the identity of the hospital management, details of data protection officers and purposes of the processing for which the personal data are intended as well as legal basis for the processing and the period for which the personal data will be stored. It must also include the notice to the patient to lodge a complaint with NITDA if dissatisfied with the procedure.

Personal medical information may be disclosed to health professionals who are involved in the care. This is because personal health information is generally made available to other health professionals and health service providers who are involved in his care. Health administrator is liable for the actions or inactions of third parties, which handles the personal data of the patient including the health care givers or consultants.   It is important that patient’s collection and processing of privacy policy must be conspicuous on a board in the reception or on the website in way that patients in the locality or targeted patient can understand. Most of the major data processors such as; Google, Facebook, Whatsapp and foreign hospitals like Flying Doctors Nigeria, Primus International Super Specialty Hospital, Reddington Hospital, Dr. Hassans Hospital, Apollo Hospital with offices in Nigeria and abroad are bound by the regulation, regardless of whether the personal data of the patient it process is Nigeria or not. Similarly, the regulation applies to hospitals where Nigeria goes to take treatment abroad. These hospitals owe a duty to file compliance report with NITDA under the regulation. By reason of Nigeria’s mutual legal assistance agreement with most countries, NITDA can collaborate with Attorney General of the Federation (AGF) to go after foreign health administrators that breach data of patients’ if the need arises.

A personal health data intended for processing outside Nigeria can be transferred under the supervision of AGF and must ensure that the in post-democratic era. Their role in public enlightenment, data-driven governance rating and impact assessment is key for this regulation. CSOs and media working in health, governance and technology should be proactive in measuring the impact of the regulation in public health delivery and human right protection. Areas

of urgent enquiries include compliance level of health institutions, weight of sanctions, need for administrative reform. Media outfits must assist with the use of digital resources to conduct this investigation so as to easily link with tested audience and increase link with a larger audience within the shortest time.

There is positive relationship between press freedom and unregulated civil society. Faced with a trailer load of national emergencies amidst fast disappearing media and civil protection, there is a need for a free press and civic space. Civil societies in Nigeria have the capacity to scrutinize policies to adjustable advantage for the public and it should be encouraged so that they can change the way government officials do their work. The bottom line in this monitoring is to enhance service delivery. This to a large extent is to increase public trust and enhance the credibility of governance. Nevertheless, there is need for international funding and government support in the sphere of resources and capacity building so as to animate their operations and performance in promoting the regulation. It is in this way that its impact in promoting the use of the regulation will be in a manner consistent with the desire of the agency. Again, with the new high-speed technologies, it is easier to gain personal data, national secrets through cyberspace and multimedia. Personal health record attracts greater protection.  So it is advisable that health administrators minimizes the amount of personal information of patient collected although in most cases it will be difficult to completely remove the possibility of collecting this type of data.

The authors write from Benin City.