Data Protection
The Diocese of Lagos South West's Privacy Notice provides detailed information about how we handle your personal data.
Clergy and PCCs need to comply with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act 2023. The best way to start is to follow our simple steps.
Review all the personal data
What policies and guidance are in place already?
Where is your data held?
Consent
Third party risk
Subject access requests
Fines
Eight rights of data subjects
Important next steps
Resources
The Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023 are stronger versions of data protection legislation that take into account the massive changes in technology since earlier data protection laws were introduced. The NDPR enhances and strengthens an individual's rights.
This guide is intended to give the Clergy as the Data Controller, PCCs and Data Compliance Officers information on the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023.
This is not a definitive guide. There is a wealth of information available from the Nigeria Data Protection Commission (NDPC). This document is designed to get PCCs thinking about the data they hold and what plans and actions they need to take to get compliant.
Each PCC will need a data controller and a data compliance officer. These are named individuals whose contact details appear on the consent forms and privacy notices.
The Data Compliance Officer will need to ensure that everyone in the PCC is aware of NDPR and that everyone takes responsibility for ensuring personal data is held securely and managed in compliance with the regulation. For clergy, the role is one of data controller which means they will need to ensure overall compliance within their benefice(s).
Important First Steps
Here are 7 key steps for PCCs to take to ensure compliance:
1. Review all the personal data held.
- What data do you hold?
- Why do you hold it?
- Who has access to the data?
- How is the data secured?
Carry out a Data Audit Exercise. Examine the various types of data processing carried out, identify the legal basis for each and document it. A simple table listing what you hold, why you hold it, who can access it and how long you keep it will highlight where the gaps in your compliance are. This review process is a good way to capture all the data held and will be a good point of discussion at a PCC meeting to decide what needs to be done next.
Who has access to the data should be clear. Only those that need to see it should have access.
2. What policies and guidance do you already have in place?
The Church of Nigeria (Anglican Communion) website has a wealth of guidance policies on its Record Management page and these should be referred to by PCCs to form the basis of their own policies.
A clear policy for the retention of data is essential, and personal data must be erased without delay when:
- it is no longer necessary for purpose
- the data subject withdraws consent
- there are no longer any legal grounds to hold or process that data
Data cannot be kept indefinitely, and PCCs must remove data when asked by the data subject. There are exceptions to this removal request:
- For vital interests or public interest
- Archiving in relation to public interest, scientific/historic and statistical research
- Exercise of legal claims
3. Where is your data held?
Think about where your data is held and its security.
- Does it reside with 3rd parties on IT systems such as cloud suppliers, or in church members' homes?
- Are the records you hold about data subjects electronic or paper based?
- How are the IT or paper systems protected? (Passwords, encryption, lockable drawers, safes.)
- Who needs authorised access to this data and information?
Security must be considered as part of the implementation of any system used to store or process data. You should only collect the data you need, keep it only as long as needed to fulfil an agreed purpose, and then delete it.
4. Consent
Under NDPR, consent cannot be assumed and must be laid out in simple terms in the forms individuals complete. Active consent is required, and inactivity does not imply consent. Written consent is the recommended option because evidence of consent must be provided when asked for by either individuals or the NDPC. The person consenting must know exactly what the PCC proposes to use their data for. If the data subject is under 18 then you must obtain parental consent. PCCs need to think about how they will handle requests to have data removed and how this would be done.
In order to obtain clear, unambiguous consent from individuals to hold their data, PCCs will probably need more than one consent form. One size will not fit all. Consent forms should clearly indicate how long the data will be held.
Children. NDPR sets the consent age at 18 in Nigeria. Parental or guardian consent will be required if the person is under 18.
NDPR does not mean you cannot conduct "business as usual". What it does mean is that when you do hold individuals' personal details, protecting these details is paramount, and the consent form must make clear what the data will be used for and for how long.
5. 3rd Party Risk
Is data shared with people or organisations outside of your PCC?
If any personal data you hold is "processed" by another company, you would be wise to confirm that the company complies with data protection law and NDPR. For clarity, if they are breached and a complaint is upheld, you as the data controller (owner) remain equally liable. You will also need to review contracts held with companies that process data on your behalf. It is the PCC's responsibility to ensure the "processor" processes the data you give them in accordance with NDPR.
Contracts with third parties that have access to the personal data you hold should include a statement confirming that they comply with NDPR. Companies must demonstrate that they have the appropriate policies and security measures in place to protect the data. In these circumstances the PCC is the controller of the data and the 3rd party company is the "processor" of the data.
6. Subject Access Requests (SAR)
Individuals have the right to request a copy of all the personal data held. This means providing copies of all electronic and paper documents that contain their details or reference to them.
Personal data also includes footage held on a CCTV system, where the individual is the focus of the footage and/or they are clearly identifiable.
You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected.
The Data Compliance Officer (the PCC Secretary is the obvious choice, but it could be a named employee) will be the contact for any Subject Access Requests.
If the SAR is valid and permissible, the data has to be supplied within 30 days of the request being deemed valid. You should therefore ensure that the PCC and the Data Compliance Officer have procedures in place to comply with these requests promptly. Charging for requests is generally not permitted. Excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
What to do if you identify a breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If your data is breached and the breached data could cause material or emotional harm to the individual, you have just 72 hours to declare it to the NDPC and, if severe, also to the data subject. The 72 hours run from the point at which you become aware of the breach. Note: if the data is breached but is encrypted, i.e. it cannot be accessed by anyone and therefore will not cause harm, you do NOT need to declare the breach.
7. Fines
The fines that can be imposed due to non-compliance depend on the severity of non-compliance. Examples of fines are:
- A warning in writing in cases of first and non-intentional non-compliance
- A fine up to 2% of annual gross revenue or 10 million Naira, whichever is greater
- For more serious violations, a fine up to 5% of annual gross revenue or 25 million Naira, whichever is greater
The eight rights of Data Subjects
PCCs need to note the eight key rights of data subjects. (The data subject is the individual whose personal data is held.)
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed
In order to ensure that personal data is processed fairly, PCCs must provide certain minimum information to data subjects, regarding the collection and further processing of their personal data. NDPR states that such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The right of access
Data subjects have the right to file a subject access request (SAR) and obtain from PCCs, via the data compliance officer, a copy of their personal data, together with an explanation of the categories of data being processed, the purposes of such processing, and the categories of third parties to whom the data may be disclosed. NDPR requires PCCs to respond to SARs with information including details of the period for which the data will be stored (or the criteria used to determine that period) and information about the other rights of data subjects. A SAR must be responded to within one month.
The right to rectification
Data subjects have the right to require PCCs to correct errors in the personal data held.
The right to erasure
Data subjects can request that PCCs delete their personal data when the data is no longer needed for its original purpose, or where the processing is based on consent and the data subject withdraws that consent (and no other lawful basis for the processing exists).
The right to restrict processing
This is a new feature of NDPR. In certain circumstances, where personal data cannot be deleted because it is required for the purposes of exercising or defending legal claims, or where the data subject does not wish to have the data deleted, the PCC may continue to store the data, but the purposes for which the data can be processed are strictly limited. E.g. a marriage certificate is a legal document, and a data subject could not request that the information be deleted.
The right to data portability
This is a new feature of NDPR. It permits the data subject to receive a copy of his or her personal data in a commonly used electronic format, e.g. a Microsoft Word document.
The right to object
Data subjects have a right to object to processing of their personal data on certain grounds, in addition to the right to object to processing carried out for the purposes of profiling or direct marketing.
Rights in relation to automated decision making and profiling
Data subjects have the right not to be subject to decisions based solely on automated processing which significantly affect them. In reality for PCCs automated decisions are unlikely to be an issue but it is important to be aware of this right.
The Requirements of the NDPR
NDPR requires that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the NDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Important Next Steps
The Church of Nigeria (Anglican Communion) Parish Resources website has useful guidance that you should read, and it contains useful documents for you to adapt and use.
Parishes will also need to produce a privacy notice, and a sample privacy notice is provided which can be amended and adopted. If you have a website, it is good practice to make the privacy notice available online. Guidance on how to write your own privacy notice is also available.
Finally, do check that your procedures are up to date, such as what to do if people request to see the data stored about them, and review your breach management procedures to ensure you know what to do in the event of a breach.
Contact Information
For questions about data protection compliance, please contact:
Address: Diocese of Lagos South West, Festac, Lagos, Nigeria
Telephone Number: +234 1 234 5678
Email: info@lagossouthwest.anglican.org
