In Nigeria, privacy is a fundamental human right guaranteed by the Constitution. However, this promise of privacy is not backed by comprehensive data protection legislation — leaving citizens unprotected as government and private organisations routinely collect and process their personal data.

This paper reviews the data collection practices, policies and regulations in place to govern the management of online and offline personal data in Nigeria. It offers policy recommendations for a new data protection framework, necessary to protect the data privacy of Nigerian citizens.

The research flags five primary concerns around the collection and use of personal data in Nigeria:

1. The use of personal data may be incompatible with the purpose for which it was collected.
2. Individuals have no rights in relation to the collection, use, and storage of their personal information.
3. Nigerians are not offered adequate opportunities to consent to, or opt out of, data collection.
4. There is limited to no transparency in the processing of personal data and there is a lack of information available on how this personal data is used and stored, leading to greater risk of a personal data breach.
5. Children are exposed to privacy risks online and often lack the legal capacity to give valid consent, and may unknowingly disclose personal information to online platforms due to the appealing nature of their visual content.

To address these concerns, the National Assembly should include the following elements in a data protection framework:

1. Use of personal data must be in accordance with the purpose for which it was collected.
2. Consent of the individual must be obtained prior to collecting his/her personal data.
3. Rights of the individual to seek legal remedies for misuse and/or unauthorised access to his/her personal data must be guaranteed.

This paper was produced by the World Web Foundation and Paradigm Initiative, with support from Omidyar Network and Google. Chukwuyere Izuogu conducted the research.