Nigeria: data privacy checklist for working remotely

Back to Technology Law Committee publications

Davidson Oturo
Aelex, Lagos


Due to the Covid-19 pandemic, employers and employees have had to work remotely in a manner that can best be described as unprecedented. We have, therefore, compiled a data privacy checklist which should be considered in helping minimise risks when working from home.

Data breaches

As more employees are forced to work from home, the risk of data breaches has increased substantially. For instance, when employees are working remotely, they are prone to distractions on many fronts and may relax on cyber diligence. This could result in third parties being inadvertently exposed to official communications and information. There has also been a huge increase in cyberattacks from phishing emails to system takeovers.

Employees should be aware of the need to maintain high data protection standards when working from home and immediately report any suspicion of a data breach to their IT department.

To reduce incidences of data breach, companies may provide working tools such as laptops or other relevant devices to ensure that employees limit signing in from unauthorised or insecure devices.

Sharing of personal data

Employees may inadvertently be sharing sensitive personal data with service providers and vendors due to the Covid-19 pandemic.

Under these circumstances, the employee should undertake due diligence prior to sharing such personal data and check that appropriate security measures are in place. One easy way an employee can go about this is to regularly check whether the site being accessed is secured or encrypted. This can be confirmed if the website has a padlock sign. If service providers are processing personal data during the course of a transaction, they will need to ensure that there is an appropriate contract in place containing the provisions prescribed by the Nigeria Data Protection Regulation (NDPR) and where applicable, the European Union’s General Data Protection Regulation (GDPR).

Employees should also determine whether any personal data is going to be transferred to entities outside of Nigeria and if additional safeguards are required to lawfully transfer the data in this way.[1]

Security measures

The employer has a huge role to play in providing security at these times. It is crucial for a company’s network to be properly guarded and not be neglected. Hackers have taken advantage of the Covid-19 lockdown period to infiltrate networks.

Employees should also take precautions to prevent undue exposure of a company to cyber risk. Perhaps, it is time to re-educate employees on appropriate cybersecurity tips.

Sudden changes to a company’s operation may lead to the use of new technology, including situations such as virtual meetings being hacked and sensitive conversations overheard or leaked to third parties.

Therefore, in selecting software applications, employers must take note that security measures have been put in place by the service provider. Also, employees should be reminded on the need for them to maintain confidentiality when dealing with official documents.

Some security measures that could be adopted to minimise this from occurring include ensuring that employees screen lock their devices and regularly update passwords.

Use of personal devices and the Internet of Things

Not all employers are able to provide laptops and similar devices to their employees to help them work remotely. Consequently, a number of employers have permitted their employees to use personal devices in executing official instructions.

The danger with this approach is that employees’ personal devices may have malware that could affect the company’s network. The employees could also use their personal devices to record sensitive information. Furthermore, with the Internet of Things and the connectivity of different devices, information can be circulated through different platforms that could eventually harm the company’s business.

Employers, therefore, may need to reconsider this approach and take some security measures to limit the risk of exposure.

Disclosure of medical information

Employers are required to exercise care when collecting, using and disseminating Covid-19-related information about their employees. They should exercise care in balancing between providing information in the public interests and protecting an individual’s rights by not collecting or providing more information than is necessary. Policies should also be updated to cover self-isolation and lockdown measures.

Monitoring employees

There are now several instances of different governments around the world using tracking technology to help prevent the spread of the virus. However, this has led to significant discrimination and should be approached with caution.

Most employers are also concerned that their employees may not be working remotely and may consider taking steps to monitor their activities. However, employers should be wary of using work equipment such as phones and laptops to keep track of their employees without a legal obligation to do so.

It is, therefore, advisable that the employer considers this very carefully as it may be deemed as a breach of the employee’s constitutional right to privacy.[2] Consequently, the employer should contact a professional to assist in identifying any data protection risks that may arise from monitoring employees who work from home.

Abstaining from subtle direct marketing

On the basis of public interest, organisations are permitted to send public health messages to their clients, prospects and the general public as these messages are not intended for marketing purposes.[3]

However, to avoid data privacy issues, organisations should desist from sending marketing information along with Covid-19 updates in their communications with clients. While it is fitting to notify clients that the office is closed and employees are working remotely, the firm may be crossing boundaries when it includes marketing materials in such email correspondence.

Updating privacy notices and policies

Businesses will probably be collecting health data on employees or visitors in response to the pandemic beyond what is provided for in their existing privacy notices. Furthermore, organisations may be using new technologies such as Microsoft Teams and Zoom which were not in use when their privacy policies were set up.

Organisations should consequently consider updating their privacy policies and notices in relation to data collection in response to the Covid-19 pandemic.[4]

The company can also undertake a Data Protection Impact Assessment (DPIA), particularly when it involves employees and special category data. This will allow it identify compliance risks, as well as risks to the rights of individuals, and assist it in minimising those risks.


[1] Section 2.11 of the NDPR.

[2] Section 37, Constitution of the Federal Republic of Nigeria (as amended).

[3] Section 2.2 of the NDPR.

[4] Section 2.5 of the NDPR.