Privacy - NDPC

PREAMBLE:

Nigeria Data Protection Commission [hereafter referred to as “Data Controller” or NDPC] is an establishment of the Federal Government of Nigeria. The central mandate of NDPC is to implement the Nigeria Data Protection Act (NDPA) 2023.


Our contact information is provided under ARTICLE 12 of this Data Privacy Policy.


This privacy policy is in furtherance of section 37 of the Constitution of the Federal Republic of Nigeria (CFRN) 1999 (as amended), the Nigeria Data Protection Act (NDPA) 2023 and all other legal instruments designed to protect the privacy rights of natural persons.


As the “Data Controller”, we are cognizant of the privacy rights of all natural persons who are part of NDPC or interact with us on all our data processing mediums or platforms. These classes of people are our “Data Subjects”. As a responsible establishment, we are committed to safeguarding the privacy rights of our data subjects through this strict privacy policy. It shall complement the extant legal regulatory framework as an internal standard of care we owe our “Data Subjects”.


ARTICLE 1: OUR GUIDING PRINCIPLES ON DATA PROCESSING

In processing your personal data, we adhere strictly to the principles of data processing as set out under S.24 of the NDPA. Our obligation in terms of these principles is to ensure that personal data is:


  • a) processed in a fair, lawful and transparent manner;
  • b) collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes;
  • c) adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed;
  • d) retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed;
  • e) accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and
  • f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.

Furthermore, we are committed to ensuring accountability, demonstrating duty of care to you and also upholding data confidentiality, integrity and availability.

ARTICLE 2:- CONSENT OF DATA SUBJECT

Except as otherwise required by operation of law or principles of law, your consent as the data subject is paramount in our considerations. You have the right to give, withhold or otherwise withdraw your consent to data processing. For further understanding of the operation of the principle of consent under data processing, see S.26 of the NDPA 2023.


ARTICLE 3:- OUR SCOPE OF DATA PROCESSING

In varying degrees, vis-à-vis the services we provide for you or your level of engagement with us, we do process your personal data. Below is a table containing the major types of personal data, the purpose and the lawful bases for processing them:


| S/N | PURPOSE OF COLLECTION | TYPE OF DATA | LAWFUL BASIS |
|-----|-----------------------|--------------|--------------|
| 1 | REGULATORY ACTIONS | Name, Phone, Email Address, Contact Address, Sex, Date of Birth, passport and educational record. | LEGAL OBLIGATION. Some instances may involve public interest. |
| 2 | NOTIFICATIONS | Name, Phone, Email Address, Contact Address, Sex and Date of Birth. | LEGAL OBLIGATION. Some may require consent as prescribed by the NDPA. |
| 3 | DATA ANALYTICS | Name, Phone, Email Address, Contact Address, Sex and Date of Birth. | CONSENT. (To ensure that our services suit the purpose of data subjects and to measure our performance). Some may involve legitimate interest or legal obligation where analytics are tailored towards crime prevention. |
| 4 | SECURITY | Name, Phone, Email Address, Contact Address, Sex, Date of Birth and passport. | LEGAL OBLIGATION. For safety and security of lives and property. Some may involve legitimate interest or public interest where analytics are tailored towards crime prevention. |
| 5 | EMPLOYMENT | Name, Phone, Email Address, Contact Address, Sex, Date of Birth, passport, medical record, educational record. | CONTRACT. This is the major lawful basis. Some instances may involve other lawful basis such as consent, vital interest or legal obligation. |
| 6 | CONTRACT | Name, Phone, Email Address, Contact Address, Sex, | CONTRACT. Some instances may involve legitimate interest or public interest - particularly in carrying out due diligence. |

Please note that the categories of data and the lawful basis provided are not exhaustive. We are governed by the NDP Act and we process data without prejudice to your rights as a data subject.

ARTICLE 4:- RIGHTS OF DATA SUBJECTS

We hold your privacy rights very dear to our operations. Apart from the right to give, withhold or withdraw consent, you have rights to all relevant information that may guide you in making informed decisions about your personal data. For example, you have the right to be notified of anyone or any place to which we may transfer your personal data. Your rights under S.34 and S.35 NDP Act include but are not limited to the following:


  • a) Right to be Informed: You can request a copy of the personal data we hold about you.
  • b) Right to Rectification: You can request us to correct any inaccurate or incomplete personal data we hold about you.
  • c) Right to Object to Processing: You can object to how we use your personal data, in certain situations. You can also request that we limit the way we use your personal data.
  • d) Right to Data Portability: You can request a copy of your personal data in a format that allows you to easily move it to another service provider.
  • e) Right to be Forgotten: You have the right to request that your data with us be forgotten.
  • f) Right in Relation to Automated Decision Making (which essentially entitles you to human intervention).
  • g) Right to Withdraw Consent: You have a right to withdraw, at any time, consent to the processing of your personal data.

Note that you also have a right to lodge a complaint with the Commission. See Part VI of the NDP Act.

ARTICLE 5:- WITHHOLDING RELEVANT DATA

There are types of personal data that are mandatory for us to process in order to carry out your instructions or perform our legal mandate for your benefit. If you withhold such information, it may be impracticable to carry out our mandate in relation to you. If you seek more clarification on our data processing, contact our designated Data Protection Officer as provided under ARTICLE 12 below.


ARTICLE 6:- TRANSFER OF DATA TO A THIRD-PARTY

As a public establishment, third parties may wish to provide essential services to you (through our platforms) while relying on the relevant lawful bases for processing your personal data in this regard. The type of data usually processed for this may be your contact details. Where such services depend on consent, you have the right to decline and further restrict the processing of your personal data. You can simply unsubscribe to the notices sent for the purpose of such services.


ARTICLE 7:- TECHNICAL INFORMATION AND COOKIES

Customarily, websites are designed to collect certain information from the visitor. Our website is also designed to collect your IP address and other information that your web browser typically shares with the websites that you visit. The purpose of this is to know you better and to automatically and dynamically engage with you through your actions on our website. “Cookies”, in computer parlance, are text files that are downloaded to your browsing devices such as phones or computers when you browse pages of websites. They contain small amounts of data and their essential function is to intelligently memorise your preferences and therefore present them to you as choices when you are browsing – even at different times. Note that various websites use cookies for different purposes some of which may undermine your privacy rights. We have taken measures to ensure that all methods adopted by us to engage automatically with you do not violate your privacy rights under the NDP Act. In the case of cookies, we ensure that they have security protocols and are not vulnerable to abuses by anyone.


ARTICLE 8:- PERSONAL DATA SECURITY AND INTEGRITY

We use cutting-edge technologies and foolproof protocols to provide you with comprehensive layers of security in the area of personal data. Thus, we are constantly vigilant in preventing cyber-attacks, fraudulent intrusion, unauthorised access, loss or corruption of personal data. We are equally cognizant of the obligations imposed on us by law in terms of data protection. Accordingly, we conduct reviews of process and privacy impact assessment, carry out trainings and obtain strict warranties where applicable.


ARTICLE 9:- STORAGE LIMITATION AND PURPOSE

The purpose of data processing usually determines the length of time within which your personal data is stored with us and the residue of data actually stored for this purpose. We collect and store personal data that is reasonably required by law or best practice to serve you or respond to legitimate enquiry about our transaction with you. We take this responsibility very seriously in view of the need for you to enjoy your privacy as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria and international human rights law.


ARTICLE 10:- CAVEAT ON WEBSITE LINKS:

Our website may contain links to other websites. Save and except as otherwise expressly stated by us, any link to another website is not covered by our privacy policy. We strongly advise that you should satisfy yourself with the details of any privacy policy provided on other websites or links.


ARTICLE 11: TRANSFER TO THIRD PARTIES AND COUNTRIES

In carrying out our mandate effectively, we may require the services of third parties who may be within or outside the NDPA jurisdiction (Nigeria). Examples of such services include but are not limited to the following:


  • a) Internet connectivity,
  • b) Cloud storage,
  • c) Data analytics,
  • d) Data security, and
  • e) Software development.

In transferring your data to third parties, we shall be guided by the NDPA. See PART VIII of the NDP Act.

ARTICLE 12: DATA PRIVACY SERVICE UNIT (DPSU)

We have provided a platform to respond promptly and satisfactorily to all your requests, suggestions and complaints. This is called the DPSU. We have a Data Protection Officer who is responsible for prompt action on your data privacy. Contact the DPSU via this link: dpo@ndpc.gov.ng. Our DPSU serves as the internal mechanism to carry out the following services amongst others:

  • a) Data protection regulations compliance and breach services
  • b) Data protection and privacy advisory services
  • c) Data protection capacity building
  • d) Data Regulations Contracts drafting and advisory
  • e) Data protection and privacy breach remediation planning and support services
  • f) Information privacy audit
  • g) Data privacy breach impact assessment
  • h) Data Protection and Privacy Due Diligence Investigation
  • i) Data Protection Officer

ARTICLE 13: DATA DELETION

You can request the deletion of your personal data at any time. We will take reasonable steps to delete your personal data upon request, subject to any legal or regulatory requirements. We have established procedures for the secure deletion of personal data that has exceeded its retention period or is no longer necessary for business purposes. These procedures are designed to ensure the complete and irreversible destruction of your data while maintaining data security. The outline of our data deletion process is as follows:

  • a) Identification: We regularly review our data storage systems to identify personal data that has reached the end of its designated retention period or is no longer required for legal or business purposes.
  • b) Scheduling: Data identified for deletion is placed on a scheduled deletion list. This schedule considers the type of data, legal requirements, and potential risks associated with deletion delays.
  • c) Overwriting: Data slated for deletion is overwritten with random characters or patterns. This process renders the original data unreadable and unrecoverable.
  • d) Verification: After overwriting, we verify that the data deletion process has been successful and the original data is no longer accessible.
  • e) Audit Trail: We maintain an audit trail of all data deletion activities. This trail includes details like the type of data deleted, the date of deletion, and the individual responsible for the deletion.

In addition to our automated deletion processes, you can also request the deletion of your personal data at any time through our Data Subject Access Request Form. We will take all reasonable steps to fulfill your request within a commercially reasonable timeframe, subject to any legal or regulatory requirements. There may be certain situations where we are unable to completely delete your personal data. This may occur if:

  • We are required by law to retain your data for a specific period.
  • The data is necessary to resolve a legal dispute or enforce our terms of service.
  • The data has been anonymised and is no longer personally identifiable.

In these cases, we will take steps to limit the processing of your data to the extent necessary.



ARTICLE 14:- DATA SUBJECT ACCESS REQUEST

A Data Subject Access Request (DSAR) is a request from an individual to access their personal data that is in the possession of the NDPC. This data may include your name, contact information, demographics, and any other information that can directly or indirectly identify you.
You can submit a DSAR by sending an email to us at dpo@ndpc.gov.ng or by completing the DSAR form available here and sending the completed form via email to dpo@ndpc.gov.ng. Your request should clearly specify the information you are requesting. We may ask you for additional information to verify your identity before processing your request.
To protect your privacy and ensure we provide access to the correct data, and to the appropriate data subject, we may request additional information to verify your identity. This verification process may involve asking for identification documents (e.g., driver's license, passport) and verifying information associated with your account.
We will endeavor to respond to your DSAR within 30 days by confirmation of your request and provision of the requested information in a clear, concise and electronic format. If we are unable to provide you with the information you have requested, we will explain why the information cannot be provided. We will respond to your DSAR free of charge; however, a fee may be charged where the request is clearly unreasonable, submitted too frequently or where your request involves the same information repeatedly within a short time frame.


ARTICLE 15: REMEDIATION

Our data subjects are encouraged to report any complaint or concern about their data privacy through the DPSU. Our team at the DPSU shall take action to redress any grievance within 7 (seven) working days. If this extends for any reason, the data subject will be duly notified and appropriate measures will be taken to ensure that the rights and interests of the data subject are protected.



ARTICLE 16:- ALTERATION OF PRIVACY POLICY

The Data Controller (NDPC) reserves the right to alter the foregoing policy for the purposes of advancing data privacy rights, public interest or complying with lawful directives of the Federal Government – in line with the safeguards under the NDP Act and the 1999 Constitution of the Federal Republic of Nigeria.