Berkeley Legal | Data and Privacy Laws in Nigeria

02 Nov Data and Privacy Laws in Nigeria

Contrary to the belief that there is no comprehensive legislation regulating data protection and privacy in Nigeria, there are three principal pieces of legislation in this regard:

  • The Constitution of the Federal Republic of Nigeria, wherein Section 37 states that

“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”

  • The National Information Technology Development Agency (NITDA) Act 2007
  • The National Information Technology Development Agency (NITDA) Guidelines on Data Protection, made pursuant to the NITDA Act.

The NITDA is the national body responsible for planning, developing, and promoting the use of information technology in Nigeria. NITDA, in performing this duty, issues guidelines which prescribe the minimum data protection requirements for the collection, storage, processing, management, operation, and technical controls for information. The Guidelines are currently the only set of regulations that contain specific and detailed provisions on the protection, storage, transfer, or treatment of personal data in Nigeria.

The NITDA Guidelines define “personal data” as:

“any information relating to an identified or identifiable natural person (data subject); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.

Generally, the Guidelines contain principles that should be adhered to when dealing with the personal data of Nigerian residents, including its collection and processing. Some of these principles are as follows:

  • It must be processed lawfully and fairly
  • It must only be used for the purpose for which it was collected
  • It must be accurate and where necessary kept up to date
  • It must be processed in accordance with the rights of data subjects
  • Personal data must not be transferred outside Nigeria unless adequate provisions are in place for it to be protected

The NITDA Guidelines apply to Federal, State and Local Government agencies and institutions as well as private sector organisations that own, use or deploy information systems of the Federal Republic of Nigeria. They also apply to organisations based outside Nigeria where such organisations process personal data of Nigerian residents. However, there has been no indication of the Guidelines being adopted as the legislative authority that they are.

In addition to the above legislation, there are also some sector-specific laws and rules that relate to the privacy of data in Nigeria:

  • The Consumer Code of Practice Regulations 2007

This Regulation provides that all licensees (all telecommunication service providers) must take reasonable steps to protect customer information against “improper or accidental disclosure” and must ensure that such information is securely stored.

It also provides that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.

It is pertinent to note that the application of the Regulations is not restricted to Nigerian citizens alone; the regulation applies to customer information relating to customers of any nationality that use a licensee’s network.

  • The Nigerian Communications Commission RTS (Registration of Telephone Subscribers) Regulation 2011

The Regulation provides some form of protection to data collected, collated, retained, and managed by telecommunication companies operating in Nigeria and independent registration agents, in view of their obligations to collate and retain data of subscribers under the Regulation (see sections 11 & 35). Section 9 of the Regulation provides that subscribers’ information contained in the Central Database shall be held on a strict confidentiality basis and that no person or entity shall be allowed access to any subscriber’s information that is on the Central Database except as prescribed by the Regulation.

  • The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015

This Act provides a legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria including identity theft, cybersquatting, hacking and even child pornography. It also allows the interception of electronic communication by way of Court Order, where there is reasonable ground to suspect that the content of any electronic communication is reasonably required for the purposes of criminal investigation or proceedings and so on.

  • The National Identity Management Commission (NIMC) Act 2007

The Commission is empowered to establish, operate and manage the National Identity Management System (NIMS), carry out the enrolment of citizens and legal residents, create and operate a National Identity Database, and issue Unique National Identification Numbers to qualified citizens and legal residents.

Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information contained in the Database with respect to a registered individual entry without the authorization of the Commission. However, the Commission is empowered to provide a third party with information recorded in an individual’s entry in the Database without the individual’s consent, provided it is in the interest of National Security.

  • The Freedom of Information Act, 2011 (FOI Act)

The Act seeks to protect personal privacy and it provides that a public institution is obliged to deny an application for information that contains personal information, unless the individual involved consents to the disclosure, or where such information is publicly available. The Act also provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc).

  • Electronic Transactions Bill 2015

This Bill, although not yet assented to by the President of the Federal Republic of Nigeria, contains certain provisions relating to data protection. These provisions, if passed, will apply to any business which involves the processing of personal data, whether by automated means, using computers, or by non-automated means where such data forms part of a filing system.


Berkeley Legal has the requisite expertise to proffer detailed legal opinions on data protection and privacy in Nigeria.