The collection and processing of personal data by employers have become a ubiquitous practice. However, this practice raises important questions about the balance between employers’ legitimate interests and employees’ right to privacy. A relevant landmark case is the Morrisons Supermarket data breach in 2014, where a disgruntled employee leaked the personal data of over 100,000 employees online, resulting in a £16.5 million fine and significant reputational damage to the business. The breach not only affected the employees but also led to a loss of customer trust, ultimately impacting the supermarket’s bottom line. Although the decision was later overturned at the Supreme Court, which unanimously agreed that Morrisons Supermarket was not liable for the actions of Skelton, employers should not become complacent. Drawing an inference from Section 51 of the NDPA, an employer can still be jointly or vicariously liable for the actions of employees that result in a data breach where there is a ‘sufficient connection’ between their nefarious activities and what they are paid to do. To avoid liability, employers need to take all necessary steps to comply with the NDPA, including having the appropriate safeguards in place (i.e., training, policies, and monitoring) to protect against data breaches by rogue employees. The facts in the Morrisons case were quite extreme, and there are many other situations where not having the proper safeguards in place will come back to haunt employers.
The Legal Framework for Data Processing
The legal framework for data processing in Nigeria provides employers with four primary grounds for processing employee personal data, namely: employee consent, fulfilling the employment contract, compliance with legal obligations, and legitimate interests. While these grounds offer a foundation for employers to process employee data, they are not without limitations and potential pitfalls. For instance, relying solely on employee consent can be problematic due to the power dynamics at play in the employer-employee relationship, which may lead to implicit coercion. Similarly, fulfilling the employment contract and compliance with legal obligations may not cover all scenarios, leaving room for ambiguity. Moreover, the legitimate interests ground, while a viable option, requires a delicate balance between the employer’s interests and the employee’s rights and freedoms. Therefore, employers must navigate these grounds carefully, ensuring they prioritize transparency, employee rights, and compliance to avoid potential legal and reputational consequences.
Processing Sensitive Employee Data
Under the Nigeria Data Protection Act (NDPA), the processing of sensitive employee data is subject to stringent exceptions, with explicit consent being a crucial requirement. Sensitive employee data encompasses information related to an individual’s health, trade union membership, religious beliefs, and other personal attributes that are considered sensitive in nature. Given the potential risks associated with the processing of such data, the NDPR mandates that employers obtain explicit consent from employees before processing their sensitive data.
Explicit consent, in this context, refers to a specific, informed, and unambiguous expression of consent by the employee, indicating their agreement to the processing of their sensitive data. This means that employers must provide employees with clear and concise information about the purpose, scope, and implications of processing their sensitive data, and obtain their voluntary and informed consent.
The requirement for explicit consent serves as a safeguard against the potential misuse of sensitive employee data, ensuring that employees have control over their personal information and are aware of how it will be used.
Compliance with Labour Laws and Regulations
In addition to the NDPA, Nigerian employers must also comply with relevant labour laws and regulations, including the Labour Act, the Employee Compensation Act, and the National Health Act. These laws provide a safety net for employees, protecting their rights and interests in the workplace.
Conclusion
In conclusion, the protection of employee data in Nigeria is a complex issue that requires careful consideration of labour law and data protection laws and regulations. Employers must prioritize transparency, employee rights, and compliance to create a safe and secure work environment. By doing so, they can foster trust and loyalty among their employees, ultimately benefiting both the organization and the individuals who work for it.