[DRAFT]
IMPLEMENTATION FRAMEWORK OF THE NIGERIA DATA PROTECTION
REGULATION (Page 2-38)
AND
IMPLEMENTATION STRATEGY OF NIGERIA CLOUD COMPUTING POLICY
(Page 39-83)
2019
[DRAFT]
NIGERIA DATA PROTECTION REGULATION 2019:
IMPLEMENTATION FRAMEWORK
July 2019 (Version 1)
Contents
NIGERIA DATA PROTECTION REGULATION 2019: IMPLEMENTATION FRAMEWORK............................4
1. BACKGROUND............................................................................................................................4
2. SUMMARY OF THE NDPR...............................................................................................................4
3. PROPOSED COMPLIANCE APPROACH............................................................................................6
3.1 Criteria for Licensing as DPCO..................................................................................................7
3.2 When Appointment of Data Protection Officer is Required.....................................................8
4. COMPLIANCE FRAMEWORK...........................................................................................8
4.1 Forms of Compliance...............................................................................................................8
4.2 Compliance Checklist for Data Controllers...............................................................................9
5. ENFORCEMENT FRAMEWORK.....................................................................................................11
5.1 Forms of Enforcement...........................................................................................................11
5.1.2 Complaint Filings.................................................................................................................11
5.1.3 Investigations......................................................................................................................12
5.1.4 Administrative Sanctions....................................................................................................12
5.1.5 Criminal Prosecution...........................................................................................................13
6. ENFORCEMENT PROCESS.............................................................................................................13
7. HOW PERSONAL DATA IS TO BE HANDLED..................................................................................15
7.1 Further Processing.................................................................................................................15
8. DIGITAL CONSENT........................................................................................................................16
8.1 Types of Consent...................................................................................................................16
8.2 Consent Requirement under NDPR.......................................................................................16
8.3 Valid Consent Guide...........................................................................................................17
8.4 Consent to Cookies.............................................................................................................17
9. DATA AUDITS...............................................................................................................................18
9.1 Audit Periods.........................................................................................................................18
9.2 Audit Filing Fees.....................................................................................................................18
9.3 Content of Audit Report........................................................................................................19
9.4 Audit Verification Statement by DPCO...................................................................................20
10. TRANSFER OF DATA ABROAD....................................................................................................21
11. DURATION OF STORAGE OF RECORDS...............................................................................21
12. REPORT OF DATA PRIVACY BREACH...................................................................................22
13. ESTABLISHMENT OF ADMINISTRATIVE REDRESS PANEL....................................................23
14. THIRD PARTY PROCESSORS.................................................................................................24
15. DATA PROTECTION IN MDAs..............................................................................................24
16. RELATIONSHIP WITH ATTORNEY-GENERAL OF THE FEDERATION......................................25
17. CONTINUOUS PUBLIC AWARENESS AND CAPACITY BUILDING...........................................26
ANNEXURE A.......................................................................................................................................26
ANNEXURE B........................................................................................................................................30
SAMPLE PRIVACY POLICY TEMPLATE FOR PUBLIC INSTITUTIONS....................................................30
1.0 Your Privacy Rights................................................................................................................30
2.0 Consent..................................................................................................................................31
3.0 Your Personal Information.....................................................................................................31
4.0 What we do with your personal information.........................................................................32
5.0 Cookies..................................................................................................................................32
6.0 How we protect your personal information..........................................................................32
7.0 How We Share your information within NITDA and other users...........................................33
8.0 Security..................................................................................................................................33
9.0 Data Confidentiality Rights....................................................................................................34
10.0 Links to Other Websites and Premises.................................................................................34
11.0 Governing Law.....................................................................................................................34
COUNTRIES WITH ADEQUATE DATA PROTECTION LAWS................................................................35
Table 1.0: Enforcement Process..........................................................................................................13
Table 2.0: NDPR Compliance Template...............................................................................................26
Figure 1.0: NDPR triangular Compliance Model.....................................................................................7
Figure 2.0: Enforcement Framework...................................................................................................11
NIGERIA DATA PROTECTION REGULATION 2019: IMPLEMENTATION FRAMEWORK
1. BACKGROUND
The rate at which Nigerians' data is being breached by service providers has
reached epidemic proportions. On a daily basis, personally identifiable
information of Nigerians is used by unauthorized persons to further their
own interests without the consent of the Data Subject. The Data Protection
Regulation is at present the most robust data protection framework in Nigeria.
Accordingly, stakeholders have encouraged NITDA to ensure the effective
implementation and enforcement of the Regulation.
2. SUMMARY OF THE NDPR
The NDPR was issued on 25th January, 2019 pursuant to Section 6 (a,c) of
the NITDA Act, 2007. The NDPR was made in recognition of the fact that
many public and private bodies have migrated their respective businesses and
other information systems online. These information systems have thus
become critical information infrastructure which must be safeguarded,
regulated and protected against atrocious breaches. Government further
takes cognizance of emerging data protection regulations within the
international community geared towards security of lives and property and
fostering the integrity of commerce and industry in the data economy.
The principles of the NDPR are enumerated as follows:
a) Lawfulness and Legitimacy: Article 2.1(1a) provides that Personal Data shall be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject.
b) Specific Purpose: In addition to Article 2.1(1a) cited above, Article 3.1(7c) mandates the Data Controller to expressly inform the Data Subject of the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing. This has hitherto been observed in the breach. This, we believe, would change as government is poised to stem the tide of brazen breaches of people's right to privacy.
c) Data Minimization: Data Controllers are expected to collect the minimum required data and avoid unnecessary surplusage. Data that is not useful to the Controller ought not to be collected. No data shall be obtained unless the specific purpose of collection is made known to the Data Subject. This principle also relates to the principle on purpose of collection. By insisting that the purpose for collecting or further processing a data set must be communicated to the Data Subject, the Regulation has closed the door to a multitude of potential abuses.
d) Accuracy: The NDPR provides that collected and processed Personal Data shall be adequate, accurate and without prejudice to the dignity of the human person (Art. 2.1(b)). The NDPR prohibits the abuse or inaccurate representation of personally identifiable data, even if such data were given with due consent. Data Controllers and Processors are required to ensure regular updating of personal data in their custody to achieve this.
e) Storage and Security: Data Controllers are required to store data only for the period they are reasonably required to do so. The Regulation does not explicitly provide a time period because that detail, we believe, should be left to contractual agreement. However, where such is not specified, the dispute redress mechanisms can specify what would constitute a sufficient storage period. The Regulation also places the onus of security on the Data Controller and Processor. Art. 2.1(d) provides that personal data shall be secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
f) Confidentiality, Integrity and Availability: Article 3 generally enumerates the rights of the Data Subject. One of the underpinning principles of the NDPR is that Data Controllers must comply with basic minimum standards of information security management. The Regulation specifies the role of the Controller and the Data Subject in such case.
Compliance and Enforcement: One of the novelties of the NDPR is its
compliance structure. The Regulation creates a nouveau class of
professionals- Data Protection Compliance Organisations (DPCO). A DPCO is
any entity duly licensed by NITDA for the purpose of training, auditing,
consulting and rendering services and products for the purpose of compliance
with this Regulation or any foreign Data Protection Law or Regulation having
effect in Nigeria (See Article 1.3 (xiii)).
This Framework is therefore a general strategic approach to enforcement of
the Regulation. The objectives of the NDPR are:
a) to safeguard the rights of natural persons to data privacy;
b) to foster safe conduct for transactions involving the exchange of Personal
Data;
c) to prevent manipulation of Personal Data; and
d) to ensure that Nigerian businesses remain competitive in international trade
through the safeguards afforded by a just and equitable legal regulatory
framework on data protection which is in tune with best practice.
The NDPR applies to every Data Controller and Data Administrator. A Data
Controller is defined by the Regulation as a person who either alone, jointly
with other persons or in common with other persons or a statutory body
determines the purposes for and the manner in which Personal Data is
processed or is to be processed. A Data Administrator is a person or an
organization that processes data.
3. PROPOSED COMPLIANCE APPROACH
The approach adopted by the Nigeria Data Protection Regulation (NDPR)
considers the Nigerian context and seeks to be implemented in a non-obstructive,
compliance-promoting manner. The NDPR uses a triangular
compliance model.
Figure 1.0: NDPR triangular Compliance Model
In this model, NITDA would register Data Protection Compliance
Organisations (DPCOs) which will provide auditing and compliance services for
Data Controllers. The criteria for licensing DPCOs would be published and
such licensed DPCOs will be listed on the NITDA site. Data Controllers who
process personally identifiable information of more than 2000 Data Subjects
are expected to submit a summary of their data protection audit to the Agency
on an annual basis.
[Figure 1.0 residue: the vertices of the NDPR compliance model are NITDA (as National DPO), DPCO and Data Controller]
3.1 Criteria for Licensing as DPCO
A DPCO may be one or more of the following:
Professional Service Consultancy firm
IT Service Provider
Audit firm
Law firm
which has Data Protection certification or experience in addition to any one of the following:
a) Data Science
b) Data Protection and privacy
c) Information Privacy
d) Information Audit
e) Data Management
f) Information security
g) Data protection legal services
h) Information Technology Due Diligence
i) EU GDPR implementation and compliance
j) Cyber Security/Cyber Security law
k) Data Analytics
l) Data Governance
DPCOs are licensed to provide one or more of these services:
a) Data protection regulations compliance and breach services for Data Controllers and Data Administrators
b) Data protection and privacy advisory services
c) Data protection training and awareness services
d) Data Regulations Contracts drafting and advisory
e) Data protection and privacy breach remediation planning and support services
f) Information privacy audit
g) Data privacy breach impact assessment
h) Data Protection and Privacy Due Diligence Investigation
i) Outsourced Data Protection Officer etc.
3.2 When Appointment of Data Protection Officer is Required
A Data Controller is required to appoint a dedicated data protection officer
where one or more of the following conditions are present:
a) The entity is a Government Organ, Ministry, Department, Institution or Agency;
b) The core activities of the organization relate to usual processing of large sets of personal data;
c) The organization processes sensitive personal data in the regular course of its business; and
d) The organization processes critical national databases consisting of personal data.
4. COMPLIANCE FRAMEWORK
4.1 Forms of Compliance
i. Cooperation: NITDA will, to the extent practicable and consistent with
the provisions of the Act and regulatory instruments, seek the
cooperation of concerned entities in achieving compliance with the
applicable provisions.
ii. Assistance: NITDA may provide technical assistance to concerned
entities to help them comply voluntarily with the applicable provisions.
This is being done through the DPCOs.
iii. Self-Reporting: The concerned entity will be required to proactively
provide information to show compliance with the applicable provisions.
iv. Signal Detection: The compliance framework will ensure the proactive
monitoring and evaluation of data provided by concerned entities by
utilizing analytic tools to identify patterns that reflect non-compliance.
4.2 Compliance Checklist for Data Controllers
The Data Controller is the focal point in the data protection value chain. Most
responsibilities for compliance lie with the Data Controller. The following
checklist would guide Controllers to reduce liabilities and fines.
i. Conduct an information audit: Article 3.1(7) of the NDPR provides what
the audit report should contain.
ii. Legally justifiable basis for processing: Article 2.2 specifies five legal
bases for processing of personal data, namely: consent of the Data
Subject; performance of a contract; legal obligation; protection of vital
interest; or public interest. A Controller must identify on which basis it is
processing the personal data.
iii. Clear information on data processing: Article 2.5 provides for Publicity
and Clarity of Privacy Policy. It states that any medium through which
Personal Data is being collected or processed shall display a simple
and conspicuous privacy policy that the class of Data Subject being
targeted can understand.
iv. Design systems to be data protection compliant: Data Controllers must
show that their systems are built with data protection in mind. Article 2.6
provides that anyone involved in data processing or the control of data
shall develop security measures to protect data; such measures include
but are not limited to protecting systems from hackers, setting up firewalls,
storing data securely with access to specific authorized individuals,
employing data encryption technologies, developing organizational
policy for handling Personal Data…
v. Awareness creation on data protection: continuous capacity building for
staff is a Controller's duty.
vi. Develop and circulate an internal Data Privacy Strategy or Policy to
help staff and vendors understand the Controller's direction in respect of
managing personal data.
vii. Conduct a Data Protection Impact Assessment en route to compliance or
periodically.
viii. Establish a process for notifying the appropriate authority in the event of a data
breach.
ix. Appoint a Data Protection Officer or assign an appropriate person who
has responsibility to the top-most hierarchy of the Organisation in
respect of data protection.
x. Update agreements with third party processors to ensure compliance
with the NDPR.
xi. Design systems to make data requests and access easy for Data Subjects.
xii. Design systems to enable Data Subjects to easily correct or update
information about themselves.
xiii. Design systems to enable Data Subjects to easily transfer (port) data to another platform at minimal cost.
xiv. Ensure the process for objecting to processing of personal data is clearly
communicated to Data Subjects.
xv. Establish a procedure for informing and protecting the rights of Data Subjects where
automated decisions are being made on personal data.
5. ENFORCEMENT FRAMEWORK
Figure 2.0: Enforcement Framework
5.1 Forms of Enforcement
5.1.1 Surveillance
Surveillance refers to specific, deliberate monitoring carried out to identify breaches of the NDPR. This routine activity arises out of the understanding that operators or parties obligated to perform specific tasks or to comply with provisions of the NDPR, particularly as they affect Data Subjects, may be in deliberate or unconscious breach of the Regulation. Surveillance will aid NITDA to identify breaches of regulatory instruments or to co-opt other stakeholders to identify and report breaches to the Agency.
5.1.2 Complaint Filings
A Compliance Officer or any person who believes a party is not complying
with any of the provisions of any regulatory instrument may file a complaint
with NITDA. Such complaints must meet the following requirements:
a. A complaint must be filed in writing, either on paper or electronically.
b. A complaint must name the person that is the subject of the complaint
and describe the acts or omissions believed to be in violation of the applicable
provision(s).
c. NITDA may prescribe additional procedures for the filing of complaints,
as well as the place and manner of filing.
5.1.3 Investigations
NITDA will investigate any complaint filed against a concerned entity when a
preliminary review of the facts indicates a possible violation of the provision(s)
of any regulatory instrument. NITDA may by its officers or through designated
DPCO, investigate any complaint filed by third parties and may also do so
based on a special audit check or “spot check”. Investigation may include a
review of the policies, procedures, or practices of the concerned entity and of
the circumstances regarding any alleged violation. At the time of the initial
written communication with the concerned entity, NITDA will indicate the basis
of the audit.
5.1.4 Administrative Sanctions
Where NITDA has ascertained through the foregoing tools of enforcement or
by the Administrative Redress Panel established pursuant to Article 4.2 of the
NDPR, that a party is in breach of the NDPR, NITDA may issue an order for
compliance with the relevant provision to curtail further breach. NITDA may
additionally prescribe additional sanction in liquidated monetary value. A
decision on the money value shall be based on the severity of the breach, the
number of data subjects affected, opportunity for curtailment left unexplored
and whether the breach is the first by the offending entity. NITDA may also
issue other administrative orders to include:
i. Suspension of service pending further investigations;
ii. Order for parties in breach to appear before a panel to determine
liability of officers in line with Article 4.2;
iii. Issue public notice to warn the public to desist from patronizing or doing
business with the affected party;
iv. Refer the parties in breach to other Self-Regulatory Organization (SRO)
for appropriate sanctions
5.1.5 Criminal Prosecution
Where NITDA has determined that a party is in grave breach of the NDPR,
especially where such breach affects national security, sovereignty and
cohesion, it may seek to prosecute officers of the organization as provided for
in Section 17(1,3) NITDA Act 2007. NITDA shall seek a fiat of the Honorable
Attorney General of the Federation (HAGF) or may file a petition with any
prosecuting authority in Nigeria, which may include the Economic and Financial
Crimes Commission (EFCC), the Department of State Security (DSS), the
Nigerian Police Force (NPF), the Independent Corrupt Practices Commission
(ICPC) or the Office of the National Security Adviser (ONSA).
6. ENFORCEMENT PROCESS
Table 1.0: Enforcement Process
Enforcement Activity | Description of Action
Documentation of Breach
1. At this stage it is required that a report, memo, petition or complaint is officially submitted to NITDA through the office of the Director General of NITDA.
2. The document must be duly signed by an Officer of NITDA or the external complainant.
3. For an external complaint, the document must be written and signed by an individual either in personal capacity or a group (of persons or companies) or a registered entity (registered with the CAC).
Request for Additional Information and Investigation
If it appears NITDA is not sufficiently briefed or may need further information to arrive at a conclusion of breach of the NDPR, the following procedure would be employed:
i. A "Request for Additional Information" would be issued to either the complainant, the alleged violator or any other party who may be in a position to provide clarity on the facts of the allegation of breach.
ii. Invite relevant parties for an "Investigation Meeting" to elicit facts to establish or disprove breach.
iii. "Request for Investigation" in partnership with law enforcement agencies.
Continuation or Termination of Enforcement Process
Where NITDA is satisfied that there is prima facie evidence of a breach, NITDA may:
1. Request a response from the violator stating the allegations against them;
2. In the event that NITDA finds the explanations of the alleged violator coherent and sufficient, NITDA will respond to the allegation and enforcement will be terminated.
Notice of Enforcement
Where NITDA is satisfied that a breach of the NDPR has occurred:
1. NITDA will then issue a "Notice of Enforcement" citing the specific breach and demanding mandatory compliance within a specific time frame from the date of the service of notice.
2. NITDA may issue an administrative fine or penalty in line with extant regulation.
Issuance of Public Notice (OPTIONAL)
NITDA may consider issuing a public statement warning the public and other agencies of Government of the dangers of dealing with a violator who has perpetrated a breach of the NDPR.
Request for Prosecution
A. Where a violator does not take steps to address the breach or consult with NITDA as to what steps are to be taken to remedy the breach after the period stated in the "Notice of Enforcement"; or
B. NITDA may file an official Petition or Notice of Prosecution to the Office of the Attorney General of the Federation, stating the following:
I. Original complaint;
II. Enforcement process initiated by NITDA; and
III. Implication of the action of the violator for the development of ICT in Nigeria.
IV. A copy of the notice would be copied to the Presidency and any other relevant organ of government.
7. HOW PERSONAL DATA IS TO BE HANDLED
According to Article 2.1.1(a)(i), Data Controllers are to ensure data collected is
specific; legitimate; adequate; accurate; stored for the period reasonably
needed; with the purpose of collection stated; secured; and with explicit, unambiguous
consent granted by the Data Subject.
7.1 Further Processing
Article 3.1(7)m: Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the controller shall provide the Data Subject prior to that further processing with information on that other purpose, and with any relevant further information.
Where a Data Controller wishes to further process data initially collected for
a defined, limited purpose, the Data Controller shall consider the following:
a) whether there exists a connection between the original purpose and the
proposed purpose;
b) the context in which the data was originally collected;
c) the possible implications of the new processing for the data subject; and
d) the existence of requisite safeguards for the data subject.
The above information shall be provided to the Data Subject before the further
processing is done. The further processing may be done if the Data Subject
gives consent based on the new information or the processing is required in
compliance with a legal obligation.
8. DIGITAL CONSENT
'Consent' of the Data Subject means any freely given, specific, informed and
unambiguous indication of the Data Subject's wishes by which he or she,
through a statement or a clear affirmative action, signifies agreement to the
processing of Personal Data relating to him or her (Article 1.3(iii)). Consent may
be given through a statement (written or signed) or an affirmative action signifying
agreement to the processing of personal data.
8.1 Types of Consent
a) Implied Consent: participating and volunteering data under certain
conditions can constitute implied consent.
b) Explicit Consent: the Subject gives clear, documentable consent, e.g. ticks a
box, signs a form, sends an email or signs a paper.
c) Opt-out Consent: you are in unless you choose to opt out,
e.g. "I don't want to receive the XXX newsletter":
if the box is left unticked, you will receive the XXX newsletter.
Exceptions to the above may be cases of: health emergency, national
security and crime prevention.
8.2 Consent Requirement under NDPR
a) Transparency: There must be an explicit privacy policy stating the type
of data collected, how it is processed, who processes it, the security standard, etc.;
b) No implied consent: Silence, pre-ticked boxes or inactivity do not
constitute consent;
c) No bundled consent: Separate data consent requests from general
terms and conditions. There must be consent for each different class of data
use;
d) Access to data: The Subject can request and receive the data he gave, how
such data is being used, and who has access to it. Data Controllers must keep
consent records; and
e) Special category / higher standard consent: Sensitive personal
data such as ethnicity, political affiliation, religious beliefs, trade union
membership, biometrics, sexual orientation, health and the like requires a
specific, higher consent method. A tick of a box would not suffice.
8.3 Valid Consent Guide
a) Make your consent request prominent, concise, separate from
other terms and conditions and easy to understand;
b) Include the name of your organization and any third parties, why
you want the data, what you will do with it and the right to
withdraw consent at any time;
c) You must ask people to actively opt in. Don't use pre-ticked
boxes, opt-out boxes or default settings;
d) Wherever possible, give granular options to consent separately to
different purposes and different types of processing;
e) Keep records to evidence consent: who consented, when, how
and what they were told;
f) Make it easy for people to withdraw consent at any time they
choose;
g) Keep consent under review and refresh it if anything changes;
and
h) Build regular reviews into your business processes.
(Source: UK Information Commissioner's Office)
8.4 Consent to Cookies
The use of cookies on a website or other digital platform requires consent.
The consent must be freely given, informed and specific. Consent for cookies
does not necessarily need the ticking of a box or similar methods; the continued
use of a website which has met the following requirements would suffice as
consent:
a) the information must be clear and easy to understand;
b) the purpose of the use of the cookies must be provided;
c) the identity of the person or entity which is responsible for the use of the
cookies must appear;
d) the possibility of withdrawal of consent must be easily accessible and
be described in the information; and
e) this information must be easily accessible to the user at all times.
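The consent requirements in 8.2 and 8.3 (affirmative action only, no pre-ticked defaults, granular purposes, records of who consented, when, how and what they were told, easy withdrawal) together with the information requirements for cookies in 8.4 can be implemented as a small consent-record store on a website. The JavaScript below is an added example written for this Framework page; it is not code from NITDA, a DPCO or the Regulation. The controller name, notice text, purposes and cookie names are constructed for illustration, and the store is deliberately stricter than the "continued use" standard in 8.4: every non-necessary cookie is gated on a recorded affirmative choice.

```javascript
// Added example (not NITDA's or the Regulation's code): a minimal consent-record
// store for a website, modelled on sections 8.2 to 8.4 above. All names,
// purposes, notice text and cookie names below are constructed for illustration.

// What the Data Subject is shown before choosing (8.4): identity of the entity
// responsible, the purpose of each cookie/processing, and how to withdraw.
const NOTICE = {
  version: "2019-07-v1",
  controller: "Example Controller Ltd (hypothetical)",
  purposes: {
    analytics: "Measure how the site is used so that we can improve it",
    marketing: "Send you our newsletter and offers",
  },
  withdrawal: "Open 'Privacy choices' in the page footer to change or withdraw consent",
};

// 8.4 requires the identity, the purposes and the withdrawal route to be
// stated; consent recorded against a notice lacking any of them is not informed.
function noticeIsComplete(notice) {
  const purposes = notice && notice.purposes ? Object.values(notice.purposes) : [];
  return Boolean(
    notice && notice.version && notice.controller && notice.withdrawal &&
    purposes.length > 0 && purposes.every((p) => typeof p === "string" && p.length > 0)
  );
}

// Methods that count as a clear affirmative action (8.2b, 8.3c). Silence,
// inactivity and pre-ticked boxes are deliberately absent from this set.
const AFFIRMATIVE_METHODS = new Set(["tick_box", "signed_form", "email", "button_click"]);

class ConsentStore {
  constructor(notice, now = () => new Date()) {
    if (!noticeIsComplete(notice)) throw new Error("notice does not meet the 8.4 information requirements");
    this.notice = notice;
    this.now = now;
    this.records = []; // append-only evidence trail: who, when, how, what they were told (8.3e)
  }

  // Every purpose starts un-consented: no default settings or pre-ticked boxes (8.3c).
  defaultChoices() {
    return Object.fromEntries(Object.keys(this.notice.purposes).map((p) => [p, false]));
  }

  // Record a per-purpose choice (granular, 8.3d) made by an affirmative action.
  record(subjectId, choices, method) {
    if (!AFFIRMATIVE_METHODS.has(method)) {
      throw new Error(`consent method '${method}' is not an affirmative action`);
    }
    const merged = this.defaultChoices();
    for (const [purpose, value] of Object.entries(choices)) {
      if (!Object.prototype.hasOwnProperty.call(merged, purpose)) throw new Error(`unknown purpose '${purpose}'`);
      if (typeof value !== "boolean") throw new Error(`choice for '${purpose}' must be true or false`);
      merged[purpose] = value;
    }
    return this.append(subjectId, method, merged);
  }

  // Withdrawal is recorded as a new entry; earlier entries stay as evidence that
  // processing before the withdrawal was lawful (9.3 i).
  withdraw(subjectId, purpose) {
    const latest = this.latest(subjectId);
    const choices = latest ? { ...latest.choices } : this.defaultChoices();
    if (!Object.prototype.hasOwnProperty.call(choices, purpose)) throw new Error(`unknown purpose '${purpose}'`);
    choices[purpose] = false;
    return this.append(subjectId, "withdrawal", choices);
  }

  append(subjectId, method, choices) {
    const entry = {
      subjectId,
      when: this.now().toISOString(),
      method,
      noticeVersion: this.notice.version, // identifies exactly what they were told
      controller: this.notice.controller,
      choices,
    };
    this.records.push(entry);
    return entry;
  }

  latest(subjectId) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].subjectId === subjectId) return this.records[i];
    }
    return null;
  }

  // Processing for a purpose is permitted only if the latest record says so;
  // a subject with no record has consented to nothing.
  isPermitted(subjectId, purpose) {
    const latest = this.latest(subjectId);
    return latest !== null && latest.choices[purpose] === true;
  }
}

// Constructed cookie catalogue. Strictly necessary cookies need no consent;
// every other cookie is gated on the purpose it serves.
const COOKIE_CATALOGUE = [
  { name: "session_id", purpose: "necessary" },
  { name: "_stats", purpose: "analytics" },
  { name: "_promo", purpose: "marketing" },
];

function cookiesAllowed(store, subjectId, catalogue = COOKIE_CATALOGUE) {
  return catalogue
    .filter((c) => c.purpose === "necessary" || store.isPermitted(subjectId, c.purpose))
    .map((c) => c.name);
}

// Usage: one subject ticks the analytics box only, then later withdraws.
const store = new ConsentStore(NOTICE);
store.record("subject-42", { analytics: true }, "tick_box");
console.log(cookiesAllowed(store, "subject-42")); // session_id and _stats
store.withdraw("subject-42", "analytics");
console.log(cookiesAllowed(store, "subject-42")); // session_id only
```

The store refuses to start against a notice that omits the controller's identity, the purposes or the withdrawal route, refuses any consent "method" that is not an affirmative action, and keeps withdrawals as separate entries rather than deleting the earlier record, so an auditor can reconstruct who consented to what, when, and under which version of the notice.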
9. DATA AUDITS
Audits are investigations or examinations of the records, processes and procedures of Data Controllers and Processors to ensure they are in compliance with the requirements of the NDPR. The NDPR requires regulated parties to keep and produce a particular class of records, logs or databases in accordance with stipulated rules. Failure to maintain these records in the manner provided may lead to harm to others, a violation or the commission of a crime. Therefore, NITDA may on its own carry out scheduled Audits, or may require reports of Audits as carried out by DPCOs, and may schedule a "spot check" or "Special Audit" to ascertain compliance or to identify breaches. Usually these audits or investigations are unscheduled and may follow a "tip-off" or may be random, to ensure compliance with the NDPR and related laws.
9.1 Audit Periods
Article 4.1(7) addresses the period within which the audit report is to be filed by Data
Controllers. The Article provides as follows:
(7) On an annual basis, a Data Controller who processed the Personal Data of more than 2000 Data Subjects in a period of 12 months shall, not later than the 15th of March of the following year, submit a summary of its data protection audit to the Agency. The data protection audit shall contain information as specified in 4.1(5).
Non-filing of the Annual Audit Report by a Data Controller is a prima facie case of
breach. The 15th of March is the latest date for filing the Annual Data Audit Report.
9.2 Audit Filing Fees
Each Controller is expected to file the audit report and pay the following
amount as applicable:
Filing Fees for Annual Audit Reports
1. Filing of Report of less than 10,000 Data Subjects: N5,000
2. Filing of Report of between 10,000 and 50,000 Data Subjects: N10,000
3. Filing of Report of more than 50,000 Data Subjects: N20,000
9.3 Content of Audit Report
The data protection audit shall contain information as specified in Article 3.1(7)
of the Regulation. For clarity, the report shall contain the following:
a) the identity and the contact details of the Controller;
b) the contact details of the Data Protection Officer;
c) the purpose(s) of the processing for which the Personal Data are
intended as well as the legal basis for the processing;
d) the legitimate interests pursued by the Controller or by a third party;
e) the recipients or categories of recipients of the Personal Data, if any;
f) where applicable, the fact that the Controller intends to transfer
Personal Data to a third country or international organization and the
existence or absence of an adequacy decision by NITDA;
g) the period for which the Personal Data will be stored, or if that is not
possible, the criteria used to determine that period;
h) the existence of the right to request from the Controller access to and
rectification or erasure of Personal Data or restriction of processing
concerning the Data Subject or to object to processing as well as the
right to Data Portability;
i) the existence of the right to withdraw consent at any time, without
affecting the lawfulness of processing based on consent before its
withdrawal;
j) the right to lodge a complaint with a relevant authority;
k) whether the provision of Personal Data is a statutory or contractual
requirement, or a requirement necessary to enter into a contract, as well
as whether the Data Subject is obliged to provide the Personal Data
and the possible consequences of failure to provide such data;
l) the existence of automated decision-making, including profiling and,
at least, in those cases, meaningful information about the logic involved,
as well as the significance and the envisaged consequences of such
processing for the Data Subject;
m) Where the Controller intends to further process the Personal Data
for a purpose other than that for which the Personal Data were
collected, the controller shall provide the Data Subject prior to that
further processing with information on that other purpose, and with any
relevant further information; and
n) Where applicable, that the Controller intends to transfer Personal
Data to a recipient in a foreign country or international organization and
the existence or absence of an adequacy decision by The Agency.
A draft standard template for the audit report is attached as Annexure A to this Framework; the final, stakeholder-agreed version will be adopted by Data Protection Compliance Organisations (DPCOs) in the course of audit implementation.
9.4 Audit Verification Statement by DPCO
A DPCO shall make the following Audit Verification Statement as a pre-condition to the filing of an Annual Audit Report or any other report demanded by NITDA.
I ……………………. of ………………………………. a licensed Data Protection Compliance Organisation (DPCO) under Article 4.1(4) of the Nigeria Data Protection Regulation (NDPR) hereby make this statement on oath that the Data Audit Report (DAR) herein filed by ……………………… (Name of Organisation) is conducted in line with the NDPR and that it is an accurate reflection of the organisation’s Personal Data Management practice.
SIGN:
LICENSE NUMBER:
DATE:
10. TRANSFER OF DATA ABROAD
Where data is being transferred abroad as stipulated in Article 2.11, the following information is required:
i. The list of countries to which Nigerian citizens’ personally identifiable information is transferred in the regular course of business.
ii. The data protection laws and the contact details of the National Data Protection Office/Administration of each country listed in i) above.
iii. The privacy policy of the Data Controller, compliant with the provisions of the NDPR.
iv. An overview of the encryption method and data security standard in use.
v. Any other detail that assures that the privacy of personal data is adequately protected in the target country.
NITDA shall coordinate transfer requests with the office of the Attorney-General of the Federation. A ‘white-list’ of jurisdictions shall be compiled and published on official media of communication. Where transfer to a jurisdiction outside the white-list is being sought, the Data Controller shall ensure there is verifiable documentation of consent to one or more of the exceptions stated in Article 2.12 of the NDPR.
11. DURATION OF STORAGE OF RECORDS
The length of storage of data shall be determined by:
a) The contract term agreed by parties;
b) Whether the transaction type has statutory implication;
c) Whether there is an express request for deletion by the Data Subject,
where such Subject is not under an investigation which may require the
data; and
d) The cost implication of storage of such data by the Data Controller.
NITDA will consider the above and other circumstances to determine whether the data was stored appropriately and for a reasonable length of time.
12. REPORT OF DATA PRIVACY BREACH
In line with Article 4.1(8) and other relevant provisions, Data Subjects, civil society or professional organisations, or any government Agency may report a breach of this Regulation to NITDA through an advertised channel. Upon receipt of this report, the Director General/CEO may direct action to be taken, which may include the following steps:
a) Contact the Organisation for enquiry;
b) Review of any earlier filed annual report;
c) Data Protection Regulation Compliance Query;
d) Administrative Action; and
e) Prosecution.
Data Controllers and Administrators also have a duty of self-reporting data breaches. The NDPR requires data handlers to have policies and procedures for monitoring and reporting violations of privacy and data protection policies (see Article 4.1(5)(j)). Data Controllers and Administrators have a duty to report to NITDA within 72 hours of their knowledge of the breach. The report shall include the volume of data likely to be affected, the cause of the breach and the remedial actions being taken.
Notification of a Data Breach to NITDA must include the following information:
i. A description of the circumstances of the loss or unauthorized access or disclosure;
ii. The date or time period during which the loss or unauthorized access or disclosure occurred;
iii. A description of the personal information involved in the loss or unauthorized access or disclosure;
iv. An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
v. An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
vi. A description of any steps the organization has taken to reduce the risk of harm to individuals;
vii. A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
viii. The name and contact information of a person who can answer, on behalf of the organization, the Agency’s questions about the loss or unauthorized access or disclosure.
13. ESTABLISHMENT OF ADMINISTRATIVE REDRESS PANEL
In line with Article 4.2 of the Regulation, NITDA shall establish Administrative Redress Panels (ARP) as the Director General/CEO may deem appropriate.
The ARP shall be composed of accomplished IT professionals, Public
administrators and lawyers who shall work with the Agency for the purpose of
resolving issues related to the Regulation.
The ARP procedure shall give preference to online dispute resolution mechanisms. Where it is impracticable to adopt such a mechanism, the ARP shall be constituted and shall give its opinion within a stipulated period of time.
The rules of procedure of the ARP shall be drawn up by a Panel of experts.
The ARP Procedure shall however be designed with the following in mind:
a) Principles of fair hearing, fairness and transparency;
b) Arguments and case presentations shall be done in writing. The procedure shall limit oral presentation to the barest minimum;
c) The ARP shall, in reaching its decision, clearly state the proof of violation, identify some or all of the Data Subjects affected by the breach (in an anonymized, pseudonymized or summarized format), the provision of the Regulation violated and any acts of omission or commission which exacerbated the breach;
d) In reaching its decision, the Panel may consider whether the indicted entity has a reputation for data or other criminal or corporate breaches in the past; the number of employees in its establishment; and the impact of the fine on its overall contribution to the economy. Nothing in this provision shall, however, limit the powers of the ARP to discharge its duties as expected of a typical quasi-judicial panel.
14. THIRD PARTY PROCESSORS
Data Controllers are required to publish a list of third parties with whom the Data Subject’s data may be shared. This publication, which must also be included in the audit filing report, includes:
i) Categories of third-party data recipients, e.g. Credit Reference Agencies; Payment Processors; Insurance Brokers; Anti-Corruption Agencies etc.
ii) Third party name
iii) Third party jurisdiction
iv) Purpose of disclosure, e.g. Fraud Checking; Payment Processing; Dispute Management; Risk Management; Statutory Requirement etc.
v) Type of data disclosed, e.g. name, phone number, address, payment details, salary details etc.
15. DATA PROTECTION IN MDAs
NITDA shall deploy strategies and programmes to improve electronic governance in public institutions. Federal Public Institutions (FPIs) shall be given more time to comply with the Regulation. NITDA shall coordinate the process of improving data protection in FPIs through training and process change management.
Every MDA shall designate a Directorate-level officer as its Data Protection Officer. Such person shall be responsible for:
a) Informing and advising the MDA on compliance with the NDPR and other applicable data protection laws and policies;
b) Monitoring compliance with the Regulation and with the internal policies of the organization, including assigning responsibilities, awareness raising and training of staff; and
c) Facilitating cooperation with relevant stakeholders and acting as the point of contact with NITDA.
Every FPI shall incorporate a Privacy Policy on its website and digital media platforms to assure the privacy of the Data Subjects interacting with the FPI. A sample Privacy Policy for government Agencies and institutions is available in Annexure A for guidance.
16. RELATIONSHIP WITH ATTORNEY-GENERAL OF THE FEDERATION
In accordance with Article 2.12 of the NDPR, where a Data Controller seeks to transfer data to a foreign country, NITDA shall examine whether such country has an adequate data protection law or regulation that can guarantee minimum privacy for Nigerian citizens’ data. Where there is need for further legal cooperation from a target country, NITDA may approach the office of the Attorney-General for that purpose. In such circumstances, the data transfer and storage processes shall be done under the supervision of the Attorney-General.
Generally, an Adequacy Decision shall be issued by NITDA in respect of transfer to a foreign country if the information specified in paragraph 6 above is satisfactorily provided by the Data Controller. The Office of the Attorney-General may, in its supervisory role, prohibit the transfer of Nigerian private data to certain countries where it is of the opinion that the country’s data protection regime is inadequate or incompatible with Nigerian law.
NITDA shall generate a list of countries with acceptable data protection laws; this list shall be validated by the Attorney-General. Where a Data Controller seeks to transfer to any country other than the ones listed, such transfer shall be subject to further processes to ascertain the protection of Nigerian citizens’ data.
17. CONTINUOUS PUBLIC AWARENESS AND CAPACITY BUILDING
NITDA shall continuously organise seminars, workshops, conferences and other information dissemination programmes to socialize the NDPR and improve its public acceptance and compliance.
ANNEXURE A
Table 2.0: NDPR Compliance Template
AUDIT TEMPLATE FOR NDPR COMPLIANCE
No. | NDPR Provision | Question | Response | Comments
1 | | Accountability and governance | |
1.1 | | Is your top management aware of the Nigeria Data Protection Regulation (NDPR) and the potential implication on your organisation? | |
1.2 | Art. 2.6 | Have you implemented any information security standard in your organisation before? If YES, specify. | |
1.3 | Art. 2.1(d) | Do you have a documented data breach incident management procedure? | |
1.4 | Art. 1.2 | Do you collect and process personal information through digital mediums? | |
1.5 | Art. 2.6 | Have you organised any NDPR awareness seminar for your staff or suppliers? | |
1.6 | Art. 4.1(5) | Have you conducted a detailed audit of your privacy and data protection practices? | |
1.7 | Art. 2.5 | Have you set out the management support and direction for data protection compliance in a framework of policies and procedures? | |
1.8 | Art. 2.1 | Do you have a Data Protection compliance and review mechanism? | |
1.9 | Art. 2.6 | Have you developed a capacity building plan for compliance with data protection for all staff? | |
1.10 | Art. 3.1(1) | Do you know the types of personal data you hold? | |
1.11 | Art. 4.1(5) | Do you know the sources of the personal data you hold? | |
1.12 | Art. 4.1(5) | Who do you share personal data with? | |
1.13 | Art. 4.1(2) | Who is responsible for your compliance with data protection laws and processes? | |
1.14 | Art. 1.3 | Have you assessed whether you are a Data Controller or Data Administrator/Processor? | |
1.15 | Art. 4.1(5) | Have you reviewed your Human Resources policy to ensure personal data of employees are handled in compliance with the NDPR? | |
1.16 | Art. 2.5(d) | Have appropriate technical and organisational measures been implemented to show you have considered and integrated data protection into your processing activities? | |
1.17 | Art. 4.5 | Do you have a policy for conducting Data Protection Impact Assessment (DPIA) on existing or potential projects? | |
1.18 | Art. 4.5 | Does your DPIA Policy address issues such as: a) A description of the envisaged processing operations; b) The purposes of the processing; c) The legitimate interest pursued by the controller; d) An assessment of the necessity and proportionality of the processing operations in relation to the purposes; e) An assessment of the risks to the rights and freedoms of Data Subjects; f) Risk mitigation measures being proposed to address the risk? | |
2 | | DATA PROTECTION OFFICER/DATA PROTECTION COMPLIANCE ORGANISATION | |
  | Art. 4.1(4) | Have you appointed a Data Protection Compliance Organisation (DPCO)? | |
  | Art. 4.1(4) | Which kind of service has a DPCO provided for you till date? Hint: Audit, Data Protection Impact Assessment, Data Breach Remediation etc. | |
  | Art. 4.1(2) | Does your DPCO also perform the role of your DPO? | |
2.1 | Art. 4.1(2) | Has a Data Protection Officer (DPO) been appointed and given responsibility for NDPR compliance and the management of organisational procedures in line with the requirements of the NDPR? | |
  | Art. 4.1(4) | Do you utilise the same DPCO for Data Protection compliance implementation and audit? | |
2.2 | Art. 4.1(3) | Have you trained your Data Protection Officer in the last one year? | |
  | Art. 4.1(2) | Does the Data Protection Officer (DPO) have sufficient access, support and the budget to perform the role? | |
  | Art. 4.1(2) | If the DPO has other job functions, have you evaluated whether there is no conflict of interest? | |
  | Art. 4.1(2) | Does the DPO have verifiable professional expertise and knowledge of data protection to do the following: a) To inform and advise the business, management, employees and third parties who carry out processing, of their obligations under the NDPR; b) To monitor compliance with the NDPR and with the organisation's own data protection objectives; c) Assignment of responsibilities, awareness-raising and training of staff involved in processing operations; d) To provide advice where requested as regards the data protection impact assessment and monitor its performance; e) To cooperate with NITDA as the Supervisory Authority; f) To act as the contact point for NITDA on issues relating to data processing? | |
2.3 | Art. 2.5 | Is there a clearly available mechanism (e.g. webpage, etc.) for data subjects that explains how to contact your organisation to pursue issues relating to personal data? | |
3 | | DOCUMENTATION TO DEMONSTRATE COMPLIANCE | |
3.1 | Art. 3.1 | Have you documented your data processing activities? | |
3.2 | Art. 2.5 | Have you included an appropriate privacy notice in each data collection process, including those done through third parties? | |
  | Art. 4.1(5) | Have you agreed a schedule to review current privacy notices and contracts for compliance with the NDPR? | |
3.3 | Art. 2.2 | Other than the grounds of consent of an employee, has your organisation recorded other legal grounds on which it processes its employees' data? | |
3.4 | Art. 4.1(5) | Have you identified what personal data is collected and whether this is collected directly from the data subject or via a third party? | |
  | Art. 3.1(7) | Does this inventory include data retention periods or do you have a separate data retention schedule? | |
3.5 | Art. 1.3 | Do you have a register of data breaches and security incidents? | |
4 | | | |
4.1 | | Have you carried out a comprehensive review of the various types of processing your organisation performs? | |
  | | Have you identified the lawful basis for your processing activities and documented this? | |
  | | Have you explained the lawful basis for processing personal data in your privacy notice(s)? | |
4.2 | | Have you reviewed how you seek, record and manage consent? | |
  | | Have you reviewed the systems currently used to record consent and have you implemented appropriate mechanisms to ensure an effective audit trail? | |
4.3 | | If your organisation offers services directly to children, have you communicated privacy information in a clear, plain way that a child will understand? | |
  | | Do you adopt data pseudonymisation, anonymisation and encryption methods to reduce exposure of personal data? | |
4.4 | | Have you identified all the points at which personal data is collected: websites, application forms (employment and other), emails, in-bound and out-bound telephone calls, CCTV, exchanges of business cards, attendance at events etc.? | |
4.5 | | Do you have procedures for regularly reviewing the accuracy of personal data? | |
  | | Do you have a system for Data Subjects to erase or amend their personal data in your custody? | |
4.6 | | Have you identified all the ways in which personal data is stored, including backups? | |
  | | Have you evaluated points where data minimisation can be implemented in your data collection process? | |
  | | Have you reviewed your forms and other data collection tools to comply with the NDPR? | |
4.7 | | Have you identified the purposes for processing personal data, for determining and authorising internal or external access and all disclosures of data? | |
4.8 | | Are your organisational procedures checked to ensure that you can preserve the rights of individuals under the NDPR? | |
4.9 | | Is there a clearly available mechanism (e.g. webpage, etc.) for data subjects that explains how to contact the organisation to pursue issues relating to personal data? | |
4.10 | | Are all staff trained to recognise and deal with subject access requests? | |
4.11 | | Have you identified | |
4.12 | | Do you have a procedure for dealing with subject access requests from third parties? | |
4.13 | | Has your organisation implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively? | |
  | | Do you have mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms? | |
4.15 | | Have you trained all staff who deal with personal data about their responsibilities and data protection procedures? | |
  | | Are these responsibilities written into job descriptions? | |
4.17 | | Have you contracted with any third-party data processors? | |
  | | If so, are such contracts compliant with the requirements of the NDPR? | |
  | | Have you agreed a schedule to review current contracts for compliance with the NDPR? | |
4.18 | | Do you transfer personal data to organisations in countries outside Nigeria? | |
  | | If so, do you have in place appropriate contracts and methods of ensuring compliance? | |
4.19 | | Are the countries you transfer data to in the White List of countries with adequate data protection laws? | |
  | | Where the countries are not in the White List, have you recorded the basis of transfer? | |
4.20 | | Do you have in place adequate information systems security (e.g. as specified in ISO/IEC 27001) and does it include physical, logical, technical and operational measures that ensure the security of processing of personal data? | |
ANNEXURE B
SAMPLE PRIVACY POLICY TEMPLATE FOR PUBLIC INSTITUTIONS
This Privacy Policy between The National Information Technology Development Agency (hereinafter referred to as NITDA) and You constitutes our commitment to your privacy on our website, social media platforms and premises.
1.0 Your Privacy Rights
This Privacy Policy describes your privacy rights regarding our collection, use, storage, sharing and protection of your personal information. It applies to the NITDA website and all applications, services, tools and physical contact with us regardless of how you access or use them.
If you have created a username, identification code, password or any other piece of information as part of our access security measures, you must treat such information as confidential, and you must not disclose it to any third party. We reserve the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if in our opinion you have failed to comply with any of the provisions of these Conditions. If you know or suspect that anyone other than you knows your security details, you must promptly notify us at [email protected]
2.0 Consent
You accept this Privacy Policy when you give consent upon access to our platforms, or use our services, content, features, technologies or functions offered on our website or digital platforms, or visit any of our offices for official or non-official purposes (collectively “NITDA services”). This Policy governs the use of NITDA services and intervention projects by our users and stakeholders unless otherwise agreed through written contract. We may amend this Privacy Policy at any time by posting a revised version on our website, or by placing such notice at conspicuous points at our office facilities. The revised version will be effective 7 days after posting.
3.0 Your Personal Information
When you use NITDA Services, we collect information sent to us by your computer, mobile phone or other electronic access device. The automatically collected information includes, but is not limited to, data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, standard web log data, and still and moving images.
We may also collect information you provide to us, including but not limited to information on web forms, survey responses, account update information, email, phone number, the organization you represent, official position, correspondence with NITDA support services and telecommunication with NITDA. We also collect information about your transactions, enquiries and your activities on our platform or premises.
We may also use information provided by third parties such as social media sites. Information about you provided by other sites is not controlled by NITDA and we are therefore not liable for how they use it.
4.0 What we do with your personal information
The purpose of our collecting your personal information is to give you an efficient, enjoyable and secure customer experience. We may use your information to:
4.1 Provide NITDA services and support;
4.2 Process applications and send notices about your transactions to requisite parties;
4.3 Verify your identity;
4.4 Resolve disputes, collect fees, and troubleshoot problems;
4.5 Manage risk, or detect, prevent, and/or remediate fraud or other potentially prohibited or illegal activities;
4.6 Detect, prevent or remediate violations of laws, regulations, standards, guidelines and frameworks;
4.7 Improve the NITDA Services by implementing aggregate customer preferences;
4.8 Measure the performance of the NITDA Services and improve content, technology and layout;
4.9 Trace information breaches and remediate such identified breaches;
4.10 Manage and protect our information technology and physical infrastructure;
4.11 Contact you at any time through your provided telephone number, email address or other contact details.
5.0 Cookies
Cookies are small files placed on your computer’s hard drive that enable the website to identify your computer as you view different pages. Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. Like most interactive websites, our website uses cookies to enable the tracking of your activity for the duration of a session. Our website uses only encrypted session cookies, which are erased either after a predefined timeout period or once the user logs out of the platform and closes the browser. Session cookies do not collect information from the user’s computer. They will typically store information in the form of a session identifier that does not personally identify the user.
6.0 How we protect your personal information
We store and process your personal information on our computers in Nigeria. Where we need to transfer your data to another country, such country must have an adequate data protection law. We will seek your consent where we need to send your data to a country without an adequate data protection law. We protect your information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to our data centers, and information access authorization controls.
7.0 How We Share your information within NITDA and with other users
During your interaction with our website or premises, we may provide other Ministries, Departments, Agencies (MDA), other organs of government, and private sector operators performing government functions, with information such as your name, contact details, or other details you provide us for the purpose of performing our statutory mandate to you or third parties.
We work with third parties, especially government agencies, to perform the NITDA mandate and services. In doing so, a third party may share information about you with us, such as your email address or mobile phone number.
You accept that your pictures and testimonials on all social media platforms about NITDA can be used for limited promotional purposes by Us. This does not include your trademark or copyrighted materials.
From time to time we may send you relevant information such as news items, enforcement notices, statutorily mandated notices, and essential information to aid the performance of our mandate. We may also share your personal information in compliance with national or international laws, and with crime prevention and risk management agencies and service providers.
8.0 Security
We will always hold your information securely. To prevent unauthorized access to your information, we have implemented strong controls and security safeguards at the technical and operational levels. This site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to ensure secure transmission of your personal data. You should see the padlock symbol in your URL address bar once you are successfully logged into the platform. The URL address will also start with https://, depicting a secure webpage. SSL/TLS applies encryption between two points, such as your PC and the connecting server. Any data transmitted during the session will be encrypted before transmission and decrypted at the receiving end. This is to ensure that data cannot be read during transmission.
NITDA has also taken measures to comply with global Information Security Management Systems (ISMS) standards; we have therefore put in place digital and physical security measures to limit or eliminate the possibility of data privacy breach incidents.
9.0 Data Confidentiality Rights
Your information is regarded as confidential and will not be divulged to any third party except under legal and/or regulatory conditions. You have the right to request sight of, and copies of, any and all information we keep on you, if such requests are made in compliance with the Freedom of Information Act and other relevant enactments. While NITDA is responsible for safeguarding the information entrusted to us, your role in fulfilling confidentiality duties includes, but is not limited to, adopting and enforcing appropriate security measures such as not sharing passwords and other platform login details, adhering to physical security protocols on our premises, and dealing only with authorized officers of the Agency.
10.0 Links to Other Websites and Premises
Certain transaction processing channels may require links to websites or organisations other than ours. Please note that NITDA is not responsible for and has no control over websites outside its domain. We do not monitor or review the content of other parties’ websites which are linked from our website or media platforms. Opinions expressed or materials appearing on such websites are not necessarily shared or endorsed by us, and NITDA should not be regarded as the publisher of such opinions or materials. Please be aware that we are not responsible for the privacy practices or content of these sites. We encourage our users to be aware of when they leave our site and to read the privacy statements of these sites. You should evaluate the security and trustworthiness of any other site connected to this site or accessed through this site yourself, before disclosing any personal information to them. NITDA will not accept any responsibility for any loss or damage in whatever manner, howsoever caused, resulting from your disclosure of personal information to third parties.
11.0 Governing Law
This Privacy Policy is made pursuant to the Nigeria Data Protection Regulation (2019) or any other relevant Nigerian laws, regulations or international conventions applicable to Nigeria. Where any provision of this Policy is deemed inconsistent with a law, regulation or convention, such provision shall be subject to the overriding law, regulation or convention.
COUNTRIES WITH ADEQUATE DATA PROTECTION LAWS
SN | COUNTRY | SUMMARY OF LAW | REMARK
  | All EU Countries | The GDPR principles apply and are adequate. | 
  | Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, United Kingdom | | 
  | Angola | Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) and the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017). | The DPL establishes the Agência de Proteção de Dados (APD) as Angola’s Data Protection Authority.
1 | Argentina | Personal Data Protection Law 2000 (Law No. 25,326) applies to any person or entity in the country that deals with personal data. | National Authority: Agency for Access to Public Information, established pursuant to Decree 746 of 2017.
2 | Australia | The Federal Privacy Act 1988 is based on 13 APPs (Australian Privacy Principles) that cover transparency and anonymity; the collection, use and disclosure of data; maintaining the quality of data; and the data subject’s rights. Australia has regional and sectoral privacy laws supplementing the FPA. | 
  | Brazil | The General Data Protection Law 2018 (LGPD) is very similar to the GDPR. Brazil also has snippets of privacy law in the Constitution and other statutes such as the Consumer Protection Code 1990 and the Internet Act 2014. | The amended LGPD created the National Data Protection Authority (ANPD). The law would take effect in August 2020.
  | Canada | The private sector is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) 2000, amended in 2008 to include mandatory data breach notification and record-keeping requirements. The public sector is governed by the Privacy Act of 1983. | PIPEDA creates the Office of the Privacy Commissioner of Canada.
  | Cape Verde | Data Protection Law (Law 133/V/2001, as amended by Law 41/VIII/2013) and Law 132/V/2001 of 22 January 2001. | The national data protection authority in Cape Verde is the Comissão Nacional de Proteção de Dados Pessoais (‘data protection authority’).
  | China | The Information Technology – Personal Information Security Specification is the latest law on privacy in China. It came into effect in May 2018. | The Cyberspace Administration of China (CAC) is the data protection authority in China.
38
39
DRAFT NATIONAL CLOUD COMPUTING IMPLEMENTATION STRATEGY
National Information Technology Development Agency
(NITDA)
2019
Table of Contents
CHAPTER ONE: INTRODUCTION............................................................................................................1
1.1 Background..................................................................................................................................1
1.2 The Cloud First Value Proposition................................................................................................1
1.3 National Strategic Intent for Cloud Adoption..............................................................................2
1.4 The Goal......................................................................................................................................2
1.5 Making Cloud Computing Deployment and Service Models Choices...........................................3
CHAPTER TWO:......................................................................................................................................8
STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS.....................................8
2.1 Procurement................................................................................................................................8
2.2 Data Classification.......................................................................................................................8
2.3 International Dimensions of Cloud Computing..........................................................................10
2.4 Service Level Agreement and Consumer Protection..................................................................10
2.4 Information Security..................................................................................................................10
2.5 Cloud Interoperability................................................................................................................11
2.7 Migration to The Cloud..............................................................................................................11
2.8 Workforce and Skills..................................................................................................................12
2.9 Vendor Lock-in & Data Withdrawal...........................................................................................12
2.10 Cloud Registration and Certification........................................................................................13
2.11 Cloud Audit and Reporting......................................................................................................13
CHAPTER THREE:.................................................................................................................................15
NIGERIA CLOUD COMPUTING GOVERNANCE......................................................................................15
3.1 National Cloud Governance.......................................................................................................15
3.2 Public Institution Cloud Computing Governance.......................................................................16
CHAPTER FOUR:...................................................................................................................................19
IMPLEMENTATION PLAN.....................................................................................................................19
CHAPTER FIVE:.....................................................................................................................................22
NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK...................22
5.1 Compliance Framework.............................................................................................................22
5.2 General Enforcement Process...................................................................................................24
Appendix.............................................................................................................................................26
Appendix A1.0: Rationale for “Cloud First” value proposition...........................................................26
Appendix A2.0: National Strategic Intent for Cloud Adoption.........................................................26
Appendix A3.0: Cloud Computing Areas of Interoperability Guide.................................................27
Appendix A4.0 : Cloud Computing migration steps and requirements............................................28
Appendix 5.0: Focus Areas of cloud computing capacity.................................................................32
Appendix 6.0: Focus areas of vendor lock-in avoidance guide........................................................32
Appendix 7.0: Focus areas of cloud computing certification criteria...............................................33
Appendix 8.0: CSPs Audit Report Metrics........................................................................................33
Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs.....34
Definitions.......................................................................................................................................37
Table 1.0: A Guide for Choosing Cloud Computing Service Model........................................................4
Table 2.0: Cloud Service Model and Delivery Model Matrix..................................................................6
Table 3.0: Template for calculating data security and sensitivity..........................................................9
Table 4.0: Strategy Implementation road map (Short-term)................................................................19
Table 5.0: Strategy Implementation road map (Medium-term)..........................................................19
Table 6.0: Strategy Implementation road map (Long-term)................................................................20
Table 7.0: Specialized Strategies.........................................................................................................21
Figure 1.0: Categories of Cloud Deployment Model...............................................................................3
Figure 2.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy...........4
Figure 3.0: Information security levels...................................................................................................9
Figure 4.0: National Cloud Computing Governance............................................................................16
Figure 5.0: Organisational Cloud Computing Governance Model........................................................18
Figure 6.0: Enforcement framework....................................................................................................23
Figure 7.0: Cloud Migration Decision framework.................................................................................29
CHAPTER ONE: INTRODUCTION
1.1 Background
The National Information Technology Development Agency has developed the Nigeria Cloud Computing Policy to address the challenges of acquiring and deploying computing resources in the most efficient manner in the public sector. The Nigeria Cloud Computing Policy constitutes a set of policy statements that articulate the government’s strategic plan and direction for cloud computing adoption in the public sector and by Small and Medium Enterprises (SMEs) that provide ICT-enabled services to the Government. Implementing the Policy requires actions by various relevant stakeholders in the cloud computing space. The National Information Technology Development Agency (NITDA) has developed this Cloud Computing Implementation Strategy as a guide for the Agency, Public Institutions (PIs), Small and Medium Enterprises (SMEs) and other relevant stakeholders to implement the Nigeria Cloud Computing Policy.
The strategy includes strategic initiatives critical to implementing all the statements issued in the Policy, as well as an implementation framework. The implementation framework includes an implementation plan and a compliance and enforcement framework. The strategic initiatives and the provisions in the compliance and enforcement framework are informed by the challenges, the goal, the “Cloud First” value proposition and the expected outcomes of cloud adoption as explained in the Nigeria Cloud Computing Policy.
1.2 The Cloud First Value Proposition
The country’s socio-economic activities and businesses are increasingly dependent on Information and Communication Technology (ICT). Making these computing resources available and accessible is critical to the country’s continuous growth and sustainable development. The country’s Economic Recovery and Growth Plan (ERGP) recognizes information technologies as an enabler for promoting digital-led growth. Digital-led growth cannot happen unless the country has a policy direction suited to its environment for supporting the government and SMEs to acquire and deploy computing resources in the most efficient manner.
The “Cloud First” value proposition is aimed at promoting cloud computing as the “first choice” consideration for acquiring and deploying computing resources by public institutions and SMEs that provide digital-enabled services to the government, except where the deployment is related to national security concerns or cloud is not the best option politically and economically.
PIs and their IT/ICT departments/units should make themselves aware of the cloud capabilities and resources necessary to meet their business objectives and expectations as part of the adoption process. Therefore, the National Cloud Computing Policy recommends the concept of “Cloud First” for acquiring and deploying computing resources in the public sector and among SMEs that provide digital-enabled services to the government.
NOTE: There would be strong consideration for Indigenous CSPs while implementing the Cloud
First Value Proposition except where cloud requirements or capabilities do not exist locally. At the
same time, the cloud service provision would be highly competitive.
The rationale for the Cloud First value proposition is based on the following:
1. Reduced Capital Cost;
2. Efficiency;
3. Digital Service Innovation;
4. Elasticity; and
5. Information Security
See Appendix A1.0 for an explanation of the rationale for the Cloud First value proposition.
1.3 National Strategic Intent for Cloud Adoption
The strategic intent for cloud adoption is hinged on the following:
1. Responsive and efficient public service delivery;
2. Public sector digital transformation;
3. Local ICT industry development and growth, including SMEs;
4. Resources Savings; and
5. Opportunities to better manage human resources
See Appendix A2.0 for an explanation of the national strategic intent for cloud adoption.
1.4 The Goal
The goal of this Policy is to ensure a 30% increase in adoption of cloud computing by 2024 among
Federal public institutions (FPIs) and SMEs that provide digital-enabled services to the government.
The policy also targets 35% growth in cloud computing investments by 2024.
Specifically, the cloud computing policy is to achieve the following objectives by 2024:
1. an enabling environment for the private sector to increase cloud computing infrastructure investments by 35%;
2. clear direction and programs that ensure attainment of a 30% increase in cloud adoption and migration by the public sector and SMEs that provide services for the government; and
3. an enabling and competitive business environment for Nigerian cloud service providers (CSPs) and/or cloud service consultants (CSCs) to operate efficiently and profitably in the cloud marketplace.
The cloud computing policy provides key facts that support the need for cloud adoption by PIs and
those SMEs that provide IT-enabled services to the government. These facts are hinged on the need
for efficiency and real time access to computing resources required by the government to provide
highly accessible and quality services to the populace.
1.5 Making Cloud Computing Deployment and Service Models Choices
The Cloud Computing Policy recognizes three internationally well-known cloud deployment and
service models each. Public Institutions and SMEs that are willing to adopt cloud computing would
need to make strategic choices for deployment models and services that meet their business
objectives and computing requirements. The following will help PIs and SMEs make these strategic
decisions.
The Policy recognizes three deployment models and they are categorized as follows in figure 1.0
based on the level of data sensitivity.
Level of Data Sensitivity -> Deployment Model
- Combination of Sensitive and Non-sensitive Data with a mix of mission and non-mission critical applications -> Hybrid Cloud
- Public or Non-Sensitive or Non-Confidential Data and non-mission critical applications -> Public Cloud
- Sensitive Data (National Information Security Data) and mission critical applications -> Private Cloud
Figure 1.0: Categories of Cloud Deployment Model
The service models are described as presented in figure 2.0.
Figure 2.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy.
Source: Ray Rafaels
Table 1.0 presents the risk and responsibility that PIs and SMEs must note before making a service model choice. It also prescribes the level of Information Technology (IT) expertise required to implement each service model and the category of PIs that should opt for it. In addition, it makes recommendations for PIs on the choice of a cloud service model based on the level of data generated (either sensitive or otherwise) and the level of their control over computing resources.
PIs are categorized into the following three levels of expertise:
1. High IT Expertise
2. High to Moderate IT Expertise
3. Less IT Expertise
Table 1.0: A Guide for Choosing Cloud Computing Service Model
Columns: Delivery Type | Risk and responsibility | Prescription for PIs or SMEs (Data, Control, Level of IT Expertise)

Delivery Type: IaaS
Risk and responsibility: The cloud consumer builds the application without worrying about the infrastructure requirements. The security responsibility is equally divided between the cloud service provider and the cloud consumer. In this model, the risk is segregated and layered. It is also a shared risk model.
Prescription for PIs or SMEs:
  Data: The IaaS option is suitable for PIs that generate sensitive data (especially citizens’ data), or use or keep other PIs’ data.
  Control: No control over IT infrastructure (networking, servers, virtualization), but control over operating systems, storage and deployed applications. A bit of control over select networking components (e.g. host firewalls).
  Level of IT Expertise: High

Delivery Type: PaaS
Risk and responsibility: The cloud consumer brings the application expertise along with licenses, data, and resources, and consumes the platform shell. This model is used by consumers who either lack infrastructure skills or want to save on high capital expenditure (capex). The security responsibility starts to tilt more towards the cloud provider. However, the service provider bears higher risk than the consumer as the provider supports more layers. Similar to IaaS, this is a shared risk model.
Prescription for PIs or SMEs:
  Data: The PaaS option is suitable for PIs that use or keep other PIs’ data. They can also generate data (either sensitive or not), but not as much as in the case of IaaS. They build software applications in-house (either through their personnel or outsourced). Recommended for SMEs that build software applications for the government.
  Control: PIs have control over the configurations of the application development and hosting environment and fair control over IT platforms. No control over IT infrastructure.
  Level of IT Expertise: High to Moderate

Delivery Type: SaaS
Risk and responsibility: The cloud consumer does not have the necessary skills, time, or resources to set up an application ecosystem and manage it. No upfront capex requirement. The security responsibility is mostly with the cloud provider. The consumer is mainly responsible for securing client-side vulnerabilities. The service provider bears most of the risk.
Prescription for PIs or SMEs:
  Data: The SaaS option is suitable for PIs that do not frequently generate data (either sensitive or not) or use data generated by other PIs. They are more concerned about their operational efficiency. Recommended for SMEs that provide cloud service consulting and manage cloud applications for PIs.
  Control: No control over IT infrastructure and platforms. Less control over the application.
  Level of IT Expertise: Less IT expertise
The business objectives and computing availability requirements of PIs and SMEs are broadly categorized into Data Security and Service Availability. These are the major factors for choosing a deployment model and the corresponding service model. Table 2.0 presents the relationship between the models. It guides PIs and SMEs to make choices that meet their computing requirements based on data security and service availability.
Table 2.0: Cloud Service Model and Delivery Model Matrix
Rows: Delivery Model (Private, Public, Hybrid); Columns: Service Model (SaaS, PaaS, IaaS)

Private
  SaaS: Data security requirements by consumers are low, but a high level of service availability requirements is expected from cloud providers. Vice versa between providers & consumers.
  PaaS: Data security requirements by consumers are between high and moderate, with a high to moderate level of service availability requirements expected from cloud providers. Vice versa between providers & consumers.
  IaaS: Data security requirements by consumers are very high, and the level of service availability requirements expected from cloud providers is high. Vice versa between providers & consumers.

Public
  SaaS: Data security requirements by consumers are low, and the level of service availability requirements expected from cloud providers is between low and moderate. Vice versa between providers & consumers.
  PaaS: Data security requirements by consumers are moderate to high, and the level of service availability requirements expected from cloud providers is high to moderate. Vice versa between providers & consumers.
  IaaS: Data security requirements by consumers are moderate, and the level of service availability requirements expected from cloud providers is high. Vice versa between providers & consumers.

Hybrid
  SaaS: Data security requirements by consumers are between low and moderate, and the level of service availability requirements expected from cloud providers is moderate to high.
  PaaS: Data security requirements by consumers are high to moderate, and the level of service availability requirements expected from cloud providers is moderate to high.
  IaaS: Data security requirements are high to moderate, and the level of service availability requirements expected from cloud providers is high.
CHAPTER TWO:
STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS
There are statements in the Cloud Computing Policy that require certain actions to be taken by
NITDA, PIs, CSPs, and other relevant stakeholders. Implementation of the actions will lead to
actualization of the Policy goal and objectives. The actions demand certain strategies for their
implementation and the strategies are further broken down into strategic initiatives.
Therefore, this chapter presents critical statements/issues in the Nigeria Cloud Computing Policy and the implementation strategy (or strategies) for each statement. Strategic initiatives are proposed to implement each strategy. Each statement is presented as follows.
2.1 Procurement
Traditional purchasing practices and contract terms may hinder the scalable, cost-effective, and innovative nature of cloud computing. Procurement is a central issue in the development of cloud computing. Nigerian procurement law supports a yearly procurement contract, whereas cloud service contracts are structured on a “pay as you go” basis. To ensure cloud adoption growth, this challenge must be addressed appropriately. The following strategies and their strategic initiatives will be adopted.
Strategy 1.0
Development of cloud procurement regulation.
Strategic Initiatives
The following strategic
1. BPP and NITDA, in consultation with relevant stakeholders, will develop Cloud Procurement
Regulation.
2. BPP and NITDA will monitor and ensure compliance with the provisions of the regulation.
Strategy 2.0
Establishment of Digital Marketplace
Strategic Initiatives
1. Design and develop Nigerian Cloud Digital Marketplace.
2. NITDA, in collaboration with relevant stakeholders, will set up governance structure, business
models and operational plan for Nigerian Cloud Digital Marketplace.
2.2 Data Classification
PIs are going to have vastly different types of information, and the information will contain varying levels of sensitivity. The Nigeria Cloud Computing Policy proposed the data classification presented in Figure 3.0. A detailed explanation is available in the Policy.
Figure 3.0: Information security levels
For proper implementation of this data classification by PIs and SMEs that provide service for
government, the following strategy shall be taken into consideration.
Strategy 3.0
Development of a cloud data classification guide. This will assist cloud stakeholders to classify cloud
data.
Strategic Initiatives
1. NITDA, in consultation with relevant stakeholders, will provide a data classification guide based
on data classification framework in the Policy and other parameters. The guide will be put on
the Nigerian Cloud Digital Marketplace.
NOTE: Table 3.0 provides a template for cloud stakeholders to properly classify their cloud data.
Table 3.0: Template for calculating data security and sensitivity.

Classification Criteria                                                | Min. - Max. Score | Max. Score
-----------------------------------------------------------------------+-------------------+-----------
Critical National Data/Information (Including National Security Info)  | =3 (Mandatory)    | 3
Data containing Personally Identifiable Persons                        | =3 (Mandatory)    | 3
  Scale: High level = 3, Medium Level = 2 and Low Level = 1
Transactional Data with certain level of Business/operational          | Between 1 and 3   | 3
Information
  Scale: Limited = 1, Serious = 2 and Severe or Catastrophic = 3
Confidentiality                                                        | Between 1 and 3   | 3
Integrity                                                              | Between 1 and 3   | 3
Availability                                                           | Between 1 and 3   | 3
Total Score                                                            |                   |
2.3 International Dimensions of Cloud Computing
Strategy 4.0
Development of a balanced data localization and cross-border data flow guidelines
Strategic Initiatives
1. NITDA will develop cross-border data flow guidelines for efficiency purposes.
2. Provide CSPs’ identification framework based on cross-border data flow guidelines
2.4 Service Level Agreement and Consumer Protection
The quality and reliability of services become important as PIs and SMEs migrate to the cloud. It is important to ensure that the rights of consumers and service takers are protected in the cloud space.
Strategy 5.0
Develop an SLA Template for Cloud engagement
Strategic Initiatives
a. NITDA will collaborate with relevant cloud stakeholders to develop SLA template for Cloud
engagement
b. NITDA will make the SLA template available on the digital marketplace
Strategy 6.0
Stakeholders’ collaboration for the protection of consumers’ rights.
Strategic Initiatives
1. NITDA will engage and partner with Federal Competition and Consumer Protection
Commission (FCCPC) and other relevant stakeholders to ensure monitoring, compliance and
enforcement with the provisions of consumer protection in the Cloud Computing Policy.
2.4 Information Security
The goal of information security in the cloud environment is to protect the confidentiality, integrity and availability of government data. Therefore, in order to ensure information security, cloud service providers must put measures in place to ensure data confidentiality, integrity and availability.
Strategy 7.0
Development of National Cloud Computing Security Guidelines
Strategic Initiatives
1. NITDA, in collaboration with relevant stakeholders, will develop national cloud computing data
security guidelines.
2.5 Cloud Interoperability
The Nigeria Cloud Policy will enable rapid adoption and growth of cloud computing. Many CSPs will operate in the space, and consumers of cloud services might want to port from one CSP to another. The following strategy will be adopted to manage interoperability requirements, in addition to adoption of the Nigeria e-Government Interoperability Framework (Ne-GIF) and ISO/IEC 17203:2011 as specified in the Nigeria Cloud Computing Policy.
Strategy 8.0
Development of Nigeria cloud interoperability guidelines
Strategic Initiatives
1. NITDA, in collaboration with relevant stakeholders, will develop Nigeria cloud
interoperability guidelines. The guide will provide direction for cloud consumers to navigate
cloud interoperability requirements. It will consider important areas of interoperability as
prerequisite requirements for choosing a CSP and ensuring cloud interoperability.
See Appendix A3.0 for the interoperability considerations that form the focus areas of the guidelines.
2. NITDA will make Nigeria cloud interoperability requirements available on the digital marketplace.
2.7 Migration to The Cloud
Moving to the cloud requires an orchestrated migration plan to mitigate the risks involved. The following strategy will be implemented to ensure PIs and SMEs migrate to the cloud successfully.
Strategy 9.0
Develop cloud migration guide for PIs and SMEs
Strategic Initiatives
1. NITDA, in collaboration with relevant stakeholders, will develop cloud migration guide. The
guide will serve as a template to be followed by PIs and SMEs while migrating to the cloud.
The cloud migration guide will consider important steps for cloud migration. In the
meantime, consumers are advised to be guided by the following migration steps or
requirements.
See Appendix A4.0 for the cloud computing migration steps and requirements that form the focus areas of the guidelines.
2. NITDA will publish the cloud migration guide on digital marketplace portal.
3. NITDA will monitor cloud migration through the IT project clearance committee and other
monitoring mechanisms.
2.8 Workforce and Skills
Cloud adoption means a complete change in the way information technologies are acquired and deployed by PIs and SMEs. The change also cuts across organisational processes and people. People are going to play a major role in the adoption process, and they are the main drivers. If people with the right skills are not involved in the cloud adoption processes, the objectives of the exercise might be defeated. Effective cloud adoption by PIs will depend on developing talent and acquiring professional IT credentials. The strategy for building the right skills among the public sector workforce and SMEs is highlighted as follows.
Strategy 10.0
Facilitate the development of special skills for cloud computing in the public sector and among
targeted SMEs.
Strategic Initiatives
1. Partnership with private sector (training outfits) and development partners to build cloud
capacity of PI personnel and SMEs
See Appendix 5.0 for focus areas of cloud computing capacity
2. Partnership with strategic organisations (such as SMEDAN) to build cloud adoption skills and capacity for targeted SMEs.
2.9 Vendor Lock-in & Data Withdrawal
Circumstances might require PIs or SMEs to migrate from one CSP to another or to use multiple CSPs to accomplish business objectives. Also, data sovereignty and localization regulatory requirements might require PIs and SMEs that provide services to the public sector to move government data and its hosting platforms onshore at any time. Therefore, PIs and SMEs should avoid vendor lock-in and ensure data withdrawal is possible whenever it is mandatory. The following strategy will be adopted to avoid vendor lock-in and ensure data withdrawal is seamless.
Strategy 11.0
Develop vendor lock-in avoidance guide
Strategic Initiatives
1. NITDA will provide a cloud vendor lock-in avoidance guide.
See Appendix 6.0 on focus areas of vendor lock-in avoidance guide
2.10 Cloud Registration and Certification
To guarantee trust, build the confidence of cloud consumers and ensure there is sanity in the cloud computing space, NITDA will register and certify indigenous CSPs that have met certain standards. Certified Indigenous CSPs will be the beneficiaries of the “Nigeria Cloud First Policy”. NITDA will adopt the following strategies to implement CSP registration and certification.
Strategy 12.0
Registration of Indigenous CSPs
Strategic Initiatives
1. NITDA will establish registration process for CSPs
2. Registration of Indigenous CSPs.
Strategy 13.0
Develop National Cloud Certification Criteria based on international standards and best practices
Strategic Initiatives
1. NITDA will develop National Cloud Certification Criteria
See Appendix 7.0 for the focus areas of certification criteria
2. NITDA will publish the Cloud Certification Criteria on Nigerian Cloud Digital Marketplace.
3. NITDA will certify Indigenous CSPs based on the Certification Criteria
2.11 Cloud Audit and Reporting
The Nigeria Cloud Computing Policy requires a CSP to provide satisfactory audit reports or respond to audit requests by NITDA or other statutory bodies. The following strategies will be adopted to implement the cloud audit and reporting requirements.
Strategy 14.0
Establish cloud system audit and reporting process.
Strategic Initiatives
1. Audit and reporting process. NITDA will establish audit and reporting process for Indigenous
CSPs.
2. Annual voluntary report: NITDA shall request CSPs to provide voluntary annual audit report.
See Appendix 8.0 for assessment metrics that would form part of the CSPs reporting template
CHAPTER THREE:
NIGERIA CLOUD COMPUTING GOVERNANCE
3.1 National Cloud Governance
In order to ensure coordination of cloud computing projects and procurement within and across PIs and SMEs that provide IT-enabled services to the government, it is important to institutionalize a governance structure that governs cloud implementation from planning and architecture to deployment, and that allows seamless switching from one CSP to another and unclouding, when needed, in a sustainable manner. Cloud services need to be adopted as an integral part of the organization’s existing operating model. The absence of a governance structure that establishes standards and provides clear direction and consistency in managing cloud services can undermine cloud benefits and create unforeseen risks (security, privacy and financial), and complexity rather than interoperability and simplicity.
The proposed national cloud computing governance establishes the structure upon which the goal and objectives of the Nigeria Cloud Computing Policy would be achieved. It is a structure that governs the implementation of the strategic initiatives established by the “Cloud Computing Implementation Strategy”. Figure 4.0 presents the proposed national cloud computing governance at the Federal level.
Presidency: Promoting the National Vision for Cloud Computing (Leadership)
FMC: Supervising policy implementation and promoting investment
Budget & National Planning: Putting cloud computing as part of the National IT deployment plan
NITDA: Coordinating implementation across FPIs; clearing cloud projects by FPIs; regulating the cloud computing space; facilitating strategic partnerships and investments; and carrying out cloud computing assessment
Federal Competition and Consumer Protection Commission (FCCPC): Promoting a competitive cloud market and consumer protection
Bureau of Public Procurement (BPP): Providing cloud procurement regulation with support for cloud purchasing models
FPIs and SMEs: Implementing cloud computing projects
CSPs: Providing cloud services to FPIs & SMEs
Figure 4.0: National Cloud Computing Governance
3.2 Public Institution Cloud Computing Governance
Aside from the national governance, each FPI or SME that provides IT-enabled service to the government is expected to develop its cloud governance structure internally in order to ensure IT acquisition and deployment aligns with the national goal and its business objectives.
Adopting cloud creates a shift in the responsibilities of IT/ICT departments: a shift from technical work to contract negotiation, establishing key performance indicators and vendor management. This shift in responsibilities contributes to the IT department’s changing role from operator of technology to governor of systems and processes, and it requires establishing a cloud governance model that everyone must follow.
A cloud governance model will enable IT and the business to collaborate in defining the right strategy for configuration, migration, management and disposition of cloud services. It defines roles and responsibilities and holds PIs to account for IT investment decisions and resource management for cloud computing adoption. Cloud governance will manage the unnecessary complexity and cost increase that can arise from uncoordinated procurement of cloud services.
However, IT personnel will need to acquire new skills as they transition from operators and
tacticians to vendor managers and governors. These skills, as itemized in the section on workforce
and skills, include understanding not only contractual obligations and service management, but also
new and emerging technologies and processes that may help to better manage cloud services.
Governance structure in each PI and SME will need to span the three pillars of people, process and
technology and encompass the entire cloud life cycle, from identification and configuration to
migration, management and decommission.
NOTE: PIs and SMEs are advised to follow and be guided by this governance model while deploying and migrating to the Cloud. The whole cloud life cycle should be planned and governed by the cloud governance domain, bearing in mind people, process and technology.
Figure 7.0: Organisational Cloud Computing Governance Model
See Appendix 9.0 for the explanation on the cloud computing governance model for PIs and SMEs
CHAPTER FOUR:
IMPLEMENTATION PLAN
The first implementation road map to achieve the goal of the Nigeria Cloud Computing Policy spans a period of five (5) years (between 2019 and 2024) and is divided into short, medium and long term respectively (Tables 4.0, 5.0 and 6.0).
Table 6.0: Strategy Implementation road map (Short-term)
Columns: S/n; Strategy; Strategic Initiatives; Major Action by; Implementation Timeline (2019-2021)

1.0 Strategy 1.0: Development of cloud procurement regulation.
    Strategic initiatives:
    1. BPP and NITDA, in consultation with relevant stakeholders, will develop Cloud Procurement Regulation.
    2. BPP and NITDA will monitor and ensure compliance to the provision of the regulation.
    Major action by: BPP & NITDA. Timeline: 2019.

2.0 Strategy 3.0: Development of a data classification guide
    Strategic initiatives:
    1. Provision of data classification guide based on data classification framework in the Policy and other parameters.
    Major action by: NITDA. Timeline: 2019.

3.0 Strategy 4.0: Development of a balanced data localization and cross-border data flow guidelines
    Strategic initiatives:
    1. NITDA will develop cross-border data flow guidelines.
    2. Provide CSPs’ identification framework based on cross-border data flow guidelines.
    Major action by: NITDA. Timeline: 2019.

4.0 Strategy 5.0: Develop an SLA Template for Cloud engagement
    Strategic initiatives:
    1. Development of SLA template for Cloud engagement.
    Major action by: NITDA. Timeline: 2019-2021.

5.0 Strategy 7.0: Development of a National Cloud Computing Security Guidelines
    Strategic initiatives:
    1. Development of national cloud computing data security guidelines.
    Major action by: NITDA & ONSA. Timeline: 2020-2021.

6.0 Strategy 9.0: Develop cloud migration guide for PIs and SMEs
    Strategic initiatives:
    1. Development of cloud migration guide.
    Major action by: NITDA. Timeline: 2020.

7.0 Strategy 12.0: Registration of Indigenous CSPs
    Strategic initiatives:
    1. Establishment of registration process.
    2. Registration of Indigenous CSPs.
    Major action by: NITDA. Timeline: 2020-2021.

8.0 Strategy 13.0: Develop National Cloud Certification Criteria based on international standards and best practices
    Strategic initiatives:
    1. Development of National Certification Criteria.
    2. Certification of Indigenous CSPs.
    Major action by: NITDA. Timeline: 2021.
Table 7.0: Strategy Implementation road map (Medium-term)
Columns: S/n; Strategy; Strategic Initiatives; Major Action by; Implementation Timeline (2022-2023)

1.0 Strategy 11.0: Develop vendor lock-in avoidance guide
    Strategic initiatives:
    1. Development of vendor lock-in avoidance guide.
    Major action by: NITDA.

2.0 Strategy 2.0: Establishment of Digital Marketplace
    Strategic initiatives:
    1. Design and development of Nigerian Cloud Digital Marketplace.
    2. Setting up of governance structure, business models and operational plan for Nigerian Cloud Digital Marketplace.
    3. Publication of cloud migration guide on Nigerian digital marketplace portal.
    4. Publication of Cloud Certification Criteria on Nigeria Cloud Digital Marketplace.
    5. Publication of cloud SLA on Nigeria Cloud Digital Marketplace.
    Major action by: NITDA. Timeline: 2022.

3.0 Strategy 14.0: Establish cloud system audit and reporting process.
    Strategic initiatives:
    1. Establishment of audit and reporting process for Indigenous CSPs.
    2. Request for CSPs’ annual voluntary report.
    Major action by: NITDA. Timeline: 2022-2023.

4.0 Strategy 10.0: Facilitate the development of special skills for cloud computing in the public sector and among targeted SMEs
    Strategic initiatives:
    1. Partnership with private sector (training outfits) and development partners to build cloud capacity of PI personnel and SMEs.
    2. Partnership with strategic organisations (such as SMEDAN etc.) to build cloud adoption skills and capacity for targeted SMEs.
    Major action by: NITDA & CSPs; NITDA & SMEDAN. Timeline: 2022-2023.
Table 8.0: Strategy Implementation road map (Long-term)
Columns: S/n; Strategy; Strategic Initiatives; Responsibility; Implementation Timeline (2024)

1.0 Strategy 8.0: Development of Nigeria cloud interoperability requirements
    Strategic initiatives:
    1. Develop Cloud interoperability guidelines.
    2. Publish the cloud interoperability requirements on digital marketplace.
    Responsibility: NITDA. Timeline: 2023.

2.0 Strategy 6.0: Stakeholders’ collaboration for the protection of consumers’ rights.
    Strategic initiatives:
    1. Monitoring, compliance and enforcement of the provisions of consumer protection in the Policy.
    Responsibility: NITDA & FCCPC. Timeline: 2020-2024.

3.0 Strategy 9.0: Develop cloud migration guide for PIs and SMEs
    Strategic initiatives:
    1. Monitoring of cloud migration by PIs through NITDA’s IT clearance committee.
    Responsibility: NITDA. Timeline: 2019-2024.
Table 9.0: Specialized Strategies
Columns: S/n; Strategy; Strategic Initiatives; Responsibility; Implementation Timeline (2019-2024)

1.0 Cloud Computing Readiness Assessment
    Strategic initiatives:
    1. Conduct cloud computing readiness assessment across all sectors of the economy.
    Responsibility: NITDA. Timeline: 2019-2020.

2.0 Promotion of Cloud Migration
    Strategic initiatives:
    1. Monitor and enforce compliance with Cloud First value proposition by FPIs and SMEs.
    2. Extension of cloud computing adoption programs to sub-national PIs.
    3. Provision of cloud migration technical assistance to FPIs through NITDA IT clearance committee.
    Responsibility: NITDA. Timeline: 2019-2024.

3.0 Cloud Computing Code of Conduct
    Strategic initiatives:
    1. Development of Indigenous Cloud Computing Code of Conduct.
    Responsibility: CSPs & NITDA. Timeline: 2022-2024.

4.0 Promotion of Investment in Cloud Computing Systems in Nigeria
    Strategic initiatives:
    1. Provision of incentives to Indigenous CSPs.
    2. Encouragement and creation of an enabling environment for Cloud Computing investments.
    Responsibility: NITDA, CSPs, BPP. Timeline: 2020-2024.

5.0 Monitor, Comply and Enforce
    Strategic initiatives:
    1. Continuous monitoring, compliance and enforcement of the provisions of the Nigeria Cloud Computing Policy and compliance framework.
    Responsibility: NITDA, BPP & FCCPC. Timeline: 2019-2024.
CHAPTER FIVE:
NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK
5.1 Compliance Framework
The Nigeria Cloud Computing Policy states the following:
1. The CSP shall maintain the utmost integrity to protect the data and meet the security requirements set forth by NITDA; and
2. Data shall not be stored, shared, processed, or modified by the CSP in any way that compromises the integrity of the data.
Therefore, NITDA shall ensure compliance with and enforce the above statements through the following compliance and enforcement framework.
1. NITDA shall identify and register all CSPs operating in Nigeria through a registration process and guidelines.
2. NITDA shall certify CSPs operating in Nigeria based on the NITDA Cloud Certification Criteria to be provided on the Nigerian Cloud Digital Marketplace.
3. NITDA will develop and maintain a database of all CSPs and their services on the digital marketplace platform.
4. CSPs shall be required to submit a report to NITDA annually or as it may be requested.
5. Where applicable, PIs and SMEs shall ensure compliance with the provisions of the Cloud Computing Policy and/or compliance framework.
6. NITDA shall, in the next 3 years, ensure implementation of the strategies and strategic initiatives in this document.
7. NITDA shall employ the following compliance tools:
Self-Reporting: NITDA will provide templates and a technology platform for self-reporting or filings by CSPs.
In the absence of a technology platform, CSPs or any other entity shall submit a physical copy of the report to NITDA in the following manner:
I. The report shall be addressed to the Director General of NITDA.
II. The Director General shall direct the department responsible for regulation, monitoring and enforcement to handle the report.
III. The report shall clearly specify the following:
a. The full name of the entity;
b. Title of the report.
A soft copy of the report, as indicated above, can be submitted to NITDA’s official email:
Verification: Where necessary, NITDA shall verify audit information submitted by CSPs and PIs to ensure its accuracy, veracity and validity.
Monitoring: NITDA shall institute systematic, continual or periodic, active or passive observation of CSPs’ and PIs’ cloud systems to ensure compliance with the general rules and processes laid down.
Audit: Where necessary, NITDA shall investigate or examine records, processes and procedures of CSPs and PIs to ensure they are in compliance with the requirements of the policy and/or compliance framework. This will be based on NITDA’s established cloud system audit and reporting process.
8. If there is any breach of the provision of the policy and compliance framework, NITDA shall
enforce it through the following enforcement process or framework:
Figure 8.0: Enforcement framework
Surveillance: Where necessary, NITDA shall institute specific and deliberate monitoring exercise to
identify breach with the policy and/or compliance framework.
Complaint Filing: Where necessary, NITDA may wish to accept complaint filing by NITDA’s personnel
or any interested parties of non-compliance with the provisions of the Policy and/or compliance
framework. The complaints must meet the following requirements:
I. A complaint must be filed in writing, either on paper or electronically.
II. A complaint must name the person or entity that is the subject of the complaint and
describe the acts or omissions believed to be in violation of the applicable provision(s) of
the policy and framework.
Investigation: NITDA will investigate any complaint filed against a CSP or PI when a preliminary
review of the facts indicates a possible violation of the provision(s) of the cloud policy and/or
compliance framework. In the case of third party filing, NITDA shall investigate any complaint filed by
third parties and may also do so based on a special audit or “spot check”.
Administrative Sanctions: Where NITDA has ascertained that a CSP is in breach of any of the provisions of the cloud policy and compliance framework, NITDA may issue an order for compliance. NITDA may also issue other administrative orders, including:
I. Suspension of service pending further investigations;
II. Order for the CSP in breach to appear before a panel to determine the level of liability;
III. Issue a public notice to warn the public to desist from patronizing or doing business with the CSP; and
IV. Refer the CSP in breach to another Self-Regulatory Organization (SRO) for appropriate sanctions.
Criminal Sanction: Where NITDA has determined that a CSP is in breach of the cloud policy and compliance framework, it may seek to sanction officers of the organization as provided for in Section 17(x) of the NITDA Act 2007. NITDA shall seek a fiat of the Honorable Attorney General of the Federation (HAGF) or may file a petition with any sanction authority in Nigeria. This may include the Economic and Financial Crimes Commission (EFCC), the Department of State Security (DSS), the Nigerian Police Force (NPF), the Independent Corrupt Practices Commission (ICPC) or the Office of the National Security Adviser (ONSA), among others.
5.2 General Enforcement Process
Table 10.0: Cloud Computing General Enforcement
Columns: S/n; Enforcement Activity; Description of Action

1 Documentation of Breach
    a. At this stage it is required that a report, memo, petition or complaint is officially submitted to NITDA through the office of the Director General of NITDA.
    b. The document must be duly signed by an Officer of NITDA or the external complainant.
    c. For an external complaint, the document must be written and signed by an individual either in personal capacity, or a group (of persons or companies), or a registered entity (registered with the CAC).

2 Request for Additional Information and Investigation
    If it appears NITDA is not sufficiently briefed or may need further information to arrive at a conclusion of breach of the policy and/or compliance framework, the following procedure should be employed:
    a. A “Request for Additional Information” should be issued to either the complainant, the alleged violator or any other party who may be in a position to provide clarity on the facts of the allegation of breach.
    b. Invite relevant parties for an “Investigation Meeting” to elicit facts to establish breach.
    c. “Request for Investigation” in partnership with law enforcement agencies.

3 Continuation or Termination of Enforcement Process
    Where NITDA is satisfied that there is prima facie evidence of a breach, NITDA can:
    a. Request a response from the violator stating the allegations against them;
    b. In the event NITDA finds the explanations of the alleged violator coherent and sufficient, NITDA will respond to the allegation and enforcement will be terminated.

4 Notice of Enforcement
    Where NITDA is satisfied that a breach of the Cloud Computing Policy and/or compliance framework has occurred:
    a. NITDA will then issue a “Notice for Enforcement” citing the specific breach and demand mandatory compliance within a specific time frame from the date of the service of notice (30 days or 60 days as the case of breach may demand).
    b. NITDA may issue an administrative fine or penalty in line with extant regulation.

5 Issuance of Public Notice (OPTIONAL)
    NITDA may consider issuing a public statement warning the public and other agencies of Government of the dangers of dealing with a violator who has breached the provision(s) of the Cloud Computing Policy and/or compliance framework.

6 Request for Sanction
    a. Where a violator does not take steps to address the breach or consult with NITDA as to what steps are to be taken to remedy the breach after the period stated in the “Notice for Enforcement”; or
    b. Where the Regulation only provides for sanction of the violator in accordance with Section 17x NITDA Act;
    c. NITDA may file an official Petition or Notice for Sanction to the Office of the Attorney General of the Federation, stating the following:
        i. Original complaint;
        ii. Enforcement process initiated by NITDA; and
        iii. Implication of the action of the violator to the development of ICT in Nigeria.
    d. A copy of the notice should be copied to the Presidency and the Office of the Secretary of Government of the Federation (OSGF).
9. NITDA shall ensure PIs and SMEs put appropriate governance structure in place for Cloud project
implementation.
Appendix
Appendix A1.0: Rationale for “Cloud First” value proposition
1. Reduced Capital Cost: The reduction in capital cost can be achieved through savings on the initial cost of acquiring and deploying IT infrastructure and other computing resources, hiring of technical personnel, maintaining and managing resources, as well as taking advantage of the economy of scale offered by the Cloud;
2. Efficiency: Efficiency is realized through real-time and on-demand self-provisioning of computing resources. Cloud computing offers public institutions and SMEs the needed agility for responsive digital service delivery. NITDA has noticed the epileptic nature of digital service delivery in the country with respect to certain critical government services. Once traffic gets to the peak for a particular digital service, citizens/government customers begin to experience delay in getting the service. This would be greatly eradicated through strategic adoption of cloud computing;
3. Digital Service Innovation: Digital service innovation will be highly promoted through adoption of cloud because of the edge gained as a result of cloud efficiency;
4. Elasticity: Cloud has the ability to provide customized computing services as needed. Computing service can be shrunk or grown based on demand. This will help public institutions and SMEs pay as they use, thus reducing waste of computing resources.
5. Information Security: Due to security requirements to protect data of businesses and certain government operations, Cloud Service Providers (CSPs) are deploying the latest security measures and controls on the cloud. CSPs have the capability to offer better security and Business Continuity Plans than individual organisations with server rooms and data centers.
Appendix A2.0: National Strategic Intent for Cloud Adoption
1. Responsive and efficient public service delivery and public sector digital transformation: Government agencies will leverage cloud to provide responsive and efficient public service in a transparent manner. This includes the ability to provide better healthcare, social amenities, justice, public safety, and education services among others.
2. Local ICT industry development and growth, including SMEs: Cloud technologies will create a competitive advantage in favour of small to medium enterprises (SMEs) that provide computing service to the Government. By adopting cloud technology, SMEs hold immense potential for generating employment opportunities, development of indigenous technology, diversification of the economy and forward-integration with established sectors such as banking, telecommunication, oil and gas among others.
3. Resources Savings: Migrating to the cloud can help streamline processes in many public
institutions in Nigeria. Systems are too dispersed among organisations, creating inherent
inefficiencies in the national public IT architecture. Instead of consolidating these services
under a central government platform, which may be too rigid to meet the needs of individual
organisations’ applications, contracting cloud services can both drive efficiencies and enhance
the customisation of IT service solutions. Also, cost savings will be expressed through:
4. Opportunities to better manage human resources: Qualified IT professionals are a scarce
resource in Nigeria and around the world. Using those resources to handle routine issues like
server maintenance, patching, and other low-level support activities is wasteful of their
training, experience, and talent. By moving these process-oriented tasks to cloud service
providers, public institutions can invest in their human resources to re-train them for value-
adding skills and activities, such as customised application development and innovative
services.
Appendix A3.0: Cloud Computing Areas of Interoperability Guide
Consumers and CSPs should be aware of the following areas of interoperability.
I. Data Portability;
II. Application Portability;
III. Platform Portability;
IV. Application Interoperability;
V. Platform Interoperability;
VI. Management Interoperability; and
VII. Publication & Acquisition Interoperability
In addition, the guide will also consider the following as prerequisite requirements for choosing a CSP:
I. Standard user interfaces, APIs, protocols and data formats for SaaS;
II. Open cloud technologies for platform and application dependencies for PaaS;
III. Standard or widely accepted application packaging formats such as Open
Virtualization Format (OVF), Cloud Data Management Interface (CDMI) and Docker for IaaS. Also, open and/or standard business interfaces and APIs will be
considered;
IV. The use of standard enterprise integration tools such as Cloud Management
Platform (CMP) to manage integration, interoperability and portability between
multiple cloud and on-premise services;
V. Support for standard security technologies;
VI. Service-oriented architecture (SOA) design principles; and
VII. Standard enterprise access management capabilities
Appendix A4.0 : Cloud Computing migration steps and requirements
These steps or requirements are going to form part of the cloud migration guide:
Identification of what cloud services (SaaS, PaaS, and/or IaaS) and data will be provided and
establish from where the services will be provided.
I. Establishment of where the migration will occur.
a. In-house data center (on premise) – owned and operated by the organization.
b. External data center (off premise)– outsourced to a commercial cloud service
provider.
II. Definition of what cloud deployment model will be used:
a. Public cloud – available for use by the general public and located on the premises of
the cloud service provider.
b. Private cloud – the cloud infrastructure is dedicated to a specific organization or
community of customers. The community might be from a community of
organizations that share common concerns (e.g., missions, security, policy,
compliance guidelines, etc.). It may be located on the premises of the customer or
the cloud service provider.
c. Hybrid cloud – a combination of two or more of the above cloud deployment
models – public, community, or private.
III. Development of migration/implementation approach
a. Conduct a Proof of Concept and define a set of requirements for implementation.
b. Implement in full or phases. That is implement all requirements at once or
incremental phases based on a cost vs benefits vs risk analysis to define the
implementation strategy. It is recommended that phased approach is used.
c. Phasing strategies may include the following:
i. Implement a set of requirements based on priorities that have an
immediate operational impact and are achievable in the specified
time
ii. Migrate low risk capabilities first to learn lessons and refine plans
for future increments.
iii. Implement requirements in an evolutionary manner in which
solutions are implemented, evaluated, and improved on
incrementally.
IV. Identify the framework to be used for the migration. The migration framework in
the Nigeria Cloud Computing Policy is recommended.
Figure 9.0:Cloud Migration Decision framework
V. Risk management/mitigation.
a. Identify actual and possible implementation risks that may adversely impact (or are
impacting) implementation, and lay out a mitigation strategy for them.
b. Consider risks at the cloud provider’s and cloud customer’s locations as well as the
transport (communications) network connecting them. Also, consider risks in
integrating new cloud technology with legacy systems, networks, infrastructure,
processes, etc.
c. Categorize risks by impact and likelihood to ensure that risks are addressed by
priority.
d. Identify operational risks that may adversely impact the capability once it is operational. These risks may be due to natural, technological, or human causes, and may be universal or geographically dependent.
e. Risk Mitigation.
i. Develop risk mitigation strategies for both implementation and
operational risks.
ii. Determine testing requirements to ensure the new capabilities are
operating as planned/needed.
f. Determine the need for availability and reliability standards, which drive the
following considerations to minimize risks and provide resiliency (the ability to
recover from issues):
i. Need for redundancy of equipment and/or communications paths
(networks).
ii. A continuity of operation plan (COOP) or disaster recovery (DR) plan
and possibly an alternative site in case of long term or catastrophic
failure.
g. Track these risks in a documented Risk Registry that identifies the risks,
priorities, mitigation strategies, responsibilities, dates for resolution, level of
risk, and status.
h. Consider a fall back plan to restore services to their original state in case of
implementation failure.
VI. Involve experts (acquisition and contract officers) early to help define the acquisition
and contract strategy.
a. Determine requirements for acquiring, upgrading, replacing, or eliminating
equipment, software, communications infrastructure, etc. A gap/redundancy
analysis can help with this.
b. Leverage open, vendor-neutral standards to provide open competition and
avoid becoming locked in to a specific vendor.
VII. Establish an approach to performance management/measurement
a. Define the expected/required Quality of Service (QoS) metrics in the form of:
i. Describe the expectations for how services will be delivered to the
customer (e.g., reliability, availability, and maintainability
requirements; incident response times; etc.) as itemized in the SLAs
template.
ii. Operating Level Agreements (OLAs) describing the expectations for
how the service delivery organization will work with supporting
organizations.
b. Identify:
i. Specific performance metrics to be captured.
ii. Minimum acceptable threshold values and the targets values.
iii. How they will be captured (i.e., the tools to capture them, and how the
tool will need to be configured).
iv. How and when they will be reported.
VIII. Plan for and acquire the necessary financial and staffing resources to cover the initial
acquisition and implementations costs as well as life cycle sustaining costs.
a. Identify estimated funding required to cover:
i. Acquisition costs:
Data center hardware (infrastructure, storage, services, etc.).
Software (applications, licensing, etc.).
Networking hardware (routers, switches, etc.).
Transport costs.
Support costs (logistics, training, manpower/personnel).
ii. Contract costs.
iii. Life cycle operations and sustainment costs:
O&M costs.
Manpower/personnel.
Logistics.
Training.
Software acquisition or licensing fees.
Life cycle replacement.
Facility requirements (e.g., power, air conditioning, cabling, floor
space).
b. Identify new or changed staffing requirements to support the migration and follow-on O&M. This should address both numbers and skill sets.
c. Ensure necessary funding and staffing are available in time. The cloud migration budget should be submitted as early as possible to mitigate funding risk.
IX. Identify activities required to transition from the current “As Is” to the new “To Be”
cloud environment.
a. Establish a mechanism to identify and track completion of transition activities.
b. Review/update the relevant processes and governance.
c. Establish training requirements for new technologies, tools, processes,
governance, etc.
d. Establish/update staffing requirements if any changes.
e. Prepare facilities for new equipment or staff, and ensure the facilities can
handle any changes that impact the physical structure (e.g., power, air
conditioning, cabling, etc.)
f. Over-communicate transition events with supported and supporting
organizations.
g. At the time of transition, arrange for turnover of key materials such as
passwords.
X. Identify and plan for security and privacy related activities
a. Define and implement appropriate security controls at both the cloud provider
and cloud consumer locations.
b. Identify cloud security standards, framework, and security/privacy best
practices, such as those developed by the Cloud Security Alliance.
c. Ensure certification, accreditation, or other operating authorization actions are
planned and scheduled, and necessary authorizations to migrate and operate
are in place on time.
Appendix 5.0: Focus Areas of cloud computing capacity
I. In-house cloud set up: The following areas of skills and competencies among others are needed
for PIs’ personnel that are to build internal cloud competencies
a. Concept of Virtualization
b. Cloud configuration and Management
c. Cloud Migration planning & implementation
d. Cloud Deployment within Multi-Cloud Environments
e. Cloud Security
f. Database Skills
g. Programming Skills
h. Linux Skills
i. DevOps
j. Quality Assurance
k. Information Security
II. Outsourced Cloud Service:
a. Cloud deployment and service delivery models: Decision on Public, Private and Hybrid
deployment models as well as IaaS, PaaS and SaaS service delivery models.
b. Business and financial skills
c. Enterprise Architecture and Business Needs Analysis
d. Serverless Architecture
e. Cloud Migration planning & implementation
f. Project Management
g. Contract and Vendor Negotiation
h. Security and compliance
i. Data Integration and Analysis
Appendix 6.0: Focus areas of vendor lock-in avoidance guide
The guide shall take into consideration the following:
I. Identify primary Cloud Vendor lock-in Risks
a. Data transfer risk
b. Application transfer risk
c. Infrastructure transfer risk
d. Human resource knowledge risk
II. Criteria for choosing a CSP
a. The criteria should include the following:
b. Service Dependencies and Partnerships
c. Contracts, Commercials and SLAs
d. Reliability and Performance
e. Security and Compliance
f. Infrastructure Management
g. Migration Support, Vendor Lock in and Exit Planning
h. Certification and Standards (standard interface and APIs)
i. Technologies and Service Roadmap
Appendix 7.0: Focus areas of cloud computing certification criteria
I. A set of requirements for virtualization, cloud architecture, operations, performance, security, interoperability, data privacy, data portability, regulatory compliance and governance, drawn up by considering contents and recommendations from:
a. International cloud certification bodies (such as Cloud Security Alliance, Computing Technology Industry Association, EuroCloud Star Audit among others) suitable for CSPs operating IaaS, PaaS and/or SaaS cloud service models and also in the areas of cloud security issues.
b. Industry standard cloud certification such as Certificate of Cloud Security Knowledge,
ISO/IEC 27001:2013, Code of practice for cloud privacy ISO/IEC 27018, Cloud Certified
Professional, CompTIA Cloud Essential among others;
c. Others include Cloud Industry Forum (CIF) Code of Practice, Controls and Assurance
in the Cloud: Using COBIT 5,
Appendix 8.0: CSPs Audit Report Metrics
The evidence of the following assessment metrics will be required and form a template for CSPs
audit report:
I. Security of Cloud Resources
a. Physical Security
b. Hosting & Data Logic Security
c. Authentication & Authorization
d. Cloud users access approval processes
e. Review processes for super and regular users’ access and authorization to cloud
applications
f. Network connections & Data Transmission
II. Data protection policies, procedures and practices at both Cloud Service providers and
user organizations.
a. Type and sensitivity of Data sent to and potentially stored in the cloud
b. Compliance to data protection requirements (in line with Nigeria Data Protection
Regulation- NDPR)
c. Evidence of compliance with internationally recognized cloud best practices
d. CSP’s policies and procedures to protect stored data
e. CSP’s evidence of international Cloud certification
f. Level of access (create/read/update/delete) that the CSP’s personnel have to the data, particularly to sensitive information and other cloud-installed and configured infrastructure, platforms and applications.
III. Risks related to the use of virtual operating systems in a multi-tenant cloud.
a. Risk associated with virtualization and the multi-tenant environment, especially patching and the process for monitoring and patching known vulnerabilities in hypervisor technology
b. Assessment of multi CPSs collaboration
c. Protection of logs.
IV. Procedures related to incident management, problem management, change and access
management in context of use of Cloud services.
a. Operational process documentation: policy, procedures, roles and responsibilities.
b. Compliance to Service Level Agreement (SLA).
c. Appropriate use of monitoring tools and reports.
d. Compliance with business continuity plan
V. Comply with national regulatory requirements.
a. Compliance with country’s regulatory requirements such as Nigeria Data
Protection Regulation (NDPR), National Cybersecurity Policy (NCPS)
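The access-review items (I.d, I.e) and the CSP personnel access-level item (II.f) above are the metrics an auditor most often wants as machine-produced evidence rather than a narrative. The following Python script is an added example, not part of the Policy and not any CSP's tooling: it takes a constructed entitlement export (the field names, principal names, resource names and the 90-day review window are all assumptions made for the illustration), computes each principal's effective create/read/update/delete rights per resource, and emits findings for super users (full CRUD on a resource), CSP personnel with write access to sensitive data, and entitlements whose last review is older than the window. Role labels in the export are deliberately not trusted; only effective permissions are evaluated.

```python
"""Access-review evidence for a CSP audit report (constructed example, not a real CSP format)."""
from collections import defaultdict
from datetime import date

CRUD = frozenset({"create", "read", "update", "delete"})
WRITE = frozenset({"create", "update", "delete"})

# Constructed entitlement export. The schema, principals, resources and dates are
# assumptions for this example, not taken from any real provider.
ENTITLEMENTS = [
    {"principal": "ops-admin@csp", "org": "csp", "role": "super",
     "resource": "db/citizen-records", "perms": {"create", "read", "update", "delete"},
     "last_reviewed": date(2019, 1, 15)},
    {"principal": "support@csp", "org": "csp", "role": "regular",
     "resource": "db/citizen-records", "perms": {"read", "update"},
     "last_reviewed": date(2019, 6, 1)},
    {"principal": "backup-svc@csp", "org": "csp", "role": "regular",
     "resource": "db/citizen-records", "perms": {"read"},
     "last_reviewed": date(2019, 6, 1)},
    {"principal": "clerk@ministry", "org": "customer", "role": "regular",
     "resource": "db/citizen-records", "perms": {"create", "read"},
     "last_reviewed": date(2019, 6, 20)},
    {"principal": "clerk@ministry", "org": "customer", "role": "regular",
     "resource": "bucket/public-forms", "perms": {"read", "update", "delete"},
     "last_reviewed": date(2019, 6, 20)},
]

# Resources the user organization has classified as sensitive (assumption).
SENSITIVE = {"db/citizen-records"}


def effective_access(entitlements):
    """Union the CRUD permissions each principal holds on each resource.

    A principal may appear in several entitlement rows (several roles or groups);
    the audit question is what they can actually do, so the rows are merged.
    Unknown permission names are dropped rather than silently treated as CRUD.
    """
    access = defaultdict(lambda: defaultdict(set))
    for e in entitlements:
        access[e["principal"]][e["resource"]] |= set(e["perms"]) & CRUD
    return access


def audit_findings(entitlements, sensitive, as_of, review_window_days=90):
    """Return sorted (finding, principal, resource) tuples for the audit report.

    SUPER_USER            full create/read/update/delete on a resource (metric I.e)
    CSP_WRITE_ON_SENSITIVE CSP personnel can modify sensitive data (metric II.f)
    STALE_REVIEW          entitlement not reviewed within the window (metric I.d/I.e)
    """
    findings = set()
    for principal, by_resource in effective_access(entitlements).items():
        for resource, perms in by_resource.items():
            if perms == CRUD:
                findings.add(("SUPER_USER", principal, resource))
    for e in entitlements:
        perms = set(e["perms"])
        if e["org"] == "csp" and e["resource"] in sensitive and perms & WRITE:
            findings.add(("CSP_WRITE_ON_SENSITIVE", e["principal"], e["resource"]))
        if (as_of - e["last_reviewed"]).days > review_window_days:
            findings.add(("STALE_REVIEW", e["principal"], e["resource"]))
    return sorted(findings)


def run_example(as_of=date(2019, 7, 1)):
    """Run the review over the constructed export as of a fixed audit date."""
    return audit_findings(ENTITLEMENTS, SENSITIVE, as_of)


if __name__ == "__main__":
    for finding, principal, resource in run_example():
        print(f"{finding:24} {principal:20} {resource}")
```

The output lists each finding once, even when a principal trips a rule through more than one entitlement row, and the `backup-svc@csp` read-only account produces no finding: read access by CSP staff to sensitive data is still something the report under II.f should disclose, but it is a different class of exposure from the ability to alter or destroy records, so it is left to the narrative part of the report rather than flagged as a control failure.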
Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs
Identification: The identification cycle is a preparatory stage in which the computing resources
(network, servers, operating systems, storage, databases, programming languages, applications,
services etc.) to be procured, acquired and deployed are planned, analysed and documented.
Configuration: The configuration stage involves selecting and configuring the computing resources,
both on-premise and in the cloud, in alignment with the organization's business objectives for cloud
adoption. It also involves selecting the CSP service options best suited to the organization's
business objectives.
Migration: This is the process of moving data, applications or other business elements from on-
premise to the Cloud Service Provider's cloud computing environment, as well as between CSPs' cloud
computing environments. The strategy for cloud migration is prescribed in the Migration to the Cloud
section.
Management: The management cycle involves the exercise of administrative control over the public,
private and hybrid cloud delivery models, the IaaS, PaaS and SaaS cloud service models, and the
management of multiple services across different CSPs. It is recommended that a standard cloud
management tool be adopted. Management may include self-service capabilities, workflow
automation and cloud analysis, among others, and it is best governed when formal Cloud
Portfolio Management (CPM) is in place.
Decomposition: This is the process of decommissioning cloud services or migrating from the cloud
back to on-premise.
The following explains six domains that span the entire cloud lifecycle:
Procurement/Finance management. Adopting cloud requires a shift from the traditional budgeting
system, which is annual in the public sector. A new cloud procurement regulation should provide for
cloud financial planning and management. It is recommended that PIs take advantage of the new
procurement regulation to be established by BPP.
NOTE: FPIs should consider appointing a cloud finance subject matter professional who
understands the total cost of ownership of cloud services, can track service consumption and can
provide cost transparency in line with the new cloud procurement regulation.
Cloud service provider management. It is imperative for PIs/SMEs to have a properly integrated
business ecosystem that enables them to have a single view of their cloud services. They are to
understand who is accountable for managing cloud services and establish a framework by which IT
and the business/mandate have a clear understanding of the performance metrics and contract
requirements with cloud vendors.
Cloud Portfolio management (CPM): The ability to manage cloud investments requires establishing a
formal framework for Cloud Portfolio Management (CPM). Cloud portfolio management provides a
means by which an organization can control and govern existing services, new services, as well as
the cloud providers and the relationship with them. PIs/SMEs should consider aligning the cloud
portfolio with their broader organizational portfolio to determine the additional opportunities and
risks associated with adding a cloud portfolio. Managing a cloud portfolio requires:
1. Provider Relationship Management (PRM): A critical requirement of Cloud Portfolio
Management is to manage the provider relationships. FPIs and SMEs should learn how to
develop strategic relationships with key CSPs and proactively manage the relationship from a
contractual as well as from a technology transfer perspective. This is far more than the mere vendor
management performed by procurement professionals. PRM requires a closer and
collaborative relationship with key CSPs to facilitate advance previews of new services, R&D
collaboration, early trials of new services, as well as joint planning for service adoption.
2. Manage a Portfolio of Cloud Services: Another key requirement of Cloud Portfolio Management
is managing many different cloud services from all providers. All the services in the catalog must
be managed effectively and shown to add value to the organisation's strategic objectives.
A portfolio of cloud services requires the following, among others:
a. Aggregate services into a catalog: as part of the portfolio management process, the
organisation's available cloud services must be aggregated into a single cloud catalog for easy
management.
b. Manage service equivalents across CSPs: this provides redundancy for heavily-used and
mission-critical services. It must be done in a strategic manner.
c. Compare cloud service performance across CSPs: continually analyse and evaluate the relative
service performance of CSPs.
Managing cloud services using portfolio management best practices will help ensure the best cloud
solutions and services are available, with a basis for cloud pricing arbitrage. Specifically, the cloud
portfolio approach will:
i. Streamline the management of multiple cloud resource pools, both public and private;
ii. Avoid lock-in to a particular cloud vendor;
iii. Gain visibility and governance of cloud usage across the enterprise;
iv. Maintain the security and reliability of critical systems in the cloud;
v. Measure cloud resource consumption and enforce budgets;
vi. Prevent waste and optimize spend levels; and
vii. Ensure that applications and data are in compliance with both internal policies and
regulations.
Integration/interoperability: Interoperability and integration problems arise because
each vendor's cloud environment supports its own set of operating systems and databases, and each
cloud has its own hypervisors, processes, security model, storage model, networking model, cloud API,
licensing models and more. The governance structure of FPIs and SMEs should provide procedures
that ensure integration and interoperability from both resource and technology perspectives.
Architecture: Cloud adoption should be reflected in the overall enterprise architecture of each FPI
and in that of the country, that is, the Nigeria Government Enterprise Architecture (NGEA) framework.
As such, organizations need to clearly articulate the vision and goals of stakeholders through the
cloud enterprise architecture.
Operations: To sustain cloud service operations, FPIs and SMEs should establish a desk office to
address and support cloud-specific issues for a better and seamless user experience. Clear
organization and assignment of authority will set the scope for the appropriate control, escalation
and exception management systems.
Definitions
Small and Medium Enterprises (SMEs): refers to enterprises which have an annual turnover
not exceeding Five Hundred Thousand Naira (N500,000).
Public Institutions (PIs): means Ministries, Departments, Extra-Ministerial Departments and
Agencies of Government at Federal, State and Area Council levels.
Federal Public Institutions (FPIs): means Ministries, Departments, Extra-Ministerial
Departments and Agencies of Government at the Federal level.
Cloud Computing: refers to a computing model for ubiquitous, convenient, on-demand and
real-time network access to a pool of configurable and rapidly provisioned computing resources
(networks, servers, storage, applications and services, among others) required by and
available to FPIs and SMEs to carry out their businesses and operations.
Cloud Service Providers (CSPs): refers to local and/or international cloud computing service
providers rendering services to FPIs and SMEs in Nigeria.
Cloud Stakeholders: comprises the PIs, FPIs, SMEs and CSPs.
Cloud Migration: refers to the process of moving data, applications, hardware, software,
network infrastructure and/or other business elements and services to a cloud computing
environment.
Cloud Adoption: refers to the process or strategy that provides incentives for public
institutions and SMEs to use cloud computing for their computing requirements in a way
that is efficient and sustainable.
Cloud First Policy: refers to the Federal Government of Nigeria's strong commitment and
support for cloud computing service adoption, especially from local cloud service
providers, as a first-choice consideration when deploying and accessing computing resources
in the public sector and by the SMEs that provide computing services to the public sector.
In-house/On-premise: refers to computer systems that are located within the physical
confines of Federal Public Institutions and SMEs in Nigeria.
Vendor lock-in: refers to a situation in which an FPI or SME using the cloud product or service
of a cloud service provider cannot easily transition to a competitor's cloud product or service.
Public Cloud: cloud infrastructure provisioned for open use by the general public. It may be
owned, managed, and operated by a business, academic, or government organisation, or
some combination of them.
Private Cloud: cloud infrastructure provisioned for exclusive use by a single organisation. It
is managed and operated by the organisation, a third party, or some combination of them. It
may be located on- or off-premises.
Hybrid Cloud: cloud infrastructure which is a composition of two or more distinct private
and public cloud infrastructures, which remain unique entities but are bound together by
standardised or proprietary technology that enables data and application portability.
Infrastructure as a Service (IaaS): refers to a multi-tenant cloud service where the consumer
does not manage or control the underlying cloud infrastructure, but has control over
operating systems, storage and deployed applications, and possibly limited control of select
networking components (such as host firewalls).
Platform as a Service (PaaS): refers to a delivery model where the consumer does not manage
or control the underlying cloud infrastructure, including networking, servers, operating
systems or storage, but has control over the deployed applications and possibly the application
hosting environment configurations.
Software as a Service (SaaS): refers to a delivery model where the consumer does not manage or
control the underlying cloud infrastructure, including network, servers, operating systems,
storage or individual application capabilities, with the possible exception of limited user-
specific application configuration settings.
Cloud Data: refers to data produced or commissioned by government, government-
controlled entities or government service providers (e.g. SMEs) which is hosted in the cloud.
The Policy: refers to the Nigeria Cloud Computing Policy.