TITLE PAGE
UNIVERSITY OF NIGERIA
INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) POLICY
TABLE OF CONTENTS
Title Page
Executive Summary
1.0 INTRODUCTION
1.1 ICT Vision
1.2 ICT Mission
1.3 Purpose of Policy
1.4 Scope of the Policy
1.5 Definition of Terms
2.0 GOVERNANCE STRUCTURE
2.1 Introduction
2.2 Structure
2.2.1 The ICT Management Board
- Director of ICT Centre
- Qualification for Director of ICT Centre
2.2.2 ICT Technical Committee
2.2.3 The ICT Centre
2.2.4 Other ICT Related Centres
3.0 RESPONSIBILITIES OF THE UNITS OF ICT CENTRE
3.1 Administration Unit
3.2 Network Unit
3.3 Hardware Unit
3.4 Innovation Unit (including E-Learning)
3.5 Training Unit
3.6 CBT/CBE Unit
3.7 Customer Service Unit
3.8 WEB Ranking Unit
3.9 Website Unit
3.10 Portal Unit
3.11 Quality Assurance and Complaint Management Unit
3.12 Monitoring and Evaluation Unit
4.0 ICT SERVICE MANAGEMENT POLICY
4.1 Privacy, Data Security and Integrity
- Data Owner
- Data Custodian
- Data User
4.2 Access User Ethics
4.3 Code of Conduct and Operational Ethics for ICT Staff
4.3.1 Server Room/Data Centre
4.3.2 Data Protection
4.3.3 Specific Day-To-day Operations and other Responsibilities of the ICT Centre
4.3.4 Protection of other ICT Physical Infrastructure
4.4 Responsibility of other Users/(End Users)
4.5 Use of University Official Email (Access, Decommissioning)
5.0 RESPONSIBILITIES OF HEADS OF ACADEMIC AND
ADMINISTRATIVE UNIT
5.1 University Librarian
5.2 Provost
5.3 Director of Academic Planning…
5.4 Deans and Director of Institutes and Centres
5.5 Heads of Academic Departments/Programmes
5.6 Heads of Administrative Unit
6.0 ICT POLICIES FOR TEACHING, LEARNING, RESEARCH AND
COMMUNITY DEVELOPMENT
6.1 Policy on TLR
6.2 Policy on Community Development
6.3 Policy on the Integration of AI in Digital Education (DE)
6.4 Policy on University Library
6.5 Responsibilities of Lecturers (including Academic Advisers and Exam Officer)
6.5.1 Responsibilities of Lecturers…
6.5.2 Responsibilities of Academic Advisers
6.5.3 Responsibilities of Examination Officers
6.6 Responsibilities of Students
6.7 Administrative and Technical Staff
7.0 POLICIES ON ADMINISTRATIVE GOVERNANCE
7.1 Policy on Staff Recruitment
7.2 Policy on Assessment and Promotion
7.3 Policy on Internal/External Communication
7.4 Policy on Documentation
7.5 Policy on Registry Activities
7.6 Policy on Bursary Activities
7.7 Policy on Audit Activities
7.8 Policy on Official Meetings
7.9 Policy on Home-grown ICT Solutions
7.10 ICT Procurement and Management Policy
8.0 POLICIES ON ICT ENHANCED IGR ACTIVITIES
8.1 Policy on Commercialization of Teaching, Learning and Research (TLR)
8.2 Policy on University Enterprises
8.3 Policy on Distant-Learning
8.4 Policy on UNN Payment Platform
9.0 POLICIES ON DEVELOPMENT OF THE UNIVERSITY ICT INFRASTRUCTURE
9.1 Procurement of ICT Goods and Services
9.2 Decommissioning of ICT Equipment and E-Waste Management
9.3 ICT Budget
9.4 Short Term Actions Identified and Recommended (1-5 Years)
9.4 Medium Term Investment (6-10 Years)
9.5 Long Term Development and Management of the University
ICT Infrastructure (> 10 Years)
10.0: POLICIES ON AI AND EMERGING TECHNOLOGIES
12.0 ICT POLICIES ON SOCIAL MEDIA
APPENDIX A: Organogram of the ICT Structure
APPENDIX B: Data Protection Act 2023
UNIVERSITY OF NIGERIA
INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) POLICY (DRAFT)
EXECUTIVE SUMMARY
This Information and Communications Technology (ICT) Policy of the University of Nigeria, Nsukka is designed to identify the content and depth of ICT infrastructure required to drive excellence in the overall business of the University: student life-cycle management, academic activities (teaching, learning, research and community service), staff records management and general administration of the University. In addition to the above, the policy identifies and proposes processes and systems including manpower (responsibilities), hardware, software, and procedures for efficient and reputable teaching, learning, research, community development and institutional administration of the University.
It outlines a robust system for the deployment and management of ICT services in the University, including online, e-learning, undergraduate, postgraduate and life-long learning, aligned to the strategic objectives of the University. It also seeks to develop an effective system for strategic resource allocation on an on-going/rolling plan basis, to achieve a robust system of response to university-wide evolving priorities in teaching, research, community development and university administration, deploying cutting-edge ICT infrastructure. This policy aims to support the aspirations of the University to become a globally competitive and leading centre of excellence. It also aims to ensure the emplacement/deployment and operation of an ICT infrastructure that promotes the vision and mission of the University of Nigeria based on ethical best practices.
1.1. ICT Vision
To transform the University of Nigeria into a world class learning environment, driven by cutting edge and best-in-class Information and Communication Technology Infrastructure.
1.2. ICT Mission
To ensure that all the components of the mission of the University – teaching, learning, research and community service are ICT-driven.
1.3. Purpose of Policy
In seeking to support/promote the vision and mission of the University, this policy will specifically seek to:
- Secure the deployment and management of a robust uninterruptible high quality ICT facility to drive the entirety of university business.
- Ensure the integrity, reliability, availability, and superior performance of ICT systems.
- Ensure ethical use of ICT systems for their intended purposes consistent with the principles and values that govern use of other University facilities and services, and in line with global best practices.
- Provide a user-friendly system of support to all users of ICT to ensure best outcomes for all stakeholders.
- Establish processes for addressing policy violations in line with evolving technologies, changes in user ecosystem and University priorities.
1.4. Scope of the Policy
- This Policy applies at all times to all persons (as may be specified following) who use the ICT systems and infrastructure of the university, including but not limited to all University of Nigeria students, staff, researchers, exchange scholars and all visitors (including conference visitors), and third-party collaborators and vendors. It applies to the use of all ICT systems and infrastructure, including those managed by the Directorate of ICT as well as facilities provided or administered by all colleges, faculties, institutes, centres, departments and units of the University; and university-based and controlled facilities (including third parties who may be connected to the University network for the duration of such exposure). Use of ICT systems, even when carried out on a privately owned computer that is not managed or maintained by the University of Nigeria but is connected to the University network or deployed in the implementation of University official business shall be governed by applicable aspects of this Policy.
1.5 Definition of Terms
Academic Data
Information on courses, curricula, enrolment, results, degrees, transcripts, exam timetables, alumni data, and related academic documents.
Administrative Unit (ICT Centre)
The section that manages the Office of the ICT Director and coordinates the activities of all other ICT units.
Confidential Data
Information requiring protection from unauthorized access, modification, or disclosure, though its exposure may not cause significant institutional harm (e.g., vendor contracts, intellectual property).
Customer Service Unit (ICT Centre)
The “Help Desk” for staff and students, receiving service requests, resolving issues, or directing them to the relevant ICT unit.
Data Custodian
A unit or employee responsible for managing systems and servers that collect, store, and provide access to institutional data.
Data Owner
A unit or official with managerial and operational responsibility for a category of institutional data.
Data User
Any member of the university community who uses institutional data in the conduct of official business.
E-Learning Unit
The section responsible for supporting online learning platforms, virtual classes, and related ICT infrastructure.
Highly Confidential Data
Sensitive data (e.g., health information, financial records, student personal data) that requires strict protection and encryption.
Human Resource Data
Information on staff establishment, staffing levels, manuals, benefit schemes, and related human resources documentation.
ICT Centre
The main body responsible for planning, designing, implementing, coordinating, and monitoring ICT projects and infrastructure in the University.
ICT Management Board
A governing body made up of senior university officials and external experts responsible for monitoring and implementing ICT policy.
ICT Technical Committee
A committee of experts assisting the ICT Management Board with technical decisions, technology integration, and supervision of ICT-related processes.
Institutional Data
All data created, collected, or managed by the University that supports planning, management, operations, or auditing of functions.
Internal Use Data
Data for internal/private use within the University (e.g., inter-office memos, internal policies) requiring reasonable security measures.
Library Data
Information on subscribed journals, print collections, and special collections (photos, archives, music) in the University Library.
Monitoring and Evaluation Unit
The unit that supervises ICT staff, liaises with faculty ICT liaisons, and ensures compliance with assigned responsibilities.
Network Unit
The ICT unit responsible for designing, implementing, and maintaining the University’s network infrastructure (LAN, intranet, wireless).
Personnel Data
Staff-related data such as qualifications, ranks, pension, compensation, financial/banking details, and demographics.
Portal Unit
The ICT unit that manages staff and student issues related to the University portal (course registration, fees, exam scores, attendance lists).
Privacy, Data Security & Integrity
Principles ensuring institutional data is classified, protected, and accessed responsibly, in line with international and national laws.
Public Data
Information intended for broad distribution with little or no risk to the University if disclosed (e.g., brochures, websites, press releases).
Research Data
Outputs of systematic research (e.g., publications, reports, policies, dissertations, strategic plans).
Student Data
Information about student demographics (age, sex, region, religion), registrations, academic performance, and financial status.
Web Ranking Unit
The ICT section responsible for registering the University with global web ranking bodies and positioning it for better ranking outcomes.
Website Unit
The team responsible for maintaining the University website, faculty/department subdomains, and student portals.
2.0. GOVERNANCE STRUCTURE
2.1. Introduction
The trend worldwide is in the direction of decentralized management structure. Accordingly, this UNN ICT Governance structure shall provide for regulating, monitoring and the implementation of the university ICT policy at all functional levels of the university.
2.2. Structure
The Governance Structure of the University ICT shall consist of:
- The ICT Centre Management Board
- ICT Technical Committee
- The ICT Centre
- The ICT Units
- All other ICT related centres of the University
(See Appendix I: The organogram of the ICT structure)
2.2.1. THE ICT MANAGEMENT BOARD
The membership of Board shall consist of the following:
- A Chairman that shall be a member of the University Governing Council to be appointed by the Council
- The Vice-Chancellor or his representative
- The Bursar or his representative
- The ICT Director
- The Directors of ICT-related Centres
- The DVC, UNEC or his representative
- Director of Academic Planning Unit
- The Provosts, College of Medicine and College of Postgraduate Studies or their representatives
- Two honorary external members appointed by the Vice-Chancellor. Such persons shall be nationally and internationally acknowledged leading experts in ICT matters and shall also be disposed to assist the Management Board and the University to secure grants, aids and endowments for ICT
The Board shall be responsible for the monitoring and implementation of the ICT policy with the following as its specific functions:
- Proposing policy options in relation to development plans, fund raising strategies, regulations enactment, etc.
- Monitoring the role of players in the policy.
- Liaising with industry, National University Commission, Ministry of Education, NCC, NITDA and others on ICT matters.
- Representing the stakeholders in all ICT concerns owned by the university, or in which the University has interest.
- Ensuring the compliance of all stakeholders with the ICT policy.
- Advising the University management on the changing financial implications of maintaining cutting-edge ICT infrastructure and also on possible funding sources and variations, including all embedded staff and student contributions/charges.
- Superintending the implementation of the Budget of the ICT directorate to ensure seamless and high-quality ICT service.
2.2.2. ICT DEVELOPMENT COMMITTEE
The ICT Development Committee is a standing committee whose responsibility is to assist the Administration in making the University of Nigeria a Centre of Excellence and its programmes/products globally competitive, with the following terms of reference:
- Assess ICT needs of departments, units, and faculties, and advise the university management on ICT infrastructure acquisition, deployment, and maintenance.
- In collaboration with relevant departments and units, promote ICT literacy and capacity building among staff, students, and management.
- Guide the integration of ICT into curricular, virtual learning, and online resources.
- Promote the adoption of emerging technologies for teaching, research, administration, and outreach
- Recommend frameworks for digital transformation, e-learning, e-governance, and ICT-driven research support.
- Monitor ICT projects to ensure efficiency, accountability, and sustainability.
2.2.2.1 ICT Technical Sub-Committee
This is a Sub-Committee of the ICT Development Committee to assist the ICT Development Committee on all technical matters. The Technical Sub-Committee shall consist of the following:
- Director, ICT Centre (Chairman)
- Deputy Directors, ICT Centre
- Head, Computer Science
- Head, Electronics and Computer Engineering
- Head, Department of Electrical Engineering
- Directors/Heads of other ICT related Centres and Departments
- Representative of the University Librarian
The functions of the Technical Sub-Committee shall include, but not be limited to, the following:
- To study emerging technologies and propose integration into university processes and ICT resources given current needs
- Defining the functional relationship among all ICT related centres/units and ensuring that there is no duplication of functions or redundancy among them.
- Supervise the development of a functional handbook for the relevant ICT related centres and day to day implementation of aspects of this policy as may be advised by the management board
- To ensure that issues of safety, scope, privacy, copyright and liability are identified and managed in the best interest of the University
- To ensure sustainable development and emplacement of high-quality infrastructure and management processes in line with technology evolution, user ecosystem changes and global best practices
- Liaise with all heads of department, unit and centre to identify ICT policy violations and report same to the Board.
- Advise the ICT Development Committee on all aspects of the development of the University ICT infrastructure.
- Advise the ICT Development Committee on Human Resources and training/capacity needs for the maintenance of robust cutting-edge ICT infrastructure.
- Advise the University management on matters related to third party and contractor/vendor service provisions related to ICT, bearing in mind the critical need to ensure technology transfer to responsible University ICT staff over the minimum possible timelines. In this regard, it is recommended that:
  - third party/contract ICT service(s) to the University be transferred to the University not later than 5 years from first provision of such service(s);
  - an appropriate number of university ICT personnel shall have been trained over the contract period; and
  - wherever necessary, appropriate after-sales support in favour of the University shall be negotiated as part of the initial service/equipment contract.
2.2.3. THE ICT CENTRE
The ICT Centre, in carrying out its duties, shall:
- Be responsible for the planning, designing, implementation, co-ordination, and monitoring of the implementation of all ICT projects, which include, but are not limited to, deployment, operation, maintenance, support and disposal functions.
- Superintend the overall development of ICT in the University. This is to ensure the effective and optimal utilization of ICT resources in the University.
- Superintend the overall management of the University ICT infrastructure so as to ensure the efficient and effective use of the University ICT infrastructure.
- Ensure considerate use of infrastructure and facilities by competing users.
- Drive the training, continual retraining, certification and motivation of appropriate level (quality and quantity) of ICT personnel and professionals needed to maintain a very efficient and robust infrastructure for set purpose
- Advise the University and all units thereof (including research personnel who procure ICT equipment as part of university-based grant-funded activities) on all matters related to procurement of all ICT equipment to ensure equipment compatibility, ease of maintenance and value for money.
- Establish and maintain a highly trained, competent and motivated equipment maintenance crew to:
  - Achieve timely, seamless and cost-effective maintenance of all of the University’s ICT equipment
  - Ensure a roster/timetable is kept for such maintenance, and
  - Undertake the maintenance of ICT equipment and infrastructure
- Develop and implement an appropriate backup and restoration policy for all University Institutional Data, a business continuity plan and information security policies to ensure protection, integrity and reliability of all institutional data.
- Promote and implement the development of a centralized system of authentication that ensures users of the University’s information technology resources and associated data are correctly identified, authorized and authenticated before access to the corresponding systems and resources is granted.
- Ensure the development and implementation of appropriate protocol to ensure audit trail to track access to all Confidential and Highly Confidential Institutional data.
- Ensure that whenever a certain portion of given institutional data is generated and maintained by an external party, there is a mechanism to track and account for any fees that may be attached to such actions as should duly accrue to the University for the period of such a contract/arrangement.
For purpose of this Policy, the ICT infrastructure of the University shall be understood to include all computer hardware (howsoever defined) including handheld devices and peripherals, wired or wireless network equipment owned by, and administered by or for or licensed to the University; software licensed to, owned by or howsoever operated by the University or for the University legitimately; and any other facilities related to the foregoing, owned by, licenced to, or otherwise legitimately operated by the University (or her agents and proxies) for purpose of or in pursuit of this policy.
The ICT Centre shall be divided into the following units, each of them headed by Deputy Director or such other competent professional of significantly high rank. The units are:
- Administrative Unit
- Network Unit
- Hardware and Maintenance Unit
- Software Development Unit
- Capacity building (Training) Unit
- E-learning Unit
- Computer Based Testing/Examination (CBT/CBE) Unit
- Customer services Unit
- Web ranking Unit
- Website and Portal Unit
2.2.4. OTHER ICT RELATED CENTRES
These centres shall include:
- Computing Centre
- Management Information Systems Unit
- Centre for Distance and e-Learning
- Centre for Lion Gadgets and Technologies
- Computer Communication Centre
- Any other centres that may be created or defined by the appropriate authorities for purpose of this policy.
3.0 RESPONSIBILITIES OF THE UNITS OF ICT CENTRE
The responsibilities of the individual units of the ICT Centre shall be as follows:
3.1. Administration Unit
Manage the Office of the Director and the Central Administration of the ICT Centre, and coordinate the different units.
3.2. Network Unit
- Design, implement and maintain the University network infrastructure (the backbone, the Local Area Network, the Intranet, the Wireless, etc.)
- Determine the cost of bandwidth from relevant ISPs and advise accordingly.
- Deploy, manage and efficiently utilize available bandwidth to best achieve set objectives of the University.
- Develop a network map showing the network layout throughout the University campuses
3.3. Hardware Unit
- Determine and schedule periodic preventive maintenance of all University ICT hardware
- Determine cost of maintenance of equipment and facilities and therefrom conduct a periodic review of any embedded costs, charges and contribution (including ICT cost component of funded University-based research).
- Determine cost of replacement of equipment and procurement of new additional ones.
3.4. Innovation Unit (including E-learning)
- Determine cost of software licenses (application for the main information systems, specialized applications, database platforms, web and desktop applications, antiviruses) including common applications procured based on multi-user licence etc., and advise accordingly
- Design, implement and maintain the University website, portals and in-house software solutions
- Manage University data.
3.5. Training Unit
- Identifying and implementing relevant ICT training programmes for all cadres of the University staff.
- Ensuring that every staff member makes use of available ICT resources in carrying out their official duties.
3.6. CBT/CBE Unit
- Provide the infrastructure for online activities such as meetings, collaborations, webinars, teaching and learning, etc.
- Train staff and students on how to access and use necessary online platforms
- Provide the necessary infrastructure and technical support for all computer-based tests and examinations in the University
- In consultation with departments and the Exam Unit of the Registry, provide timetables for all CBT tests and examinations
- Provide support to all categories of users of ICT resources
- Escalate user feedback to relevant ICT units for immediate action
3.7 Customer Service Unit
- Act as the Help Desk of the ICT Centre
- Receive all enquiries and demands for services from staff and students, and resolve the issues or pass the requests to the appropriate unit of the Centre for resolution.
- Return the response or solution back to the source.
3.8. Web Ranking Unit
- Ensure the University is registered with relevant web ranking bodies/platforms
- Prepare the University and take all necessary steps to position the University to perform well in each ranking
3.9. Website Unit
- Maintain and update the University website
- Superintend the creation, population and maintenance of faculty, department and other sections of the University sub-domains
- Ensure the maintenance of the student portal and its availability for student lifecycle processes
3.10 Portal Unit
- Receive and resolve all issues arising from students and staff on their roles in the University Portal, from fee payment to course registration, and from course attendance lists to exam score uploads
3.11 Quality Assurance and Complaint Management Unit
- Generally supervise the activities of all the units to ensure they are in line with the general objectives of the Centre.
- Ensure ethical practices are followed by individuals and units in their daily operations.
- Ensure the output of individuals and units meets the expected standards by, among other things, doing the following:
  - Daily crawling of the University web pages on the UNN website to find any form of error(s) in the website
  - Interacting with the Website Unit to resolve any error(s) documented
  - Offering suggestions as solutions to such error(s) to any Unit responsible for resolving the error(s) found.
  - Following up customer feedback with the Units to ensure that all the concerns were resolved by the Unit concerned.
  - Working with the Web Ranking Unit in detecting and delinking broken links found on the UNN website.
3.12 Monitoring and Evaluation Unit
Constantly monitor and evaluate the activities of all the units of the Centre to ensure they align with, and are geared towards attaining, the goals of the various units. These include, but are not limited to:
- Supervise the duties of the various ICT Faculty Liaison Officers (who are ICT staff), who are the first port of call for technical support to the various Faculties/Centres/Units etc.
- Monitor/manage the duties of all ICT staff to ensure they comply with assigned responsibilities.
- Monitor the day-to-day management of the ICT Centre environment (cleanliness and safety)
4.0. ICT SERVICE MANAGEMENT POLICY
4.1 Privacy, Data Security & Integrity
Institutional data refers to all data created, collected, maintained, recorded or managed by the University and/or agents working on her behalf, which satisfy one or more of the following criteria:
- The data is relevant to planning, managing, operating, or auditing a major administrative function of the University.
- The data is referenced or required for use by more than one organizational unit
- The data is included in an official University administrative report
- The data is used to derive a data element that meets these criteria.
This data can be contained in any form, including but not limited to documents, databases, spreadsheets, email and websites; represented in any form, including but not limited to letters, numbers, words, pictures, sounds, symbols, or any combination thereof; communicated in any form, including but not limited to handwriting, printing, photocopying, photographing and web publishing; and recorded upon any media, including but not limited to papers, maps, films, prints, discs, drives, memory sticks and other computing devices. These data may take the form of one or more of the following:
- Research Data refers to all outputs of creative work undertaken on a systematic basis in order to create knowledge and increase the stock of knowledge and information. These include all original research publications (books, book chapters, Journal articles, conference publications, thesis and dissertations), projects / annual reports, planning documents (policies, strategic plans) etc.
- Library Data refers to data, which contain information on University library profiles such as subscribed journals, available print collections (books, serials and references), available special collections (photos, music, archives).
- Academic Data refers to data which contain information on University academic profiles such as courses/curricula, enrolment, results, degrees/transcripts, course/examination time-tables, all related academic documents and alumni-related databases.
- Student Data refers to information relating to student characteristics (course and residence registration, academic performance, financial status) and student demographics (region, age, sex, religion).
- Human Resource Data refers to data, which contain information on the human resource profile of the University such as establishment, staffing level, procedures and manuals, benefit schemes and beneficiaries.
- Personnel Data refers to information relating to staff characteristics (qualification, rank, pension accrued, compensations, salary, financial and banking and insurance etc.) and staff demographics (region, age, sex, religion, marital status, department and all personnel related data and documents, etc.).
- Financial Data refers to data, which contain information on University financial profiles such as revenue, expenditure, budget, assets, liabilities, contracts, including academic contracts and facilities.
Members of the University community and other (third party) stakeholders require access to different categories of institutional data in support of the University’s teaching, research and community service. Members of the above community working with or using institutional data in any manner must comply with all applicable international conventions, national laws on data protection and all applicable University policies, procedures and standards, as well as all applicable contracts and licenses. To enable clear application of appropriate policies, institutional data may be categorised according to roles and controls as follows:
- Data Owner – a unit or official with management policy and operational responsibility for institutional data.
- Data Custodian – a unit or employee responsible for the operation and management of systems and servers which collect, manage and provide access to institutional data. Thus, the Director of ICT, together with the staff of the ICT Centre, is responsible for managing the server infrastructure that houses the academic data or other data as may be consigned to the unit by the University.
- Data User – a member of the community using institutional data in the conduct of University business.
The Data Owners as defined are responsible for the formal classification of such data based on its sensitivity and confidentiality, for purposes of data security. Sensitivity and confidentiality of data relate to challenges that may arise from loss of data or from data falling into unauthorised hands, such as: loss of critical University operations; loss of opportunities, cost or value of the data; damage to the reputation of the University (including members of the University community) that may arise or lead to litigation and financial loss; lack of corrective actions or repairs; and violation of University mission and policies. To manage these challenges, data may be categorised and managed as follows:
Highly Confidential: Data is classified as Highly Confidential when an unauthorized disclosure, alteration or destruction of that data will cause a significant level of risk to the University or members of the community. Access to Highly Confidential data must be responsibly and individually requested and then authorized by the Data Owner who is responsible for the data. The assessment of risk and access approval will be determined by the Data Owner or appropriate University functionaries (and in consultation with the private owner as appropriate). Examples of such data include sensitive health information, personal data including banking and financial information, university financial data and information, sensitive student personal information and all data protected by law. Such data may not be sent by email or forwarded. Confidential printing and hand/signed delivery are required to transmit such data. Electronic encryption is needed for electronic transmission.
Confidential: These relate to information that would not necessarily expose the University to significant loss, but for which the Data Owner has determined that security measures are needed to protect it from unauthorized access, modification, or disclosure. Examples include Intellectual Property related data (licensed and/or under development), records, purchasing information, vendor contracts, system configurations, and data protected by law or whose release may only follow FOI Act requests. As with Highly Confidential data above, these may not be transmitted via email (particularly to an external email).
Internal use data: These relate to data classified as internal / private for all the information assets that are not explicitly classified as Highly Confidential, Confidential or Public data. A reasonable level of security control should be applied to internal data. Such data may be routinely available without restriction but its integrity must be carefully maintained. Examples include routine correspondence, employee newsletters and memos, inter-office memoranda, internal policies & procedures. No special precautions are needed for transmission of these data.
Public Data: Data will be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Such data are intended for broad distribution in support of the University’s missions or freely available to any person or organization with no restrictions. Examples include brochures, news releases, pamphlets, web sites, internal phone directories, marketing materials. No special precautions are needed for handling and transfer.
The University shall ensure that information relevant for tactical and strategic needs of University management is provided in a timely and easy to access way. The University shall, therefore, promote and support the development of high level reporting applications that consolidates data from across all institutional databases using data mining and/or other approaches that support development and management of secure audit trail.
4.2. Access User Ethics
The ICT Unit shall grant internet access (and university specific email account) to the University network to:
Staff:
All staff of the University shall be provided with valid Internet access and email accounts for official or authorised personal uses. These accounts shall remain active as long as the staff member is in the service of, or a pensioner of, the University. In the event of resignation or dismissal, the staff member shall be given a grace period of 6 months to back up his emails.
Students:
All registered students of the University shall be provided with valid Internet and email accounts to enhance lawful use in the pursuit of their studies. Such account shall be disabled one year after graduation.
Administration:
These accounts are applicable to Principal Officers of the University, Provost, Deans/Directors, Heads of Departments and Units and other university functionaries for official use where it is necessary to identify an office or action rather than an operative. Such accounts shall be transferred to in-coming officers at times of change in administration.
Visitors:
These are temporary accounts which shall be given to intending users who are in the University for Official Duties or other short duration activities e.g. external examiners, visiting staff/scholars, conference visitors and visitors from other institutions. Application for this category of accounts must be through the head of department or unit to which the visitor is affiliated. Such an account shall be disabled immediately the visitor leaves the university based on a time.
Restrictions to Access:
Users are expressly forbidden from unauthorized access to accounts, data or files on University ICT resources. The Director of ICT may restrict access to an individual user on the grounds that the user is in breach of this policy.
University Liability:
The University accepts no responsibility for:
- Loss or damage or consequential loss or damage, arising from personal use of her ICT resources (including if such loss or damage were to arise from authorised access);
- Loss of data or interference with personal files arising from the University’s efforts to maintain her ICT resources. Users are advised to constantly back up their personal and important data and specifically to desist from storing personal data and files on university ICT facilities.
4.3. Code of Conduct and Operational Ethics for ICT Staff
ICT Centre (including all staff and third-party personnel) shall follow a policy of conducting its business ethically and in compliance with the letter and spirit of the law and international best practices. This is critical to international reputation for excellence and integrity of the University of Nigeria.
4.3.1. Server Room/Data Centre
- Physical Access:
i. Access to this facility is restricted to only authorized personnel of the ICT Centre or any other authorized third-party personnel as may be determined by the Director of ICT.
ii. All third-party access to the server room/data centre shall be supervised by the staff responsible for that centre.
iii. Edibles, liquid, electromagnetic objects or any other objects that may constitute hazard to the data centre/server room equipment or their functions are not authorized to be brought into the server room/data centre by anyone.
iv. A log of all entrants into the server room/data centre must be maintained at all times and backed up by secure CCTV records.
- Movement of equipment
Unauthorized movement of equipment in and out of the server room/data centre is strictly prohibited.
- Physical protection
The server room/data centre shall be protected against exposure to water, dust, fire, electrical surge and high temperature
4.3.2. Data Protection
All ICT staff shall ensure the protection of the university digital infrastructure and information assets against any compromise or attack that may affect its confidentiality, integrity or availability. To ensure this, the following steps need to be taken:
- Access privileges to user accounts, official correspondences and documents must not be abused.
- Copying, divulging or any other form of manipulation of official documents is prohibited.
- All ICT infrastructures must be protected from virus, malware, etc. with necessary tools.
4.3.3. Specific Day-To-Day Operations and other Responsibilities of the ICT Centre
In the conduct of its day-to-day operations, the ICT Centre shall see to the following:
- Integrity, maintenance and efficiency of the campus Network
- Network infrastructure including internet servers, switches, routers, optic fibres, wireless access points, etc.
- Intranet/Internet Access
- Provision and management of university email (…@unn.edu.ng)
- Provision of Internet Service on campus
- Maintenance of all servers connected to the network
- Internet Security management and system integrity
- Maintenance of network infrastructure in all buildings on campus
- CISCO Administration.
- Development of such software as may be directed or required for effective operation of the University ICT and System-wide enterprise management
- Administration of staff and students records
- Student life cycle management including management of processes for timely issuance of transcript
- Production of staff and students identity cards
- Administration of University portal and Database servers
- Collaboration with the Registrar/Faculties and Department to implement course registration and process results; implementing all online registrations
- Collaboration with the Bursar to ensure comprehensive fees collection across the system and financial management as may be required
- Collaboration with Departments and Faculties/the Registrar to produce Examinations Time-Table and ensure seamless management of semester and professional examinations
- Collaboration with Departments to implement CBT examinations
- Collaboration with Personnel Services to manage staff database
- Collaboration with Medical Centre Services for Hospital Enterprise Management
- Collaboration with the University research community and students to enhance research visibility
- Collaboration with appropriate organs of the University including but not limited to the University Senate to achieve enhanced visibility and ranking for the university
- Creation of sub-domains and populating them for departments, faculties and centres
- Maintenance of Portal and Database servers
- Administration of Web servers and Content Management System.
- Installation and management of University computing facilities/data processing and analysis, graphics services and facilities as well as sales and services; and provision of commercial access to same as may be determined by the university from time to time
- Organizing ICT Training Programme for both staff and students
- Organizing Professionals certification training programmes such as CISCO Training
- Deploying multimedia systems for seminars, conferences and workshops
- Deploying multimedia systems in all lecture rooms and auditoria
- Deploying multimedia systems for post-graduate theses defense on request.
- Ensuring ethical use of all University ICT infrastructure including by constraining or otherwise denying access to sites and services not deemed consistent with the business of the University
- Other ICT related services as may be identified or defined from time to time by the University
4.3.4. Protection of other ICT Physical Infrastructure
It shall be the responsibility of the ICT Centre to work with appropriate organs of the university (Works, Physical planning, Security, etc.) to ensure the protection of all ICT infrastructure including fibre optic cables, masts, radios; provision of cabling maps and marks, etc. However, it shall be the responsibility of the host department, centre, office, hostel, etc. to ensure the security of any ICT infrastructure installed within their premises.
4.4. Responsibility of other Users/ (End Users)
It shall be the responsibility of other users to:
- Ensure that a secure backup is kept of all their data and that a backup alternative exists in the event of failure of a piece of technology in the network; and
- Ensure that they have been checked against the intended purpose prior to commencement of usage. However, where ICT Infrastructure is being used in such a way that the content or subject matter of the use is sensitive or likely to raise questions related to unethical or inappropriate use of ICT infrastructure, the user shall take appropriate steps to ensure that:
- no members of the University community or any other people are exposed to materials that may cause offence; and
- there is no breach of any laws regarding the viewing, use or publication of materials.
- The University shall accept no responsibility for any emotional or mental harm resulting from using the University’s ICT Infrastructure.
4.5 Use of University Official Email (Access, Decommissioning of Email)
Policy on University E-mail
All staff and students are entitled to have a university official email account
- The format for staff is to be surname@unn.edu.ng while student format shall be firstname.surname.matricnumber@unn.edu.ng (undergraduate) or firstname.surname@unn.edu.ng (postgraduate)
- Official email is to be used for all official communications
5.0. RESPONSIBILITIES OF HEADS OF ACADEMIC AND ADMINISTRATIVE UNIT
It shall be the responsibility of the Directorate of ICT to:
a. Maintain and update short-, medium- and long-term development plans for this purpose. These plans shall encompass all aspects of hardware and software procurement, installation, commissioning and maintenance as well as development of requisite manpower in line with the evolution of technology, evolving demands of the University and funding requirement.
b. Advise the University management on matters related to third party and contractor/vendor service provisions related to ICT, bearing in mind the critical need to ensure technology transfer to responsible University ICT staff over the minimum possible timelines. In this regard, it is recommended that:
  - third party/contract ICT service to the University be transferred to the University not later than 5 years from first provision of such service;
  - appropriate number of university ICT personnel shall have been trained over the contract period; and
  - wherever necessary, appropriate after-sales support in favour of the university shall be negotiated as part of the initial service / equipment contract.
c. Drive the transition from the current wireless network to a combination of wired and wireless network to increase speed, reduce down-time and maintenance needs and achieve long-term economy.
d. Develop timetables for the phased and gradual fixed wire cabling of all University facilities, starting first with permanent structures. Such cabling shall include the cabling of all offices, laboratories and workshops to enable seamless communication and reduced labour down-time in the university.
e. Advise the University and take necessary action as directed for the disposal of all end of life ICT equipment in line with national policy, global best practices and specific environmental considerations, bearing in mind the need for data protection (The Privacy and Personal Information Protection Act 1998; The Health Records and Information Policy Act 2002) and social responsibility.
It is expected, subject to availability of resources that implementation of items a-e shall commence immediately and run in phases over the short term (4-5 years) and medium term (10 years) based on carefully considered grouping and prioritization of University facilities and resource availability.
To ensure that the need for cabling falls out with the completion of cabling of existing facilities, all new structural developments of the University going forward shall include a bill for comprehensive cable installation as part of construction.
5.1 University Librarian
The University Librarian (UL) shall ensure that all ICT policies are domesticated in the Library and ensure that all aspects of the University ICT policies are implemented in the Library.
5.2 Provost
The Provost shall ensure that all ICT policies are domesticated in the College and ensure that all aspects of the University ICT policies are implemented in the College.
5.3 Director of Academic Planning Unit
The Director of Academic Planning Unit shall ensure that all ICT policies are domesticated in the Unit and ensure that all aspects of the University ICT policies are implemented in the Unit.
5.4 Deans of Faculty/School and Directors of Institute and Centre
The Deans of Faculty/School and Directors of Institute and Centre shall ensure that all ICT policies are domesticated in the faculties/Schools and ensure that all aspects of the University ICT policies are implemented.
5.5 Heads of Academic Departments/Programmes
The Heads of Academic Department/Programme shall ensure that all ICT policies are domesticated in the Departments and ensure that all aspects of the University ICT policies are implemented.
5.6 Heads of Administrative Unit
As in 5.3 above
6.0 ICT POLICIES FOR TEACHING, LEARNING, RESEARCH AND COMMUNITY DEVELOPMENT
6.1 Policy for Teaching, Learning, Research (TLR)
- All teaching material/resources should be digitized. Teaching material should be in form of PowerPoint slides, video clips, podcasts, virtual simulations,
- The teaching process/pedagogy should be digitalized using e-learning platforms (Google classroom, Zoom, Google Meet, Microsoft Teams, Telegram, etc.)
- Assessment in instruction delivery should be done using digital technologies including e-learning platforms, CBT, Assessment Applications (Kahoot, Google Forms, Mentimeter, Formaloo, Quizlet, etc.)
- All Sandwich and Evening Programmes (SEP) of the University should be digitalized and should have a dedicated Online Option or a blended learning option.
- Research processes should be digitalized involving digital technologies for research write-ups, data collection, data analysis, laboratory works (simulations), laboratory reports, result presentation, consultation of e-library materials, and digitized referencing styles
- Research results should be captured, stored, and disseminated digitally.
6.2 Policy on Community Development
- Staff and students should undergo digital skill upgrading/ training every three years and certified by the University.
- The digital skills training process for interested individuals, Communities, schools, organizations should be digitalized. This will include digitalizing the advert for programmes to be offered, admission process, registration, training, assessment, etc
6.3 Policy on the Integration of AI in Digital Education (DE)
- When AI is integrated or consulted in DE, proper attribution should be given to Authors
- Standardized regulations like GDPR, CCPA, NDPR (Nigeria) should be followed in consulting in AI.
6.4 Policy on University Library
6.5 Responsibilities of Lecturers (including Academic Advisers and Exam Officers)
6.5.1 Responsibilities of Lecturers
- Ensure that they undergo the regular digital skills (Up skilling).
- Ensure that all teaching resources used should be in electronic forms (digitized).
- Use digital technologies in instruction delivery and assessment
- Release of results should be in electronic forms and timely.
- Lecturers should take students’ attendance electronically.
6.5.2 Responsibilities of Academic Advisers
– Should ensure they are digitally literate by upgrading themselves periodically
– Should digitally capture records of students being advised
– Communicate, advise and provide mentorship regularly for students digitally using emails, Phone calls, social media platforms, etc.
6.5.3 Responsibilities of Examination Officers
– Should ensure they are digitally literate by upgrading themselves periodically.
– Use secured digital technology to capture, collate, compute and disseminate students’ results.
– Digitally compute CGPA of students regularly for further administrative purposes by the University Exams Unit.
6.6 Responsibilities of Students
- Ensure that they undergo regular digital skill upskilling certification provided by the University
- Students should register their courses electronically through the platform provided by the University within the given timeline.
- Students should clock into classes digitally.
- Students should provide personal digital technologies for effective learning.
- Students should submit assignments, class works electronically as may be required by the course/programme.
- Students should endeavour to be conversant with e-learning platforms used for teaching and learning.
- Students should keep the standardized and customized e-classroom rules, else face the set consequences.
6.7 Responsibilities of Administrative and Technical Staff
- Faculty Officers
- Faculty Officers should be ICT compliant
- They should have access to the University Portal for activities
- They should carry out online clearance for students in the students portal
- They should generate student’s information reports for the management.
- They should manage student’s profile online for the faculties.
- Departmental ICT Representatives
ICT Representatives should be IT compliant and should carry out these activities:
- Generation of contents for departmental subdomains
- Management of the departmental subdomains
- Generation of electronic contents for the University ICT
- Provision of IT consultant services to staff of the department.
- Assist lecturers in generation of class list and upload of grades to the student portal
- Assist lecturers in management of their profile and web pages in the University website
- Other administrative staff
- Ensure that the University email is used for official responses
- Ensure that they manage their pages in the University staff portal.
7.0 POLICIES ON ADMINISTRATIVE GOVERNANCE
7.1 ICT Policies on Staff Recruitment
- Advert to be hosted online on the University online Platforms
- Submission of all application material should be in electronic form
- All recruitment Test/exam to be Computer based
- Communications with the applicants should be electronic
7.2 ICT Policies on Assessment and Promotion
- All appraisal materials (forms, publications and other support materials) are to be in electronic form only
– Assessment by appropriate Assessors should be done electronically
7.3 ICT Policies on Internal/External Communication
- All internal memos should be electronic only through the University Intranet
- Use of UNN official email for all official communication is mandatory
7.4 ICT Policies on Documentation
- All staff files at all levels should be digitized and securely stored for ease of access
- All administrative and Technical document in various Units to be digitized and securely stored
– Approval process for funding, retirement of funds are to be electronically done only
7.5 ICT Policies on Registry Activities
– All Students records should be digitized: All registry activities should be automated. This implies that all the branches of the registry like admissions, exams, records, careers and so on should make use of their modules/accounts in the university portal for the management of admission processes, result computations, record management and so on.
– Students lifecycle completely digitalized from Admission to graduation and archiving.
– The records department should make use of the university itranscript portal for transcript management
– Documents management: movement of documents like memos and so on should be done electronically
7.6 ICT Policies on Bursary Activities:
- The bursary department should have a module/account in the university portal.
- The bursar and some bursary staff should be given admin account in the portal for generating financial reports and for other financial transactions.
7.7. ICT Policies on Audit Activities:
- The audit department should have an admin account in the university portal. This will enable them to carry out online clearance and generate necessary reports.
- The Audit unit should also have access to asset management applications of the university for audit activities.
7.8 ICT Policies on Official Meetings
- Video conferencing should be used for official meeting where appropriate
- Minutes of meetings should be electronic only (production and circulation)
7.9 Policy on Home Grown Solutions
This policy aims to provide guidelines and procedures for the development, implementation, and management of home-grown ICT solutions within this university. This University is a home of research and development, and as such it is expected that the research products will evolve into commercializable solutions. The University should encourage all ICT-related departments and units to develop home-grown solutions that meet the needs of the University, as well as Nigeria and beyond. This can be done through competitions, hackathons, and ICT fairs. Home-grown solutions could be software solutions/applications, analytics tools, AI tools, hardware, embedded systems, etc.
This policy applies to all university staff, students, and departments involved in the development and use of ICT solutions.
Policy Overview
i. Solution Development: Home-grown ICT solutions will be developed in accordance with university standards and guidelines, ensuring compatibility, security, and scalability.
ii. Intellectual Property: The university must ensure the protection of intellectual property rights related to home-grown ICT solutions, ensuring compliance with relevant laws and regulations.
iii. Innovation: To encourage innovation and creativity in the development of home-grown ICT solutions, innovation centres/hubs should be empowered to scout for and develop ICT talents.
iv. Collaboration: The university’s innovation centre should foster collaboration between departments and faculties to leverage expertise and resources.
v. Security: It is also the responsibility of the innovation centre to ensure the security and integrity of home-grown ICT solutions, protecting against unauthorized access and data breaches.
vi. Sustainability: To ensure sustainability of ICT solutions, standards must be put in place for them to meet the university’s long-term needs.
vii. Marketing: The University should do all within her powers to support home-grown solutions and give priority to home-grown solutions over outsourced solutions.
viii. ICT Committee:
ix. Implementation Plan: The ICT Committee in (viii) should develop a plan for implementing home-grown ICT solutions, including timelines and resource allocation, and regularly review and evaluate home-grown ICT solutions to ensure they meet university needs and standards.
x. Commercialization: Home-grown solutions should be encouraged to grow into registered startups, bid for university and outside contracts and supplies with other vendors.
7.10 Policy on ICT Procurement and Management Policy
8.0 POLICIES ON ICT ENHANCED INTERNALLY GENERATED REVENUE (IGR) ACTIVITIES
8.1 Policy on Commercialization of Teaching, Learning and Research (TLR)
All student projects/theses are to be uploaded to the university online depository, where only the abstracts will be open access while the rest of the study will be paid access.
8.2 Policy on University Enterprises
All the university IGR enterprises must have web-presence
Every SME business on campus should be registered under e-market system of the university.
8.3 Policy on Distant-Learning
- C-Del is to identify academic programmes of the university that could be commercialized
– Designated units of the university are to digitalize distance learning of their programmes for distance learning activities (e.g., Sandwich programme, Centre for Social Policy Programme, etc.).
8.4 UNN to Develop Payment Platform
- UNN is to create an online payment platform to be used by business ventures on campus
9.0 POLICIES ON DEVELOPMENT OF THE UNIVERSITY ICT INFRASTRUCTURE
9.1 Procurement of ICT Goods and Services
This shall be in consonance with the University Procurement policy and the federal government Procurement act at large. However the Procurement policy shall be amended to include:
Establishment of E-Procurement System
All procurement processes, purchase of goods/services and maintaining inventory are done through structured e-procurement. This will help to manage all procurement processes, including sending purchase requisitions, generating purchase orders, selecting and managing vendors.
The structured processes include:
- e-sourcing: involving pre-qualifying potential suppliers.
- e-tendering: request for information, proposals and quotations.
- e-auctioning: evaluating suppliers, negotiation and contract management.
- e-ordering and payment: creating requisition and purchase orders and receiving ordered items
- Policy on Decommissioning ICT Equipment Infrastructure
- Typically a laptop’s average lifespan is from 3 to 5 years, with some laptops lasting up to 7 years or more with proper care and maintenance. This also depends on usage patterns. A heavily used laptop would last 3 to 5 years.
- A desktop PC’s average lifespan is from 5 to 8 years, with some lasting more with proper care and maintenance. This also depends on usage patterns. Regular high-quality component upgrades and proper cooling and maintenance can extend its lifespan.
- Policy on Preventive Maintenance
- Preventive maintenance involves regular servicing, proper handling, and management of computer systems aimed at prolonging the lifespan of the systems. The following steps should be adhered to in order to achieve this.
- Regular maintenance: Ensure regular periodic maintenance of PCs and peripheral devices such as printers, monitors, scanners, etc through cleaning dust and updating software.
- Proper cooling and ventilation: Ensure that the operating environments have proper cooling systems such as air conditioners, ventilators, fans, etc.
- Hardware Upgrades: Before PCs are decommissioned, units must exhaust the option of upgrading hardware components, like RAMs or storage drives, etc. to help improve the performance of PCs and extend their lifespan.
- Using high-quality power supplies and batteries: Most hardware failures are caused by frequent switching OFF and ON of the systems due to erratic power supplies. Units must ensure that hardware devices are operated only on stable power supply. The use of surge protectors is encouraged to protect expensive devices from damage.
- Replacement of Parts: It is recommended that only the right brand and specification of a device should be used as a replacement.
- Policy on Decommissioning of Computer Hardware
- When a hardware device is certified as unserviceable after several maintenance efforts or that the device has reached its end of life support, such device(s) should be recommended for decommissioning through Central Stores.
- Experts verification: Experts in the specific hardware devices should be consulted to certify that the device is no longer serviceable and recommend decommissioning
- Data Extraction: Before a PC such as laptop, desktop or tablet PC is decommissioned, relevant ICT personnel should ensure that the hard drive or data storage devices are removed, labeled and archived properly. In cases where the drives cannot be removed, all stored data must be backed up and the storage device like ROM, etc should be flashed to erase all data.
- Slow performance: Devices that have exceeded their lifespan but are still functional, though not performing optimally in terms of speed, may be decommissioned and given to students to work with. These could be donated to the University Staff Schools.
- Incompatibility with newer software or hardware: When a hardware’s software or driver becomes incompatible with newer operating systems, the performance of such devices will drastically reduce or may not be used anymore. At such point, there should be a recommendation for decommissioning.
- Increased maintenance costs: When a particular piece of hardware or PC is constantly gulping funds for maintenance with little return on investment, it is a sign that such hardware should be decommissioned.
- Hardware failures: PCs and devices can also be decommissioned due to hardware failure. In such cases, they could be recommended to be sold as scraps through the Central Stores
- E-Waste plants: The University shall establish an E-Waste Plant for recycling of hardware components like metals, plastics, fibre, glass, etc. These recycled materials could be used as raw materials for new products, or they could be a source of revenue to the University when sold to industries.
- Proper E-Waste Management: There should be a designated site for the dumping of e-waste materials, safely stored away from office and residential areas to avoid pollution and health hazards.
- Regular Education on E-Waste Management: Relevant bodies in charge of e-waste management should organize regular seminars on e-waste management for the university community.
- ICT Budget
9.4 Short-Term Actions Identified and Recommended (1-5year):
- Approval and adoption of ICT policy to drive implementation of ICT driven Teaching Learning and Research (TLR) and ICT driven processes leading to e-governance
- Our classrooms are designed for brick-and-mortar teaching and learning; so, restructure all lecture halls for deployment of smart classroom equipment
- Faculty members training on digital pedagogy to maximize smart classroom use.
- Deployment of smart classroom equipment to Faculty Lecture Halls
- Deploy some percentage of the ICT component of the students’ fee in structured replacement of aging infrastructure.
- Some percentage of exam fees meant for pencil-and-paper exams should be allocated to equip CBE/CBT centres, since sizeable exams are computer based.
- The University to constitute a strong Grant Team that constantly searches out calls and sources of grants for the support of ICT development and puts in very strong applications. These grants will support other sources of funding ICT projects in the University.
- Strengthen existing ICT infrastructure including:
- Fibre backbone
- Stocking of spare devices and network materials for quick maintenance to reduce downtime
- Consistent power supply
- Workstations, intra-campus networking, broadband internet
- Research databases
- plagiarism-checking tools
- strong physical and system security
- Strengthening the ICT Centre (Nsukka & Enugu Campuses), Centre for Distance & e-Learning (CDeL), including phased replacement of obsolete computing devices in the CBE/CBT Centres
- E-Library:
- Provision of licence to access E-journal database resources (Elsevier, IEEE, JSTOR) and other online resources via partnerships and consortia.
9.5 Medium Term Investment (6-10 years):
- Engage the Alumni and friends of the University to partner on and take up identified ICT projects; if required, name the projects after them as an incentive.
- Seek special endowments for ICT infrastructure and to establish a pool of user devices from which students who may not be able to afford personal devices can borrow.
- Train and up-skill Faculty members, Administrative/Technical staff, and students on ICT tools and e-learning best practices
- Promote integration of ICT and virtual reality tools into TLR activities to enhance delivery.
- Improve on ICT-driven Teaching, Learning and Research processes:
- Complete intranet and web services
- Upgrade departmental e-library setups
- Continue the connection of all buildings across campuses by fibre optic
- Enforce ICT-ready building designs
- Deployment of Smart Classroom equipment to Departmental Lecture Halls
E-Library & Digital Resources
- Continuous building/updating of Digital repository for theses, dissertations, and faculty research.
- Sustained subscription to global e-resources databases (Elsevier, IEEE, JSTOR, etc.).
- E-book lending platform with DRM support for controlled student access.
- Mobile-friendly library portal for remote access.
- Digitization of rare/local content (African studies, Nigerian research archives) to preserve heritage.
9.6 Long-Term Development and Management of the University ICT (> 10 years)
- Completion of the “abandoned” ICT building
- Relocation of the Data Centre from its temporary location at the base of the University Library to a standard space in the ICT to achieve a Tier 2 Data Centre.
- Public-Private Partnerships (PPPs): Engage tech firms (Huawei, Microsoft, MTN) for infrastructure funding and training.
- Capacity building: Continuous ICT training for staff and digital literacy workshops for students.
- Policy & Governance: Establish ICT steering committee for planning, monitoring, and sustainability.
- Sustainability: Budget for periodic upgrades, maintenance, and ICT security audits.
- Inclusivity: Ensure affordability and accessibility (e.g., subsidized laptops/tablets, low-cost data bundles for students) through established units like Lion Gadgets.
11.0 POLICIES ON VENDOR ENGAGEMENT SOFTWARE APPLICATIONS AND SERVICES
- The arm of the university that the service/solution is for will identify and itemize the requirements which the product should meet and this will be advertised by Management for vendors to submit proposals.
- The screening for qualified vendors will be carried out by the ICT Technical Committee to shortlist the best proposals through rigorous technical presentations and interactions.
- The Technical Committee will recommend 3 of the best vendors to Management, which will appoint one.
- Any Memoranda of Understanding (MoU)/contract entered into by the University with any Vendor for provision of application solutions or services to the University must not exceed 5 years in the first instance and must include processes for transfer-of-knowledge to the University. At the end of the life of the MoU/contract, total control must be handed over to the University to operate such application, while the services of the vendor may be retained as technical support where absolutely necessary under a different MoU/contract.
- However, where it becomes necessary for the contract to be extended at the end of the 5-year period, a renegotiated contract of not more than 3 years can be entered into after a proper and critical review of the Vendor’s performance within the last 5 years.
11.0 POLICIES ON EMERGING TECHNOLOGIES
11.1 Policy on the Use of AI
Artificial Intelligence (AI): The term ‘artificial intelligence’ was first used at a 1956 workshop held at Dartmouth College, a US Ivy League university, to describe the “science and engineering of making intelligent machines, especially intelligent computer programs” (McCarthy et al., 2006, p. 2). The interdisciplinary nature of AI is such that every field of endeavour in the era of Industry 4.0 and beyond finds application of AI in its processes. AI has revolutionized many spheres of life, including education, and the use of AI to enhance job performance is encouraged where necessary, but with approval by the relevant authorities in the University. However, there are many ways that AI can be used unethically, and the University frowns at such. The prohibited uses include, but are not limited to, the following:
- Prohibition on the unethical use of deep-fakes, that is, the automatic generation of fake news and the replacement of faces in videos so that politicians and celebrities appear to say or do things they never said or did.
- Bias: The use of AI programs and systems with inbuilt bias to put some users at a disadvantage is not encouraged.
- Lack of Transparency: AI systems that do not have a proven record of transparency should not be deployed in the University’s ICT infrastructure.
- The use of Generative AI, such as ChatGPT and the like, to gain undue advantage in exams, quizzes, interviews, etc. is not acceptable.
- Revitalization of the Computing Centre as a Centre for Cluster and High Performance Computing (HPC) to aid in the development of AI models and systems.
- Policy on the use of smart and autonomous devices like drones, UAVs, IoTs, CCTV, recording devices, etc.
- This section should emphasize and encourage the development of such smart and autonomous devices for the purposes of research and learning, but also stress acceptable usage.
- The use of smart devices such as smart meters for monitoring appliances, homes, water and other utilities, etc. should be encouraged.
- There is a need to have a Unit under the ICT or relevant arm of the University, whose membership should include the Security Department, for monitoring the use of such devices.
- The use of drones for monitoring the University environments as a means of security surveillance is recommended.
11.2.3 Key Policies on Autonomous Devices like Drones, UAVs, IoTs, CCTV
The following policies should govern the use of drones, unmanned vehicles, IoT, CCTV, etc. in the University of Nigeria, Nsukka.
1. Data Governance & Privacy
- Data Collection Policy: Data collection with such devices may include images, biometrics, location data, etc., as may be appropriate.
- Consent & Transparency: Adherence to the Nigeria Data Protection Act is a must. Users of such devices should ensure that users/the public know when and how they are being monitored.
- Data Retention & Deletion: Specific information on data storage and deletion, such as how long data (like CCTV footage) is stored and when it must be deleted, should be made known ahead of time to users of such facilities.
- Compliance: Images and data must align with national and global laws such as GDPR, HIPAA, or local data protection laws.
11.2.4 Cybersecurity & Access Control
- Authentication & Authorization: Only authorized personnel can access or control devices.
- Encryption Policy: All data in transit (video feeds, sensor data) and at rest must be encrypted.
- Incident Response Policy: Clear steps to follow in case of hacking, malware, or device takeover.
- Regular Security Audits: Vulnerability testing and updates for IoT firmware and UAV software.
3. Safety and Operational Use
There is a need to create a University airspace management (UNN-UAM), which will formulate standards for safety and operational strategies for all vehicles that fly over the University’s airspace. Such policies should include:
- Operational Policy: UNN-UAM must define where, when, and how devices (like drones or CCTV) may be deployed within the University.
- Airspace & Flight Regulations (for UAVs/drones): Such operations must comply with aviation authority rules, such as those of the Nigeria Civil Aviation Authority (NCAA) contained in Parts 21 and 8 of the Nigerian Civil Aviation Regulations (NCARs), which cover the operation of drones.
- Failsafe Policy: Devices should have automatic shutdown or return-to-base in case of malfunction.
- Risk Assessment Policy: There should be regular evaluation of safety risks before deployment, especially in highly populated areas such as where events are taking place.
4. Ethics & Accountability
- Ethical Use Policy: Unauthorized and harmful surveillance that infringes on an individual’s privacy, discrimination, and unauthorized profiling are prohibited.
- Human-in-the-Loop Policy: Every autonomous system should have mechanisms that enable humans to override it in critical scenarios.
- Accountability Framework: In cases of misuse, errors, or accidents, there must be clear assignment of responsibility.
5. Compliance & Standards
- Regulatory Compliance Policy: All devices under these categories must provide proof of compliance with international standards such as ISO/IEC for IoT, ICAO for drones, etc., and ensure alignment with national/international standards.
- Procurement Policy: Only devices that meet certified safety and privacy standards shall be acquired for use in the University.
- Environmental Policy: Such devices must minimize environmental impact such as noise pollution and excess energy use, reduce carbon footprint, and reduce e-waste from IoT devices.
6. Monitoring & Auditing
- Continuous Monitoring Policy: Real-time tracking for security anomalies (esp. for CCTV & IoT) must be put in place by the Security Department, the UNN-UAM, etc.
- Audit Policy: Set up independent audits of device logs and data usage for periodic monitoring and reporting.
- Transparency Reports: There should be regular public or internal reports on how devices are used, made accessible to the monitoring units of the University.
11.3 Policy on Developing ICT Talents
It is advised that the University adopt policies that encourage curriculum update and modernization, research & innovation, industry linkages, faculty training, infrastructure, inclusion, ethics, and outcome measurement. These create a robust pipeline of ICT talent ready for Industry 4.0/5.0 and national digital transformation goals. These ensure that our students are ready for the industry at the end of their programmes.
11.3.1 Key Policies for ICT Talent Development in Universities
The following are key policies that could be adopted by the University of Nigeria towards ICT talent development covering the areas of curriculum modernization, research & innovation, industry linkages, faculty training, infrastructure, inclusion, ethics, and outcome measurement.
Curriculum & Skills Development
- Industry-Aligned Curriculum Policy: Regularly update ICT curriculum to match global trends in the areas like AI, cybersecurity, cloud, data science, IoT, blockchain technologies, etc.
- Incorporate hands-on labs, coding bootcamps, and hackathons: The various innovation hubs like the Roar Hub, UNN Science Park, etc. are expected to have regular programmes supervised by a unit that oversees such hubs. Such programmes should contain activities like bootcamps, hackathons, coding competitions, etc. every session.
11.3.2 Soft Skills & Entrepreneurship Policy:
- Policies under ICT talent development should ensure students also develop soft skills such as teamwork, communication, critical thinking, problem-solving, and innovation.
- It should also encourage ICT students, such as students in Computing Sciences, Engineering and Education, to incubate startups and solve real-world problems.
Research & Innovation
- Research Policy:
- Support applied ICT research in areas like AI, fintech, e-health, and smart cities.
- Incentivize publications, patents, and open-source contributions.
11.3.4 Innovation & Incubation Policy:
- Establish university-based innovation hubs, maker spaces, and tech incubators.
- Facilitate student–industry collaboration projects.
3. Industry Collaboration & Partnerships
11.3.5 Industry Linkages Policy:
- Partner with tech companies (local & global) for internships, mentorship, and joint projects.
- Co-create curriculum modules with industry experts to capture the realities of the present day in the curriculum.
- Certification Policy:
- Integrate globally recognized ICT certifications such as Cisco, AWS, Google, Microsoft, CompTIA into degree programs.
Capacity Building for Faculty
- Continuous Training Policy: should include the following:
- Mandatory periodic re-training for ICT lecturers in emerging technologies.
- Sabbaticals or exchange programs with industry or research labs.
- Research Grant & Incentives Policy: Provide funding, incentives, and recognition for faculty who advance ICT research and mentorship.
Infrastructure & Access
- Digital Infrastructure Policy:
- Invest in high-speed internet, cloud labs, e-libraries, and virtual learning platforms.
- Provide open access labs for students to experiment with AI, IoT, and robotics.
- Cybersecurity & Data Policy
- Protect students’ data and intellectual property.
- Promote cyber hygiene and responsible use of ICT resources.
Equity & Inclusion
- Inclusion Policy
- Encourage participation of women and underrepresented groups in ICT programs.
- Scholarships and mentorship for disadvantaged students.
- Accessibility Policy
- Ensure ICT learning materials and platforms are accessible to students with disabilities.
7. Ethics & Responsible ICT Use
11.6 Digital Ethics Policy
i. Embed ethics, data privacy, cybersecurity, and responsible AI into ICT courses.
ii. Develop a code of conduct for ICT research and development.
8. Monitoring & Evaluation
11.7 Talent Development Metrics Policy
i. Track graduates’ employability, startup creation, patents, and certifications.
ii. Regularly review programme outcomes with input from alumni and employers.
Internet Television
Internet Television, also known as IPTV, is television content that is delivered over the internet instead of by traditional methods like satellite, cable, or terrestrial broadcast. IPTV can follow any of these models: subscription-based services such as Netflix, Amazon Prime Video, etc.; free/ad-supported services like YouTube, Pluto TV, etc.; and live TV streaming like Sling TV, YouTube TV, DSTV Stream, etc.
- Policies guiding IPTV
The following policies should apply in the deployment and use of IPTV in this University.
ICT Infrastructure & Network Policy
- The University should ensure the availability of high-bandwidth and stable internet to support streaming.
- The network managers should have a defined network segmentation so that the IPTV traffic does not overload academic networks.
- Network managers should provide Quality of Service (QoS) rules to prioritize educational IPTV streams over entertainment.
2. Content Licensing & Copyright Policy
- In cases where TV contents must be procured, the IPTV managers should secure proper licenses for live TV channels, recorded lectures and video-on-demand.
- Contents must comply with copyright laws when rebroadcasting or recording content.
- Local contents for broadcast to the university community and the global audience should be developed by different departments and units of the University while maintaining professionalism.
- Contents must adhere to national laws on broadcasting like that of the Nigeria Broadcasting Corporation (NBC), among others.
- There should be policies for faculty-generated contents, taking into account copyright and intellectual property. They should clearly state who owns a recorded lecture, etc.
11.9 Access & User Management Policy
- Staff, students and visitors to the university should have access to the IPTV.
- UNN IPTV users must log in with identifiable credentials, using University login credentials or campus-only access, as a means of authentication and authorization to the system.
- IPTV channel management should restrict age-sensitive or inappropriate contents by using content filters.
11.10 Data Privacy & Security Policy
- There is a need to adhere to the national Data Protection Act to protect student viewing data. The IPTV must be Nigerian Data Protection Regulation compliant.
- As part of data protection, broadcasts should ensure secure transmission, such as encrypted streams and the use of a VPN for remote access.
- Users of the IPTV must prevent misuse such as illegal redistribution of University IPTV contents.
5. Acceptable Use Policy (AUP)
- The End User Agreement License (EUAL) must clarify that the IPTV is for educational enrichment (lectures, tutorials, academic content, documentaries, etc.), with limited entertainment use.
- The IPTV managers should prohibit streaming activities that violate copyright or laws.
- The IPTV usage must comply with fair usage to avoid overloading the system.
Content Development & Academic Integration Policy
- There may be a need to apply some incentives to encourage faculty members to produce educational video contents such as recorded lectures and tutorials.
- There may be a need to create a framework for open educational resources (OER) distribution via IPTV.
- Operators should align IPTV services with blended learning, distance learning, and e-library services.
Maintenance & Sustainability Policy
- For the IPTV to be self-sustaining, there should be a budget for hardware units such as servers, encoders, set-top boxes, etc., and for software upgrades.
- There should be periodic training of ICT staff to maintain and troubleshoot IPTV systems.
- University Management should include IPTV in its long-term digital strategy.
12.0 ICT POLICY ON SOCIAL MEDIA
This policy acknowledges the right of staff and students of the University of Nigeria to use social media for engagements, social networking and research activities. The Policy is developed to provide guidelines for the responsible and effective use of social media platforms by all entities and affiliates of the University of Nigeria. It aims to protect UNN’s digital identity and data, encourage responsible online engagement and prevent reputational, legal, or security risks.
12.1 The ICT Unit, together with the Information and Public Relations Officer, shall create and manage official institutional social media accounts (e.g., Facebook, X/Twitter, Instagram, LinkedIn, YouTube, WhatsApp).
12.3: Provide technical assistance to the Information and Public Relations Unit in monitoring and reporting unauthorized social media accounts bearing the name of the University or using any of the University’s visual identifications.
12.4 Use of Official Accounts.
12.4.1: Only authorised staff, approved by the ICT Directorate or the Information and Public Relations Unit, may operate official institutional accounts.
12.4.2: Login credentials must be securely managed and changed periodically. The change should be done in cooperation with the Public Relations Unit.
12.5: Security and Privacy
12.5.1: Social media activities should comply with data protection and privacy regulations.
12.5.2: Staff must avoid sharing sensitive institutional information on social media.
12.5.3: Strong passwords and two-factor authentication must be enabled for official accounts.
12.5.4: Administrators must ensure proper handover of login credentials during role transitions, transfers or retirement.
12.5.5: Personal data of staff/students must not be shared on social media without consent, in compliance with data protection regulations.
12.5.6: Cyberbullying, harassment, hate speech, or defamatory content against individuals or the University is strictly prohibited.
For the detailed University of Nigeria Social Media Policy, please refer to the Public Communication and Social Media Policy.
14.0. CONCLUSION
This document is compiled, signed and presented this 12th Day of September, 2025 by the Information and Technology Policy Committee, comprising the following members of staff of the University of Nigeria:
APPENDIX A
ORGANOGRAM OF THE ICT STRUCTURE
APPENDIX B
NIGERIA DATA PROTECTION ACT, 2023
Extraordinary
Federal Republic of Nigeria Official Gazette
No. 119 Lagos – 1st July, 2023 Vol. 110
Government Notice No. 82
The following is published as supplement to this Gazette :
Act No. | Short Title | Page
37 | Nigeria Data Protection Act, 2023 | A719-758
Printed and Published by The Federal Government Printer, Lagos, Nigeria FGP 97/62023/1,200
Arrangement of Sections
Section :
Part I—Objectives and Application
- Objectives
- Application
- Exemption of application
Part II — Establishment of the Nigeria Data Protection Commission,
and its Governing Council
- Establishment of the Nigeria Data Protection Commission
- Functions of the Commission
- Powers of the Commission
- Independence of the Commission
- Establishment of the Governing Council of the Commission
- Appointment of members of the Council
- Tenure of members of the Council
- Cessation of membership
- Functions and powers of the Council
- Conflict of interest
Part III — Appointment of the National Commissioner, and Other Staff of the Commission
- Appointment of the National Commissioner for the Commission
- Secretary to the Council
- Staff of the Commission
- Staff regulations and discipline
- Pension
Part IV — Financial Provisions
- Funds of the Commission
- Expenditure of the Fund
- Power to borrow and accept gifts
- Account and audit
- Annual reports and estimates
Part V — Principles and Lawful Basis Governing Processing of Personal Data
- Principles of personal data processing
- Lawful basis of personal data processing
- Consent
- Provision of information to the data subject
- Data privacy impact assessment
- Obligations of the data controller and data processor
- Sensitive personal data
- Children or persons lacking the legal capacity to consent
- Data Protection Officers
- Data protection compliance services
Part VI — Rights of a Data Subject
- Rights of a data subject
- Withdrawal of consent
- Right to object
- Automated decision making
- Data portability
Part VII — Data Security
- Security, integrity, and confidentiality
- Personal data breaches
Part VIII — Cross-border Transfers of Personal Data
- Basis for cross-border transfer of personal data
- Adequacy of protection
- Other bases for transfer of personal data outside Nigeria
Part IX — Registration and Fees
- Registration of data controllers and data processors of major importance
- Fees and levies
Part X — Enforcement
- Complaints and investigations
- Compliance orders
- Enforcement orders
- Offences and penalties
- Judicial review
- Civil remedies
- Forfeiture
- Joint and vicarious liability
Part XI — Legal Proceedings
- Limitation of suits against the Commission
- Service of documents
- Restriction on execution against property of the Commission
- Indemnity of staff, members, and employees of the Commission
- Power of arrest, search, and seizure
- Right to appear in court
Part XII — Miscellaneous Provisions
- Directives by the Minister
- Regulations
- Directives, codes, and guidelines
- Priority of the Act
- Transitional provisions
- Interpretation
- Citation
Schedule
ACT No. 37
An Act to Provide a Legal Framework for the Protection of Personal Information, and Establish the Nigeria Data Protection Commission for the Regulation of the Processing of Personal Information ;
and for Related Matters
[12th Day of June, 2023]
ENACTED by the National Assembly of the Federal Republic of Nigeria—
PART I—OBJECTIVES AND APPLICATION
- —(1) The objectives of this Act are to —
- safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999 ;
- provide for the regulation of processing of personal data ;
- promote data processing practices that safeguard the security of personal data and privacy of data subjects ;
- ensure that personal data is processed in a fair, lawful and accountable manner ;
- protect data subjects’ rights, and provide means of recourse and remedies, in the event of the breach of the data subject’s rights ;
(f) ensure that data controllers and data processors fulfil their obligations to data subjects ;
- establish an impartial, independent, and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors ; and
- strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.
- —(1) This Act shall apply to the processing of personal data, whether by automated means or not.
(2) This Act shall apply, where the —
- data controller or data processor is domiciled in, resident in, or operating in Nigeria ;
- processing of personal data occurs within Nigeria ; or
- the data controller or the data processor is not domiciled in, resident in, or operating in Nigeria, but is processing personal data of a data subject in Commencement.
- —(1) This Act shall not apply to the processing of personal data carried out by one or more persons solely for personal or household purposes: Provided that such processing for personal or household purposes does not constitute a violation of fundamental right to privacy of a data subject.
- Subject to the rights and freedoms under the Constitution and the limitations, the obligations under Part V, other than sections 24, 25, 32, and 40 of this Act, shall not apply to a data controller or data processor if the processing of personal data is —
- carried out by a competent authority for the purposes of the prevention, investigation, detection, prosecution, or adjudication of a criminal offence or the execution of a criminal penalty, in accordance with any applicable law ;
- carried out by a competent authority for the purposes of prevention or control of a national public health emergency ;
- carried out by a competent authority, as is necessary for national security ;
- in respect of publication in the public interest, for journalism, educational, artistic and literary purposes to the extent that such obligations and rights are incompatible with such purposes ; or
- necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings, or in an administrative or out-of-court
- The Commission may by regulation prescribe types of personal data and processing that may be exempted from application of this
- Notwithstanding the provisions of this Act, the Commission may issue a guidance notice containing legal safeguards and best practices to a data controller or processor, in respect of any aspect of data processing exempted under this section where in the opinion of the Commission, such processing violates or is likely to violate sections 24 and 25 of this
Part II — Establishment of the Nigeria Data Protection Commission, and its Governing Council
- —(1) There is established the Nigeria Data Protection Commission (in this Act, referred to as “the Commission”).
- The Commission —
- shall be a body corporate, with perpetual succession and a common seal ;
- may sue or be sued in its corporate name ; and
- may acquire, hold and dispose of its
- The Commission —
- shall have its head office in the Federal Capital Territory ; and
- may maintain other offices, in any part of Nigeria, for the purposes of achieving the objects of the Commission.
- Subject to the approval of the Council, the National Commissioner may acquire other offices and premises for the use of the Commission.
- The Commission shall —
- regulate the deployment of technological and organisational measures to enhance personal data protection ;
- foster the development of personal data protection technologies, in accordance with recognised international best practices and applicable international law ;
- where necessary, accredit, license, and register suitable persons to provide data protection compliance services ;
- register data controllers and data processors of major importance ;
- promote awareness on the obligation of data controllers and data processors under this Act ;
(f) promote public awareness and understanding of personal data protection, rights and obligations imposed under this Act, and the risks to personal data ;
- receive complaints relating to violations of this Act or subsidiary legislation made under this Act ;
- collaborate with any relevant ministry, department, agency, body, company, firm, or person for the attainment of the objectives of this Act ;
- ensure compliance with national and international personal data protection obligations and best practice ;
- participate in international fora and engage with national and regional authorities responsible for data protection with a view to developing efficient strategies for the regulation of cross-border transfers of personal data ;
- determine whether countries, regions, business sectors, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms, afford adequate personal data protection standards for cross-border transfers ;
- collect and publish information with respect to personal data protection, including personal data breaches ;
- advise government on policy issues relating to data protection and privacy ;
- submit legislative proposals to the Minister necessary for strengthening personal data protection in Nigeria ; and
- carry out other legal actions as are necessary for the performance of the functions of the Commission.
- The Commission shall have powers to —
- oversee the implementation of the provisions of this Act ;
- prescribe fees payable by data controllers and data processors in accordance with data processing activities ;
- issue regulations, rules, directives and guidance under this Act ;
- prescribe the manner and frequency of filing, and content of compliance returns by data controllers and data processors of major importance to the Commission ;
- call for information from a person, or inspect any documents with respect to any thing done under this Act ;
(f) conduct investigations into any violation of a requirement under this Act or subsidiary legislation made under this Act by a data controller or a data processor ;
- impose penalties in respect of any violation of the provisions of this Act or subsidiary legislation made under this Act ;
- acquire assets, and sell, let, lease, or dispose of any of its property ; and
- perform such other acts as are necessary to give effect to the functions of the Commission.
- The Commission shall be independent in the performance of its functions under this
- —(1) There shall be for the Commission, a Governing Council (in this Act referred to as “the Council”), which shall consist of —
- a part-time Chairman, who shall be a retired judge of Nigeria ;
- the National Commissioner ;
- a representative, not below the rank of a Director or its equivalent, from —
- the Federal Ministry responsible for Justice,
- the Federal Ministry responsible for communications and digital economy,
- the Central Bank of Nigeria, and
- a law enforcement agency ; and
- one representative from the private
- Members of the Council other than the National Commissioner shall be paid such allowances as may be determined, in collaboration with the Revenue Mobilisation Allocation and Fiscal Commission.
- The supplementary provisions set out in the Schedule to this Act shall apply with respect to the proceedings of the Council, and other matters contained in it.
- —(1) The Chairman and non-ex-officio members of the Council shall be appointed by the President, on the recommendation of the Minister.
- A member appointed to the Council under section 8 of this Act from—
- the private sector shall be a Nigerian and possess not less than five years cognate experience and proficiency in data protection and privacy; and
- government, under section 8(1)(c) of this Act, may have proficiency in data protection and privacy.
- —(1) Members of the Council other than the National Commissioner shall be part-time members.
- The Chairman and non-ex-officio members of the Council shall hold office —
- for a term of four years, and may be eligible for re-appointment for another term of four years, and no more ; and
- on such terms and conditions, as may be specified in their letters of
- —(1) A person shall cease to be a member of the Council, where the person —
- dies ;
- becomes bankrupt or compounds with his creditors ;
- is convicted of a felony or any offence involving dishonesty or fraud ;
- is disqualified from professional qualification ;
- is guilty of a serious misconduct with regard to the discharge of the person’s duties ;
(f) under section 8(1)(c) of this Act, ceases to occupy the office by virtue of which he became a member of the Council ; or
(g) resigns from appointment by giving at least two months’ notice, in writing, addressed to the President.
- The President, on the recommendation of the Minister, may remove a member of the Council, where satisfied that it is not in the interest of the Commission or the public that the member continues in that office.
- Where a member of the Council ceases to hold office before the expiration of the term, the President shall appoint a person to fill the vacancy, and the person so appointed shall hold office for the remainder of the term of office of that member.
Appointment of members of the Council
Tenure of members of the Council
Cessation of membership
Functions and powers of the Council
Act No. 4, 2014
Conflict of interest
- —(1) The functions of the Council are to —
- formulate and provide overall policy direction of the affairs of the Commission ;
- approve strategic plans, action plans and budget support programmes submitted by the National Commissioner ;
- approve annual reports and financial reports submitted by the National Commissioner ;
- approve the terms and conditions of service of the employees of the Commission, including remuneration, allowances and pension benefits in accordance with the Pension Reform Act ;
- approve staff regulations for the appointment, promotion and discipline of staff of the Commission ;
(f) provide advice and counsel to the National Commissioner;
- assist the National Commissioner in matters relating to compliance by ministries, departments and agencies of government with this Act ; and
- handle such other matters, as may be prescribed by any other provision of this
(2) The Council shall have the power to delegate any of its functions under this Act to a committee set up by it, in accordance with the provisions of this Act.
- —(1) A member of the Council shall —
- ensure that personal interest shall not conflict with the member’s duties under this Act ;
- not make secret profit in the course of discharging official duties ;
- fully disclose to the Council any personal, commercial, financial, or other interest, which may directly or indirectly hold or be connected with the business of the Commission or becomes the subject of consideration by the Council ;
- subject to subsection (3), be ineligible to participate in any Council deliberation and voting-related matter ; and
- not accept any gift or advantage in whatever form or manner, for anything done or likely to be done with respect to the responsibilities of the
- A member of the Council, who contravenes the provisions of paragraphs (b) and (e), commits an offence and is liable on conviction to —
- in the case of a contravention of paragraph (b), a fine of at least N10,000,000 or imprisonment for a term not more than three years, or both ; or
- in the case of a contravention of paragraph (d), a fine of at least N5,000,000, or imprisonment for a term not more than two years, or
Part III — Appointment of the National Commissioner, and Other Staff of the Commission
- —(1) There shall be for the Commission, a National Commissioner, who shall be —
- appointed by the President, on the recommendation of the Minister ;
- the chief executive and accounting officer of the Commission; and
- responsible for the execution of the policies and administration of the affairs of the Commission.
- The National Commissioner shall —
- hold a certification in data protection from a training body which is duly accredited in line with international best practices ; and
- possess at least 10 years cognate experience, at a senior management level, in data protection, cybersecurity management, information and communication technology, law, consumer protection, management science, or other relevant disciplines.
- A person appointed as the National Commissioner shall not hold any other management position in a Ministry, Department, or Agency of Government, corporation, company, or any other business establishment.
- The National Commissioner shall hold office —
- for a term of five years, and may be re-appointed for another term of five years, and no more ; and
- on such other terms and conditions as may be specified in the letter of
- The National Commissioner shall be the Secretary to the Council, and —
- be responsible to the Council;
- keep the Council’s records;
- conduct the Council’s correspondence ; and
- discharge such other duties, as the Council may
- The Commission shall, subject to the approval of the Council, recruit directly or by secondment from the Public Service of the Federation, such number of staff, as it deems necessary and expedient —
- for the proper and efficient performance of its functions ; and
- on such terms and conditions, with remunerations, allowances, and
Appointment of the National Commissioner for the Commission
Secretary to the Council
Staff of the Commission
Staff regulations and discipline
Pension Act No. 4, 2014
Fund of the Commission
- —(1) The Commission may make staff regulations relating generally to the conditions of service of the staff, and such regulations may provide for —
- the appointment, promotion, and disciplinary control of staff of the Commission ; and
- appeals by staff against dismissal or other disciplinary measures :
Provided that pending the making of such staff regulations, any instrument relating to conditions of service in the Public Service of the Federation shall be applicable, with such modifications, as may be necessary to the staff of the Commission.
(2) The staff regulations made under subsection (1) shall not have effect until approved by the Council.
- —(1) Staff of the Commission shall be entitled to pension and other retirement benefits, as prescribed under the Pension Reform Act.
- Without prejudice to the provisions of subsection (1), nothing in this Act shall prevent the appointment of a person to any office on conditions, which preclude the grant of pension and other retirement benefits in respect of that office.
- For the application of the provisions of the Pension Reform Act, any power exercisable by a Minister or other authority of the Federal Government, other than the power to make regulations under the Pension Reform Act, shall be vested in, and exercisable by the Council.
Part IV — Financial Provisions
- —(1) The Commission shall establish a Fund (in this Act referred to as “the Fund”) for the performance of its functions under this Act.
- There shall be paid into the Fund established under subsection (1) —
- a take-off grant as may be appropriated by the National Assembly which shall be drawn in the following manner —
- 20% of the take-off grant shall be from the Consolidated Revenue Fund of the Federation,
- 40% of the take-off grant shall be from the Nigerian Communications Commission, and
- 40% of the take-off grant shall be from the National Information Technology Development Agency ;
- donations, gifts, loans, grants, aids, endowments, and voluntary contributions ;
- returns on investments of the Commission ;
- levies, fees, penalties, and fines collected by the Commission ; and
- such other money or assets that may accrue to the
- 50% of the total amount of the take-off grant shall be provided to the Commission on the commencement of this Act, and the remaining 50% of the take-off grant shall be provided on the anniversary of the date on which this Act
- Subject to any applicable law, the Commission may borrow such sums of money, as may be required in the performance of its functions under to this
- —(1) There shall be chargeable to the Fund —
- the cost of administration of the Commission ;
- allowances and remuneration payable to members of the Council ;
- remunerations, allowances, retiring benefits, such as pensions and gratuities, and such other money payable to the staff of the Commission ;
- the payment for consultancies and contracts, including mobilisation, fluctuations, variations, and legal fees ;
- expenses necessary to meet capital expenditure, such as, for the purchase, acquisition, or maintenance of property or other equipment of the Commission ;
(f) repayment of funds borrowed by the Commission, including interest on such borrowed funds ; and
(g) any other expenditure, approved by the Council, for the purposes of performing the functions of the Commission under this Act.
(2) The Fund of the Commission shall be managed in accordance with the rules made by the Council.
- —(1) Subject to any applicable law, the Commission may borrow such sums of money, as may be required in the performance of the functions of the Commission under this Act.
(2) The Commission may accept gifts, grants of money, aids, or other assets, provided that the terms and conditions of the acceptance are consistent with the objectives and functions of the Commission under this Act.
- —(1) The Commission shall keep and maintain proper accounts and records, including records of —
- receipts, payments, assets, and liabilities ; and
- income and expenditure, in a form which conforms with existing laws on accounts and audit.
(2) The Commission shall cause the accounts to be audited, not later than six months after the end of each year, by auditors appointed from the list maintained by the Auditor-General for the Federation, and in accordance with the guidelines provided by the Auditor-General for the Federation.
Expenditure of the Fund
Power to borrow and accept gifts
Account and audit
Annual reports and estimates
- An auditor appointed under subsection (2) shall have full and free access to all account records, documents, and papers of the Commission.
- For the purpose of this section, the financial year of the Commission shall be from 1 January to 31 December of every year, or such other period, as may be determined by the Council.
- —(1) The Commission shall, not later than six months after the end of each financial year, submit to the National Assembly through the Minister —
- a report of its activities during the preceding year, including the audited accounts of the Commission ; and
- an estimate of the expenditure and income for the next succeeding year.
(2) Notwithstanding the provisions of subsection (1), the Commission may, in any financial year, submit supplementary or adjusted statements of estimated income and expenditure to the National Assembly.
Principles of personal data processing
Part V — Principles and Lawful Basis Governing Processing Of Personal Data
- —(1) A data controller or data processor shall ensure that personal data is —
- processed in a fair, lawful and transparent manner ;
- collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes ;
- adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed ;
- retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed ;
- accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed ; and
(f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.
- A data controller and data processor shall use appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data.
- Notwithstanding anything to the contrary in this Act or any other law, a data controller or data processor owes a duty of care, in respect of data processing, and shall demonstrate accountability, in respect of the principles contained in this
- For the purposes of subsection (1) (b) —
- compatibility of further processing shall be assessed considering —
- the relationship between the original purpose and the purpose of the intended further processing,
- the nature of the personal data concerned,
- the consequences of further processing,
- how the personal data has been collected, and
- the existence of appropriate safeguards ; and
- further processing for archiving purposes in the public interest, scientific, historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes.
- —(1) Without prejudice to the principles set out in this Act, data processing shall be lawful, where —
- the data subject has given and not withdrawn consent for the specific purpose or purposes for which personal data is to be processed ; or
- the processing is necessary —
- for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract,
- for compliance with a legal obligation to which the data controller or data processor is subject,
- to protect the vital interest of the data subject or another person,
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor, or
- for the purposes of the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is
- Interests in personal data processing shall not be legitimate for the purposes of subsection (1)(b)(v), where —
- they override the fundamental rights, freedoms and the interests of the data subject ;
- they are incompatible with other lawful basis of processing under subsection (1)(b) (i)-(iv) ; or
- the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.
- —(1) A data controller shall bear the burden of proof for establishing a data subject’s consent.
Lawful basis of personal data processing
Consent
Provision of information to the data subject
- In determining whether consent was freely and intentionally given, account shall be taken of whether, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- Silence or inactivity of the data subject shall not constitute
- Where the processing of personal data is based on the consent of the data subject, the data subject shall be informed of the right to withdraw consent, prior to the granting of consent.
- The withdrawal of consent under subsection (4) shall not affect the lawfulness of data processing that occurred before the withdrawal of the
- A request for consent shall be in clear and simple language and accessible format.
- Consent —
- shall be in the affirmative, and not based on a pre-selected confirmation ; and
- may be provided in writing, orally, or through electronic
- —(1) Before a data controller collects personal data directly from a data subject, the data controller shall inform the data subject of the —
- identity, residence or place of business of, and means of communication with the data controller and its representatives, where necessary ;
- specific lawful basis of processing under section 25(1) or 30(1) of this Act, and the purposes of the processing for which the personal data are intended ;
- recipients or categories of recipients of the personal data, if any ;
- existence of the rights of the data subject under Part VI ;
- retention period for the personal data ;
(f) right to lodge a complaint with the Commission in accordance with section 46 (1) of this Act ; and
- existence of automated decision-making, including profiling, the significance and envisaged consequences of such processing for the data subject, and the right to object to and challenge such processing.
- Before a data controller collects personal data, other than directly from the data subject, the data controller shall inform the data subject of the matters set out in subsection (1), except where the —
- data subject already has been provided with such information ; or
- provision of such information is impossible or would involve a disproportionate effort or expense.
- The information referred to in subsection (1) shall be contained in a privacy policy and expressed in clear, concise, transparent, intelligible, and easily accessible format, taking into consideration the class of data subjects targeted by the data processing.
- —(1) Where the processing of personal data may likely result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context, and purposes, a data controller shall, prior to the processing, carry out a data privacy impact assessment.
- The data controller shall consult the Commission prior to the processing if, notwithstanding the measures envisaged under this section, the data protection impact assessment indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject.
- The Commission may make regulations or issue directives with regards to this section, including the categories of processing and persons subject to the requirement for the conduct of a data privacy impact
- For purposes of this section, a “data privacy impact assessment” is a process designed to identify the risks and impact of the envisaged processing of personal data, and it comprises —
- a systematic description of the envisaged processing and its purpose, including the legitimate interest pursued by the data controller, data processor, or third party ;
- an assessment of the necessity and proportionality of the processing in relation to the purposes for which the personal data would be processed ;
- an assessment of the risks to the rights and freedoms of a data subject ; and
- the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of a data subject and other persons concerned.
- —(1) Where a data controller engages the services of a data processor, or a data processor engages the services of another data processor, the data controller or data processor engaging another shall ensure that the engaged data processor —
- complies with the principles and obligations set out in this Act as applicable to the data controller ;
- assists the data controller or data processor, as the case may be, by the use of appropriate technical and organisational measures, in the fulfilment of the data controller’s obligations to honour the rights of a data subject under Part VI ;
Data privacy impact assessment.
Obligations of the data controller and data processor
Sensitive personal data
- implements appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data as required in Part VII ;
- provides the data controller or engaging data processor, where applicable, with information reasonably required to comply and demonstrate compliance with this Act ; and
- notifies the data controller or engaging data processor, where applicable, when a new data processor is engaged.
(2) The measures under subsection (1) include a written agreement between the data controllers and the data processor, or between data processors, as the case may be.
- —(1) Without prejudice to the principles set out in this Act, a data controller or data processor shall not process, or permit a data processor to process on its behalf, sensitive personal data, unless the —
- data subject has given and not withdrawn consent to the processing for the specific purpose or purposes for which it will be processed ;
- processing is necessary for the purposes of performing the obligations of the data controller or exercising rights of the data subject under employment or social security laws or any other similar laws ;
- processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent ;
- processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association, or such other non-profit organisation with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes, and the —
- processing relates solely to the members or former members of the entity, or to persons, who have regular contact with it in connection with its purposes, and
- sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject ;
- processing is necessary for the establishment, exercise, or defense of a legal claim, obtaining legal advice, or conduct of a legal proceeding ;
(f) processing is necessary for reasons of substantial public interest, on the basis of a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject ;
(g) processing is carried out for purposes of medical care or community welfare, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality ;
- processing is necessary for reasons of public health and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject ; or
- processing is necessary for archiving purposes in the public interest, or historical, statistical, or scientific research, in each case on the basis of a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and freedoms and the interests of the data subject.
- The Commission may make regulations or issue directives prescribing —
- further categories of personal data that may be classified as sensitive personal data ;
- further grounds on which such personal data may be processed ; and
- safeguards that may
- The Commission shall, in making regulations or issuing directives under subsection (2), have regard to the —
- risk of significant harm that may be caused to a data subject or a class of data subjects by the processing of such category of personal data ;
- reasonable expectation of confidentiality attached to such category of personal data ; and
- adequacy of protection afforded to personal data
- —(1) Where a data subject is a child or a person lacking the legal capacity to consent, a data controller shall obtain the consent of the parent or legal guardian, as applicable, to rely on consent under this
- A data controller shall apply appropriate mechanisms to verify age and consent, taking into consideration available technology.
- For the purposes of subsection (2), presentation of any government approved identification documents shall be an appropriate mechanism.
- Subsection (1) shall not apply, where the processing is —
- necessary to protect the vital interests of the child or person lacking the legal capacity to consent ;
- carried out for purposes of education, medical, or social care, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality ; or
- necessary for proceedings before a court relating to the
- Where the circumstance relates to the processing of personal data of a child of 13 years and above in relation to the provision of information and services by electronic means at the specific request of the child, the Commission shall make regulations in accordance with the objectives of this
Children or persons lacking the legal capacity to consent
Act No. 26, 2003
Data Protection Officers
Data protection compliance services
Rights of a data subject
- Nothing in this Act shall be construed as authorising data processing in respect of a child in a manner that is inconsistent with the provisions of the Child’s Right
- —(1) A data controller of major importance shall designate a Data Protection Officer with expert knowledge of data protection law and practices, and the ability to carry out the tasks prescribed under this Act and subsidiary legislation made under it.
- The Data Protection Officer may be an employee of a data controller or engaged by a service contract.
- The Data Protection Officer shall —
- advise the data controller or the data processor, and their employees, who carry out processing made under this Act ;
- monitor compliance with this Act and related policies of the data controller or data processor ; and
- act as the contact point for the Commission on issues relating to data
- The Commission may license a person having a requisite level of expertise, in relation to data protection and this Act, to monitor, audit and report on compliance by data controllers and data processors with —
- this Act ; and
- regulations, guidelines, directives, and codes of conduct issued by the Commission made under the provisions of this
Part VI — Rights of a Data Subject
- —(1) A data subject has the right to obtain from a data controller, without constraint or unreasonable delay —
- confirmation as to whether the data controller or a data processor operating on its behalf, is storing or otherwise processing personal data relating to the data subject, and where that is the case —
- the purposes of the processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organisations,
- where possible, the period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request from the data controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject or to object to such processing,
- the right to lodge a complaint with the Commission,
- where the personal data is not collected from the data subject, any available information as to their source, and
- the existence of automated decision-making, including profiling, the significance and envisaged consequences for the data subject ;
- a copy of data subject’s personal data in a commonly used electronic format, except to the extent that providing such data would impose unreasonable costs on the data controller, in which case the data subject may be required by the data controller to bear some or all of such costs ;
- the correction or, if correction is not feasible or suitable, deletion of the data subject’s personal data that is inaccurate, out of date, incomplete, or misleading ;
- the erasure of personal data concerning the data subject, without undue delay ; and
- restriction of data processing pending —
- the resolution of a request,
- objection by the data subject under this Act, or
- the establishment, exercise, or defense of legal
- A data controller shall erase personal data without undue delay, where —
- the personal data is no longer necessary, in relation to the purposes for which it was collected or processed, or
- the data controller has no other lawful basis to retain the personal data.
- —(1) A data subject shall have the right to withdraw, at any time, consent to the processing of personal data under this Act.
- The data controller shall ensure that it is as easy for the data subject to withdraw, as to give consent.
- —(1) A data subject shall have the right to object to the processing of personal data relating to the data subject.
- A data controller shall discontinue the processing of personal data, unless the data controller demonstrates a public interest or other legitimate grounds, which overrides the fundamental rights and freedoms, and the interests of the data subject.
- Where personal data is processed for direct marketing purposes, the data subject shall have the right to object, at any time, to the processing of personal data concerning the data subject, which includes profiling to the extent that it is related to such direct marketing.
Right to object
Automated decision making
Data portability
- Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- —(1) A data subject shall have the right not to be subject to a decision based solely on automated processing of personal data, including profiling, which produces legal or similar significant effects concerning the data
- Subsection (1) shall not apply, where the decision is —
- necessary for entering into or the performance of a contract between the data subject and a data controller ;
- authorised by a written law, which establishes suitable measures to safeguard the fundamental rights and freedoms, and the interests of the data subject ; or
- authorised by the consent of the data
- The data controller shall implement suitable measures to safeguard the data subject’s fundamental rights, freedoms and interests, including the rights to —
- obtain human intervention on the part of the data controller ;
- express the data subject’s point of view ; and
- contest the
- —(1) The Commission may make regulations establishing a right of personal data portability.
- Right of data portability under this Act shall entitle the data subject to —
- receive, without undue delay from a data controller, personal data concerning the data subject in a structured, commonly used, and machine-readable format ;
- transmit the personal data obtained under paragraph (a) to another data controller without any hindrance ; and
- where technically possible, have the personal data transmitted directly from one data controller to another.
- The Commission may prescribe —
- circumstances and conditions on which the data subject may exercise the right of data portability ; and
- the obligations it would impose on a data controller or data processor, or categories of data controllers or data processors, including in relation to costs and timing.
Part VII — Data Security
- —(1) A data controller and data processor shall implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access, taking into account —
- the amount and sensitivity of the personal data ;
- the nature, degree and likelihood of harm to a data subject that could result from the loss, disclosure, or other misuse of the personal data ;
- the extent of the processing ;
- the period of data retention ; and
- the availability and cost of any technologies, tools, or other measures to be implemented relative to the size of the data controller or data
- Measures implemented under subsection (1) may include —
- pseudonymisation or other methods of de-identification of personal data ;
- encryption of personal data ;
- processes to ensure security, integrity, confidentiality, availability and resilience of processing systems and services ;
- processes to restore availability of and access to personal data in a timely manner, in the event of a physical or technical incident ;
- periodic assessments of risks to processing systems and services, including where the processing involves the transmission of data over an electronic communications network ;
(f) regular testing, assessing, and evaluation of the effectiveness of the measures implemented against current and evolving risks identified ; and
(g) regular updating of the measures and introduction of new measures to address shortcomings in effectiveness, and accommodate evolving risks.
- —(1) Where a personal data breach has occurred with respect to personal data being stored or processed by a data processor, the data processor shall, on becoming aware of the breach —
- notify the data controller or data processor that engaged it, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned ; and
- respond to all information requests from the data controller or data processor that engaged it, as they may require to comply with their obligations under this section.
Security, integrity, and confidentiality
Personal data breaches
- A data controller shall, within 72 hours of becoming aware of a breach which is likely to result in a risk to the rights and freedoms of individuals, notify the Commission of the breach and, where feasible, describe the nature of the personal data breach including the categories and approximate numbers of data subjects and personal data records concerned.
- Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject the data controller shall immediately communicate the personal data breach to the data subject in plain and clear language, including advice about measures the data subject could take to mitigate effectively the possible adverse effects of the data breach and if a direct communication to the data subject would involve disproportionate effort or expense, or is otherwise not feasible, the data controller may instead make a public communication in one or more widely used media sources such that the data subject is likely to be informed.
- The notifications and communications referred to in subsections (1), (2) and (3) shall, in addition to the requirements of those subsections —
- communicate the name and contact details of a point of contact of the data controller, where more information can be obtained ;
- describe the likely consequences of the personal data breach ; and
- describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- The Commission may, at any time, make a public communication about a personal data breach notified to it under subsection (2), where it considers the steps of the data controller to inform data subjects
- The Commission shall issue and publish regulations on the steps to be taken by a data controller to adequately inform data subjects of a personal data breach for purposes of subsection (3).
- In evaluating whether a personal data breach is likely to result in a risk to the rights and freedoms of a data subject under subsection (3), a data controller and the Commission may take into account —
- the likely effectiveness of any technical and administrative measures implemented to mitigate the likely harm resulting from the personal data breach, including any encryption or de-identification of the data ;
- any subsequent measures taken by the data controller to mitigate such risk ; and
- the nature, scope and sensitivity of the personal data
- A data controller and data processor shall keep a record of all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken in a manner that enables the Commission to verify compliance with this section.
- Where it is not possible to provide information under this section at the same time, the information may be provided in phases without undue
Part VIII — Cross-border Transfers of Personal Data
- —(1) A data controller or data processor shall not transfer or permit personal data to be transferred from Nigeria to another country, unless —
- the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with this Act ; or
- one of the conditions set out in section 43 of this Act
- A data controller or data processor shall record the basis for transfer of personal data to another country under subsection (1) and the adequacy of protection under section 42 of this Act.
- The Commission may make regulations requiring data controllers and data processors to notify it of the measures in place under subsection (1) and to explain their adequacy in terms of section 42 of this
- The Commission may, by regulations, designate categories of personal data that are subject to additional specified restrictions on transfer to another country based on the nature of such personal data and risks to data subjects.
- —(1) A level of protection is adequate for the purposes of this section if it upholds principles that are substantially similar to the conditions for processing of the personal data provided for in this
- The adequacy of protection referred to in subsection (1) shall be assessed taking into account the —
- availability of enforceable data subject rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law ;
- existence of any appropriate instrument between the Commission and a competent authority in the recipient jurisdiction that ensures adequate data protection ;
- access of a public authority to personal data ;
- existence of an effective data protection law ;
- existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers ; and
Basis for cross-border transfer of personal data
Adequacy of protection
Other bases for transfer of personal data outside Nigeria
(f) international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.
- The Commission shall issue guidelines as to the assessment of adequacy and the factors set out under subsection (2).
- The Commission may determine whether a country, region or specified sector within a country, or standard contractual clauses, affords an adequate level of protection under subsection (1).
- The Commission may approve binding corporate rules, codes of conduct, certification mechanisms or similar instruments for data transfer proposed to it, where the Commission is satisfied that such instruments meet appropriate standards of data protection in accordance with the objectives of this
- The absence of a determination by the Commission under subsection (4) or (5) with respect to a country, territory, sector, binding corporate rules, contractual clause, code of conduct, or certification mechanism shall not imply the adequacy of the protections afforded by it.
- The Commission may make a determination under subsection (4) based on adequacy decision made by a competent authority of other jurisdictions, where such decision have taken into account factors similar to those listed in this section.
- —(1) In the absence of adequacy of protection under section 42 of this Act, a data controller or data processor shall only transfer personal data from Nigeria to another country if the —
- data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections ;
- transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract ;
- transfer is for the sole benefit of a data subject and —
- it is not reasonably practicable to obtain the consent of the data subject to that transfer, and
- if it were reasonably practicable to obtain such consent, the data subject would likely give it ;
- transfer is necessary for important reasons of public interest ;
- transfer is necessary for the establishment, exercise, or defense of legal claims ; or
(f) transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.
(2) Without prejudice to any provision of this Act, no specific international, multi-national cross border data transfer codes, rules or certification mechanisms shall be adopted as Federal Republic of Nigeria standard for the protection of data subject or data sovereignty without approval of the National Assembly.
Part IX — Registration and Fees
- —(1) Data controllers and data processors of major importance shall register with the Commission within six months after the commencement of the Act or on becoming a data controller or data processor of major
- Registration under subsection (1) shall be made by notifying the Commission of —
- the name and address of the data controller or data processor, and name and address of the data protection officer of the data controller or data processor ;
- a description of personal data and the categories and number of data subjects to which the personal data relate ;
- the purposes for which personal data is processed ;
- the categories of recipients to whom the data controller or data processor intends or is likely to disclose personal data ;
- the name and address, or name and address of any representative of any data processor operating directly or indirectly on its behalf ;
(f) the country to which the data controller or data processor intends, directly or indirectly to transfer the personal data ;
- a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the personal data ; and
- any other information required by the
- A data controller or data processor of major importance shall notify the Commission of any significant change to the information submitted under subsection (2) within 60 days after such change.
- The Commission shall maintain and publish on its website a register of duly registered data controllers and data processors of major importance.
- A data controller or data processor shall be removed from the register of the Commission, where it notifies the Commission that it has ceased to operate as a data controller or data processor of major importance.
- The Commission may exempt a class of data controllers or data processors of major importance from the registration requirements of this section, where it considers such requirement to be unnecessary or
Registration of data controllers and data processors of major importance
Fees and levies
Complaints and investigations
- The Commission may prescribe fees or levies to be paid by data controllers and data processors of major importance.
Part X — Enforcement
- —(1) A data subject, who is aggrieved by the decision, action, or inaction of a data controller or data processor in violation of this Act, or subsidiary legislation made under this Act may lodge a complaint with the
- The Commission may investigate any complaint referred to it, where it appears to the Commission that the complaint is not frivolous or
- The Commission may initiate an investigation of its own accord where it has reason to believe a data controller or data processor has violated or is likely to violate this Act or any subsidiary legislation made under this
- The Commission may, for the purpose of an investigation, order a person to —
- attend at a specific time and place for the purpose of being examined orally in relation to a complaint ;
- produce such document, record, or article, as may be required with respect to any matter relevant to the investigation, which the person is not prevented by any other written law from disclosing ; or
- furnish a statement in writing made under oath or an affirmation setting out all information, which may be required under the order.
- Where any material to which an investigation relates, consists of information stored in any document, record, minutes, mechanical or electronic device, the Commission may require the person named to produce such material or give access to the Commission to conduct an inspection on the material.
- For the purposes of subsection (5), the person shall ensure that the information relating to the material under investigation is visible and legible, in a structured, commonly used and machine-readable format.
- The Commission may, where necessary, make representations to —
- the data controller or data processor on behalf of a complainant ; or
- a complainant on behalf of the data controller or data
- The Commission shall —
- establish a unit to receive and follow up on complaints from data subjects and conduct investigations ; and
- adopt rules and procedures on handling complaints and conducting investigations referred to it under this Act.
- —(1) Where the Commission is satisfied that a data controller or data processor has violated or is likely to violate any requirement under this Act or subsidiary legislation made under this Act, the Commission may make an appropriate compliance order against that data controller or data
- The order made by the Commission under subsection (1) may include a —
- warning that certain act or omission is likely to be a violation of one or more provisions under this Act or any subsidiary legislation or orders issued under it ;
- requirement that the data controller or data processor complies with such provisions, including complying with the requests of a data subject to exercise one or more rights under this Act ; or
- cease and desist order requiring the data controller or data processor to stop or refrain from doing an act, which is in violation of this Act, including stopping or refraining from processing personal data that is the subject of the order.
- An order made under this section shall be in writing and shall specify —
- the provisions of this Act that the Commission is satisfied the data controller or data processor has violated ;
- specific measures to be taken by the data controller or data processor to avoid, remedy, or eliminate the situation which has resulted in the violation ;
- a period within which to implement such measures ; and
- a right to judicial review under section 50 of this
- —(1) Notwithstanding any criminal sanctions under this Act, if the Commission, after completing an investigation under section 46 of this Act, is satisfied that a data controller or data processor has violated any provision of this Act or subsidiary legislation made under this Act, it —
- may make any appropriate enforcement order or impose a sanction on the data controller or data processor ; and
- shall inform the data controller or data processor, and if applicable, any data subject who lodged a complaint leading to the investigation, in writing of its decision.
- An enforcement order made or sanction imposed under subsection (1) shall include —
- requiring the data controller or data processor to remedy the violation ;
- ordering the data controller or data processor to pay compensation to a data subject, who has suffered injury, loss, or harm as a result of a violation ;
Compliance orders
Enforcement orders
Offences and penalties
Judicial review
- ordering the data controller or data processor to account for the profits realised from the violation ; or
- ordering the data controller or data processor to pay a penalty or remedial fee.
- A penalty or remedial fee under subsection (2)(d) may be an amount up to the —
- higher maximum amount, in the case of a data controller or data processor of major importance ; or
- standard maximum amount, in the case of a data controller or data processor not of major importance.
- The “higher maximum amount” shall be the greater of —
- N10,000,000, and
- 2% of its annual gross revenue in the preceding financial
- The “standard maximum amount” shall be the greater of —
- N2,000,000, and
- 2% of its annual gross revenue in the preceding financial
- The Commission shall, in determining the sanctions, take into consideration the —
- nature, gravity, and duration of the infringement ;
- purpose of the processing ;
- number of data subjects involved ;
- level of damage and damage mitigation measures implemented ;
- intent or negligence ;
(f) degree of cooperation with the Commission ; and
(g) types of personal data involved.
- —(1) A data controller or data processor, who fails to comply with orders made under section 47 of this Act commits an offence and is liable on conviction to —
- a fine of up to the —
- higher maximum amount, in the case of a data controller or data processor of major importance, or
- standard maximum amount, in the case of a data controller or data processor not of major importance ; or
- imprisonment for a term not more than one year or
- A person who is not satisfied with an order of the Commission, may apply to the court for judicial review within 30 days after the order was
- A data subject, who suffers injury, loss, or harm as a result of a violation of this Act by a data controller or data processor, may recover damages from such data controller or data processor in civil proceedings.
- Notwithstanding anything to the contrary, the Court may make an order of forfeiture against a convicted data controller, data processor, or individual in accordance with the Proceeds of Crime (Recovery and Management) Act.
- —(1) Where an offence has been committed by a body corporate or firm, the body corporate or firm, as well as principal officers of the body corporate or firm shall be deemed culpable, unless the principal officers prove that —
- the offence was committed without their consent or connivance ; and
- they exercised diligence to prevent the commission of the
- A data controller and data processor shall be vicariously liable for the acts or omissions of its agent or employees, in so far as the acts or omissions relate to its business.
Civil remedies
Forfeiture
Act No. 16, 2022
Joint and vicarious liability
Part XI — Legal Proceedings
- —(1) A suit shall not be instituted against the Commission, a member of the Council, or staff of the Commission for an act done under or in execution of this Act, or any public duty of the Commission, unless —
- it is commenced within three months after the act, neglect, or default complained of ; or
- in the case of continued damage or injury, within three months after the ceasing of such act, neglect or default complained of.
- A suit shall not be commenced against the Commission, a member of the Council, or staff of the Commission before the expiration of one month after written notice of intention to commence the suit is served on the Commission, a member, or staff of the Commission by the intending plaintiff or plaintiff’s agent.
- The notice referred to in subsection (2) shall clearly state the —
- cause of action ;
- particulars of the claim ;
- name and place of abode of the intending plaintiff ; and
- relief
- Subject to the provisions of this Act, the provisions of the Public Officers Protection Act, shall apply in relation to any suit instituted against an official or employee of the Commission.
Limitation of suits against the Commission
Cap. P41, LFN, 2004
Service of documents
Restriction on execution against property of the Commission
Indemnity of staff, members, and employees of the Commission
Power of arrest, search, and seizure
- A notice, summons, process, or document, required or authorised to be served on the Commission under the provisions of this Act or any other law or enactment, may be served by delivering it to the National Commissioner at the head office of the Commission.
- —(1) An execution or attachment process shall not be issued against the property of the Commission, in respect of an action or suit against the
(2) A sum of money which may be the judgment of any court awarded against the Commission shall be paid from the Fund of the Commission.
- The National Commissioner, a member of Council, staff of the Commission, or other persons engaged by the Commission shall be indemnified out of the assets of the Commission against —
- losses, charges, claims, expenses, and liabilities incurred in the discharge of official duties, or
- liability incurred in defending criminal or civil proceedings, where the —
- judgement is given in favour of the National Commissioner, a member of the Council, or staff of the Commission,
- National Commissioner, a member of the Council, or staff of the Commission is otherwise acquitted,
- proceedings are otherwise disposed of without any finding or admission of any material breach of duty, or
- court grants the National Commissioner, a member of the Council, or staff of the Commission relief from liability for negligence, default, breach of duty, or breach of trust in relation to the Commission.
- —(1) The Commission shall apply ex-parte to a Judge in Chambers for the issuance of a warrant for the purpose of obtaining evidence in relation to an investigation.
- A Judge may issue a warrant under subsection (1) on the satisfaction that —
- a person has engaged, is engaging, or is likely to engage in a conduct that contravenes the provisions of this Act ;
- the warrant is sought to prevent the commission of an offence under this Act ;
- the warrant is sought to prevent interference with investigative process under this Act ;
- the warrant is for the purpose of investigating data security breaches and data privacy breaches, or obtaining electronic evidence ; or
- the person named in the warrant is preparing to commit an offence under this Act.
- A warrant issued under subsection (2) shall authorise the Commission to —
- in the company of a law enforcement officer, enter and search any premises, where —
- an offence under this Act is being committed,
- there is evidence of the commission of an offence under this Act or other relevant law,
- there is an urgent need to prevent the commission of an offence under this Act or other relevant law, or
- where there is reasonable suspicion that a crime under this Act is or about to be committed ;
- stop and search any person found on such premises ;
- enter and search any conveyance found on the premises ;
- seize, seal, remove, or detain anything which is, or contains evidence of the commission of an offence under this Act ;
- use or cause to be used a computer or other devices to search any data contained in or available to any computer system or computer network ;
(f) use any technology to decode or decrypt any coded or encrypted data contained in a computer into readable text or comprehensible format ; or
(g) require any person having charge of or conversant with the operation of a computer or electronic device in connection with an offence under this Act to produce such computer or electronic device.
- A legal officer of the Commission or a private legal practitioner engaged by the Commission may represent the Commission in civil proceedings, in respect of matters relating to the business or operations of the
Part XII — Miscellaneous Provisions
- Subject to the provisions of this Act, the Minister may give to the Commission directives of a general nature or relating generally to matters of policy with respect to the objectives and functions of the Commission, and the Commission shall comply with the directives.
- —(1) The Commission may make regulations for carrying out its objectives under this
- Without prejudice to subsection (1), the regulations may provide for —
- the financial management of the affairs of the Commission ;
- the protection of personal data and data subjects ;
- the manner in which the Commission may exercise any power, discharge any duty or perform any function under this Act ;
- any matter that under this Act is required or permitted to be prescribed ;
Right to appear in court
Directives by the Minister
Regulations
Directives, codes, and guidelines
Priority of the Act
Transitional provisions
- the forms of applications and related documents required for the purposes of this Act ;
(f) the procedures to be followed under this Act in the submission of complaints to the Commission ;
- frequency of filing and content of compliance returns by data controllers and data processors of major importance to the Commission ;
- fees, fines, and charges prescribed under this Act and such related matters ; and
- any matter that the Commission considers necessary or expedient to give effect to the objectives of this Act.
- The regulations made under this Act may —
- create offences in respect of any contravention of the regulations ; and
- impose penalty not more than that prescribed in this
- The Commission may, prior to making any regulation under this Act, publish on its website, a draft regulation and a notice inviting comments to be submitted on the proposed regulation within a stipulated time.
- The Commission may, where necessary, issue directives, codes, or guidelines on the —
- conduct of the business and operations of the Commission in a manner that —
- fosters accountability, ensures transparency and consistency with the highest ethical standards, and
- ensures compliance with international best practices, as it relates to the regulation of data protection and privacy ;
- budgeting and expenditure of the Commission in accordance with the provisions of this Act ;
- governance code for the Commission ; and
- any other matter relevant to the operations of the
- Where the provisions of any other law or enactment, in so far as they provide or relate directly or indirectly to the processing of personal data, are inconsistent with any of the provisions of this Act, the provisions of this Act shall prevail.
- —(1) A reference to the Nigeria Data Protection Bureau (in this section referred to as “the Bureau”) existing before the commencement of this Act, or a document issued in the name of the Bureau, shall be read as a reference to the Commission established under this Act, and all persons engaged by the Commission shall have the same rights, powers and remedies as existed in the Bureau before the commencement of this Act.
- For the purpose of subsection (1) —
- a person who, prior to the commencement of this Act, was an officer, employee or member of staff of the Bureau shall continue in office, and be deemed to have been appointed under this Act on such terms and conditions not less favourable than that enjoyed prior to the transfer of service ;
- all existing agreements and contracts currently in effect by the Bureau, as it relates to the provisions of this Act shall continue ;
- all records and equipment previously belonging to or allocated for use to the Bureau shall become, on the effective date of this Act, part of the records and equipment of the Commission ;
- properties held immediately before the commencement of this Act on behalf of the Bureau shall on the commencement of this Act, be vested in the Commission established under this Act ;
- any proceeding or cause of action pending or existing immediately before the commencement of this Act by or against the Bureau, in respect of any right, interest, obligation or liability may be commenced or continued, as the case may be by the Commission ; and
(f) all orders, rules, regulations, decisions, directions, licences, authorisations, certificates, consents, approvals, declarations, permits, registrations, rates or other documents that are in effect before the coming into effect of this Act and that are made or issued by the National Information Technology Development Agency or the Bureau shall continue in effect as if they were made or issued by the Commission until they expire or are repealed, replaced, reassembled or altered.
- In this Act —
“automated decision-making” means a decision based solely on automated processing by automated means, without any human involvement ;
“applicable law” means any law enacted by the National Assembly or House of Assembly of any State in Nigeria ;
“binding corporate rules” means personal data protection policies and procedures adhered to by the members of a group of firms under common control with respect to the transfer of personal data among such members and containing provisions for the protection of such personal data ;
“biometric data” means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of an individual, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis ;
Interpretation
“certification mechanism” means certification by an official or professional third-party entity that evaluates the personal data protection policies and procedures of data controllers and data processors according to best practices ;
“child” has the meaning ascribed in the Child’s Right Act, No. 26, 2003 ;
“Commission” means the Nigeria Data Protection Commission established under this Act ;
“consent” means any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or an affirmative action, of an individual’s agreement to the processing of personal data relating to him or to another individual on whose behalf he has the permission to provide such consent ;
“Council” means the Governing Council of the Commission established under this Act ;
“competent authority” includes —
- the Government of the Federal Republic of Nigeria or any foreign government ; or
- any state government, statutory authority, government authority, institution, agency, department, board, commission, or organisation within or outside Nigeria, exercising executive, legislative, judicial, investigative, regulatory, or administrative functions ;
“court” means any court of competent jurisdiction ;
“data controller” means an individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data ;
“data controller or data processor of major importance” means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate ;
“data processor” means an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor ;
“data subject” means an individual to whom personal data relates ;
“Minister” means the Minister responsible for matters relating to communications and digital economy ;
“National Commissioner” means the National Commissioner of the Nigeria Data Protection Commission ;
“personal data” means any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual ;
“personal data breach” means a breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed ;
“President” means the President of the Federal Republic of Nigeria ;
“processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction and does not include the mere transit of data originating outside Nigeria ;
“pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person ;
“sensitive personal data” means personal data relating to an individual’s —
- genetic and biometric data, for the purpose of uniquely identifying a natural person,
- race or ethnic origin,
- religious or similar beliefs, such as those reflecting conscience or philosophy,
- health status,
- sex life,
- political opinions or affiliations,
- trade union memberships, or
- other information prescribed by the Commission, as sensitive personal data under section 30 (2), and
“social security laws” means the Employee Compensation Act, Pension Reform Act, National Health Insurance Authority Act, National Housing Fund Act, Nigeria Social Insurance Trust Fund Act, Industrial Trust Fund Act or any other similar law.
Citation
- This Act may be cited as the Nigeria Data Protection Act,
SCHEDULE Section 8(3)
SUPPLEMENTARY PROVISIONS RELATING TO PROCEEDINGS OF THE COUNCIL
Council to Regulate Proceedings
- Subject to the provisions of this Act, the Council may make standing orders regulating the proceedings of the Council and set up any committee and the Council shall meet once in a quarter of a year.
Presiding Officer
- Every meeting of the Council shall be presided over by the Chairman, and where the Chairman is absent, the members present at the meeting shall elect one of their members to preside at the meeting.
Quorum
- The quorum at a meeting of the Council shall be the Chairman, or in an appropriate case, the person presiding at the meeting under paragraph 2 of this Schedule, and four other members.
- The quorum of any committee of Council shall be determined by the
Voting
- At a meeting of the Council, each member present shall be entitled to one vote and any question on which a vote is required shall be determined by a majority of votes of members present and voting but, in the case of an equal division of votes, the Chairman or the member presiding over the meeting shall have a casting vote.
- Where the Council seeks the advice of any person on a particular nature, the Council may invite that person to attend for such period as it deems fit, but the person, who is invited shall not be entitled to vote at any meeting of the Council and shall not count towards the quorum.
Teleconference meeting
- In addition to meeting with all participants physically present, the Council may hold or continue a meeting by the use of any means of communication by which all the participants can hear and be heard at the same time and such a meeting is referred to in this item as a “teleconference meeting”.
- A member of the Council, who participates in a teleconference meeting shall be taken for all purposes to have been present at the meeting.
- The Council may establish procedure for teleconference meetings (including recording the minutes of such meetings) in its minutes book.
Committees of the Council
- Subject to standing orders made by the Council under this Act, the Council may appoint such number of standing and ad-hoc committees, as it deems fit to consider and report on any matter with which the Council is
- Every committee appointed under the provisions of paragraph 10 shall be presided over by a member of the Council, and shall be made up of such number of persons, as the Council may determine in each case.
- The decision of a committee shall have no effect until it is approved or ratified by the Council.
Seal of the Commission
- The affixing of the seal of the Commission shall be done and authenticated by the signature of the National Commissioner or such other member authorised by the Council to act for that purpose.
- A contract or instrument which, if made by a person not being a body corporate, shall not be required to be under seal, may be made or executed by the National Commissioner or by any other officer or staff specifically authorised by the National Commissioner to act for that purpose.
- A document purporting to be a contract, an instrument, or other document signed or sealed on behalf of the Commission shall be received in evidence and shall, unless the contrary is proved, be presumed, without further proof, to have been so signed and sealed.
Miscellaneous
- The validity of a proceeding of the Council or its committee is not adversely affected by —
- any vacancy in the membership of the Council ;
- any defect in the appointment of a member of the Council, staff, or committee ; or
- reason that a person not entitled to do so took part in the
- A member of the Council or any of its committees, who has a personal interest in any contract or arrangement entered into or proposed to be considered by the Commission shall —
- disclose to the members of the Council the nature of the interest, in advance of any consideration of the matter ;
- not influence or seek to influence a decision to be made in relation to the matter ;
- take no part in any consideration of the matter ; and
- be absent from the meeting or that part of the meeting during which the matter is discussed.
- If a member of the Council discloses an interest under paragraph 17, the disclosure shall be recorded in the minutes of the meeting of the
I, certify, in accordance with section 2 (1) of the Acts Authentication Act, Cap. A2, Laws of the Federation of Nigeria 2004, that this is a true copy of the Bill passed by both Houses of the National Assembly.
SANI MAGAJI TAMBAWAL, fcna
Clerk to the National Assembly
5th Day of June, 2023.
Explanatory Memorandum
This Act provides a legal framework for the protection of personal information and establishes the Nigeria Data Protection Commission for the regulation of the processing of personal information.
SCHEDULE TO THE NIGERIA DATA PROTECTION BILL, 2023
| (1) Short Title of the Bill | (2) Long Title of the Bill | (3) Summary of the Contents of the Bill | (4) Date Passed by the Senate | (5) Date Passed by the House of Representatives |
| --- | --- | --- | --- | --- |
| Nigeria Data Protection Bill, 2023 | An Act to provide a legal framework for the protection of personal information, and establish the Nigeria Data Protection Commission for the regulation of the processing of personal information ; and for related matters. | This Bill provides a legal framework for the protection of personal information, and establishes the Nigeria Data Protection Commission for the regulation of the processing of personal information. | 3rd May, 2023. | 24th May, 2023. |
I certify that this Bill has been carefully compared by me with the decision reached by the National Assembly and found by me to be true and correct decision of the Houses and is in accordance with the provisions of the Acts Authentication Act Cap. A2, Laws of the Federation of Nigeria, 2004.
SANI MAGAJI TAMBAWAL, fcna
Clerk to the National Assembly
5th Day of June, 2023.
I Assent
Bola Ahmed Tinubu, gcfr
President of the Federal Republic of Nigeria
12th Day of June, 2023.
TOR 3: Standard ICT policies for Data Protection
Data Classification: The University’s data assets can be classified as public, internal, or restricted, based on sensitivity, criticality, and regulatory requirements. The Data Protection Policy of this University falls under two broad areas of access control: Physical and Digital Access. The policies and procedures stated herein are aimed at helping the University of Nigeria protect sensitive data, maintain compliance with regulations, and build trust with students, staff, and stakeholders.
- Physical Access Control
Physical access to where data is stored is a critical aspect of data security. The following policies apply as measures to ensure the security of data storage facilities:
Physical Access Control Measures:
i. Secure Doors and Locks: All internal and restricted data facilities, such as the University’s Data Centre and the computer rooms of the Bursary Unit, Personnel (HR), departments, etc., must implement electronic door locks, biometric authentication, or card reader systems to control access.
ii. Surveillance Systems: Such internal and restricted data facilities must have CCTV cameras to monitor the premises and detect potential security breaches.
iii. Security Personnel: As a third layer of access control, Security Department personnel should be posted to such facilities to monitor them, control the access points, and respond to incidents.
iv. Access Logs: There should be registers in each sensitive facility to maintain records of who enters and exits the facility, including timestamps and access levels.
v. Perimeter Security: The area outside each facility should have motion detectors, breach alarms, and AI-powered cameras installed to monitor activity around the facility.
vi. Multi-Factor Authentication (MFA): MFA can also be employed in securing the physical facility by using a combination of authentication methods, such as card swipes, biometrics, and PIN codes, to restrict entry.
vii. Server Room Protection: Implement advanced measures like rack-level biometrics, video monitoring, and time-restricted access.
viii. Handling of hardware components: Any equipment in the care of a University staff member must be carefully handled and protected from theft, damage, unauthorised usage and data access. Where any of the above occurs, the staff member should report the matter immediately to their supervisor.
ix. Inscriptions: All the University’s hardware devices must bear visible inscriptions in the form of engravings, permanent paint or marker inscriptions.
x. Point of Exit: Any staff member in possession of the University’s device must remove all personal data stored on it and hand over the device to an officer, who inspects its state and documents same.
xi. Repairs: In the case of equipment malfunction, the officer in possession of such a device should immediately notify his superior, who takes the necessary steps to get it fixed.
xii. Repairs outside the University: Where repairs take place outside the University, the officer who took the device for repairs must ensure that its contents are not compromised, such as by copying, snapping, or backing up the contents to other sources. The staff member must also take inventory of the device or devices to ensure that no part or component, such as hard disks, memory devices, cables, covers, etc., is swapped or removed entirely.
- Digital Access Control
In securing the University’s data assets stored in digital form on computers and other storage devices, as well as in online locations such as cloud storage, portals, emails, etc., the CIA Triad of Confidentiality, Integrity, and Availability must be adhered to. To achieve this, the following policies will apply.
i. Access Controls: While individuals may be authenticated to use a data facility, role-based access controls must be applied to restrict data access to authorized personnel only, ensuring that users have access to data necessary for their job functions.
ii. Data Encryption: Sensitive data must be encrypted both in transit and at rest using strong encryption algorithms and hash protocols to prevent unauthorized access.
iii. Passwords: All computers and programs must be protected with strong passwords comprising a mixture of alphanumeric and special characters, with a length of not less than eight (8) characters. Additional protections such as two-factor or biometric authentication are also encouraged. Password changes are encouraged from time to time. Each user is responsible for the use and protection of his/her password and must take full responsibility for its compromise or loss.
iv. Use of Pirated Software: It is highly advised that pirated software applications not be installed on the University’s devices.
v. Data Loss Prevention (DLP): To prevent unauthorized transmission or leakage of sensitive data, DLP controls are used.
vi. Data Retention and Disposal: It may be necessary for each unit of the University to define data retention periods based on legal, regulatory, and business requirements and to securely dispose of data at the end of its lifecycle.
vii. Incident Response: Proper procedures must be put in place at each unit to respond to data breaches, including notification of affected individuals, relevant organs of the University, and regulatory bodies.
viii. Compliance and Enforcement: Members of the university committee must be made aware of extant laws guiding data protection in order to ensure compliance with relevant laws and regulations, such as the Nigeria Data Protection Act (NDPA), 2023, etc.
ix. Training and Awareness: The University, through the ICT Unit and relevant departments, should provide regular training and awareness programmes for staff and students on data protection best practices.
x. Regular Audits and Reviews: The University, through the ICT Unit, should conduct regular audits and reviews to ensure compliance with data protection policies and procedures.
xi. Conduct Data Protection Impact Assessments (DPIAs): Some new technologies and expired software systems like antiviruses may introduce some forms of risks and vulnerabilities to the University information system. To identify and mitigate such risks, there is a need to conduct data protection impact assessments.
xii. Maintain Records of Processing Activity: To ensure transparency, it is necessary to document data processing activities.
xiii. Appoint a Data Protection Officer (DPO): The ICT Unit should appoint a DPO to oversee data protection activities and provide guidance throughout the University. This can be replicated at departmental or unit levels. The ICT Officers at these levels can also play that role.
xiv. Implement Privacy-by-Design: From the outset of any ICT project in the University, data protection must be integrated into the systems design and processes. Vendors must show how their solutions comply with this.
