NITDA Guidelines for Management of Personal Data Give Public Institutions 60-Day Ultimatum to Digitise

Mr Kashifu Inuwa Abdullahi, DG, NITAD
Mr Kashifu Inuwa Abdullahi, DG, NITDA

The National Information Technology Development Agency (NITDA) has released  Guideline for Management of Personal Data by Public Institutions in Nigeria, 2020, in furtherance of its regulatory mandate and as supplementary regulation to the Nigeria Data Protection Regulation (NDPR), 2019.

This was contained in a press release issued on May 17, 2020 and signed by Mrs.Hadiza Umar, Head of Corporate Affairs and External Relations at NITDA. It gives has given public institutions holding or processing personal data a 60-day ultimatum for them to securely digitize these databases

The new Guideline which stipulates the requirements for the processing of personal data by public institutions in Nigeria was issued to reinforce the implementation of the NDPR with all the principles and provisions of the NDPR remaining valid and applicable to all Nigerians including public institutions.

It requires all public institutions and entities co-owned by the Government of Nigeria to process all personal data of Nigerians and Data Subjects in Nigeria in line with best practices and in conformity with the highest standards taking cognisance that some public sector data processing may be founded on vital or public interest.

Being position of trust, data controllers and processors are required to apply the highest ethical and professional standards in processing such data. The Guideline also mandates the use of secure technology and automated processes for personal data by public institutions, in line with the requirements of the National Digital Economy Policy and Strategy.

The Guideline requires all Public Institutions holding or processing personal data to securely digitize all personal databases within 60 days from the issuance of the Guidelines and to maintain the highest level of information security to guarantee confidentiality, integrity, availability and resilience of all databases within their control.

Recognizing the need for collaboration in some cases between the public and private sector to tackle emergencies or other state-led interventions for the benefit of citizens, NITDA ensured that the Guideline provides a strict framework for these types of collaborations to ensure that the privacy of Nigerians is not unduly infringed, citing the COVID-19 pandemic which has brought up the need for more personal data use to limit the spread of the virus.

The agency recognises the existence of constitutional limitations on privacy rights in the interest of public health and safety but pointed out that such limitations must be based on defined frameworks. It implored all concerned parties to comply strictly with the requirements of the Guideline and seek professional guidance from licensed Data Protection Compliance Organisations (DPCO) for the purpose of compliance.

NITDA vowed it will not relent in its surveillance to ensure adequate compliance with the NDPR and the provisions of the Guidelines warning it will not hesitate to invoke the punitive sanctions provided in the NITDA Act 2007 and NDPR in the event of breach or abuse of personal data of Nigerians.

It, therefore, urged all concerned parties to study these Guidelines diligently and apply them accordingly while also encouraging all parties to reach out to the Agency and seek clarifications or guidance when needed.

The Guideline for Management of Personal Data by Public Institutions in Nigeria, 2020and other regulatory instruments of NITDA are available on the Agency’s website:

NITDA considers the issuance of this public-sector specific Guideline as another trailblazing effort made in consonance with the emerging global data regulatory models.

NITDA is the apex regulatory agency for Information Technology in Nigeria under the auspices of the Federal Ministry of Communication and Digital Economy. It is empowered by Section 6(c) of the National Information Technology Development Act, 2007 to develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria. The Agency issued the NDPR in 2019 as Nigeria’s first comprehensive framework for the protection of personal data. The NDPR provides the principles and framework for the protection and processing of personal data of Nigerians and residents.