Nigeria does not currently have a strict data protection statute. The usual recourse is the CFRN, which guarantees 'privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications', and English common law.
Other relevant laws include the Nigeria Data Protection Regulation 2019 (NDPR) recently issued by the National Information Technology Development Agency; the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (promoting cybersecurity and protecting computer systems, programs, e-communications, intellectual property, privacy rights and system data); and the Freedom of Information Act 2011 (applicable only to personal information in the custody of public agencies and institutions in Nigeria). The Personal Information and Data Protection Bill is pending before the National Assembly. In practice, employers provide for data protection in their handbooks or employee contracts.
i Requirements for registration
There is currently no data protection agency requiring registration. Where data is used in the course of the company's usual line of business, consent or notification to the employee may, arguably, not be necessary. Where it is assumed that the employee's consent was obtained when executing the employment contract, a clause to this effect should be included in the handbook or contract. Under the NDPR, processing of personal data is considered lawful if, among other things, it is necessary for the performance of a contract in which the individual is a party, it is in compliance with a legal obligation, or consent has been given to its processing for one or more specific purposes.
In practice, companies tend to limit access to information about employees and company data by contractual terms. The need to ensure adequate data protection is commercially prudent. Also, the NDPR places a duty of care on any person entrusted with personal data and makes him or her accountable for acts or omissions arising from processing the data. The NDPR also requires any person or organisation involved in data processing or control of data to develop security measures to protect the data.
ii Cross-border data transfers
Any transfer of personal data undergoing processing or intended for processing after transfer to a foreign country or to an international organisation shall take place subject to the NDPR and under the supervision of the Honourable Attorney General of the Federation. The NDPR permits the transfer of data to a foreign country where, among other things, the consent of the individual has been obtained, the transfer is necessary for the performance of a contract, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of an employee between the employer and another entity. It is advisable for data being transferred to be used solely for the company business. The use of a joint-use agreement or safe harbour registration is discretionary.
iii Sensitive data
The NDPR defines sensitive personal data to mean data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information; and requires measures to be put in place to protect it. Nigeria does not operate a social security system; however, medical information, client–solicitor communications and bank–customer communications do enjoy conditional protection by law.
iv Background checks
Background checks are not the subject of statutory regulation. However, evidence suggests that many employers conduct such checks as a matter of prudence. The employee's approval may be required for certain checks. Credit and criminal records checks are allowed. There is no centralised credit registry in Nigeria, which means an individual's financial records are left in the custody of his or her bank, accessible only with clear authorisation and consent. Undertaking criminal checks, by discrete application to the Nigerian police, is a fairly common practice.