Employee Data Protection in Nigeria: What the NDPA Requires

M.K. Onyekwere · 7 min read

The NDPA 2023 doesn't just apply to customer data. It applies to every piece of personal data you process — including your employees'.

Most Nigerian employers collect far more employee data than they realise: CVs, addresses, phone numbers, bank details, health records, biometric data (fingerprints for attendance), performance reviews, disciplinary records, family information for benefits. All of it is personal data under the NDPA.

And most of it is processed without a privacy notice, without a lawful basis assessment, and without any thought to data protection.

That's a compliance gap. Here's how to close it.

What employee data you probably process

Before you can comply, you need to know what you collect. Common employee data in Nigerian businesses:

Recruitment:

  • CVs and cover letters
  • Interview notes
  • Reference check results
  • Background check reports
  • Copies of qualifications and certificates

Onboarding:

  • Full name, address, phone, email
  • Date of birth
  • State of origin
  • Next of kin details
  • Bank account details for salary payments
  • Tax identification number (TIN)
  • Pension details (PFA information)
  • Passport photographs
  • National ID / NIN

During employment:

  • Payroll records and salary history
  • Performance reviews and appraisals
  • Training records
  • Disciplinary records
  • Leave records (including sick leave — health data)
  • Biometric data (fingerprint scans for attendance systems)
  • CCTV footage (if you have cameras in the workplace)
  • Email and computer usage logs (if you monitor)
  • WhatsApp messages (if work is conducted via WhatsApp groups)

Health data:

  • HMO enrollment information
  • Medical certificates
  • Pre-employment medical results
  • Disability information
  • Pregnancy-related data

Post-employment:

  • Reason for leaving
  • Exit interview records
  • Reference letters
  • Retained records for legal/tax/pension purposes

That's a significant volume of personal data, much of it sensitive. All of it falls under the NDPA.

Lawful basis for employee data processing

The most common lawful bases for employment data:

Contract performance. Processing necessary to fulfil the employment contract. Paying salary requires bank details. Managing leave requires leave records. This covers most routine employment processing.

Legal obligation. Nigerian law requires you to process certain employee data — tax deductions (PAYE), pension contributions, statutory reporting. Legal obligation is your basis here.

Legitimate interest. Performance management, training records, internal restructuring. The employer has a legitimate interest in managing the workforce. But you need to balance this against the employee's rights — and document the balancing test.

Consent. Be very careful with consent in employment. An employee may feel they can't freely refuse a request from their employer, which undermines the "freely given" requirement. Use consent only where the employee has a genuine choice with no negative consequences for refusing — for example, optional social events or voluntary surveys.

Don't rely on consent for mandatory processing. Collecting bank details for payroll isn't a consent issue — it's a contractual necessity. Using consent as your basis when the employee has no real choice to refuse creates a weak legal foundation.

Employee privacy notice

Your employees need a privacy notice — just like your customers do. Most Nigerian employers don't have one.

The notice should cover:

  • Who you are (the employer as data controller)
  • What personal data you collect and why
  • The lawful basis for each processing activity
  • Who you share employee data with (payroll providers, HMO, pension fund, tax authorities, group companies)
  • International transfers (if employee data goes to systems outside Nigeria)
  • How long you keep the data
  • Employee rights (access, correction, deletion, objection)
  • How to exercise those rights
  • Contact details for the DPO or privacy contact

When to provide it: At the start of employment. Include it in your onboarding pack. For existing employees, distribute it as a policy update.

Sensitive data: biometrics and health

Biometric data

Many Nigerian offices use fingerprint scanners for attendance. Fingerprint data is biometric data — a special category under the NDPA that requires additional safeguards.

What you need:

  • A specific, documented lawful basis for processing biometric data
  • A DPIA covering the biometric processing
  • Technical security measures (encryption at rest and in transit)
  • Clear retention policy (delete when the employee leaves, unless legally required to retain)
  • Privacy notice disclosure specifically mentioning biometric processing
  • Alternative for employees who object (manual sign-in sheet)

Biometric attendance systems are common in Nigeria but rarely compliant. If you use one, this is a priority area.

Health data

HMO enrollment, medical certificates, and sick leave records all involve health data — another special category.

What you need:

  • Process health data only for the specific employment purpose (managing sick leave, providing health benefits)
  • Restrict access — not everyone in HR needs to see medical details
  • Store separately from general employee files where practical
  • Don't share more health data than necessary (HR needs to know an employee is on sick leave, but may not need the diagnosis)

Employee monitoring

If you monitor employees — email surveillance, internet usage tracking, CCTV, GPS tracking on company vehicles — the NDPA applies.

Before monitoring:

  • Conduct a DPIA — monitoring is intrusive and requires impact assessment
  • Have a clear, published policy explaining what's monitored and why
  • Ensure the monitoring is proportionate — monitoring everything because you can isn't lawful
  • Tell employees — covert monitoring is extremely hard to justify under data protection law

WhatsApp monitoring: Many Nigerian businesses operate through WhatsApp groups. If you access or monitor these groups, that's processing personal data. If work WhatsApp groups include personal conversations, tread carefully.

Cross-border transfers of employee data

If your Nigerian business is part of a multinational group, employee data often flows internationally:

  • HR systems hosted abroad (Workday, BambooHR, SAP SuccessFactors)
  • Payroll processed by a group function in another country
  • Performance data shared with a parent company
  • IT systems managed from a different jurisdiction

Each of these is a cross-border data transfer requiring:

  • Intra-group DPA or binding corporate rules
  • Documentation of the transfer
  • Employee privacy notice disclosure
  • Appropriate safeguards

Retention: how long to keep employee data

Don't keep employee data forever. Set retention periods:

Data Category                       Suggested Retention
Recruitment records (unsuccessful)  6-12 months after decision
Employment records (general)        6 years after employment ends
Payroll and tax records             6 years (tax requirement)
Pension records                     Duration of pension obligations
Health records                      Duration of employment + 6 years
Biometric data                      Delete when employment ends
CCTV footage                        30-90 days unless incident requires longer
Disciplinary records                Varies by severity — 6 months to 6 years

After the retention period, delete the data. Actually delete it — from active systems, backups, and archives. Document the deletion.
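One way to turn the retention schedule above into something a system can enforce, as an added example that is not from the article: each category's clock starts from a named event (decision date, employment end, record creation), records whose clock has not started or that are on legal hold are never flagged, and the sample records, category names and the 365-day year are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention schedule from the article's table: (event the clock starts from,
# days to keep the record after it). Assumed: a year is 365 days and where the
# table gives a range (6-12 months, 30-90 days) the upper bound applies.
YEAR = 365
RULES = {
    "recruitment_unsuccessful": ("decision", 365),
    "employment_general": ("employment_end", 6 * YEAR),
    "payroll_tax": ("created", 6 * YEAR),
    "health": ("employment_end", 6 * YEAR),  # duration of employment + 6 years
    "biometric": ("employment_end", 0),      # delete as soon as employment ends
    "cctv": ("created", 90),
}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    employment_end: Optional[date] = None  # None while the employee is still employed
    decision: Optional[date] = None        # recruitment outcome date
    legal_hold: bool = False               # an incident or dispute requires retention

def retention_end(rec: Record) -> Optional[date]:
    """Date the retention period expires, or None if its clock has not started."""
    anchor_name, days = RULES[rec.category]
    anchor = getattr(rec, anchor_name)
    return None if anchor is None else anchor + timedelta(days=days)

def due_for_deletion(records, today: date):
    """IDs of records past their retention end and not on legal hold."""
    due = []
    for rec in records:
        end = retention_end(rec)
        if end is not None and today > end and not rec.legal_hold:
            due.append(rec.record_id)
    return due

# Constructed sample records, not real employee data.
SAMPLE = [
    Record("bio-001", "biometric", date(2019, 1, 7), employment_end=date(2024, 3, 31)),
    Record("bio-002", "biometric", date(2022, 5, 2)),  # still employed: clock not started
    Record("cv-077", "recruitment_unsuccessful", date(2024, 2, 1), decision=date(2024, 2, 20)),
    Record("pay-2017", "payroll_tax", date(2017, 6, 30)),
    Record("cctv-9", "cctv", date(2025, 1, 10), legal_hold=True),  # incident under review
]
```

Running `due_for_deletion(SAMPLE, date(2025, 6, 1))` flags the biometric record of the leaver, the stale CV and the 2017 payroll record, while the current employee's biometrics and the CCTV clip under legal hold stay put; the deletion itself and its log entry are left to the surrounding systems.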

Getting compliant

  1. Audit your employee data — what do you collect, where is it stored, who has access?
  2. Write an employee privacy notice — distribute to all current employees and include in onboarding
  3. Review your lawful bases — especially for sensitive processing (biometrics, health, monitoring)
  4. Conduct DPIAs — for biometric systems, monitoring, and any AI-assisted HR processes
  5. Set retention periods — and implement actual deletion processes
  6. Review cross-border flows — if employee data leaves Nigeria, document the transfers
  7. Train HR staff — they handle the most sensitive employee data and need to understand their obligations

Need help with employee data protection compliance? We design employee privacy frameworks, conduct DPIAs for HR systems, and help you comply with the NDPA. Talk to us.
