Employee Data Protection in Nigeria: What Employers Must Know Under the NDPA


Employee Data and the NDPA: What Every Nigerian Employer Must Know

The moment you hire someone, you become a data controller under the Nigeria Data Protection Act 2023. Most Nigerian business owners don’t think about it that way. Employee data protection in Nigeria is not a customer-facing obligation. It begins the moment you take on staff, and it covers some of the most sensitive personal data the NDPA regulates.

Salaries, medical records, bank details, biometric identifiers, performance assessments, disciplinary files: none of these are administrative records that sit quietly in a drawer. They are personal data, and the law creates specific obligations around how you collect, use, store, and eventually delete them.

This applies to you whether you have five staff or five hundred. The NDPA does not include a small business exemption. If you employ people in Nigeria, this is your compliance obligation.

This article is part of PlanetWeb’s NDPA compliance series. For the broader legal framework, see our NDPA Compliance Guide for Nigerian Businesses and our breakdown of NDPA Key Features. If your business deals with international clients or partners and you are navigating both the NDPA and GDPR, see our NDPA vs GDPR comparison.

Your Employees Are Data Subjects Too

Most Nigerian employers think of data protection as something owed to customers. The NDPA does not make that distinction. Your employees have the same rights under the Act as any other data subject: access, correction, objection, and, in some cases, deletion. What makes the employment relationship different is the power dynamic. An employee cannot freely choose whether to hand over their bank details, health records, or biometric data, such as fingerprints. The job requires it. That is why consent is rarely appropriate as a lawful basis in HR contexts, and why most Nigerian employers are quietly non-compliant.

The misconception that “internal data” sits outside regulatory scrutiny is also worth addressing directly. The NDPA does not distinguish between data you hold on customers and data you hold on staff. The Nigeria Data Protection Commission does not either.

What Counts as Employee Data Under the NDPA

The scope is broader than most employers realise. It covers everything from the moment someone applies to the point their records are deleted: CVs, application forms, interview notes, background checks, payroll records, bank details, NIN, pension fund details, salary history, employment contracts, performance reviews, disciplinary records, and correspondence related to grievances or exits.

Two categories Nigerian employers routinely collect but rarely treat as regulated data are guarantor information and next-of-kin details. Both contain personal data about third parties with no direct relationship with your business. The NDPA applies to that data too, which means you need a lawful basis and must handle it accordingly.

On top of that sits sensitive category data: health records, biometrics, and any data revealing ethnic origin, religious beliefs, or trade union membership. These carry a higher standard of protection, and most Nigerian employers processing them have not taken the additional steps the law requires.

Your technology systems are relevant here. If your business runs HR records on Microsoft 365, uses a cloud-based payroll or attendance platform, or stores employee documents in SharePoint, all of that is in scope. The platform you use does not change your compliance obligations. It just determines where the data sits and who else can access it.

The Lawful Basis Problem in HR

This is where employee data protection in Nigeria breaks down most often, and most employers are unaware of it.

The default assumption is that having someone sign an employment contract is enough. Some employers add a broad consent clause on top. Neither is a lawful basis under the NDPA.

The correct bases for most employment data are contract and legal obligation. Payroll processing sits under contract, because you need the bank details to pay the person, and that is a necessary part of the employment agreement. PAYE filing, pension remittances, and records required under Nigerian labour law are legally mandated, regardless of what the employee wants.

Legitimate interests can apply in limited employment scenarios, such as certain security monitoring or internal fraud prevention, but relying on that basis requires a documented balancing test and carries the right for employees to object. It is not a catch-all.

Sensitive personal data, including health records and biometrics, requires a lawful basis plus an additional condition. For most Nigerian employers, this means identifying and documenting that additional condition before processing begins. Where health data is collected for insurance purposes beyond what a specific legal obligation requires, explicit consent is typically the relevant condition, and it must meet a higher standard than ordinary consent. Biometric data requires a specific documented basis regardless of the purpose.


The Employment Lifecycle: Where Your Obligations Arise

Stage 1: Recruitment

Before collecting any data from a candidate, the NDPA requires that you inform them what you are collecting, why, and what you will do with it. Most Nigerian employers have never issued a privacy notice to a job applicant.

Background check data is particularly sensitive. You can collect only what is necessary to verify qualifications and screen for relevant risks, and the scope must be proportionate to the role. A background check that goes beyond what the position requires is unlawful processing. And if a candidate is unsuccessful, their data should not be kept indefinitely. You need a defined retention period and a reason for it.

If you use digital recruitment tools such as applicant tracking systems, LinkedIn integrations, or HR software that stores candidate pipelines, those platforms are processing personal data on your behalf. You need a data processing agreement with any vendor handling candidate information.

Stage 2: Active Employment

Once staff are on board, the obligations shift toward accuracy, access, and proportionality.

Employee records must be kept accurate and current. Under the NDPA, employees have the right to request correction of inaccurate data, access their records, object to certain processing, and, in some cases, request deletion. A business that ignores these requests is in breach. Our Data Subject Rights guide covers what employers must do when a request arrives.

The NDPA requires that you collect and retain only what is necessary for a defined purpose. Collecting more employee data than the role requires, or keeping it longer than needed, is not a neutral filing decision. It is non-compliance.

Workplace monitoring deserves particular attention. With Microsoft 365 or any similar platform, it is technically possible to track email activity, document access, Teams conversations, and login patterns. Whether you can do so lawfully is a different question. It requires a legitimate basis, proportionality, and prior disclosure to staff. A policy buried in an employee handbook that no one has read does not count.

CCTV in the workplace follows the same principle. You need a stated purpose, proportionate coverage, defined retention periods for footage, and staff must know the cameras are there and why.

Health data collected for group medical insurance must be handled with particular care. The minimum necessary principle applies: your insurer needs only what is required to process claims, not a comprehensive medical history. A data-sharing agreement with the insurance provider should be in place, and it should specify what data is transferred and why.

If your business uses biometric attendance systems (fingerprint or facial recognition), the data being generated is sensitive personal data under the NDPA. Your staff need to be informed. You need a documented basis for the processing. And you need to know where that data is stored, who has access to it, and whether it is being processed or hosted outside Nigeria. Many biometric attendance vendors store data on servers abroad, which triggers cross-border transfer obligations under the Act. If employee data is transferred outside Nigeria, you must ensure that the destination country or the transfer arrangement meets the adequacy or safeguard requirements set out in the NDPA.

Stage 3: Exit and Post-Employment

This is where Nigerian employers are most exposed. When an employee leaves, their data does not cease to be regulated. How long you can keep it depends entirely on your legal basis and the category of data involved.

Some retention is legally mandated. The Nigeria Revenue Service requires payroll and tax records to be kept for defined periods. Pension contributions and remittance records are governed by the National Pension Commission, which sets its own retention requirements. Records relevant to pending or likely litigation may need to be preserved. These obligations give you a lawful basis to keep that data for the required period.

Everything else should be deleted on a defined schedule: performance reviews beyond their purpose, disciplinary records past the necessary period, CVs of unsuccessful candidates, and health data no longer needed for insurance. Many Nigerian businesses have employee records going back ten or fifteen years with no documented reason for keeping them. That is not a filing habit. It is an NDPA compliance failure.

Your Microsoft 365 or SharePoint environment likely holds much of this data. Retention and deletion policies configured at the platform level can enforce compliance automatically, but only if they have been set up deliberately. Default settings do not reflect NDPA requirements. For Nigerian businesses running on Microsoft 365, our implementation services include compliance configuration as part of the deployment.

When an Employee Makes a Data Request

Any employee, current or former, can submit a data subject access request. The NDPA gives you 30 days to respond.

A valid request does not need to use legal language or mention the NDPA by name. If a former employee sends an email asking what records you still have, that is a request. HR cannot defer it because the relationship ended badly. The 30-day clock runs from the point of receipt regardless.

You can decline certain elements of a request on legitimate grounds, such as legal professional privilege, third-party data, or ongoing investigations, but you must explain the refusal and cannot simply ignore the request.

Where employers frequently get caught is when a former employee requests deletion of their records, and the employer has no documented retention policy. Without one, it is difficult to justify why you still have the data. With one, you can point to a specific legal requirement and respond accordingly.
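The two points above (delete on a documented schedule, and answer a deletion request by pointing to a specific retention basis) come down to one mechanism: a written retention schedule that every record category maps to, applied against a trigger date. The following is an added example (not PlanetWeb's code and not part of this article) of such a retention audit in Python. The retention periods, category names, record IDs and dates in it are constructed placeholders chosen for illustration; the statutory periods referred to in the article are set by the tax and pension authorities and are not reproduced here. The failure mode the article describes, a record category with no documented basis, is surfaced as a "review" disposition rather than silently retained.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Documented retention schedule.
# category -> (lawful basis for continued retention, days to keep after the trigger date)
# All durations below are CONSTRUCTED placeholders for illustration, not the
# statutory periods set by the tax or pension authorities.
RETENTION_SCHEDULE = {
    "payroll":          ("legal obligation: payroll and tax records (period set by the tax authority)", 6 * 365),
    "pension":          ("legal obligation: pension remittance records (period set by PenCom)", 6 * 365),
    "contract":         ("contract: employment agreement and limitation period for claims", 6 * 365),
    "performance":      ("business need: appraisal cycle", 365),
    "disciplinary":     ("business need: disciplinary process", 2 * 365),
    "candidate_cv":     ("recruitment purpose: unsuccessful candidate pool", 180),
    "health_insurance": ("explicit consent: group medical cover claims", 90),
}


@dataclass
class Record:
    record_id: str
    subject: str          # employee or candidate the record is about
    category: str
    trigger_date: date    # exit date, decision date or last-use date, depending on category
    litigation_hold: bool = False


@dataclass
class Disposition:
    record_id: str
    action: str           # "delete", "retain" or "review"
    reason: str
    retain_until: Optional[date] = None


def disposition_for(record: Record, today: date) -> Disposition:
    """Decide what happens to one record under the documented schedule."""
    # Records relevant to pending or likely litigation are preserved regardless of schedule.
    if record.litigation_hold:
        return Disposition(record.record_id, "retain",
                           "litigation hold: preservation overrides the retention schedule")
    entry = RETENTION_SCHEDULE.get(record.category)
    if entry is None:
        # No documented basis: this is the gap the employer cannot justify, so flag it.
        return Disposition(record.record_id, "review",
                           f"no documented retention basis for category '{record.category}'")
    basis, days = entry
    retain_until = record.trigger_date + timedelta(days=days)
    if today > retain_until:
        return Disposition(record.record_id, "delete",
                           f"retention period expired ({basis})", retain_until)
    return Disposition(record.record_id, "retain", basis, retain_until)


def audit(records, today: date):
    """Run the schedule over a whole repository, e.g. on the offboarding or monthly cycle."""
    return [disposition_for(r, today) for r in records]


def answer_deletion_request(records, subject: str, today: date):
    """Respond to a data subject's deletion request: what is deleted now, what is
    retained and on which basis, and what has no documented basis at all."""
    grouped = {"delete": [], "retain": [], "review": []}
    for d in audit([r for r in records if r.subject == subject], today):
        grouped[d.action].append(d)
    return grouped


# Constructed sample records for a former employee who left on 2020-06-30.
SAMPLE_RECORDS = [
    Record("R1", "emp-001", "payroll", date(2020, 6, 30)),
    Record("R2", "emp-001", "performance", date(2020, 6, 30)),
    Record("R3", "emp-001", "guarantor_form", date(2020, 6, 30)),   # not in the schedule
    Record("R4", "emp-001", "disciplinary", date(2020, 6, 30), litigation_hold=True),
    Record("R5", "cand-042", "candidate_cv", date(2024, 11, 1)),
]

if __name__ == "__main__":
    response = answer_deletion_request(SAMPLE_RECORDS, "emp-001", date(2025, 1, 15))
    for action, items in response.items():
        for d in items:
            print(f"{d.record_id}: {action} - {d.reason}"
                  + (f" (until {d.retain_until})" if d.retain_until else ""))
```

Run as a script it prints one line per record for the requesting former employee; `audit` does the same across the whole repository. The point of keeping the basis string next to the period is that the reply to the employee, and the answer to an NDPC auditor, both come straight from the schedule rather than from memory.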

Common Mistakes Nigerian Employers Make

Most compliance failures here are not deliberate. They come from never having thought about the obligations.

Using consent as the lawful basis for employment data. It does not hold, and it gives employees an exit from any processing they decide to challenge.

Issuing no privacy notice to new hires or job applicants. The obligation exists from the first point of data collection. A verbal briefing at onboarding is not sufficient.

Installing a fingerprint attendance machine and never telling staff why their biometrics are being collected, where the data goes, or how long it is kept. This is happening across Nigerian offices every day.

Sharing employee health information with insurance providers under a verbal arrangement rather than a documented data-sharing framework.

Keeping former employee records indefinitely because deletion was never part of the offboarding process. Some businesses still have files on staff who left a decade ago.

Running cloud HR platforms or payroll software without a data processing agreement with the vendor. If a third party is handling your employee data, you need a contract that sets out their obligations.

Any of these gaps can become the basis for an NDPC enforcement action. Our guide to the Nigeria Data Protection Commission covers what the commission can do, how audits work, and what businesses can expect if a complaint is filed against them.

Conclusion and Next Steps

Employee data protection in Nigeria is not a future obligation waiting to kick in. It is a present one, and it applies to every business with staff, regardless of size or sector.

Getting employee data protection right in Nigeria is mostly a matter of structure: knowing what data you hold, having a documented basis for it, telling your staff, and having clear policies for what happens when someone leaves. None of that requires a compliance department. It requires intentional decisions about how your business handles information people entrust to you when they agree to work for you.

The technology your business already uses, whether Microsoft 365, HR platforms, or biometric attendance systems, can either support that compliance or undermine it, depending on how it is configured. How you configure these systems is as much a part of NDPA compliance as the policies themselves.

For compliance strategies and ROPA documentation that cover both customer and employee data, see our Data Protection Compliance Strategies guide.

If your business needs help reviewing its HR data practices, configuring your Microsoft 365 environment for NDPA compliance, or building a data retention framework that covers the full employment lifecycle, get in touch with PlanetWeb. This is exactly the kind of work where getting it right once prevents significant problems later.

Frequently Asked Questions

Does the NDPA apply to employee data in Nigeria?

Yes. The Nigeria Data Protection Act 2023 applies to all personal data processed by organisations in Nigeria, including data collected and held on employees. There is no exemption for small businesses or for internal HR records.

What lawful basis should Nigerian employers use for payroll processing?

Contract is the correct basis for payroll processing, as it is necessary to perform the employment agreement. PAYE filing and pension remittances sit under legal obligation, as these are statutory requirements under Nigerian tax and pension law.

Can a Nigerian employer monitor staff emails and workplace communications?

Monitoring is not automatically prohibited, but it requires a lawful basis, must be proportionate to the stated purpose, and must be disclosed to staff in advance. Covert or undisclosed monitoring of staff communications is unlikely to satisfy NDPA requirements.

Do employees have the right to see their own HR records?

Yes. Under the NDPA, employees can submit a data subject access request to see the personal data their employer holds on them. Employers have 30 days to respond and cannot refuse simply because the employment relationship ended badly.

How long can a Nigerian business keep former employee data?

Retention periods depend on the type of data and the legal basis for keeping it. Payroll and tax records must be kept for periods specified by FIRS. Pension records have their own requirements. Beyond legally mandated retention, personal data that is no longer needed should be deleted on a defined schedule.

Is biometric attendance data considered sensitive personal data under the NDPA?

Yes. Biometric data is a sensitive personal data category under the NDPA and carries a higher standard of protection. Employers using fingerprint or facial recognition attendance systems must have a documented lawful basis, inform staff, and ensure appropriate safeguards are in place for storage and access.

What should a Nigerian employer do if an employee requests deletion of their data?

The employer must respond within 30 days. If a legal retention obligation applies, such as FIRS or pension records, the employer can decline deletion of those specific records and must explain why. Data held without a documented retention basis should generally be deleted on request.

Does the NDPA apply to data collected during the recruitment process?

Yes. Personal data collected from job applicants, including CVs, interview notes, and background check results, is regulated by the NDPA from the point of collection. Applicants should be informed what data is being collected and why, and unsuccessful candidate data should not be kept indefinitely.

Does the NDPA require employers to register with the NDPC?

Organisations that process personal data above certain thresholds are required to register with the Nigeria Data Protection Commission. Many employers with staff will fall within scope, particularly where they process employee records at scale or handle sensitive personal data. Our guide to the Nigeria Data Protection Commission covers registration requirements and what compliance looks like in practice.