NDPC, Governors’ Forum Move to Secure Citizens’ Data Amid Growing Public Sector Digitisation

Abstract
The Nigeria Data Protection Commission (NDPC) and the Nigeria Governors' Forum (NGF) have initiated a crucial partnership to bolster data protection across Nigeria's subnational governments. This collaboration, formalized through a Memorandum of Understanding, aims to secure citizens' data amidst the accelerating digitisation of public sector services. It underscores the commitment to implementing the Nigeria Data Protection Act 2023 (NDPA) at the state level, fostering public trust, and enhancing investor confidence in digital infrastructure. The initiative includes capacity building, data harmonization, and compliance audits, addressing the unique challenges of data governance within a federated system and signaling a proactive approach to safeguarding personal information in Nigeria's evolving digital economy.
Introduction
Nigeria's ambitious drive towards a digital economy has brought with it an imperative need for robust data protection mechanisms, particularly within the public sector. As government services increasingly migrate online, the volume and sensitivity of citizens' personal data handled by state institutions have grown exponentially. In recognition of this critical development, the Nigeria Data Protection Commission (NDPC) has forged a strategic alliance with the Nigeria Governors' Forum (NGF) to reinforce data privacy and security standards across all states. This partnership, marked by the signing of a Memorandum of Understanding, represents a significant step towards ensuring that the benefits of digitisation are not undermined by data breaches or privacy infringements.
This collaboration is particularly timely given the foundational legal framework established by the Nigeria Data Protection Act 2023 (NDPA), which provides a comprehensive legal basis for data protection in the country. The NDPC's engagement with the NGF aims to translate the principles and provisions of the NDPA into actionable strategies at the subnational level, thereby building public trust and enhancing the security of digital public infrastructure. This article will delve into the legal and practical implications of this partnership, examining its potential to address the complexities of data governance in a federated system and its significance for legal practitioners navigating Nigeria's evolving data protection landscape.
The core thesis of this article is that the NDPC-NGF collaboration is indispensable for the effective implementation of the NDPA across Nigeria's diverse states. By fostering a unified approach to data protection, this partnership seeks to mitigate the inherent risks of public sector digitisation, ensuring that citizens' fundamental right to privacy, as enshrined in the Constitution, is upheld in the digital age.
Background
The legal landscape for data protection in Nigeria has undergone significant transformation with the enactment of the Nigeria Data Protection Act 2023 (NDPA), which received Presidential assent on June 12, 2023. This landmark legislation superseded the Nigeria Data Protection Regulation 2019 (NDPR) and its Implementation Framework of 2020, establishing a more robust and comprehensive framework for safeguarding personal information. The primary objectives of the NDPA include protecting the fundamental rights and freedoms of data subjects, establishing the Nigeria Data Protection Commission (NDPC) for the regulation of personal information processing, promoting secure data processing practices, and strengthening the legal foundations of the national digital economy.
The NDPA 2023 formally established the Nigeria Data Protection Commission (NDPC) as the apex supervisory and regulatory authority for data protection in Nigeria, taking over from the erstwhile Nigeria Data Protection Bureau (NDPB). The Commission is mandated to oversee the implementation of the NDPA, safeguard the rights of natural persons to data privacy, and promote data processing practices that ensure the security of personal data. Further operational guidance is provided by the General Application and Implementation Directive (GAID) 2025, issued by the NDPC on March 20, 2025, which offers comprehensive and binding directives for implementing the NDPA across various aspects of data processing.
Concurrently, Nigeria has witnessed an accelerated push for public sector digitisation, with various government ministries, departments, and agencies at both federal and state levels adopting digital systems for service delivery and record-keeping. This digital transformation, while offering immense benefits in efficiency and accessibility, inherently involves the collection, processing, and storage of vast amounts of citizens' personal data. This rapid digitisation necessitates a strong, harmonized data protection framework to address challenges such as outdated data storage formats, lack of synergy between departments, data silos, and the ever-present risks of cyberattacks and data breaches.
Analysis
The recent Memorandum of Understanding (MoU) between the Nigeria Data Protection Commission (NDPC) and the Nigeria Governors' Forum (NGF) marks a pivotal moment in Nigeria's data protection journey, particularly concerning subnational governance. This collaboration is designed to extend the reach and enforcement of the Nigeria Data Protection Act 2023 (NDPA) to state governments, which are increasingly digitising their services. Dr. Vincent Olatunji, the National Commissioner and CEO of the NDPC, emphasized that prioritizing privacy at the subnational level is crucial for strengthening citizens' confidence in state governments and enhancing investor confidence in state digital infrastructure.
Key aspects of this partnership include capacity-building initiatives, such as free training workshops and Virtual Privacy Academy (VPA) vouchers offered to NGF staff, aimed at equipping them with practical knowledge on personal data protection. The discussions between the NDPC and NGF also covered critical issues like data harmonization, compliance audits, and certification processes, culminating in an agreement to establish a working group to advance data protection and privacy at the state level. This structured approach is essential for addressing the inherent complexities of implementing a unified data protection regime across Nigeria's 36 states, each with its unique administrative structures and digital maturity levels.
However, the implementation of data protection in a federated system like Nigeria presents significant challenges. While the NDPA establishes the NDPC with powers to issue compliance orders and investigate complaints, concerns persist regarding the consistent application of these standards to government institutions compared to private entities. Reports of exposed taxpayer data in some states, without apparent enforcement actions against the responsible government agencies, highlight a potential accountability gap. Furthermore, public sector digitisation often grapples with issues such as outdated data storage infrastructure, a shortage of skilled data professionals, policy gaps, inadequate funding, and cybersecurity vulnerabilities, all of which can impede effective data protection.
The NDPA grants data subjects several rights, including the right to be informed, access, rectification, objection to processing, data portability, and the right to be forgotten. Ensuring these rights are upheld at the state level requires not only robust legal frameworks but also significant investment in technical and organizational measures. The NDPA also mandates Data Controllers of Major Importance to designate a Data Protection Officer (DPO) and conduct annual compliance audits, requirements that state government agencies, as significant data controllers, must adhere to. The success of the NDPC-NGF collaboration will largely depend on overcoming these practical and institutional hurdles, fostering a culture of data privacy, and ensuring that enforcement is equitable across all sectors.
While the NDPA draws inspiration from international frameworks like the EU's GDPR, its application within Nigeria's unique socio-political context requires tailored strategies. The establishment of a dedicated working group is a positive step towards developing context-specific solutions for data harmonization and compliance across states. Nevertheless, ongoing challenges such as limited resources, inadequate public awareness, and potential overlaps in regulatory responsibilities with other agencies underscore the need for continuous effort and strategic coordination to fully realize the NDPA's objectives.
Conclusion
The strategic partnership between the Nigeria Data Protection Commission and the Nigeria Governors' Forum is a critical development for the future of data privacy and security in Nigeria. By extending the reach of the Nigeria Data Protection Act 2023 to the subnational level, this collaboration is poised to build greater public trust in government digital services and enhance Nigeria's attractiveness for digital investment. The commitment to capacity building, data harmonization, and compliance audits signals a proactive and structured approach to embedding data protection principles across all tiers of government.
For legal practitioners, this development underscores the increasing importance of data protection compliance for all entities, particularly those engaging with state governments or processing citizens' data on their behalf. Attorneys must advise state government agencies, their contractors, and partners on their obligations under the NDPA, including conducting Data Protection Impact Assessments (DPIAs), appointing Data Protection Officers (DPOs), implementing robust technical and organizational security measures, and ensuring adherence to data subject rights. Practitioners should closely monitor the activities of the NDPC-NGF working group, any forthcoming state-specific regulations or guidelines, and enforcement trends, as these will shape the practical landscape of data protection at the state level. Proactive engagement and continuous education will be essential to navigate this evolving regulatory environment and ensure compliance in Nigeria's rapidly digitising public sector.
Citations
- 1.Nigeria Data Protection Act 2023
- 2.General Application and Implementation Directive 2025
- 3.Constitution of the Federal Republic of Nigeria 1999 (as amended)
- 4.Nigeria Data Protection Regulation 2019
How does this affect your business?
Get an AI analysis of this article grounded in your jurisdictions, practice areas, and any policy documents you've uploaded to Wansom.