A Website Owner's Guide to Data Privacy and Protection in Nigeria
*Reviewed 26th August 2021*
Data privacy is the proper and responsible collection, creation, use, sharing, retention and disposal of information about people. It also includes decisions about when not to collect, not to create, not to share and not to permit certain use of information to protect a person's privacy interest.
In this day and age of the internet, a large number of people have their personal data online. These data mostly include name, address, pictures, email address, bank details, or medical information. These data reveal sensitive personal information that can be exploited to harm users, often for economic gain. It has therefore become important to protect data and regulate the way data is used.
It is the practice worldwide, through various laws and enactments, that people should be able to decide whether or not they want to share some information, who gets access to their information, the duration of that access and the reason for the access, and they should also be able to modify some of this information, if necessary. For more insight you can see our article on an Overview Of The Nigeria Data Protection Regulation.
As a website owner, you collect people's data, and that places a set of obligations on you that you should be aware of.
Legal Framework for Data Protection in Nigeria
Unlike other climes and jurisdictions like Europe and the United States, Nigeria is yet to develop a robust framework for data privacy and protection. There are, however, some laws that are applicable in that field, and you should not take chances with data privacy and protection.
The Constitution: This forms the foundation of data privacy rights and protection in Nigeria. Section 37 of the Constitution provides that privacy is a fundamental right which can be enforced in a court of law.
The NCC Consumer Code of Practice Regulation 2007: Part VI of this law seeks to protect consumers' electronic, written and verbal data. This law applies to the telecom sector.
The Freedom of Information Act 2011: Section 14 of this Act protects personal data.
The Consumer Protection Framework 2016: This framework by the Central Bank of Nigeria applies to financial institutions. It prohibits them from disclosing the personal information of their customers amongst other requirements.
The Nigerian Data Protection Regulation 2019: This applies to all natural persons of Nigerian descent, whether residing in Nigeria or outside Nigeria. It also applies to all transactions intended for the processing of personal data and to actual processing of personal data. For the purpose of this article, this Regulation will be our focus.
There are other regulations and laws like the National Health Act 2014, the National Identity Management Commission (NIMC Act) 2007, The Cybercrimes (Prohibition, Prevention, etc.) Act 2015, The Child Rights Act 2003 and others which exist to ensure data privacy and protection for all categories of Nigerians.
Obligations of the Website Owner
You are required to state the purpose of the collection of the data. This information is important because people ought to know why you are collecting their information and what you intend to use the information for.
Consent must be obtained from the individuals. It must be obtained without fraud, coercion or undue influence. In addition, you must inform the person sharing information of their right to withdraw consent at any time.
You are required to put in place security measures to ensure that the data being processed is properly protected. This means that, as a website owner, you are required to ensure that your system is adequately protected by setting up firewalls, protecting it from hackers, using data encryption technologies, allowing only a limited set of individuals to have access to the data, etc.
You are also required to notify your customers if your privacy policy changes.
When you transfer data to a third party, you have to show that the owner of the data has consented to the transfer of that data. There must be a written contract with the third party and you have to ensure that the third party complies with the Regulation.
Collect and process data in accordance with specific, legitimate and lawful purposes that the data owner consented to.
Ensure the personal data is adequate, accurate and without prejudice to the dignity of the human person.
Store the personal data only for the period within which it is reasonably needed.
In conclusion, you should note that as a person in the possession of personal data, you owe a duty of care to the owner of the data and you would be responsible for any act or omission in respect of the data. In addition, processing of personal data would only be considered lawful if at least one of the following applies:
Consent is obtained;
The data is being processed for the performance of a contract;
The data is being processed for the purpose of compliance with a legal obligation;
The data is being processed to protect the vital interests of the owner of the data; and
Processing is for the performance of a task carried out in the public interest.