NDPR: Can commercial banks publish personal data of violators of PTA / BTA guidelines on their websites, in accordance with CBN guidelines?
Recently, the Central Bank of Nigeria (“CBN”) issued a directive to commercial banks to post the personal information of customers who violate the provisions of its PTA / BTA guidelines (“Guidelines”) on their websites. From a data protection point of view, this raises all kinds of red flags, as an individual’s name and Bank Verification Number (BVN) are classified as personal data, the processing of which must be carried out in accordance with the provisions of the Nigerian Data Protection Regulation (“NDPR”). In addition, Article 37 of the Nigerian Constitution of 1999 guarantees every individual their privacy, including the right to keep their information private.
This article aims to clarify whether the publication of personal data of defaulting bank customers complies with the provisions of the NDPR and other provisions relating to the protection of consumer data.
In law, the relationship between a bank and its customer is contractual in nature and is often characterized as that of a debtor – creditor with superimposed duties and obligations, on the bank’s side. One of these superimposed duties is the duty of secrecy or confidentiality. Simply put, a bank is required to keep the affairs of its customers secret. This obligation is not limited to account transactions – it extends to all information the bank has about the customer. This duty is not absolute, however, and exceptions include where the bank is required by law to make the disclosure; and when the client consents to the disclosure.
In addition, the NDPR, with a view to protecting the rights of individuals to data privacy, among other purposes, provides strict guidelines for the processing of personal data. In this regard, the NDPR stipulates that there must be a legal basis for the processing of personal data and has identified five legal bases – consent, legal obligation, vital interest, contract performance and public interest. The publication of customer information by a bank on its website, as required by the Directives, constitutes “processing” of personal data within the meaning of the NDPR. Therefore, the question arises as to whether CBN’s directive to publish the names of defaulters under the Guidelines constitutes a valid basis under the NDPR. For the purposes of this article and in accordance with the Bill of Rights, the focus will be on two of the five legal bases provided by the NDPR – Consent and Legal Obligation.
Legal obligation – Required by law to make the disclosure
As established in UBA Plc v Bakare Wasiu, the bank in possession of a customer’s money may be considered a trustee and therefore owes its customer an obligation of confidentiality with respect to that customer’s account details and related issues. However, where the bank is required by law to disclose a customer’s information, the customer’s right to privacy and confidentiality does not apply. For example, Article 31 of the Anti-Money Laundering Regulations provides that when the bank suspects a customer’s account of being used for fraudulent activities, it has a legal obligation to transmit this information to the competent authorities for criminal investigation. This is also in accordance with the provisions of Article 2.1 of the NDPR Implementation Framework, which exempts the applicability of the NDPR provisions in cases of transmission of personal data to regulatory bodies for the purposes of criminal investigation and the investigation of tax offenses, among others.
However, the publication of personal data of defaulters under the Guidelines does not fall under the transmission of data to regulatory authorities for criminal investigations and tax offenses, as provided by the NDPR. Consequently, this particular processing must identify one of the other legal bases for processing provided for in article 2.2 of the NDPR, in order to comply with the requirements of the NDPR.
Section 33 of the Central Bank of Nigeria Act 2007 (“CBN Act”) provides that the CBN may issue directives to any person and institution under its supervision. In addition, the Banks and Other Financial Institutions Act 2020 (“BOFIA”) gives the Governor of the CBN the power to regulate the functioning and control of all institutions under the supervision of the CBN. By virtue of the powers conferred on the CBN to enact regulations or to issue directives by the CBN Act and the BOFIA, it can be inferred that commercial banks have a legal obligation to comply with the directives issued by the CBN in the exercise of its statutory powers, to avoid the penalties applicable in the event of non-compliance.
In addition to the above, when commercial banks decide to publish personal data of defaulters under the Guidelines on their websites, they can rely on legal obligation as the legal basis for such processing of the customer’s personal data, i.e., that the processing was necessary for compliance with a legal obligation to which commercial banks are subject, under article 2.2 (c) of the NDPR.
Consent – Client Consents to Disclosure
Another possible legal basis for the publication of a customer’s bank details on the website of a commercial bank is Consent. Under the NDPR, consent is the default legal basis for valid processing of personal data. In this regard, article 2.1 of the NDPR stipulates that… personal data will be collected and processed in accordance with the specific, legitimate and lawful purpose granted by the data subject. Accordingly, data controllers (commercial banks, in this case) have an obligation to ensure that customers consent to every processing activity (including the publication of their personal information on their websites), and such consent must be informed and obtained without fraud, coercion or undue influence. In addition, the Bill of Rights authorizes commercial banks to disclose a customer’s account information when the customer has consented to such disclosure.
Under the NDPR, for this processing to be based on consent, the customers concerned would, at the time of the PTA or BTA request, have been individually informed of all the possible uses of their personal data for the purpose of obtaining the PTA or BTA, including the publication of their personal information on the website of the processing bank where they are in default under the Guidelines. At the same time, the banks would also have obtained a waiver of the right to customer confidentiality in such an event, along with an express consent to such publication. When the previous condition is met, the publication of personal data of defaulting customers under the Guidelines will be deemed to have been made on the basis of consent and therefore not in violation of the provisions of the NDPR.
While every individual has the right to privacy and should be able to protect their private information from indiscriminate and unauthorized disclosure to the public, personal information may be released in certain circumstances without infringing that individual’s right to privacy. These exceptional cases include cases where banks publish the personal data of defaulting customers under the Directives, in accordance with the CBN directive, the CBN being the regulator of the banking sector and the appropriate authority vested with the power to issue directives to any person or institution under its supervision, who are required to comply in order to promote a healthy financial system in Nigeria. Therefore, commercial banks are advised to update their data protection policy documents, including data protection notices, to include legal obligation or consent as the basis for posting details of defaulters under the Guidelines, to ensure compliance with the provisions of the NDPR.