A Federal High Court in Lagos has directed the Psychiatric Hospitals Management Board to release to Media Rights Agenda (MRA) the Data Protection Policies of the Federal Neuro-Psychiatric Hospital in Yaba, Lagos, without compromising the confidentiality and privacy of its employees and patients, following a request made by the organization under the Freedom of Information Act, 2011.
The presiding judge, Justice Oluremi Omowunmi Oguntoyinbo, however, refused to grant MRA’s prayer for the award of N1 million which the organization claimed as exemplary and aggravated damages against the hospital and its management board for their violation of the organization’s right of access to information when they refused to disclose the information requested by MRA in its letter dated May 22, 2020.
She also declined other reliefs sought, including a declaration that the failure and/or refusal by the hospital’s management board to grant MRA access to the information requested in its letter dated May 22, 2020 is a violation of the organization’s right of access to information established and guaranteed by Sections 1(1) of the FOI Act; a declaration that it constitutes a wrongful denial of access to information under Section 7(5) of the FOI Act; a declaration that their failure to give a written notice to MRA that access to all or part of the information requested will not be granted and stating reasons for the denial as well as the section of the FOI Act under which the denial is made amounts to a violation of Section 4(b) of the Act.
Besides ordering the hospital’s management board to make copies of all data protection policies of the hospital issued in conformity with the Nigeria Data Protection Regulation (NDPR), 2019 available to MRA, Justice Oguntoyinbo refused to order the institution to disclose the other information requested by MRA, including:
- The name and contact details of the Data Protection Officer of the hospital, designated in accordance with the NDPR, and its relevant data privacy instruments and data protection directives;
- Details of all capacity building training or other capacity building activities undertaken for the Data Protection Officer of the hospital and its other personnel involved in any form of data processing since the issuance of the NDPR;
- The number of persons or individuals whose personal data the hospital processes on an annual basis, that is over a period of 12 months;
- A report from a detailed audit conducted by the hospital of its privacy and data protection practices in accordance with the NDPR, which should contain the personally identifiable information it collects on its employees and members of the public; the purpose for which the personally identifiable information is collected; copies of any and all notices given to individuals regarding the collection and use of their personal information; details of any access or opportunities given to individuals to review, amend, correct, supplement, or delete their personal information collected or held by the hospital; information on whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and details of any method used to obtain consent; copies of the policies of the hospital and details of its practices for ensuring the security as well as proper use of personally identifiable information; copies of its policies and details of its procedures for privacy and data protection, for monitoring and reporting violations of privacy and data protection policies, and for assessing the impact of technologies on its stated privacy and security policies.
In her ruling in MRA’s suit brought on behalf of the organization by Lagos lawyer, Mr. Alimi Adamu, against the hospital and its management board, Justice Oguntoyinbo refused to order the Attorney-General of the Federation to initiate criminal proceedings against the hospital and its management board for the offence of wrongful denial of access to information under Section 7(5) of the FOI Act.
The judge said she was aware that by virtue of Section 1(1) and (2) of the FOI Act, information, data and/or documents in the custody of public officials and institutions are to be provided upon application for the purposes of accountability, transparency and integrity, but that the right vested in MRA is not absolute.
She ruled that the information sought by MRA was beyond the threshold allowed by Regulation 4.1(1) of the NDPR, which “exclusively touches on data protection policies only and nothing more”.
The judge also held that by Section 12(1)(a)(iv) and Section 14(1)(a), (b) and (c) of the FOI Act, the information sought by MRA violates the hospital’s personnel and patients’ privacy, confidentiality and dignity, adding that since Section 37 of the 1999 Constitution guarantees the protection of the privacy of citizens, the hospital and its management board could not lawfully grant MRA’s entire requests.