
Page 1: NIGERIA DATA PROTECTION REGULATION 2019 ... · Web viewRegulation or any foreign Data Protection Law or Regulation having effect in Nigeria (See Article 1.3 (xiii)). This Framework

[DRAFT]

IMPLEMENTATION FRAMEWORK OF THE NIGERIA DATA PROTECTION

REGULATION (Page 2-38)

AND

IMPLEMENTATION STRATEGY OF NIGERIA CLOUD COMPUTING POLICY

(Page 39-83)

2019


[DRAFT]

NIGERIA DATA PROTECTION REGULATION 2019:

IMPLEMENTATION FRAMEWORK

July, 2019(Version 1)


Contents

NIGERIA DATA PROTECTION REGULATION 2019: IMPLEMENTATION FRAMEWORK............................4

1. BACKGROUND............................................................................................................................4

2. SUMMARY OF THE NDPR...............................................................................................................4

3. PROPOSED COMPLIANCE APPROACH............................................................................................6

3.1 Criteria for Licensing as DPCO..................................................................................................7

3.2 When Appointment of Data Protection Officer is Required.....................................................8

4.COMPLIANCE FRAMEWORK...........................................................................................................8

4.1 Forms of Compliance...............................................................................................................8

4.2 Compliance Checklist for Data Controllers...............................................................................9

5. ENFORCEMENT FRAMEWORK.....................................................................................................11

5.1 Forms of Enforcement...........................................................................................................11

5.1.2 Complaint Filings.................................................................................................................11

5.1.3 Investigations......................................................................................................................12

5.1.4 Administrative Sanctions....................................................................................................12

5.1.5 Criminal Prosecution...........................................................................................................13

6. ENFORCEMENT PROCESS.............................................................................................................13

7. HOW PERSONAL DATA IS TO BE HANDLED..................................................................................15

7.1 Further Processing.................................................................................................................15

8. DIGITAL CONSENT........................................................................................................................16

8.1 Types of Consent...................................................................................................................16

8.2 Consent Requirement under NDPR.......................................................................................16

8.3 Valid Consent Guide...........................................................................................................17

8.4 Consent to Cookies.............................................................................................................17

9. DATA AUDITS...............................................................................................................................18

9.1 Audit Periods.........................................................................................................................18

9.2 Audit Filing Fees.....................................................................................................................18

9.3 Content of Audit Report........................................................................................................19

9.4 Audit Verification Statement by DPCO...................................................................................20

10. TRANSFER OF DATA ABROAD....................................................................................................21

11. DURATION OF STORAGE OF RECORDS...............................................................................21

12. REPORT OF DATA PRIVACY BREACH...................................................................................22

13. ESTABLISHMENT OF ADMINISTRATIVE REDRESS PANEL....................................................23

14. THIRD PARTY PROCESSORS.................................................................................................24

15. DATA PROTECTION IN MDAs..............................................................................................24

16. RELATIONSHIP WITH ATTORNEY-GENERAL OF THE FEDERATION......................................25


17. CONTINUOUS PUBLIC AWARENESS AND CAPACITY BUILDING...........................................26

ANNEXURE A.......................................................................................................................................26

ANNEXURE B........................................................................................................................................30

SAMPLE PRIVACY POLICY TEMPLATE FOR PUBLIC INSTITUTIONS....................................................30

1.0 Your Privacy Rights................................................................................................................30

2.0 Consent..................................................................................................................................31

3.0 Your Personal Information.....................................................................................................31

4.0 What we do with your personal information.........................................................................32

5.0 Cookies..................................................................................................................................32

6.0 How we protect your personal information..........................................................................32

7.0 How We Share your information within NITDA and other users...........................................33

8.0 Security..................................................................................................................................33

9.0 Data Confidentiality Rights....................................................................................................34

10.0 Links to Other Websites and Premises.................................................................................34

11.0 Governing Law.....................................................................................................................34

COUNTRIES WITH ADEQUATE DATA PROTECTION LAWS................................................................35

Table 1.0: Enforcement Process..........................................................................................13

Table 2.0: NDPR Compliance Template...............................................................................26

Figure 1.0: NDPR triangular Compliance Model.....................................................................7

Figure 2.0: Enforcement Framework...................................................................................11


NIGERIA DATA PROTECTION REGULATION 2019: IMPLEMENTATION FRAMEWORK

1. BACKGROUND

The rate at which Nigerians' data is being breached by service providers has reached epidemic proportions. On a daily basis, personally identifiable information of Nigerians is used by unauthorized persons to further their own interests without the consent of the Data Subject. The Data Protection Regulation is at present the most robust data protection framework in Nigeria. Accordingly, stakeholders have encouraged NITDA to ensure the effective implementation and enforcement of the Regulation.

2. SUMMARY OF THE NDPR

The NDPR was issued on 25th January, 2019 pursuant to Section 6 (a, c) of the NITDA Act, 2007. The NDPR was made in recognition of the fact that many public and private bodies have migrated their businesses and other information systems online. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against breaches. Government further takes cognizance of emerging data protection regulations within the international community geared towards the security of lives and property and fostering the integrity of commerce and industry in the data economy.

The principles of the NDPR are enumerated as follows:

a) Lawfulness and Legitimacy: Article 2.1(1a) provides that Personal Data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject.

b) Specific Purpose: In addition to Article 2.1(1a) cited above, Article 3.1(7c) mandates the Data Controller to expressly inform the Data Subject of the purpose(s) of the processing for which the Personal Data are intended, as well as the legal basis for the processing. This has hitherto been observed in the breach. This, we believe, would change as government is poised to stem the tide of brazen breaches of people's right to privacy.


c) Data Minimization: Data Controllers are expected to collect the minimum data required and avoid unnecessary surplus. Data that is not useful to the Controller ought not to be collected. No data shall be obtained unless the specific purpose of collection is made known to the Data Subject. This principle is closely tied to the purpose principle: by insisting that the purpose for collecting or further processing a data set must be communicated to the Data Subject, the Regulation closes the door to a multitude of potential abuses.

d) Accuracy: The NDPR provides that collected and processed Personal Data shall be adequate, accurate and without prejudice to the dignity of the human person (Art. 2.1(b)). The NDPR prohibits the abuse or inaccurate representation of personally identifiable data, even if such data were given with due consent. Data Controllers and Processors are required to regularly update the personal data in their custody to achieve this.

e) Storage and Security: Data Controllers are required to store data only for the period it is reasonably required. The Regulation does not explicitly provide a time period because that detail, we believe, should be left to contractual agreement. However, where no period is specified, the dispute redress mechanisms can determine what constitutes a sufficient storage period. The Regulation also places the onus of security on the Data Controller and Processor. Art. 2.1(d) provides that personal data shall be secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulation of any kind, damage by rain, fire or exposure to other natural elements.

f) Confidentiality, Integrity and Availability: Article 3 generally enumerates the rights of the Data Subject. One of the underpinning principles of the NDPR is that data control must comply with basic minimum standards of information security management. The Regulation specifies the roles of the Controller and the Data Subject in such cases.

Compliance and Enforcement: One of the novelties of the NDPR is its compliance structure. The Regulation creates a new class of professionals: Data Protection Compliance Organisations (DPCO). A DPCO is any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection Law or Regulation having effect in Nigeria (see Article 1.3 (xiii)).

This Framework is therefore a general strategic approach to enforcement of the Regulation. The objectives of the NDPR are:

a) to safeguard the rights of natural persons to data privacy;

b) to foster safe conduct for transactions involving the exchange of Personal Data;

c) to prevent manipulation of Personal Data; and

d) to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection which is in tune with best practice.

The NDPR applies to every Data Controller and Data Administrator. A Data Controller is defined by the Regulation as a person who, either alone, jointly with other persons or in common with other persons or a statutory body, determines the purposes for and the manner in which Personal Data is processed or is to be processed. A Data Administrator is a person or an organization that processes data.

3. PROPOSED COMPLIANCE APPROACH

The approach adopted by the Nigeria Data Protection Regulation (NDPR) considers the Nigerian context and seeks to be implemented in a non-obstructive, compliance-promoting manner. The NDPR uses a triangular compliance model.


Figure 1.0: NDPR triangular Compliance Model

In this model, NITDA registers Data Protection Compliance Organisations (DPCO) who provide auditing and compliance services for Data Controllers. The criteria for licensing DPCOs will be published and licensed DPCOs will be listed on the NITDA site. Data Controllers who process personally identifiable information of more than 2000 Data Subjects are expected to submit a summary of their data protection audit to the Agency on an annual basis.

(Figure 1.0 labels: NDPR Compliance Model; NITDA (as National DPO); DPCO; Data Controller)

3.1 Criteria for Licensing as DPCO

A DPCO may be one or more of the following: a Professional Service Consultancy firm, an IT Service Provider, an Audit firm or a Law firm, which has Data Protection certification or experience in addition to any one of the following:

a) Data Science
b) Data Protection and Privacy
c) Information Privacy
d) Information Audit
e) Data Management
f) Information Security
g) Data Protection legal services
h) Information Technology Due Diligence
i) EU GDPR implementation and compliance
j) Cyber Security/Cyber Security law
k) Data Analytics
l) Data Governance

DPCOs are licensed to provide one or more of these services:

a) Data protection regulations compliance and breach services for Data Controllers and Data Administrators;
b) Data protection and privacy advisory services;
c) Data protection training and awareness services;
d) Data Regulations contracts drafting and advisory;
e) Data protection and privacy breach remediation planning and support services;
f) Information privacy audit;
g) Data privacy breach impact assessment;
h) Data Protection and Privacy Due Diligence Investigation;
i) Outsourced Data Protection Officer, etc.

3.2 When Appointment of Data Protection Officer is Required

A Data Controller is required to appoint a dedicated Data Protection Officer where one or more of the following conditions are present:

a) the entity is a Government Organ, Ministry, Department, Institution or Agency;

b) the core activities of the organization involve regular processing of large sets of personal data;

c) the organization processes sensitive personal data in the regular course of its business; or

d) the organization processes critical national databases consisting of personal data.

4. COMPLIANCE FRAMEWORK

4.1 Forms of Compliance

i. Cooperation: NITDA will, to the extent practicable and consistent with the provisions of the Act and regulatory instruments, seek the cooperation of concerned entities in achieving compliance with the applicable provisions.

ii. Assistance: NITDA may provide technical assistance to concerned entities to help them comply voluntarily with the applicable provisions. This is being done through the DPCOs.

iii. Self-Reporting: The concerned entity will be required to proactively provide information to show compliance with the applicable provisions.

iv. Signal Detection: The compliance framework will ensure the proactive monitoring and evaluation of data provided by concerned entities by utilizing analytic tools to identify patterns that reflect non-compliance.

4.2 Compliance Checklist for Data Controllers

The Data Controller is the focal point in the data protection value chain. Most responsibilities for compliance lie with the Data Controller. The following checklist would guide Controllers in reducing liabilities and fines.

i. Conduct an information audit: Article 3.1(7) of the NDPR provides what the audit report should contain.

ii. Legally justifiable basis for processing: Article 2.2 specifies five legal bases for processing personal data: consent of the Data Subject; performance of a contract; legal obligation; protection of vital interests; and public interest. A Controller must identify the basis on which it is processing the personal data.

iii. Clear information on data processing: Article 2.5 provides for publicity and clarity of the privacy policy. It states that any medium through which Personal Data is being collected or processed shall display a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand.

iv. Design systems to be data protection compliant: Data Controllers must show that their systems are built with data protection in mind. Article 2.6 provides that anyone involved in data processing or the control of data shall develop security measures to protect data; such measures include but are not limited to protecting systems from hackers, setting up firewalls, storing data securely with access restricted to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data…

v. Awareness creation on data protection: continuous capacity building for staff is a Controller's duty.

vi. Develop and circulate an internal Data Privacy Strategy or Policy to help staff and vendors understand the Controller's direction in respect of managing personal data.

vii. Conduct a Data Protection Impact Assessment en route to compliance, and periodically thereafter.

viii. Establish a process for notifying the appropriate authority in the event of a data breach.

ix. Appoint a Data Protection Officer, or assign an appropriate person who is accountable to the top-most hierarchy of the Organisation in respect of data protection.

x. Update agreements with third-party processors to ensure compliance with the NDPR.

xi. Design systems to make data requests and access easy for Data Subjects.

xii. Design systems to enable Data Subjects to easily correct or update information about themselves.

xiii. Design systems to enable Data Subjects to easily transfer (port) data to another platform at minimal cost.

xiv. Clearly communicate to Data Subjects the process for objecting to the processing of personal data.

xv. Establish a procedure for informing and protecting the rights of Data Subjects where automated decisions are made on personal data.


5. ENFORCEMENT FRAMEWORK

Figure 2.0: Enforcement Framework

5.1 Forms of Enforcement

5.1.1 Surveillance

Surveillance refers to specific, deliberate monitoring carried out to identify breaches of the NDPR. This routine activity arises from the understanding that operators or parties obligated to perform specific tasks or to comply with provisions of the NDPR, particularly as they affect Data Subjects, may be in deliberate or unconscious breach of the Regulation. Surveillance will aid NITDA in identifying breaches of regulatory instruments, or in co-opting other stakeholders to identify and report breaches to the Agency.

5.1.2 Complaint Filings

A Compliance Officer or any person who believes a party is not complying with any of the provisions of any regulatory instrument may file a complaint with NITDA. Such complaints must meet the following requirements:

a. A complaint must be filed in writing, either on paper or electronically.

b. A complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable provision(s).

c. NITDA may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing.

5.1.3 Investigations

NITDA will investigate any complaint filed against a concerned entity when a preliminary review of the facts indicates a possible violation of the provision(s) of any regulatory instrument. NITDA may, by its officers or through a designated DPCO, investigate any complaint filed by third parties and may also do so based on a special audit check or "spot check". Investigation may include a review of the policies, procedures or practices of the concerned entity and of the circumstances regarding any alleged violation. At the time of the initial written communication with the concerned entity, NITDA will indicate the basis of the audit.

5.1.4 Administrative Sanctions

Where NITDA has ascertained, through the foregoing tools of enforcement or by the Administrative Redress Panel established pursuant to Article 4.2 of the NDPR, that a party is in breach of the NDPR, NITDA may issue an order for compliance with the relevant provision to curtail further breach. NITDA may additionally prescribe a sanction in liquidated monetary value. The decision on the monetary value shall be based on the severity of the breach, the number of Data Subjects affected, opportunities for curtailment left unexplored, and whether the breach is the first by the offending entity. NITDA may also issue other administrative orders, including:

i. suspension of service pending further investigations;

ii. an order for parties in breach to appear before a panel to determine the liability of officers in line with Article 4.2;

iii. a public notice warning the public to desist from patronizing or doing business with the affected party;

iv. referral of the parties in breach to another Self-Regulatory Organization (SRO) for appropriate sanctions.

5.1.5 Criminal Prosecution

Where NITDA has determined that a party is in grave breach of the NDPR, especially where such breach affects national security, sovereignty and cohesion, it may seek to prosecute officers of the organization as provided for in Section 17(1, 3) of the NITDA Act 2007. NITDA shall seek a fiat of the Honorable Attorney General of the Federation (HAGF) or may file a petition with any prosecuting authority in Nigeria; this may include the Economic and Financial Crimes Commission (EFCC), the Department of State Security (DSS), the Nigerian Police Force (NPF), the Independent Corrupt Practices Commission (ICPC) or the Office of the National Security Adviser (ONSA).

6. ENFORCEMENT PROCESS

Table 1.0: Enforcement Process

Enforcement Activity / Description of Action

Documentation of Breach

1. At this stage a report, memo, petition or complaint must be officially submitted to NITDA through the office of the Director General of NITDA.

2. The document must be duly signed by an Officer of NITDA or by the external complainant.

3. For an external complaint, the document must be written and signed by an individual (in a personal capacity), a group (of persons or companies) or a registered entity (registered with the CAC).

Request for Additional Information and Investigation

If it appears NITDA is not sufficiently briefed, or needs further information to arrive at a conclusion on breach of the NDPR, the following procedure would be employed:

i. a "Request for Additional Information" would be issued to the complainant, the alleged violator or any other party who may be in a position to provide clarity on the facts of the allegation of breach;

ii. relevant parties would be invited to an "Investigation Meeting" to elicit facts to establish or disprove the breach;

iii. a "Request for Investigation" would be made in partnership with law enforcement agencies.

Continuation or Termination of Enforcement Process

Where NITDA is satisfied that there is prima facie evidence of a breach, NITDA may:

1. request a response from the alleged violator stating the allegations against them;

2. in the event that NITDA finds the explanations of the alleged violator coherent and sufficient, respond to the allegation, and enforcement will be terminated.

Notice of Enforcement

Where NITDA is satisfied that a breach of the NDPR has occurred:

1. NITDA will issue a "Notice of Enforcement" citing the specific breach and demanding mandatory compliance within a specific time frame from the date of service of the notice;

2. NITDA may issue an administrative fine or penalty in line with extant regulation.

Issuance of Public Notice (OPTIONAL)

NITDA may consider issuing a public statement warning the public and other agencies of Government of the dangers of dealing with a violator who has perpetrated a breach of the NDPR.

Request for Prosecution

A. Where a violator does not take steps to address the breach, or to consult with NITDA on the steps to be taken to remedy it, within the period stated in the "Notice of Enforcement",

B. NITDA may file an official Petition or Notice of Prosecution with the Office of the Attorney General of the Federation, stating:

I. the original complaint;

II. the enforcement process initiated by NITDA; and

III. the implication of the violator's action for the development of ICT in Nigeria.

IV. A copy of the notice would be copied to the Presidency and any other relevant organ of government.

7. HOW PERSONAL DATA IS TO BE HANDLED

According to Article 2.1.1(a)(i), Data Controllers are to ensure that data collected is specific, legitimate, adequate and accurate; stored for the period reasonably needed; collected for a stated purpose; secured; and collected with explicit, unambiguous consent granted by the Data Subject.

7.1 Further Processing

Article 3.1(7)(m): Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the Controller shall provide the Data Subject, prior to that further processing, with information on that other purpose and with any relevant further information.

Where a Data Controller wishes to further process data initially collected for a defined, limited purpose, the Data Controller shall consider the following:

a) whether there exists a connection between the original purpose and the proposed purpose;

b) the context in which the data was originally collected;

c) the possible implications of the new processing for the Data Subject; and

d) the existence of requisite safeguards for the Data Subject.

The above information shall be provided to the Data Subject before the further processing is done. The further processing may proceed if the Data Subject gives consent based on the new information, or if the processing is required in compliance with a legal obligation.


8. DIGITAL CONSENT

'Consent' of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her (Article 1.3(iii)). Consent may be given through a statement (written or signed) or by an affirmative action signifying agreement to the processing of personal data.

8.1 Types of Consent

a) Implied Consent: participating in, and volunteering data under, certain conditions can amount to implied consent.

b) Explicit Consent: the Subject gives clear, documentable consent, e.g. ticks a box, signs a form, sends an email or signs a paper.

c) Opt-out Consent: you are in unless you choose to opt out, e.g. a box labelled "I don't want to receive the XXX newsletter"; if the box is left unticked, you will receive the XXX newsletter.

Exceptions to the above may be cases of health emergency, national security and crime prevention.

8.2 Consent Requirement under NDPR

a) Transparency: there must be an explicit privacy policy stating the type of data collected, how it is processed, who processes it, the security standard, etc.;

b) No implied consent: silence, pre-ticked boxes or inactivity do not constitute consent;

c) No bundled consent: separate the data consent request from general terms and conditions. There must be separate consent for each class of data use;

d) Access to data: the Subject can request and receive the data he gave, how it is being used and who has access to it. Data Controllers must keep consent records; and

e) Special category / higher standard consent: sensitive personal data such as ethnic origin, political affiliation, religious beliefs, trade union membership, biometric data, sexual orientation, health and the like requires a specific, higher-standard consent method. A tick of a box would not suffice.

8.3 Valid Consent Guide

a) Make your consent request prominent, concise, separate from other terms and conditions and easy to understand;
b) Include the name of your organization and any third parties, why you want the data, what you will do with it and the right to withdraw consent at any time;
c) You must ask people to actively opt in. Don't use pre-ticked boxes, opt-out boxes or default settings;
d) Wherever possible, give granular options to consent separately to different purposes and different types of processing;
e) Keep records to evidence consent: who consented, when, how and what they were told;
f) Make it easy for people to withdraw consent at any time they choose;
g) Keep consent under review and refresh it if anything changes; and
h) Build regular reviews into your business processes.

(Source: UK Information Commissioner's Office)
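The tests in 8.2 and 8.3 (no implied or pre-ticked consent, no bundled consent, a record of who consented, when, how and what they were told, and withdrawal at any time) can be enforced in the system that captures consent rather than left to the form designer. The Python consent ledger below is an added example written for this Framework; it is not code from the Framework, NITDA or the ICO, and the class, method and field names (ConsentLedger, ConsentRecord, notice_version, affirmative_action) are this example's own choices. One record is stored per purpose so consent is never bundled, and withdrawal closes a record without invalidating processing done before it.

```python
"""Consent ledger for the NDPR consent tests (added example, not the
Framework's own code; class and field names are this example's choices)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str                    # one record per purpose: no bundled consent
    method: str                     # how consent was given, e.g. "ticked an unticked box"
    notice_version: str             # identifies what the Data Subject was told
    controller: str                 # who asked for the data
    third_parties: Tuple[str, ...]  # who else will receive it
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentError(ValueError):
    """The request would not amount to valid consent under the NDPR."""


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purposes: Iterable[str], *, method: str,
                       notice_version: str, controller: str,
                       third_parties: Iterable[str] = (), affirmative_action: bool,
                       default_selected: bool, at: Optional[datetime] = None) -> int:
        """Store consent for each purpose; returns the number of records written."""
        purposes = list(purposes)
        # Silence, pre-ticked boxes, default settings or inactivity are not consent.
        if not affirmative_action or default_selected:
            raise ConsentError("consent requires an affirmative, non-default action")
        # The Data Subject must have been told who is asking and what they were shown.
        if not controller.strip() or not notice_version.strip():
            raise ConsentError("controller identity and the notice shown are required")
        # Consent must be specific: at least one purpose, each named once.
        if not purposes or len(set(purposes)) != len(purposes):
            raise ConsentError("consent must name each specific purpose once")
        given_at = at or datetime.now(timezone.utc)
        for purpose in purposes:
            self._records.append(ConsentRecord(subject_id, purpose, method, notice_version,
                                               controller, tuple(third_parties), given_at))
        return len(purposes)

    def withdraw(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> int:
        """Close open consent records for one purpose; earlier processing stays lawful."""
        when = at or datetime.now(timezone.utc)
        closed = 0
        for i, rec in enumerate(self._records):
            if (rec.subject_id, rec.purpose, rec.withdrawn_at) == (subject_id, purpose, None):
                self._records[i] = replace(rec, withdrawn_at=when)
                closed += 1
        return closed

    def is_consented(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if an affirmative, unwithdrawn consent for this purpose covered the instant `at`."""
        when = at or datetime.now(timezone.utc)
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.given_at <= when
                   and (rec.withdrawn_at is None or when < rec.withdrawn_at)
                   for rec in self._records)

    def evidence(self, subject_id: str) -> List[dict]:
        """Records to evidence consent: who consented, when, how and what they were told."""
        return [{"purpose": r.purpose, "given_at": r.given_at.isoformat(), "method": r.method,
                 "notice_version": r.notice_version, "controller": r.controller,
                 "third_parties": list(r.third_parties),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Constructed walk-through: one valid request, one pre-ticked request, one withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2019, 7, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2019, 8, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("ds-001", ["newsletter", "analytics"], method="ticked an unticked box",
                          notice_version="privacy-notice-v1", controller="Example Controller Ltd",
                          third_parties=("Example Mailer",), affirmative_action=True,
                          default_selected=False, at=t0)
    try:
        ledger.record_consent("ds-002", ["newsletter"], method="pre-ticked box",
                              notice_version="privacy-notice-v1", controller="Example Controller Ltd",
                              affirmative_action=True, default_selected=True, at=t0)
        pre_ticked_rejected = False
    except ConsentError:
        pre_ticked_rejected = True
    ledger.withdraw("ds-001", "newsletter", at=t1)
    return {
        "pre_ticked_rejected": pre_ticked_rejected,
        "analytics_valid_after": ledger.is_consented("ds-001", "analytics", at=t1),
        "newsletter_valid_before": ledger.is_consented("ds-001", "newsletter", at=t0),
        "newsletter_valid_after": ledger.is_consented("ds-001", "newsletter", at=t1),
        "evidence_rows": len(ledger.evidence("ds-001")),
    }


if __name__ == "__main__":
    print(demo())
```

The `evidence()` output is the audit trail an auditor or DPCO would ask for under 8.2(d): it shows, per purpose, the moment consent was given, the method, the notice version the Data Subject saw, and when (if ever) it was withdrawn.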

8.4 Consent to Cookies

The use of cookies on a website or other digital platform requires consent. The consent must be freely given, informed and specific. Consent for cookies does not necessarily require the ticking of a box or a similar method; the continued use of a website that has met the following requirements would suffice as consent:

a) the information must be clear and easy to understand;
b) the purpose of the use of the cookies must be provided;
c) the identity of the person or entity responsible for the use of the cookies must appear;
d) the possibility of withdrawal of consent must be easily accessible and be described in the information; and
e) this information must be easily accessible to the user at all times.

9. DATA AUDITS

Audits are investigations or examinations of the records, processes and procedures of Data Controllers and Processors to ensure they are in compliance with the requirements of the NDPR. The NDPR requires regulated parties to keep and produce a specific class of records, logs or databases in accordance with stipulated rules. Failure to maintain these records in the manner provided may lead to harm to others, a violation of the Regulation or the commission of a crime. Therefore, NITDA may on its own carry out scheduled audits, may require reports of audits carried out by DPCOs, and may schedule "spot checks" or "Special Audits" to ascertain compliance or to identify breaches. Usually these audits or investigations are unscheduled and may be prompted by a tip-off or may be random, to ensure compliance with the NDPR and related laws.

9.1 Audit Periods

Article 4.1(7) addresses the period within which the audit report is to be filed by Data Controllers. The Article provides as follows:

(7) On annual basis, a Data Controller who processed the Personal Data of more than 2000 Data Subjects in a period of 12 months shall, not later than the 15th of March of the following year, submit a summary of its data protection audit to the Agency. The data protection audit shall contain information as specified in 4.1(5).

Non-filing of the Annual Audit Report by a Data Controller is a prima facie case of breach. The 15th of March is the latest date for filing the Annual Data Audit Report.

9.2 Audit Filing Fees

Each Controller is expected to file the audit report and pay the following amount as applicable:

Filing Fees for Annual Audit Reports
1. Filing of a report covering fewer than 10,000 Data Subjects: N5,000
2. Filing of a report covering 10,000-50,000 Data Subjects: N10,000
3. Filing of a report covering more than 50,000 Data Subjects: N20,000

9.3 Content of Audit Report

The data protection audit shall contain the information specified in Article 3.1(7) of the Regulation. For clarity, the report shall contain the following:

a) the identity and the contact details of the Controller;
b) the contact details of the Data Protection Officer;
c) the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing;
d) the legitimate interests pursued by the Controller or by a third party;
e) the recipients or categories of recipients of the Personal Data, if any;
f) where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization and the existence or absence of an adequacy decision by NITDA;
g) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
h) the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to processing, as well as the right to Data Portability;
i) the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
j) the right to lodge a complaint with a relevant authority;
k) whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data;
l) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
m) where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the Controller shall provide the Data Subject, prior to that further processing, with information on that other purpose and with any relevant further information; and
n) where applicable, that the Controller intends to transfer Personal Data to a recipient in a foreign country or international organization and the existence or absence of an adequacy decision by the Agency.

A draft standard template for the audit report is attached as Annexure A to this Framework; the final, stakeholder-agreed version would be adopted by Data Protection Compliance Organisations (DPCOs) in the course of audit implementation.

9.4 Audit Verification Statement by DPCO

A DPCO shall make the following Audit Verification Statement as a pre-condition to the filing of an Annual Audit Report or any other report demanded by NITDA.

I ……………………. of ………………………………, a licensed Data Protection Compliance Organisation (DPCO) under Article 4.1(4) of the Nigeria Data Protection Regulation (NDPR), hereby make this statement on oath that the Data Audit Report (DAR) herein filed by ……………………… (Name of Organisation) is conducted in line with the NDPR and that it is an accurate reflection of the organisation's Personal Data Management practice.

SIGN: ……………………. LICENSE NUMBER: ……………………. DATE: …………………….

10. TRANSFER OF DATA ABROAD

Where data is being transferred abroad as stipulated in Article 2.11, the following information is required:

i. the list of countries to which Nigerian citizens' personally identifiable information is transferred in the regular course of business;
ii. the data protection laws and the contact of the National Data Protection Office/Administration of each country listed in (i) above;
iii. the privacy policy of the Data Controller, compliant with the provisions of the NDPR;
iv. an overview of the encryption method and data security standard; and
v. any other detail that assures that the privacy of personal data is adequately protected in the target country.

NITDA shall coordinate transfer requests with the office of the Attorney-General of the Federation. A 'white list' of jurisdictions shall be compiled and published on official media of communication. Where transfer to a jurisdiction outside the white list is being sought, the Data Controller shall ensure there is verifiable documentation of consent to one or more of the exceptions stated in Article 2.12 of the NDPR.

11. DURATION OF STORAGE OF RECORDS

The length of storage of data shall be determined by:

a) the contract term agreed by the parties;
b) whether the transaction type has statutory implications;
c) whether there is an express request for deletion by the Data Subject, where such Subject is not under an investigation which may require the data; and
d) the cost implication of storage of such data for the Data Controller.

NITDA would consider the above and other circumstances to determine if the data was stored appropriately and for a reasonable length of time.

12. REPORT OF DATA PRIVACY BREACH

In line with Article 4.1(8) and other relevant provisions, Data Subjects, civil society or professional organisations or any government Agency may report a breach of this Regulation to NITDA through an advertised channel. Upon receipt of this report, the Director General/CEO may direct action to be taken, which may include the following steps:

a) contacting the Organisation for enquiry;
b) review of an earlier filed annual report (if any);
c) a Data Protection Regulation Compliance Query;
d) administrative action; and
e) prosecution.

Data Controllers and Administrators also have a duty of self-reporting data breaches. The NDPR requires data handlers to have policies and procedures for monitoring and reporting violations of privacy and data protection policies (see Article 4.1(5)(j)). Data Controllers and Administrators have a duty to report to NITDA within 72 hours of their knowledge of the breach. The report shall include the volume of data likely to be affected, the cause of the breach and the remedial actions being taken.

Notification of a data breach to NITDA must include the following information:

i. a description of the circumstances of the loss or unauthorized access or disclosure;
ii. the date or time period during which the loss or unauthorized access or disclosure occurred;
iii. a description of the personal information involved in the loss or unauthorized access or disclosure;
iv. an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
v. an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
vi. a description of any steps the organization has taken to reduce the risk of harm to individuals;
vii. a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
viii. the name and contact information of a person who can answer, on behalf of the organization, the Agency's questions about the loss or unauthorized access or disclosure.
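An incident-response team working to the 72-hour clock in section 12 benefits from a checklist that is itself executable: a notification record that knows which items the section requires and how much of the deadline remains. The following Python is an added example written for this Framework, not code from the Framework or from NITDA; the dataclass and field names (BreachNotification, known_at, individuals_at_real_risk) and the sample incident are this example's own constructions. Items are named in words rather than by number so the check reads the same whichever numbering is used.

```python
"""Breach-notification completeness and deadline check for section 12
(added example, not the Framework's own code; names are this example's)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOTIFY_WITHIN = timedelta(hours=72)  # report to NITDA within 72 hours of knowledge of the breach


@dataclass
class BreachNotification:
    known_at: datetime                       # when the Controller became aware of the breach
    circumstances: str                       # description of the loss / unauthorized access / disclosure
    occurred_from: Optional[datetime]        # date or time period during which it occurred
    occurred_to: Optional[datetime]
    data_description: str                    # the personal information involved
    cause: str                               # cause of the breach (first paragraph of section 12)
    risk_assessment: str                     # assessment of the risk of harm to individuals
    individuals_at_real_risk: Optional[int]  # estimate of individuals at real risk of significant harm
    risk_reduction_steps: str                # steps taken to reduce the risk of harm
    individual_notice_steps: str             # steps taken to notify affected individuals
    contact_name: str                        # person who can answer the Agency's questions
    contact_details: str


def missing_items(n: BreachNotification) -> List[str]:
    """Return the section 12 items this notification does not yet supply."""
    missing: List[str] = []
    if not n.circumstances.strip():
        missing.append("description of the circumstances")
    if n.occurred_from is None:
        missing.append("date or time period of the breach")
    elif n.occurred_to is not None and n.occurred_to < n.occurred_from:
        missing.append("time period end precedes its start")
    if not n.data_description.strip():
        missing.append("description of the personal information involved")
    if not n.cause.strip():
        missing.append("cause of the breach")
    if not n.risk_assessment.strip():
        missing.append("assessment of the risk of harm to individuals")
    if n.individuals_at_real_risk is None or n.individuals_at_real_risk < 0:
        missing.append("estimate of individuals at real risk of significant harm")
    if not n.risk_reduction_steps.strip():
        missing.append("steps taken to reduce the risk of harm")
    if not n.individual_notice_steps.strip():
        missing.append("steps taken to notify individuals")
    if not (n.contact_name.strip() and n.contact_details.strip()):
        missing.append("contact person for the Agency's questions")
    return missing


def notification_deadline(known_at: datetime) -> datetime:
    """Latest moment the report may reach NITDA, counted from knowledge of the breach."""
    return known_at + NOTIFY_WITHIN


def assess(n: BreachNotification, submitted_at: datetime) -> Dict[str, object]:
    """Combine the deadline check with the completeness check."""
    deadline = notification_deadline(n.known_at)
    gaps = missing_items(n)
    overdue_hours = (submitted_at - deadline).total_seconds() / 3600
    return {
        "deadline": deadline,
        "late": submitted_at > deadline,
        "hours_overdue": max(0.0, overdue_hours),
        "missing": gaps,
        "ready_to_file": not gaps,
    }


def demo() -> Dict[str, object]:
    """Constructed sample incident (not a real event) submitted 80 hours after discovery."""
    known = datetime(2019, 7, 1, 10, 0, tzinfo=timezone.utc)
    n = BreachNotification(
        known_at=known,
        circumstances="backup volume with customer records readable by staff outside the support team",
        occurred_from=datetime(2019, 6, 28, tzinfo=timezone.utc),
        occurred_to=datetime(2019, 7, 1, tzinfo=timezone.utc),
        data_description="names, phone numbers, postal addresses",
        cause="misconfigured access permissions on backup storage",
        risk_assessment="low: no financial data; access limited to two employees",
        individuals_at_real_risk=0,
        risk_reduction_steps="permissions corrected; access logs reviewed",
        individual_notice_steps="none yet; to be decided after the risk review",
        contact_name="",      # left blank on purpose to show the completeness check
        contact_details="",
    )
    return assess(n, submitted_at=known + timedelta(hours=80))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the notification as late by 8 hours and still missing the contact person, which is the state a DPO would want surfaced before anything is sent to the Agency.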


13. ESTABLISHMENT OF ADMINISTRATIVE REDRESS PANEL

In line with Article 4.2 of the Regulation, NITDA shall establish Administrative Redress Panels (ARP) as the Director General/CEO may deem appropriate. The ARP shall be composed of accomplished IT professionals, public administrators and lawyers who shall work with the Agency for the purpose of resolving issues related to the Regulation.

The ARP procedure shall give preference to online dispute resolution mechanisms. Where it is impracticable to adopt such a mechanism, the ARP panel shall be constituted and shall give its opinion within a stipulated period of time.

The rules of procedure of the ARP shall be drawn up by a panel of experts. The ARP procedure shall however be designed with the following in mind:

a) the principles of fair hearing, fairness and transparency;
b) arguments and case presentations shall be made in writing. The procedure shall limit oral presentation to the barest minimum;
c) the ARP shall, in reaching its decision, clearly state the proof of violation, identify some or all of the Data Subjects affected by the breach (in an anonymized, pseudonymized or summarized format), the provision of the Regulation violated and any acts of omission or commission which exacerbated the breach;
d) in reaching its decision, the Panel may consider whether the indicted entity has a reputation for data or other criminal or corporate breaches in the past; the number of employees in its establishment; and the impact of the fine on its overall contribution to the economy. Nothing in this provision shall however limit the powers of the ARP to discharge its duties as expected of a typical quasi-judicial panel.

14. THIRD PARTY PROCESSORS

Data Controllers are required to publish a list of third parties with whom the Data Subject's data may be shared. This publication, which must also be included in the audit report filing, shall include:

i) categories of third-party data recipients, e.g. Credit Reference Agencies; Payment Processors; Insurance Brokers; Anti-Corruption Agencies, etc.;
ii) third party name;
iii) third party jurisdiction;
iv) purpose of disclosure, e.g. Fraud Checking; Payment Processing; Dispute Management; Risk Management; Statutory Requirement, etc.; and
v) type of data disclosed, e.g. name, phone number, address, payment details, salary details, etc.

15. DATA PROTECTION IN MDAs

NITDA shall deploy strategies and programmes to improve electronic governance in public institutions. Federal Public Institutions (FPIs) shall be given more time to comply with the Regulation. NITDA shall coordinate the process of improving Data Protection in FPIs through training and process change management.

Every MDA shall designate a Directorate-level officer as its Data Protection Officer. Such person shall be responsible for:

a) informing and advising the MDA on compliance with the NDPR and other applicable data protection laws and policies;
b) monitoring compliance with the Regulation and with the internal policies of the organization, including assigning responsibilities, awareness raising and training of staff; and
c) facilitating cooperation with relevant stakeholders and acting as the point of contact with NITDA.

Every FPI shall incorporate a Privacy Policy into its website and digital media platforms to assure the privacy of the Data Subjects interacting with the FPI. A sample Privacy Policy for government Agencies and institutions is available in Annexure A for guidance.

16. RELATIONSHIP WITH ATTORNEY-GENERAL OF THE FEDERATION

In accordance with Article 2.12 of the NDPR, where a Data Controller seeks to transfer data to a foreign country, NITDA shall examine whether such country has an adequate data protection law or regulation that can guarantee minimum privacy for Nigerian citizens' data. Where there is need for further legal cooperation from a target country, NITDA may approach the office of the Attorney-General for that purpose. In such circumstances, the data transfer and storage processes shall be carried out under the supervision of the Attorney-General.

Generally, an Adequacy Decision shall be issued by NITDA in respect of transfers to foreign countries if the information specified in paragraph 6 above is satisfactorily provided by the Data Controller. The Office of the Attorney-General may, in its supervisory role, prohibit the transfer of Nigerian private data to certain countries where it is of the opinion that the country's data protection regime is inadequate or incompatible with Nigerian law.

NITDA shall generate a list of countries with acceptable data protection laws; this list shall be validated by the Attorney-General. Where a Data Controller seeks to transfer to any country other than the ones listed, such transfer shall be subject to further processes to ascertain the protection of Nigerian citizens' data.

17. CONTINUOUS PUBLIC AWARENESS AND CAPACITY BUILDING

NITDA shall engage in the continuous organization of seminars, workshops, conferences and other information dissemination programmes to socialize the NDPR and improve its public acceptance and compliance.

ANNEXURE A

Table 2.0: NDPR Compliance Template

AUDIT TEMPLATE FOR NDPR COMPLIANCE

Columns: No | NDPR Provision | Question (the Response and Comments columns are left blank for the Controller to complete)

1 | | ACCOUNTABILITY AND GOVERNANCE
1.1 | | Is your top-management aware of the Nigeria Data Protection Regulation (NDPR) and the potential implication on your organisation?
1.2 | Art. 2.6 | Have you implemented any information security standard in your organisation before? If YES, specify.
1.3 | Art. 2.1(d) | Do you have a documented data breach incident management procedure?
1.4 | Art. 1.2 | Do you collect and process personal information through digital mediums?

1.5 | Art. 2.6 | Have you organised any NDPR awareness seminar for your staff or suppliers?
1.6 | Art. 4.1(5) | Have you conducted a detailed audit of your privacy and data protection practices?
1.7 | Art. 2.5 | Have you set out the management support and direction for data protection compliance in a framework of policies and procedures?
1.8 | Art. 2.1 | Do you have a Data Protection compliance and review mechanism?
1.9 | Art. 2.6 | Have you developed a capacity building plan for compliance with data protection for all staff?
1.10 | Art. 3.1(1) | Do you know the types of personal data you hold?
1.11 | Art. 4.1(5) | Do you know the sources of the personal data you hold?
1.12 | Art. 4.1(5) | Who do you share personal data with?
1.13 | Art. 4.1(2) | Who is responsible for your compliance with data protection laws and processes?
1.14 | Art. 1.3 | Have you assessed whether you are a Data Controller or Data Administrator/Processor?
1.15 | Art. 4.1(5) | Have you reviewed your Human Resources policy to ensure personal data of employees are handled in compliance with the NDPR?
1.16 | Art. 2.5(d) | Have appropriate technical and organisational measures been implemented to show you have considered and integrated data protection into your processing activities?
1.17 | Art. 4.5 | Do you have a policy for conducting Data Protection Impact Assessment (DPIA) on existing or potential projects?
1.18 | Art. 4.5 | Does your DPIA Policy address issues such as: a) a description of the envisaged processing operations; b) the purposes of the processing; c) the legitimate interest pursued by the controller; d) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; e) an assessment of the risks to the rights and freedoms of Data Subjects; f) risk mitigation measures being proposed to address the risk?

2 | | DATA PROTECTION OFFICER / DATA PROTECTION COMPLIANCE ORGANISATION
| Art. 4.1(4) | Have you appointed a Data Protection Compliance Organisation (DPCO)?
| Art. 4.1(4) | Which kind of service has a DPCO provided for you till date? Hint: Audit, Data Protection Impact Assessment, Data Breach Remediation, etc.
| Art. 4.1(2) | Does your DPCO also perform the role of your DPO?
2.1 | Art. 4.1(2) | Has a Data Protection Officer (DPO) been appointed and given responsibility for NDPR compliance and the management of organisational procedures in line with the requirements of the NDPR?
| Art. 4.1(4) | Do you utilise the same DPCO for Data Protection compliance implementation and audit?
2.2 | Art. 4.1(3) | Have you trained your Data Protection Officer in the last one year?
| Art. 4.1(2) | Does the Data Protection Officer (DPO) have sufficient access, support and budget to perform the role?
| Art. 4.1(2) | If the DPO has other job functions, have you evaluated whether there is a conflict of interest?
| Art. 4.1(2) | Does the DPO have verifiable professional expertise and knowledge of data protection to do the following: a) inform and advise the business, management, employees and third parties who carry out processing of their obligations under the NDPR; b) monitor compliance with the NDPR and with the organisation's own data protection objectives; c) assign responsibilities, raise awareness and train staff involved in processing operations; d) provide advice where requested as regards the data protection impact assessment and monitor its performance; e) cooperate with NITDA as the Supervisory Authority; f) act as the contact point for NITDA on issues relating to data processing?
2.3 | Art. 2.5 | Is there a clearly available mechanism (e.g. webpage, etc.) for data subjects that explains how to contact your organisation to pursue issues relating to personal data?
3 | | DOCUMENTATION TO DEMONSTRATE COMPLIANCE
3.1 | Art. 3.1 | Have you documented your data processing activities?
3.2 | Art. 2.5 | Have you included an appropriate privacy notice in each data collection process, including those done through third parties?
| Art. 4.1(5) | Have you agreed a schedule to review current privacy notices and contracts for compliance with the NDPR?
3.3 | Art. 2.2 | Other than the ground of consent of an employee, has your organisation recorded other legal grounds on which it processes its employees' data?
3.4 | Art. 4.1(5) | Have you identified what personal data is collected and whether this is collected directly from the data subject or via a third party?

| Art. 3.1(7) | Does this inventory include data retention periods, or do you have a separate data retention schedule?
3.5 | Art. 1.3 | Do you have a register of data breaches and security incidents?
4 | |
4.1 | | Have you carried out a comprehensive review of the various types of processing your organisation performs?
| | Have you identified the lawful basis for your processing activities and documented this?
| | Have you explained the lawful basis for processing personal data in your privacy notice(s)?
4.2 | | Have you reviewed how you seek, record and manage consent?
| | Have you reviewed the systems currently used to record consent, and have you implemented appropriate mechanisms to ensure an effective audit trail?
4.3 | | If your organisation offers services directly to children, have you communicated privacy information in a clear, plain way that a child will understand?
| | Do you adopt data pseudonymisation, anonymisation and encryption methods to reduce exposure of personal data?
4.4 | | Have you identified all the points at which personal data is collected: websites, application forms (employment and other), emails, in-bound and out-bound telephone calls, CCTV, exchanges of business cards, attendance at events, etc.?
4.5 | | Do you have procedures for regularly reviewing the accuracy of personal data?
| | Do you have a system for Data Subjects to erase or amend their personal data in your custody?
4.6 | | Have you identified all the ways in which personal data is stored, including backups?
| | Have you evaluated points where data minimisation can be implemented in your data collection process?
| | Have you reviewed your forms and other data collection tools to comply with the NDPR?
4.7 | | Have you identified the purposes for processing personal data, for determining and authorising internal or external access and all disclosures of data?

4.8 | | Are your organisational procedures checked to ensure that you can preserve the rights of individuals under the NDPR?
4.9 | | Is there a clearly available mechanism (e.g. webpage, etc.) for data subjects that explains how to contact the organisation to pursue issues relating to personal data?
4.10 | | Are all staff trained to recognise and deal with subject access requests?
4.11 | | Have you identified
4.12 | | Do you have a procedure for dealing with subject access requests from third parties?
4.13 | | Has your organisation implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively?
| | Do you have mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms?
4.15 | | Have you trained all staff who deal with personal data about their responsibilities and data protection procedures?
| | Are these responsibilities written into job descriptions?
4.17 | | Have you contracted with any third-party data processors?
| | If so, are such contracts compliant with the requirements of the NDPR?
| | Have you agreed a schedule to review current contracts for compliance with the NDPR?
4.18 | | Do you transfer personal data to organisations in countries outside Nigeria?
| | If so, do you have in place appropriate contracts and methods of ensuring compliance?
4.19 | | Are the countries you transfer data to in the White List of countries with adequate data protection laws?
| | Where the countries are not in the White List, have you recorded the basis of transfer?
4.20 | | Do you have in place adequate information systems security (e.g. as specified in ISO/IEC 27001), and does it include physical, logical, technical and operational measures that ensure the security of processing of personal data?

ANNEXURE B

SAMPLE PRIVACY POLICY TEMPLATE FOR PUBLIC INSTITUTIONS

This Privacy Policy between the National Information Technology Development Agency (hereinafter referred to as NITDA) and you constitutes our commitment to your privacy on our website, social media platforms and premises.

1.0 Your Privacy Rights

This Privacy Policy describes your privacy rights regarding our collection, use, storage, sharing and protection of your personal information. It applies to the NITDA website and all applications, services, tools and physical contact with us, regardless of how you access or use them.

If you have been issued a username, identification code, password or any other piece of information as part of our access security measures, you must treat such information as confidential, and you must not disclose it to any third party. We reserve the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if in our opinion you have failed to comply with any of the provisions of these Conditions. If you know or suspect that anyone other than you knows your security details, you must promptly notify us at [email protected]

2.0 Consent

You accept this Privacy Policy when you give consent upon access to our platforms, or use our services, content, features, technologies or functions offered on our website or digital platforms, or visit any of our offices for official or non-official purposes (collectively "NITDA services"). This Policy governs the use of NITDA services and intervention projects by our users and stakeholders unless otherwise agreed through a written contract. We may amend this Privacy Policy at any time by posting a revised version on our website, or by placing such notice at conspicuous points at our office facilities. The revised version will be effective 7 days after posting.

3.0 Your Personal Information

When you use NITDA Services, we collect information sent to us by your computer, mobile phone or other electronic access device. The automatically collected information includes, but is not limited to, data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, standard web log data, and still and moving images.

We may also collect information you provide us, including but not limited to information on web forms, survey responses, account update information, email, phone number, the organization you represent, official position, correspondence with NITDA support services and telecommunication with NITDA. We also collect information about your transactions, enquiries and your activities on our platform or premises.

We may also use information provided by third parties such as social media sites. Information about you provided by other sites is not controlled by NITDA and we are therefore not liable for how they use it.

4.0 What we do with your personal information

The purpose of our collecting your personal information is to give you an efficient, enjoyable and secure customer experience. We may use your information to:

4.1 provide NITDA services and support;
4.2 process applications and send notices about your transactions to the requisite parties;
4.3 verify your identity;
4.4 resolve disputes, collect fees, and troubleshoot problems;
4.5 manage risk, or detect, prevent and/or remediate fraud or other potentially prohibited or illegal activities;
4.6 detect, prevent or remediate violations of laws, regulations, standards, guidelines and frameworks;
4.7 improve the NITDA Services by implementing aggregate customer preferences;
4.8 measure the performance of the NITDA Services and improve content, technology and layout;
4.9 trace information breaches and remediate those identified;
4.10 manage and protect our information technology and physical infrastructure; and
4.11 contact you at any time through your provided telephone number, email address or other contact details.

5.0 Cookies

Cookies are small files placed on your computer's hard drive that enable the website to identify your computer as you view different pages. Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. Like most interactive websites, our website uses cookies to enable the tracking of your activity for the duration of a session. Our website uses only encrypted session cookies, which are erased either after a predefined timeout period or once the user logs out of the platform and closes the browser. Session cookies do not collect information from the user's computer. They will typically store information in the form of a session identifier that does not personally identify the user.

6.0 How we protect your personal information

We store and process your personal information on our computers in Nigeria. Where we need to transfer your data to another country, such country must have an adequate data protection law. We will seek your consent where we need to send your data to a country without an adequate data protection law. We protect your information using physical, technical and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to our data centers, and information access authorization controls.

7.0 How we share your information within NITDA and with other users

During your interaction with our website or premises, we may provide other Ministries, Departments and Agencies (MDAs), other organs of government, and private sector operators performing government functions with information such as your name, contact details, or other details you provide to us, for the purpose of performing our statutory mandate to you or to third parties.

We work with third parties, especially government agencies, to perform NITDA's mandate and services. In doing so, a third party may share information about you with us, such as your email address or mobile phone number.

You accept that your pictures and testimonials about NITDA on all social media platforms can be used by us for limited promotional purposes. This does not include your trademark or copyrighted materials.

From time to time we may send you relevant information such as news items, enforcement notices, statutorily mandated notices and essential information to aid the performance of our mandate. We may also share your personal information in compliance with national or international laws, and with crime prevention and risk management agencies and service providers.

8.0 Security

We will always hold your information securely. To prevent unauthorized access to your information, we have implemented strong controls and security safeguards at the technical and operational levels. This site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to ensure secure transmission of your personal data. You should see the padlock symbol in your URL address bar once you are successfully logged into the platform. The URL address will also start with https://, depicting a secure webpage. SSL applies encryption between two points, such as your PC and the connecting server. Any data transmitted during the session will be encrypted before transmission and decrypted at the receiving end. This ensures that data cannot be read during transmission.

NITDA has also taken measures to comply with global Information Security Management Systems (ISMS) standards; we have therefore put in place digital and physical security measures to limit or eliminate the possibility of data privacy breach incidents.

9.0 Data Confidentiality Rights

Your information is regarded as confidential and will not be divulged to any third party except under legal and/or regulatory conditions. You have the right to request sight of, and copies of, any and all information we keep on you, provided such requests are made in compliance with the Freedom of Information Act and other relevant enactments. While NITDA is responsible for safeguarding the information entrusted to us, your role in fulfilling confidentiality duties includes, but is not limited to, adopting and enforcing appropriate security measures such as not sharing passwords and other platform login details, adhering to physical security protocols on our premises, and dealing only with authorized officers of the Agency.

10.0 Links to Other Websites and Premises

Certain transaction processing channels may require links to websites or organisations other than ours. Please note that NITDA is not responsible for, and has no control over, websites outside its domain. We do not monitor or review the content of other parties' websites which are linked from our website or media platforms. Opinions expressed or materials appearing on such websites are not necessarily shared or endorsed by us, and NITDA should not be regarded as the publisher of such opinions or materials. Please be aware that we are not responsible for the privacy practices or content of these sites. We encourage our users to be aware of when they leave our site and to read the privacy statements of these sites. You should evaluate the security and trustworthiness of any other site connected to this site or accessed through this site yourself, before disclosing any personal information to them. NITDA will not accept any responsibility for any loss or damage in whatever manner, howsoever caused, resulting from your disclosure of personal information to third parties.

11.0 Governing Law

This Privacy Policy is made pursuant to the Nigeria Data Protection Regulation (2019) or any other relevant Nigerian laws, regulations or international conventions applicable to Nigeria. Where any provision of this Policy is deemed inconsistent with a law, regulation or convention, such provision shall be subject to the overriding law, regulation or convention.

COUNTRIES WITH ADEQUATE DATA PROTECTION LAWS

SN | COUNTRY | SUMMARY OF LAW | REMARK
---|---------|----------------|-------
 | All EU Countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, United Kingdom | The GDPR principles apply and are adequate. | 
 | Angola | Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) and the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017). | The DPL establishes the Agência de Proteção de Dados (APD) as Angola's Data Protection Authority.
1 | Argentina | Personal Data Protection Law 2000 (Law No. 25,326) applies to any person or entity in the country that deals with personal data. | National Authority: Agency for Access to Public Information, established pursuant to Decree 746 of 2017.
2 | Australia | Federal Privacy Act 1988 is based on 13 APPs (Australian Privacy Principles) that cover transparency and anonymity; the collection, use and disclosure of data; maintaining the quality of data; and the data subject's rights. Australia has regional and sectoral privacy laws supplementing the FPA. | 
 | Brazil | General Data Protection Law 2018 (LGPD), very similar to the GDPR. Brazil also has snippets of privacy law in the Constitution and other statutes such as the Consumer Protection Code 1990, the Internet Act 2014, etc. | The amended LGPD created the National Data Protection Authority (ANPD). The law would take effect in August 2020.
 | Canada | The private sector is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) 2000, amended in 2008 to include mandatory data breach notification and record-keeping laws. The public sector is governed by the Privacy Act of 1983. | PIPEDA creates the Office of the Privacy Commissioner of Canada.
 | Cape Verde | Data Protection Law (Law 133/V/2001, as amended by Law 41/VIII/2013) and Law 132/V/2001 of 22 January 2001. | The national data protection authority in Cape Verde is the Comissão Nacional de Proteção de Dados Pessoais ('data protection authority').
 | China | Information Technology – Personal Information Security Specification is the latest law on privacy in China. It came into effect in May 2018. | The Cyberspace Administration of China (CAC) is the data protection authority in China.

DRAFT NATIONAL CLOUD COMPUTING IMPLEMENTATION STRATEGY

National Information Technology Development Agency

(NITDA)

2019

Table of Contents

CHAPTER ONE: INTRODUCTION............................................................................................................1

1.1 Background..................................................................................................................................1

1.2 The Cloud First Value Proposition................................................................................................1

1.3 National Strategic Intent for Cloud Adoption..............................................................................2

1.4 The Goal......................................................................................................................................2

1.5 Making Cloud Computing Deployment and Service Models Choices...........................................3

CHAPTER TWO:......................................................................................................................................8

STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS.....................................8

2.1 Procurement................................................................................................................................8

2.2 Data Classification.......................................................................................................................8

2.3 International Dimensions of Cloud Computing..........................................................................10

2.4 Service Level Agreement and Consumer Protection..................................................................10

2.4 Information Security..................................................................................................................10

2.5 Cloud Interoperability................................................................................................................11

2.7 Migration to The Cloud..............................................................................................................11

2.8 Workforce and Skills..................................................................................................................12

2.9 Vendor Lock-in & Data Withdrawal...........................................................................................12

2.10 Cloud Registration and Certification........................................................................................13

2.11 Cloud Audit and Reporting......................................................................................................13

CHAPTER THREE:.................................................................................................................................15

NIGERIA CLOUD COMPUTING GOVERNANCE......................................................................................15

3.1 National Cloud Governance.......................................................................................................15

3.2 Public Institution Cloud Computing Governance.......................................................................16

CHAPTER FOUR:...................................................................................................................................19

IMPLEMENTATION PLAN.....................................................................................................................19

CHAPTER FIVE:.....................................................................................................................................22

NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK...................22

5.1 Compliance Framework.............................................................................................................22

5.2 General Enforcement Process...................................................................................................24

Appendix.............................................................................................................................................26

Appendix A1.0: Rationale for “Cloud First” value proposition..........................................................26

Appendix A2.0: National Strategic Intent for Cloud Adoption.........................................................26

Appendix A3.0: Cloud Computing Areas of Interoperability Guide.................................................27

Appendix A4.0 : Cloud Computing migration steps and requirements............................................28

Appendix 5.0: Focus Areas of cloud computing capacity.................................................................32

Appendix 6.0: Focus areas of vendor lock-in avoidance guide........................................................32

Appendix 7.0: Focus areas of cloud computing certification criteria...............................................33

Appendix 8.0: CSPs Audit Report Metrics........................................................................................33

Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs.....34

Definitions.......................................................................................................................................37

Table 1.0: A Guide for Choosing Cloud Computing Service Model........................................................4

Table 2.0: Cloud Service Model and Delivery Model Matrix..................................................................6

Table 3.0: Template for calculating data security and sensitivity..........................................................9

Table 4.0: Strategy Implementation road map (Short-term)................................................................19

Table 5.0: Strategy Implementation road map (Medium-term)..........................................................19

Table 6.0: Strategy Implementation road map (Long-term)................................................................20

Table 7.0: Specialized Strategies.........................................................................................................21

Figure 1.0: Categories of Cloud Deployment Model...............................................................................3

Figure 2.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy...........4

Figure 3.0: Information security levels...................................................................................................9

Figure 4.0: National Cloud Computing Governance............................................................................16

Figure 5.0: Organisational Cloud Computing Governance Model........................................................18

Figure 6.0: Enforcement framework....................................................................................................23

Figure 7.0: Cloud Migration Decision framework.................................................................................29

CHAPTER ONE: INTRODUCTION

1.1 Background

The National Information Technology Development Agency has developed the Nigeria Cloud Computing Policy to address the challenges of acquiring and deploying computing resources in the most efficient manner in the public sector. The Nigeria Cloud Computing Policy constitutes a set of policy statements that articulate the government's strategic plan and direction for cloud computing adoption in the public sector and by Small and Medium Enterprises (SMEs) that provide ICT-enabled services to the Government. Implementing the Policy requires actions by various relevant stakeholders in the cloud computing space. The National Information Technology Development Agency (NITDA) develops this Cloud Computing Implementation Strategy as a guide for the Agency, Public Institutions (PIs), Small and Medium Enterprises (SMEs) and other relevant stakeholders to implement the Nigeria Cloud Computing Policy.

The strategy includes strategic initiatives critical to implementing all the statements issued in the Policy, as well as an implementation framework. The implementation framework comprises an implementation plan and a compliance and enforcement framework. The strategic initiatives and the provisions in the compliance and enforcement framework are informed by the challenges, the goal, the “Cloud First” value proposition and the expected outcomes of cloud adoption, as explained in the Nigeria Cloud Computing Policy.

1.2 The Cloud First Value Proposition

The country's socio-economic activities and businesses are increasingly dependent on Information and Communication Technology (ICT). The need to make these computing resources available and accessible is critical to the country's continuous growth and sustainable development. The country's Economic Recovery and Growth Plan (ERGP) recognizes information technologies as an enabler for promoting digital-led growth. Digital-led growth cannot happen unless the country has a policy direction suited to its own environment for supporting the government and SMEs to acquire and deploy computing resources in the most efficient manner.

The “Cloud First” value proposition is aimed at promoting cloud computing as a “first choice” consideration for acquiring and deploying computing resources by public institutions and SMEs that provide digital-enabled services to the government, except where the cause of deployment is related to national security concerns or cloud is not the best option politically and economically.

PIs and their IT/ICT departments/units should make themselves aware of the cloud capabilities and resources necessary to meet their business objectives and expectations as part of the adoption process. Therefore, the National Cloud Computing Policy recommends the concept of “Cloud First” for acquiring and deploying computing resources in the public sector and among SMEs that provide digital-enabled services to the government.

NOTE: There would be strong consideration for indigenous CSPs while implementing the Cloud First Value Proposition, except where cloud requirements or capabilities do not exist locally. At the same time, cloud service provision would be highly competitive.

The rationale for the Cloud First value proposition is based on the following:

1. Reduced Capital Cost;

2. Efficiency;

3. Digital Service Innovation;

4. Elasticity; and

5. Information Security.

See Appendix A1.0 for an explanation of the rationale for the Cloud First value proposition.

1.3 National Strategic Intent for Cloud Adoption

The strategic intent for cloud adoption is hinged on the following:

1. Responsive and efficient public service delivery;

2. Public sector digital transformation;

3. Local ICT industry development and growth, including SMEs;

4. Resources Savings; and

5. Opportunities to better manage human resources.

See Appendix 2.0 for an explanation of the national strategic intent for cloud adoption.

1.4 The Goal

The goal of this Policy is to ensure a 30% increase in adoption of cloud computing by 2024 among Federal public institutions (FPIs) and SMEs that provide digital-enabled services to the government. The Policy also targets 35% growth in cloud computing investments by 2024.

Specifically, the cloud computing policy is to achieve the following objectives by 2024:

1. an enabling environment for the private sector to increase cloud computing infrastructure investments by 35%;

2. clear direction and programs that ensure attainment of a 30% increase in cloud adoption and migration by the public sector and SMEs that provide services for the government; and

3. an enabling and competitive business environment for Nigerian cloud service providers (CSPs) and/or cloud service consulting (CSC) firms to operate efficiently and profitably in the cloud marketplace.

The cloud computing policy provides key facts that support the need for cloud adoption by PIs and those SMEs that provide IT-enabled services to the government. These facts are hinged on the need for efficiency and real-time access to computing resources required by the government to provide highly accessible and quality services to the populace.

1.5 Making Cloud Computing Deployment and Service Model Choices

The Cloud Computing Policy recognizes three internationally well-known cloud deployment models and three service models. Public Institutions and SMEs that are willing to adopt cloud computing would need to make strategic choices of deployment models and services that meet their business objectives and computing requirements. The following will help PIs and SMEs make these strategic decisions.

The Policy recognizes three deployment models, categorized as follows in Figure 1.0 based on the level of data sensitivity.

Level of Data Sensitivity and corresponding Deployment Model:

Hybrid Cloud: combination of sensitive and non-sensitive data, with a mix of mission critical and non-mission critical applications.

Public Cloud: public, non-sensitive or non-confidential data and non-mission critical applications.

Private Cloud: sensitive data (national information security data) and mission critical applications.

Figure 3.0: Categories of Cloud Deployment Model

The service models are described as presented in figure 2.0.

Figure 4.0: Cloud Computing Service Model as recognized by Nigeria Cloud Computing Policy.

Source: Ray Rafaels

Table 1.0 presents the risk and responsibility that PIs and SMEs must note before making a service model choice. It also prescribes the level of Information Technology (IT) expertise required to implement each service model and the category of PIs that should opt for it. In addition, it makes recommendations for PIs on the choice of a cloud service model based on the level of data generated (either sensitive or otherwise) and the level of their control over computing resources.

PIs are categorized into the following three levels of expertise:

1. High IT Expertise

2. High to Moderate IT Expertise

3. Less IT Expertise

Table 3.0: A Guide for Choosing Cloud Computing Service Model

Delivery Type: IaaS

Risk and responsibility: The cloud consumer builds the application without worrying about the infrastructure requirements. The security responsibility is equally divided between the cloud service provider and the cloud consumer. In this model, the risk is segregated and layered. It is also a shared risk model.

Prescription for PIs or SMEs:

Data: The IaaS option is suitable for PIs who generate sensitive data (especially citizens' data), or use or keep other PIs' data.

Control: No control over IT infrastructure (networking, servers, virtualization), but control over operating systems, storage and deployed applications. A bit of control over select networking components (e.g. host firewalls).

Level of IT Expertise: High

Delivery Type: PaaS

Risk and responsibility: The cloud consumer brings the application expertise along with licenses, data, and resources, and consumes the platform shell. This model is used by consumers who either lack infrastructure skills or want to save on high capital expenditure (capex). The security responsibility starts to tilt more towards the cloud provider. However, the service provider bears higher risk than the consumer, as the provider supports more layers. Similar to IaaS, this is a shared risk model.

Prescription for PIs or SMEs:

Data: The PaaS option is suitable for PIs who use or keep other PIs' data. They can also generate data (either sensitive or not), but not as much as in the case of IaaS. They build software applications in-house (either through their personnel or outsourced). Recommended for SMEs that build software applications for the government.

Control: PIs have control over the configurations of the application development and hosting environment and fair control over IT platforms. No control over IT infrastructure.

Level of IT Expertise: High to Moderate IT Expertise

Delivery Type: SaaS

Risk and responsibility: The cloud consumer does not have the necessary skills, time, or resources to set up an application ecosystem and manage it. No upfront capex requirement. The security responsibility is mostly with the cloud provider. The consumer is mainly responsible for securing the client side against vulnerabilities. The service provider bears most risk.

Prescription for PIs or SMEs:

Data: The SaaS option is suitable for PIs who do not frequently generate data (either sensitive or not) or use data generated by other PIs. They are more concerned about their operational efficiency. Recommended for SMEs that provide cloud service consulting and manage cloud applications for PIs.

Control: No control over IT infrastructure and platforms. Less control over the application.

Level of IT Expertise: Less IT expertise

The business objectives and computing availability requirements of PIs and SMEs are broadly categorized into Data Security and Service Availability. These are the major factors for choosing a deployment model and the corresponding service model. Table 1.0 presents the relationship between the models. It guides PIs and SMEs to make choices that meet their computing requirements based on data security and service availability.

Table 4.0: Cloud Service Model and Delivery Model Matrix

Delivery Model: Private

SaaS: Data security requirements by consumers are low, but a high level of service availability is expected from cloud providers. Vice versa between providers and consumers.

PaaS: Data security requirements by consumers are between high and moderate, with a high to moderate level of service availability expected from cloud providers. Vice versa between providers and consumers.

IaaS: Data security requirements by consumers are very high, and the level of service availability expected from cloud providers is high. Vice versa between providers and consumers.

Delivery Model: Public

SaaS: Data security requirements by consumers are low, and the level of service availability expected from cloud providers is between low and moderate. Vice versa between providers and consumers.

PaaS: Data security requirements by consumers are moderate to high, and the level of service availability expected from cloud providers is high to moderate. Vice versa between providers and consumers.

IaaS: Data security requirements by consumers are moderate, and the level of service availability expected from cloud providers is high. Vice versa between providers and consumers.

Delivery Model: Hybrid

SaaS: Data security requirements by consumers are between low and moderate, and the level of service availability expected from cloud providers is moderate to high.

PaaS: Data security requirements by consumers are high to moderate, and the level of service availability expected from cloud providers is moderate to high.

IaaS: Data security requirements by consumers are high to moderate, and the level of service availability expected from cloud providers is high.

CHAPTER TWO:

STRATEGIES FOR IMPLEMENTING CLOUD COMPUTING POLICY STATEMENTS

There are statements in the Cloud Computing Policy that require certain actions to be taken by NITDA, PIs, CSPs, and other relevant stakeholders. Implementation of these actions will lead to actualization of the Policy goal and objectives. The actions demand certain strategies for their implementation, and the strategies are further broken down into strategic initiatives.

Therefore, this chapter presents the critical statements/issues in the Nigeria Cloud Computing Policy and the implementation strategy (or strategies) for each statement. Strategic initiatives are proposed to implement each strategy. Each statement is presented as follows.

2.1 Procurement

Traditional purchasing practices and contract terms may hinder the scalable, cost-effective and innovative nature of cloud computing. Procurement is a central issue in the development of cloud computing. Nigerian procurement law supports a yearly procurement contract, whereas cloud service contracts are structured on a "pay as you go" basis. To ensure cloud adoption growth, this challenge must be addressed appropriately. The following strategies and their strategic initiatives will be adopted.

Strategy 1.0

Development of cloud procurement regulation.

Strategic Initiatives

The following strategic

1. BPP and NITDA, in consultation with relevant stakeholders, will develop Cloud Procurement Regulation.

2. BPP and NITDA will monitor and ensure compliance with the provisions of the regulation.

Strategy 2.0

Establishment of Digital Marketplace

Strategic Initiatives

1. Design and develop the Nigerian Cloud Digital Marketplace.

2. NITDA, in collaboration with relevant stakeholders, will set up the governance structure, business models and operational plan for the Nigerian Cloud Digital Marketplace.

2.2 Data Classification

PIs are going to have vastly different types of information, and the information will contain varying levels of sensitivity. The Nigeria Cloud Computing Policy proposed data classification as presented in Figure 2.0. A detailed explanation is available in the Policy.

Figure 5.0 Information security levels

For proper implementation of this data classification by PIs and by SMEs that provide services for government, the following strategy shall be taken into consideration.

Strategy 3.0

Development of a cloud data classification guide. This will assist cloud stakeholders to classify cloud data.

Strategic Initiatives

1. NITDA, in consultation with relevant stakeholders, will provide a data classification guide based on the data classification framework in the Policy and other parameters. The guide will be put on the Nigerian Cloud Digital Marketplace.


NOTE: Table 3.0 provides a template for cloud stakeholders to properly classify their cloud data.

Table 5.0: Template for calculating data security and sensitivity.

Classification Criteria | Min. - Max. Score | Max. Score
Critical National Data/Information (Including National Security Info) | =3 (Mandatory) | 3
Data containing Personally Identifiable Persons | =3 (Mandatory) | 3
High level = 3, Medium Level = 2 and Low Level = 1 | |
Transactional Data with certain level of Business/operational Information | Between 1 and 3 | 3
Limited = 1, Serious = 2 and Severe or Catastrophic = 3 | |
Confidentiality | Between 1 and 3 | 3
Integrity | Between 1 and 3 | 3
Availability | Between 1 and 3 | 3
Total Score | |

2.3 International Dimensions of Cloud Computing

Strategy 4.0

Development of balanced data localization and cross-border data flow guidelines

Strategic Initiatives

1. NITDA will develop cross-border data flow guidelines for efficiency purposes.

2. Provide a CSPs' identification framework based on the cross-border data flow guidelines.

2.4 Service Level Agreement and Consumer Protection

The quality and reliability of services become important as PIs and SMEs migrate to the cloud. It is important to ensure that the rights of consumers and service takers are protected in the cloud space.

Strategy 5.0

Develop an SLA Template for Cloud engagement

Strategic Initiatives

a. NITDA will collaborate with relevant cloud stakeholders to develop an SLA template for Cloud engagement.

b. NITDA will make the SLA template available on the digital marketplace.

Strategy 6.0

Stakeholders' collaboration for the protection of consumers' rights.

Strategic Initiatives

1. NITDA will engage and partner with the Federal Competition and Consumer Protection Commission (FCCPC) and other relevant stakeholders to ensure monitoring of, compliance with and enforcement of the consumer protection provisions in the Cloud Computing Policy.

2.4 Information Security

The goal of information security in the cloud environment is to protect the confidentiality, integrity and availability of government data. Therefore, in order to ensure information security, cloud service providers must put measures in place to ensure data confidentiality, integrity and availability.

Strategy 7.0

Development of National Cloud Computing Security Guidelines

Strategic Initiatives

1. NITDA, in collaboration with relevant stakeholders, will develop national cloud computing data security guidelines.

2.5 Cloud Interoperability

The Nigeria Cloud Policy will enable rapid adoption and growth of cloud computing. Many CSPs will operate in the space, and consumers of cloud services might want to port from one CSP to another. The following strategy will be adopted to manage interoperability requirements, in addition to adoption of the Nigeria e-Government Interoperability Framework (Ne-GIF) and ISO/IEC 17203:2011 as specified in the Nigeria Cloud Computing Policy.

Strategy 8.0

Development of Nigeria cloud interoperability guidelines

Strategic Initiatives

1. NITDA, in collaboration with relevant stakeholders, will develop Nigeria cloud interoperability guidelines. The guide will provide direction for cloud consumers to navigate cloud interoperability requirements. It will consider important areas of interoperability as prerequisite requirements for choosing a CSP and ensuring cloud interoperability.

See considerations for interoperability requirements in Appendix A3.0 as focus areas of the guidelines.

2. NITDA will make the Nigeria cloud interoperability requirements available on the digital marketplace.

2.7 Migration to The Cloud

Moving to the cloud requires an orchestrated migration plan to mitigate the risks involved. The following strategy will be implemented to ensure PIs and SMEs migrate to the cloud successfully.

Strategy 9.0

Develop cloud migration guide for PIs and SMEs

Strategic Initiatives

1. NITDA, in collaboration with relevant stakeholders, will develop a cloud migration guide. The guide will serve as a template to be followed by PIs and SMEs while migrating to the cloud. The cloud migration guide will consider important steps for cloud migration. In the meantime, consumers are advised to be guided by the following migration steps or requirements.

See considerations for Cloud Computing migration steps and requirements in Appendix A4.0 as focus areas of the guidelines.

2. NITDA will publish the cloud migration guide on the digital marketplace portal.

3. NITDA will monitor cloud migration through the IT project clearance committee and other monitoring mechanisms.

2.8 Workforce and Skills

Cloud adoption means a complete change in the way information technologies are acquired and deployed by PIs and SMEs. The change also cuts across organisation processes and people. The people are going to play a major role in the adoption process, and they are the main drivers. If people with the right skills are not involved in, or do not participate in, the cloud adoption process, the objectives of the exercise might be defeated. Effective cloud adoption by PIs will depend on developing talent and acquiring professional IT credentials. The strategy for building the right skills among the public sector workforce and SMEs is highlighted as follows.

Strategy 10.0

Facilitate the development of special skills for cloud computing in the public sector and among targeted SMEs.

Strategic Initiatives

1. Partnership with the private sector (training outfits) and development partners to build the cloud capacity of PI personnel and SMEs.

See Appendix 5.0 for focus areas of cloud computing capacity.

2. Partnership with strategic organisations (such as SMEDAN) to build cloud adoption skills and capacity for targeted SMEs.

2.9 Vendor Lock-in & Data Withdrawal

Circumstances might warrant PIs or SMEs migrating from one CSP to another, or using multiple CSPs to accomplish business objectives. Also, data sovereignty and localization regulation requirements might warrant that PIs and SMEs that provide services to the public sector move government data and their hosting platforms to the shores of the country at any time. Therefore, PIs and SMEs should avoid vendor lock-in and ensure that data withdrawal is possible any time it is mandatory. The following strategy will be adopted to avoid vendor lock-in and ensure data withdrawal is seamless.

Strategy 11.0

Develop vendor lock-in avoidance guide

Strategic Initiatives

1. NITDA will provide a cloud vendor lock-in avoidance guide.

See Appendix 6.0 on focus areas of the vendor lock-in avoidance guide.

2.10 Cloud Registration and Certification

To guarantee trust, build the confidence of cloud consumers and ensure there is sanity in the cloud computing space, NITDA will register and certify indigenous CSPs that have met certain standards. Certified Indigenous CSPs will be the beneficiaries of the "Nigeria Cloud First Policy". NITDA will adopt the following strategies to implement CSP registration and certification.

Strategy 12.0

Registration of Indigenous CSPs

Strategic Initiatives

1. NITDA will establish a registration process for CSPs.

2. Registration of Indigenous CSPs.

Strategy 13.0

Develop National Cloud Certification Criteria based on international standards and best practices

Strategic Initiatives

1. NITDA will develop National Cloud Certification Criteria.

See Appendix 7.0 for the focus areas of the certification criteria.

2. NITDA will publish the Cloud Certification Criteria on the Nigerian Cloud Digital Marketplace.

3. NITDA will certify Indigenous CSPs based on the Certification Criteria.

2.11 Cloud Audit and Reporting

The Nigeria Cloud Computing Policy requires a CSP to provide satisfactory audit reports or respond to audit requests by NITDA or other statutory bodies. The following strategies will be adopted to implement the cloud audit and reporting requirements.

Strategy 14.0

Establish cloud system audit and reporting process.

Strategic Initiatives

1. Audit and reporting process: NITDA will establish an audit and reporting process for Indigenous CSPs.

2. Annual voluntary report: NITDA shall request CSPs to provide a voluntary annual audit report.

See Appendix 8.0 for assessment metrics that would form part of the CSPs' reporting template.


CHAPTER THREE:

NIGERIA CLOUD COMPUTING GOVERNANCE

3.1 National Cloud Governance

In order to ensure coordination of cloud computing projects and procurement within and across PIs and SMEs that provide IT-enabled services to the government, it is important to institutionalize a governance structure that governs cloud implementation from planning and architecture to deployment, allows seamless switching from one CSP to another, and allows unclouding when the need arises, in a more sustainable manner. Cloud services need to be adopted as an integral part of the organization's existing operating model. The absence of a governance structure that establishes standards and provides clear direction and consistency in managing cloud services can undermine cloud benefits and create unforeseen risks (security, privacy and financial) and complexity, rather than interoperability and simplicity.

The proposed national cloud computing governance establishes the structure upon which the goal and objectives of the Nigeria Cloud Computing Policy would be achieved. It is a structure that governs the implementation of the strategic initiatives established by the "Cloud Computing Implementation Strategy". Figure 4.0 presents the proposed national cloud computing governance at the Federal level.

Figure 6.0: National Cloud Computing Governance

(Text recovered from the figure, listed from the top of the structure down.)

Presidency: Promoting National Vision for Cloud Computing (Leadership)

FMC: Supervising policy implementation and promoting investment

Budget & National Planning: Putting cloud computing as part of the National IT deployment plan

NITDA: Coordinating implementation across FPIs; clearing cloud projects by FPIs; regulating the cloud computing space; facilitating strategic partnerships and investments; and carrying out cloud computing assessment

Federal Competition and Consumer Protection Commission (FCCPC): Promote a competitive cloud market and consumer protection

Bureau of Public Procurement (BPP): Provide cloud procurement regulation with support for cloud purchasing models

FPIs and SMEs: Implement cloud computing projects

CSPs: Providing cloud services to FPIs & SMEs

3.2 Public Institution Cloud Computing Governance

Aside from the national governance, each FPI or SME that provides IT-enabled services to the government is expected to develop its cloud governance structure internally, in order to ensure IT acquisition and deployment aligns with the national goal and its business objectives.

Adopting cloud creates a shift in the responsibilities of IT/ICT departments: a shift from technical operation to contract negotiation, establishing key performance indicators and vendor management. This shift in responsibilities contributes to the IT department's changing role from operators of technology to governors of systems and processes, and it requires establishing a cloud governance model that everyone must follow.

A cloud governance model will enable IT and the business to collaborate in defining the right strategy for configuration, migration, management and disposition of cloud services. It defines roles and responsibilities and holds PIs to account for IT investment decisions and resource management for cloud computing adoption. Cloud governance will manage the unnecessary complexity and cost increases that can arise from uncoordinated procurement of cloud services.

However, IT personnel will need to acquire new skills as they transition from operators and tacticians to vendor managers and governors. These skills, as itemized in the section on workforce and skills, include understanding not only contractual obligations and service management, but also new and emerging technologies and processes that may help to better manage cloud services.

The governance structure in each PI and SME will need to span the three pillars of people, process and technology, and encompass the entire cloud life cycle, from identification and configuration to migration, management and decommissioning.


NOTE: PIs and SMEs are advised to follow and be guided by this governance model while deploying and migrating to the Cloud. The whole cloud life cycle should be planned and governed by the cloud governance domain, keeping in mind people, process and technology.

Figure 7.0: Organisational Cloud Computing Governance Model

See Appendix 9.0 for the explanation of the cloud computing governance model for PIs and SMEs.


CHAPTER FOUR:

IMPLEMENTATION PLAN

The first implementation road map to achieve the goal of the Nigeria Cloud Computing Policy spans a period of five (5) years (between 2019 and 2024) and is divided into short, medium and long term respectively, as presented in Tables 4.0, 5.0 and 6.0.

Table 6.0: Strategy Implementation road map (Short-term)

S/n | Strategy | Strategic Initiatives | Major Action by | Implementation Timeline (2019-2021)
1.0 | Strategy 1.0: Development of cloud procurement regulation. | 1. BPP and NITDA, in consultation with relevant stakeholders, will develop Cloud Procurement Regulation. 2. BPP and NITDA will monitor and ensure compliance with the provisions of the regulation. | BPP & NITDA | 2019
2.0 | Strategy 3.0: Development of a data classification guide | 1. Provision of data classification guide based on the data classification framework in the Policy and other parameters. | NITDA | 2019
3.0 | Strategy 4.0: Development of balanced data localization and cross-border data flow guidelines | 1. NITDA will develop cross-border data flow guidelines. 2. Provide CSPs' identification framework based on cross-border data flow guidelines. | NITDA | 2019
4.0 | Strategy 5.0: Develop an SLA Template for Cloud engagement | 1. Development of SLA template for Cloud engagement. | NITDA | 2019-2021
5.0 | Strategy 7.0: Development of National Cloud Computing Security Guidelines | 1. Development of national cloud computing data security guidelines. | NITDA & ONSA | 2020-2021
6.0 | Strategy 9.0: Develop cloud migration guide for PIs and SMEs | 1. Development of cloud migration guide. | NITDA | 2020
7.0 | Strategy 12.0: Registration of Indigenous CSPs | 1. Establishment of registration process. 2. Registration of Indigenous CSPs. | NITDA | 2020-2021
8.0 | Strategy 13.0: Develop National Cloud Certification Criteria based on international standards and best practices | 1. Development of National Certification Criteria. 2. Certification of Indigenous CSPs. | NITDA | 2021

Table 7.0: Strategy Implementation road map (Medium-term)

S/n | Strategy | Strategic Initiatives | Major Action by | Implementation Timeline (2022-2023)
1.0 | Strategy 11.0: Develop vendor lock-in avoidance guide | 1. Development of vendor lock-in avoidance guide. | NITDA |
2.0 | Strategy 2.0: Establishment of Digital Marketplace | 1. Design and development of Nigerian Cloud Digital Marketplace. 2. Setting up of governance structure, business models and operational plan for Nigerian Cloud Digital Marketplace. 3. Publication of cloud migration guide on Nigerian digital marketplace portal. 4. Publication of Cloud Certification Criteria on Nigeria Cloud Digital Marketplace. 5. Publication of cloud SLA on Nigeria Cloud Digital Marketplace. | NITDA | 2022
3.0 | Strategy 14.0: Establish cloud system audit and reporting process. | 1. Establishment of audit and reporting process for Indigenous CSPs. 2. Request for CSPs' annual voluntary report. | NITDA | 2022-2023
4.0 | Strategy 10.0: Facilitate the development of special skills for cloud computing in the public sector and among targeted SMEs | 1. Partnership with private sector (training outfits) and development partners to build cloud capacity of PI personnel and SMEs. 2. Partnership with strategic organisations (such as SMEDAN) to build cloud adoption skills and capacity for targeted SMEs. | NITDA & CSPs; NITDA & SMEDAN | 2022-2023


Table 8.0: Strategy Implementation road map (Long-term)

S/n | Strategy | Strategic Initiatives | Responsibility | Implementation Timeline (2024)
1.0 | Strategy 8.0: Development of Nigeria cloud interoperability requirements | 1. Develop Cloud interoperability guidelines. 2. Publish the cloud interoperability requirements on digital marketplace. | NITDA | 2023
2.0 | Strategy 6.0: Stakeholders' collaboration for the protection of consumers' rights. | 1. Monitoring, compliance and enforcement with the provisions of consumer protection in the Policy. | NITDA & FCCPC | 2020-2024
3.0 | Strategy 9.0: Develop cloud migration guide for PIs and SMEs | 1. Monitoring of cloud migration by PIs through NITDA's IT clearance committee. | NITDA | 2019-2024

Table 9.0: Specialized Strategies

S/n | Strategy | Strategic Initiatives | Responsibility | Implementation Timeline (2019-2024)
1.0 | Cloud Computing Readiness Assessment | 1. Conduct cloud computing readiness assessment across all sectors of the economy. | NITDA | 2019-2020
2.0 | Promotion of Cloud Migration | 1. Monitor and enforce compliance with the Cloud First value proposition by FPIs and SMEs. 2. Extension of cloud computing adoption programs to sub-national PIs. 3. Provision of cloud migration technical assistance to FPIs through NITDA IT clearance committee. | NITDA | 2019-2024
3.0 | Cloud Computing Code of Conduct | 1. Development of Indigenous Cloud Computing Code of Conduct. | CSPs & NITDA | 2022-2024
4.0 | Promotion of Investment in Cloud Computing Systems in Nigeria | 1. Provision of incentives to Indigenous CSPs. 2. Encouragement and creation of an enabling environment for Cloud Computing investments. | NITDA, CSPs, BPP | 2020-2024
5.0 | Monitor, Comply and Enforce | 1. Continuous monitoring, compliance and enforcement of the provisions of the Nigeria Cloud Computing Policy and compliance framework. | NITDA, BPP & FCCPC | 2019-2024


CHAPTER FIVE:

NIGERIA CLOUD COMPUTING POLICY COMPLIANCE AND ENFORCEMENT FRAMEWORK

5.1 Compliance Framework

The Nigeria Cloud Computing Policy states the following:

1. The CSP shall maintain the utmost integrity to protect the data and meet the security requirements set forth by NITDA; and

2. Data shall not be stored, shared, processed, or modified by the CSP in any way that compromises the integrity of the data.

Therefore, NITDA shall ensure compliance with and enforce the above statements through the following compliance and enforcement framework.

1. NITDA shall identify and register all CSPs operating in Nigeria through a registration process and guidelines.

2. NITDA shall certify CSPs operating in Nigeria based on the NITDA Cloud Certification Criteria to be provided on the Nigerian Cloud Digital Marketplace.

3. NITDA will develop and maintain a database of all CSPs and their services on the digital marketplace platform.

4. CSPs shall be required to submit a report to NITDA annually or as it may be requested.

5. Where applicable, PIs and SMEs shall ensure compliance with the provisions of the Cloud Computing Policy and/or compliance framework.

6. NITDA shall, in the next 3 years, ensure implementation of the strategies and strategic initiatives in this document.

7. NITDA shall employ the following compliance tools:

Self-Reporting: NITDA will provide templates and a technology platform for self-reporting or filings by CSPs.

In the absence of a technology platform, CSPs or any other entity shall submit a physical copy of the report to NITDA in the following manner:

I. The report shall be addressed to the Director General of NITDA.

II. The Director General shall direct the department responsible for regulation, monitoring and enforcement to handle the report.

III. The report shall clearly specify the following:

a. The full name of the entity;

b. Title of the report.

A soft copy of the report, as indicated above, can be submitted to NITDA's official email:

[email protected]

Verification: Where necessary, NITDA shall verify audit information submitted by CSPs and PIs to ensure its accuracy, veracity and validity.

Monitoring: NITDA shall institute systematic, continual or periodic, active or passive observation of CSPs' and PIs' cloud systems to ensure compliance with the general rules and processes laid down.

Audit: Where necessary, NITDA shall investigate or examine the records, processes and procedures of CSPs and PIs to ensure they are in compliance with the requirements of the policy and/or compliance framework. This will be based on NITDA's established cloud system audit and reporting process.

8. If there is any breach of the provisions of the policy and compliance framework, NITDA shall enforce it through the following enforcement process or framework:

Figure 8.0: Enforcement framework

Surveillance: Where necessary, NITDA shall institute a specific and deliberate monitoring exercise to identify breaches of the policy and/or compliance framework.


Complaint Filing: Where necessary, NITDA may accept the filing of complaints by NITDA's personnel or any interested parties about non-compliance with the provisions of the Policy and/or compliance framework. The complaints must meet the following requirements:

I. A complaint must be filed in writing, either on paper or electronically.

II. A complaint must name the person or entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable provision(s) of the policy and framework.

Investigation: NITDA will investigate any complaint filed against a CSP or PI when a preliminary review of the facts indicates a possible violation of the provision(s) of the cloud policy and/or compliance framework. In the case of third-party filing, NITDA shall investigate any complaint filed by third parties and may also do so based on a special audit or "spot check".

Administrative Sanctions: Where NITDA has ascertained that a CSP is in breach of any of the provisions of the cloud policy and compliance framework, NITDA may issue an order for compliance. NITDA may also issue other administrative orders, including:

I. Suspension of service pending further investigations;

II. Order for the CSP in breach to appear before a panel to determine the level of liability;

III. Issue a public notice to warn the public to desist from patronizing or doing business with the CSP; and

IV. Refer the CSP in breach to another Self-Regulatory Organization (SRO) for appropriate sanctions.

Criminal Sanction: Where NITDA has determined that a CSP is in breach of the cloud policy and compliance framework, it may seek to sanction officers of the organization as provided for in Section 17(x) of the NITDA Act 2007. NITDA shall seek a fiat of the Honorable Attorney General of the Federation (HAGF) or may file a petition with any sanction authority in Nigeria. This may include the Economic and Financial Crimes Commission (EFCC), the Department of State Security (DSS), the Nigerian Police Force (NPF), the Independent Corrupt Practices Commission (ICPC) or the Office of the National Security Adviser (ONSA), among others.

5.2 General Enforcement Process

Table 10.0: Cloud Computing General Enforcement


S/n | Enforcement Activity | Description of Action

1. Documentation of Breach

a. At this stage it is required that a report, memo, petition or complaint is officially submitted to NITDA through the office of the Director General of NITDA.

b. The document must be duly signed by an Officer of NITDA or the external complainant.

c. For an external complaint, the document must be written and signed by an individual, either in personal capacity or as a group (of persons or companies), or by a registered entity (registered with the CAC).

2. Request for Additional Information and Investigation

If it appears NITDA is not sufficiently briefed or may need further information to arrive at a conclusion of breach of the policy and/or compliance framework, the following procedure should be employed:

a. A "Request for Additional Information" should be issued to either the complainant, the alleged violator or any other party who may be in a position to provide clarity on the facts of the allegation of breach.

b. Invite relevant parties to an "Investigation Meeting" to elicit facts to establish breach.

c. Request for investigation in partnership with law enforcement agencies.

3. Continuation or Termination of Enforcement Process

Where NITDA is satisfied that there is prima facie evidence of a breach, NITDA can:

a. Request a response from the violator stating the allegations against them;

b. In the event NITDA finds the explanations of the alleged violator coherent and sufficient, NITDA will respond to the allegation and enforcement will be terminated.

4. Notice of Enforcement

Where NITDA is satisfied that a breach of the Cloud Computing Policy and/or compliance framework has occurred:

a. NITDA will then issue a "Notice for Enforcement" citing the specific breach and demanding mandatory compliance within a specific time frame from the date of service of the notice (30 days or 60 days as the case of breach may demand).

b. NITDA may issue an administrative fine or penalty in line with extant regulation.

5. Issuance of Public Notice (OPTIONAL)

NITDA may consider issuing a public statement warning the public and other agencies of Government of the dangers of dealing with a violator who has breached the provision(s) of the Cloud Computing Policy and/or compliance framework.

6. Request for Sanction

a. Where a violator does not take steps to address the breach, or consult with NITDA as to what steps are to be taken to remedy the breach, after the period stated in the "Notice for Enforcement"; or

b. Where the Regulation only provides for sanction of the violator in accordance with Section 17(x) of the NITDA Act;

c. NITDA may file an official Petition or Notice for Sanction to the Office of the Attorney General of the Federation, stating the following:

i. Original complaint;

ii. Enforcement process initiated by NITDA; and

iii. Implication of the action of the violator for the development of ICT in Nigeria.

iv. A copy of the notice should be copied to the Presidency and the Office of the Secretary to the Government of the Federation (OSGF).

9. NITDA shall ensure PIs and SMEs put an appropriate governance structure in place for Cloud project implementation.


Appendix

Appendix A1.0: Rationale for "Cloud First" value proposition

1. Reduced Capital Cost: The reduction in capital cost can be achieved through the initial cost of acquiring and deploying IT infrastructure and other computing resources, hiring of technical personnel, maintaining and managing resources, as well as taking advantage of the economies of scale offered by the Cloud;

2. Efficiency: Efficiency is realized through real-time and on-demand self-provisioning of computing resources. Cloud computing offers public institutions and SMEs the agility needed for responsive digital service delivery. NITDA has noticed the epileptic nature of digital service delivery in the country with respect to certain critical government services. Once traffic reaches its peak for a particular digital service, citizens/government customers begin to experience delay in getting the service. This would be greatly eradicated through strategic adoption of cloud computing;

3. Digital Service Innovation: Digital service innovation will be highly promoted through adoption of cloud because of the edge gained as a result of cloud efficiency;

4. Elasticity: The Cloud has the ability to provide customized computing services as needed. Computing service can be shrunk or grown based on demand. This will help public institutions and SMEs pay as they use, thus reducing waste of computing resources.

5. Information Security: Due to the security requirements to protect the data of businesses and certain government operations, Cloud Service Providers (CSPs) are deploying the latest security measures and controls on the cloud. CSPs have the capability to offer better security and to implement Business Continuity Plans better than individual organisations with server rooms and data centers.


Appendix A2.0: National Strategic Intent for Cloud Adoption

1. Responsive and efficient public service delivery and public sector digital transformation: Government agencies will leverage cloud to provide responsive and efficient public service in a transparent manner. This includes the ability to provide better healthcare, social amenities, justice, public safety, and education services, among others.

2. Local ICT industry development and growth, including SMEs: Cloud technologies will create a competitive advantage in favour of small to medium enterprises (SMEs) that provide computing services to the Government. By adopting cloud technology, SMEs hold immense potential for generating employment opportunities, development of indigenous technology, diversification of the economy and forward-integration with established sectors such as banking, telecommunications, oil and gas, among others.

3. Resource Savings: Migrating to the cloud can help streamline processes in many public institutions in Nigeria. Systems are too dispersed among organisations, creating inherent inefficiencies in the national public IT architecture. Instead of consolidating these services under a central government platform, which may be too rigid to meet the needs of individual organisations' applications, contracting cloud services can both drive efficiencies and enhance the customisation of IT service solutions. Also, cost savings will be expressed through:

4. Opportunities to better manage human resources: Qualified IT professionals are a scarce resource in Nigeria and around the world. Using those resources to handle routine issues like server maintenance, patching, and other low-level support activities is wasteful of their training, experience, and talent. By moving these process-oriented tasks to cloud service providers, public institutions can invest in their human resources to re-train them for value-adding skills and activities, such as customised application development and innovative services.

Appendix A3.0: Cloud Computing Areas of Interoperability Guide

Consumers and CSPs should be aware of the following areas of interoperability.

I. Data Portability;
II. Application Portability;
III. Platform Portability;
IV. Application Interoperability;
V. Platform Interoperability;
VI. Management Interoperability; and
VII. Publication & Acquisition Interoperability.

In addition, the guide will also consider the following as prerequisite requirements for choosing a CSP:

I. Standard user interfaces, APIs, protocols and data formats for SaaS;
II. Open cloud technologies for platform and application dependencies for PaaS;
III. Standard or widely accepted application packaging formats such as Open Virtualization Format (OVF), Cloud Data Management Interface (CDMI) and Docker for IaaS. Also, open and/or standard business interfaces and APIs will be considered;
IV. The use of standard enterprise integration tools such as a Cloud Management Platform (CMP) to manage integration, interoperability and portability between multiple cloud and on-premise services;
V. Support for standard security technologies;
VI. Service-oriented architecture (SOA) design principles; and
VII. Standard enterprise access management capabilities.

Appendix A4.0: Cloud Computing migration steps and requirements

These steps or requirements are going to form part of the cloud migration guide:

Identification of what cloud services (SaaS, PaaS, and/or IaaS) and data will be provided, and establishment of where the services will be provided.

I. Establishment of where the migration will occur.
a. In-house data center (on premise) – owned and operated by the organization.
b. External data center (off premise) – outsourced to a commercial cloud service provider.

II. Definition of what cloud deployment model will be used:
a. Public cloud – available for use by the general public and located on the premises of the cloud service provider.
b. Private cloud – the cloud infrastructure is dedicated to a specific organization or community of customers. The community might be a community of organizations that share common concerns (e.g., missions, security, policy, compliance guidelines, etc.). It may be located on the premises of the customer or of the cloud service provider.
c. Hybrid cloud – a combination of two or more of the above cloud deployment models – public, community, or private.

III. Development of the migration/implementation approach
a. Conduct a Proof of Concept and define a set of requirements for implementation.
b. Implement in full or in phases. That is, implement all requirements at once or in incremental phases, based on a cost vs. benefits vs. risk analysis to define the implementation strategy. It is recommended that a phased approach is used.
c. Phasing strategies may include the following:
i. Implement a set of requirements based on priorities that have an immediate operational impact and are achievable in the specified time.
ii. Migrate low-risk capabilities first to learn lessons and refine plans for future increments.
iii. Implement requirements in an evolutionary manner in which solutions are implemented, evaluated, and improved on incrementally.

IV. Identify the framework to be used for the migration. The migration framework in the Nigeria Cloud Computing Policy is recommended.

Figure 9.0: Cloud Migration Decision framework

V. Risk management/mitigation.
a. Identify actual and possible implementation risks that may adversely impact (or are impacting) implementation, and lay out a mitigation strategy for them.
b. Consider risks at the cloud provider's and cloud customer's locations as well as the transport (communications) network connecting them. Also, consider risks in integrating new cloud technology with legacy systems, networks, infrastructure, processes, etc.
c. Categorize risks by impact and likelihood to ensure that risks are addressed by priority.
d. Identify operational risks that may adversely impact the capability once it is operational. These risks may be due to natural, technological, or human causes, and may be universal or geographically dependent.
e. Risk Mitigation.
i. Develop risk mitigation strategies for both implementation and operational risks.
ii. Determine testing requirements to ensure the new capabilities are operating as planned/needed.
f. Determine the need for availability and reliability standards, which drive the following considerations to minimize risks and provide resiliency (the ability to recover from issues):
i. Need for redundancy of equipment and/or communications paths (networks).
ii. A continuity of operations plan (COOP) or disaster recovery (DR) plan, and possibly an alternative site in case of long-term or catastrophic failure.
g. Track these risks in a documented Risk Registry that identifies the risks, priorities, mitigation strategies, responsibilities, dates for resolution, level of risk, and status.
h. Consider a fallback plan to restore services to their original state in case of implementation failure.

VI. Involve experts (acquisition and contract officers) early to help define the acquisition and contract strategy.
a. Determine requirements for acquiring, upgrading, replacing, or eliminating equipment, software, communications infrastructure, etc. A gap/redundancy analysis can help with this.
b. Leverage open, vendor-neutral standards to provide open competition and avoid becoming locked in to a specific vendor.


VII. Establish an approach to performance management/measurement
a. Define the expected/required Quality of Service (QoS) metrics in the form of:
i. A description of the expectations for how services will be delivered to the customer (e.g., reliability, availability, and maintainability requirements; incident response times; etc.), as itemized in the SLA template.
ii. Operating Level Agreements (OLAs) describing the expectations for how the service delivery organization will work with supporting organizations.
b. Identify:
i. Specific performance metrics to be captured.
ii. Minimum acceptable threshold values and the target values.
iii. How they will be captured (i.e., the tools to capture them, and how the tools will need to be configured).
iv. How and when they will be reported.
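As an added illustration of step VII (and of the "Compliance with SLA" audit metric in Appendix 8.0), not part of the NITDA framework or its migration guide, the following Python derives QoS metric values from constructed monthly incident evidence and classifies each against an assumed SLA template with minimum and target values; the metric names, thresholds and incident figures are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class QosMetric:
    """One row of the SLA template: the metric, its minimum acceptable value
    and its target value (step VII.b.ii)."""
    name: str
    minimum: float
    target: float
    unit: str
    higher_is_better: bool = True  # False for time-based metrics (lower is better)


# Assumed SLA template. Names and thresholds are constructed for this
# illustration, not figures taken from the NITDA framework.
SLA_TEMPLATE = (
    QosMetric("availability", minimum=99.5, target=99.9, unit="%"),
    QosMetric("incident_response_time", minimum=60.0, target=30.0,
              unit="min", higher_is_better=False),
    QosMetric("mean_time_to_restore", minimum=240.0, target=120.0,
              unit="min", higher_is_better=False),
)

# Constructed raw evidence for one 30-day month, in the shape a monitoring
# tool might export: (minutes until the CSP acknowledged the incident,
# minutes of service outage it caused). The third incident caused no outage.
SAMPLE_INCIDENTS = [(12, 25), (45, 90), (20, 0)]
MINUTES_IN_MONTH = 30 * 24 * 60


def capture_metrics(incidents, minutes_in_period):
    """Derive the metric values from the incident evidence (step VII.b.iii).

    Availability is the share of the period without outage; response time is
    the worst acknowledgement delay, since a single slow response is what
    breaches an SLA; time to restore is averaged over outage-causing incidents.
    """
    downtime = sum(outage for _, outage in incidents)
    outages = [outage for _, outage in incidents if outage > 0]
    return {
        "availability": 100.0 * (minutes_in_period - downtime) / minutes_in_period,
        "incident_response_time": max((ack for ack, _ in incidents), default=0.0),
        "mean_time_to_restore": mean(outages) if outages else 0.0,
    }


def classify(metric, value):
    """Return 'target' (meets target), 'minimum' (acceptable but below target)
    or 'breach' (worse than the minimum acceptable threshold)."""
    if metric.higher_is_better:
        if value >= metric.target:
            return "target"
        return "minimum" if value >= metric.minimum else "breach"
    if value <= metric.target:
        return "target"
    return "minimum" if value <= metric.minimum else "breach"


def evaluate(template, values):
    """Map each metric name to (rounded value, status)."""
    return {m.name: (round(values[m.name], 3), classify(m, values[m.name]))
            for m in template}


def report(template, values):
    """Render the periodic report (step VII.b.iv); 'breach' rows are the
    evidence an SLA-compliance audit (Appendix 8.0, IV.b) would ask for."""
    results = evaluate(template, values)
    lines = []
    for m in template:
        value, status = results[m.name]
        lines.append(f"{m.name:<24}{value:>10}{m.unit:<4}"
                     f"min={m.minimum} target={m.target} -> {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SLA_TEMPLATE, capture_metrics(SAMPLE_INCIDENTS, MINUTES_IN_MONTH)))
```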

VIII. Plan for and acquire the necessary financial and staffing resources to cover the initial acquisition and implementation costs as well as life cycle sustaining costs.
a. Identify the estimated funding required to cover:
i. Acquisition costs:
- Data center hardware (infrastructure, storage, services, etc.).
- Software (applications, licensing, etc.).
- Networking hardware (routers, switches, etc.).
- Transport costs.
- Support costs (logistics, training, manpower/personnel).
ii. Contract costs.
iii. Life cycle operations and sustainment costs:
- O&M costs.
- Manpower/personnel.
- Logistics.
- Training.
- Software acquisition or licensing fees.
- Life cycle replacement.
- Facility requirements (e.g., power, air conditioning, cabling, floor space).
b. Identify new or changed staffing requirements to support the migration and follow-on O&M. This should address both numbers and skill sets.
c. Ensure the necessary funding and staffing are available in time. The cloud migration budget should be submitted as early as possible to mitigate funding risk.

IX. Identify activities required to transition from the current "As Is" to the new "To Be" cloud environment.
a. Establish a mechanism to identify and track completion of transition activities.
b. Review/update the relevant processes and governance.
c. Establish training requirements for new technologies, tools, processes, governance, etc.
d. Establish/update staffing requirements if there are any changes.
e. Prepare facilities for new equipment or staff, and ensure the facilities can handle any changes that impact the physical structure (e.g., power, air conditioning, cabling, etc.).
f. Over-communicate transition events with supported and supporting organizations.
g. At the time of transition, arrange for turnover of key materials such as passwords.

X. Identify and plan for security and privacy related activities
a. Define and implement appropriate security controls at both the cloud provider and cloud consumer locations.
b. Identify cloud security standards, frameworks, and security/privacy best practices, such as those developed by the Cloud Security Alliance.
c. Ensure certification, accreditation, or other operating authorization actions are planned and scheduled, and the necessary authorizations to migrate and operate are in place on time.

Appendix 5.0: Focus Areas of cloud computing capacity

I. In-house cloud set-up: The following areas of skills and competencies, among others, are needed for PIs' personnel that are to build internal cloud competencies:
a. Concept of Virtualization
b. Cloud configuration and Management
c. Cloud Migration planning & implementation
d. Cloud Deployment within Multi-Cloud Environments
e. Cloud Security
f. Database Skills
g. Programming Skills
h. Linux Skills
i. DevOps
j. Quality Assurance
k. Information Security

II. Outsourced Cloud Service:
a. Cloud deployment and service delivery models: Decision on Public, Private and Hybrid deployment models as well as IaaS, PaaS and SaaS service delivery models.
b. Business and financial skills
c. Enterprise Architecture and Business Needs Analysis
d. Serverless Architecture
e. Cloud Migration planning & implementation
f. Project Management
g. Contract and Vendor Negotiation
h. Security and compliance
i. Data Integration and Analysis

Appendix 6.0: Focus areas of vendor lock-in avoidance guide

The guide shall take into consideration the following:

I. Identify primary Cloud Vendor lock-in Risks
a. Data transfer risk
b. Application transfer risk
c. Infrastructure transfer risk
d. Human resource knowledge risk

II. Criteria for choosing a CSP. The criteria should include the following:
a. Service Dependencies and Partnerships
b. Contracts, Commercials and SLAs
c. Reliability and Performance
d. Security and Compliance
e. Infrastructure Management
f. Migration Support, Vendor Lock-in and Exit Planning
g. Certification and Standards (standard interfaces and APIs)
h. Technologies and Service Roadmap

Appendix 7.0: Focus areas of cloud computing certification criteria

I. A set of requirements for virtualization, cloud architecture, operations, performance, security, interoperability, data privacy, data portability, regulatory compliance and governance, considering contents and recommendations from:
a. International cloud certification bodies (such as the Cloud Security Alliance, the Computing Technology Industry Association and EuroCloud Star Audit, among others) suitable for CSPs operating IaaS, PaaS and/or SaaS cloud service models, and also in the areas of cloud security issues.
b. Industry standard cloud certifications such as the Certificate of Cloud Security Knowledge, ISO/IEC 27001:2013, the code of practice for cloud privacy ISO/IEC 27018, Cloud Certified Professional and CompTIA Cloud Essentials, among others;
c. Others include the Cloud Industry Forum (CIF) Code of Practice and "Controls and Assurance in the Cloud: Using COBIT 5".

Appendix 8.0: CSPs Audit Report Metrics

Evidence of the following assessment metrics will be required and will form a template for the CSP audit report:

I. Security of Cloud Resources
a. Physical Security
b. Hosting & Data Logic Security
c. Authentication & Authorization
d. Cloud users' access approval processes
e. Review processes for super and regular users' access and authorization to cloud applications
f. Network connections & Data Transmission

II. Data protection policies, procedures and practices at both Cloud Service Providers and user organizations.
a. Type and sensitivity of data sent to and potentially stored in the cloud
b. Compliance with data protection requirements (in line with the Nigeria Data Protection Regulation - NDPR)
c. Evidence of compliance with internationally recognized cloud best practices
d. CSP's policies and procedures to protect stored data
e. CSP's evidence of international Cloud certification
f. Level of access (create/read/update/delete) that the CSP's personnel have to the data, particularly to sensitive information and to other cloud-installed and configured infrastructure, platforms and applications.

III. Risks related to the use of virtual operating systems in a multi-tenant cloud.
a. Risks associated with virtualization and the multi-tenant environment, especially the patch status and the process for monitoring and patching of known vulnerabilities in hypervisor technology
b. Assessment of multi-CSP collaboration
c. Protection of logs.

IV. Procedures related to incident management, problem management, change and access management in the context of the use of Cloud services.
a. Operational process documentation: policy, procedures, roles and responsibilities.
b. Compliance with Service Level Agreement (SLA).
c. Appropriate use of monitoring tools and reports.
d. Compliance with business continuity plan

V. Compliance with national regulatory requirements.
a. Compliance with the country's regulatory requirements such as the Nigeria Data Protection Regulation (NDPR) and the National Cybersecurity Policy (NCPS)

Appendix 9.0: Explanation of proposed cloud computing governance model for PIs and SMEs

Identification: The identification cycle is a preparatory stage where the computing resources (network, servers, operating systems, storage, database, programming language, applications, services etc.) to be procured, acquired and deployed are planned, analysed and documented.

Configuration: The configuration stage involves selecting and configuring the computing resources in alignment with the organization's business objectives for cloud adoption, both on-premise and in the cloud respectively. It also involves selecting the CSP service options best suited to the organization's business objectives.

Migration: This involves the process of moving data, applications or other business elements from on-premise to the Cloud Service Providers' cloud computing environment, as well as between CSPs' cloud computing environments. The strategy for cloud migration is prescribed in the Migration to the Cloud section.

Management: The management cycle involves the exercise of administrative control over public, private and hybrid cloud delivery models; IaaS, PaaS and SaaS cloud service models; as well as the management of multiple services across different CSPs. It is recommended that a standard Cloud Management Tool is adopted. The management may include self-service capabilities, workflow automation and cloud analysis, among others, and it is best governed when there is formal Cloud Portfolio Management (CPM) in place.

Decomposition: This is the process of decommissioning cloud services or migrating from the cloud back to on-premise.

The following explains six domains that span the entire cloud lifecycle:

Procurement/Finance management: Adopting cloud requires a shift from the traditional budgeting system, which is annual in the public sector. A new cloud procurement regulation should suffice for cloud financial planning and management. It is recommended that PIs take advantage of the new procurement regulation to be established by BPP.

NOTE: FPIs should consider appointing a cloud finance subject matter professional who understands the total cost of ownership of cloud services, can track service consumption and can provide cost transparency in line with the new cloud procurement regulation.

Cloud service provider management: It is imperative for PIs/SMEs to have a properly integrated business ecosystem that enables them to have a single view of their cloud services. They are to understand who is accountable for managing cloud services and establish a framework by which IT and the business/mandate have a clear understanding of the performance metrics and contract requirements with cloud vendors.


Cloud Portfolio management (CPM): The ability to manage cloud investments requires establishing a formal framework for Cloud Portfolio Management (CPM). Cloud portfolio management provides a means by which an organization can control and govern existing services, new services, as well as the Cloud providers and the relationship with them. PIs'/SMEs' cloud portfolio should consider aligning their organizational portfolio more broadly to determine additional opportunities and risks associated with adding a cloud portfolio. Managing a cloud portfolio requires:

1. Provider Relationship Management (PRM): A critical requirement for Cloud Portfolio Management is to manage the provider relationships. FPIs and SMEs should learn how to develop strategic relationships with key CSPs and proactively manage the relationship from a contractual as well as from a technology transfer perspective. This is far more than the mere vendor management performed by procurement professionals. PRM requires a closer and collaborative relationship with key CSPs to facilitate advance previews of new services, R&D collaboration, early trials of new services, as well as joint planning for service adoption.

2. Manage a Portfolio of Cloud Services: Another key requirement of cloud Portfolio Management is managing many different Cloud services from all providers. All the services in the catalog must be managed effectively and ensured to be adding value to the organisation's strategic objectives. A portfolio of cloud services requires the following, among others:
a. Aggregate Services into a Catalog: as part of the portfolio management process, the organisation's available Cloud services must be aggregated into a single cloud catalog for easy management.
b. Manage service equivalents across CSPs: This is to provide redundancy for heavily-used and mission-critical services. This must be done in a strategic manner.
c. Compare cloud service performance across CSPs: Continually analyse and evaluate the relative service performance of CSPs.

Managing Cloud services using portfolio management best practices will help ensure the best Cloud solutions and services are available, with a basis for Cloud pricing arbitrage. Specifically, a cloud portfolio approach will:
i. Streamline the management of multiple cloud resource pools, both public and private;
ii. Avoid lock-in to a particular cloud vendor;
iii. Gain visibility and governance of cloud usage across the enterprise;
iv. Maintain the security and reliability of critical systems in the cloud;
v. Measure cloud resource consumption and enforce budgets;
vi. Prevent waste and optimize spend levels; and
vii. Ensure that applications and data are in compliance with both internal policies and regulations.

Integration/interoperability: The problem of interoperability or integration is caused by the fact that each vendor's cloud environment supports one or more operating systems and databases, and each cloud contains its own hypervisors, processes, security, storage model, networking model, cloud API, licensing models and more. The governance structure of FPIs and SMEs should provide procedures that ensure integration and interoperability from resource and technology perspectives.

Architecture: Cloud adoption should be reflected in the overall enterprise architecture of each FPI and in that of the country, that is, the Nigeria Government Enterprise Architecture (NGEA) framework. As such, organizations need to clearly articulate the vision and goals of stakeholders through the cloud enterprise architecture.

Operations: To sustain cloud service operations, FPIs and SMEs should establish a desk office to address and support cloud-specific issues for a better and seamless user experience. Clear organization and assignment of authority will set the scope for the appropriate control, escalation and exception management systems.


Definitions

Small and Medium Enterprises (SMEs): refers to enterprises which have an annual turnover not exceeding Five Hundred Thousand Naira (N500,000).

Public Institutions (PIs): means Ministries, Departments, Extra-Ministerial Departments and Agencies of Government at Federal, State and Area Council levels.

Federal Public Institutions (FPIs): means Ministries, Departments, Extra-Ministerial Departments and Agencies of Government at the Federal level.

Cloud Computing: refers to a computing model for ubiquitous, convenient, on-demand and real-time network access to a pool of configurable and rapidly provisioned computing resources (networks, servers, storage, applications and services, among others) required by and available to FPIs and SMEs to carry out their businesses and operations.

Cloud Service Providers (CSPs): refers to local and/or international cloud computing service providers rendering service to FPIs and SMEs in Nigeria.

Cloud Stakeholders: comprises the PIs, FPIs, SMEs and CSPs.

Cloud Migration: refers to the process of moving data, applications, hardware, software, network infrastructure and/or other business elements and services to a cloud computing environment.


Cloud Adoption: refers to the process or strategy that provides incentives for public institutions and SMEs to use cloud computing for their computing requirements in a way that is efficient and sustainable.

Cloud First Policy: refers to the Federal Government of Nigeria's strong commitment and support for cloud computing service adoption, especially from local cloud service providers, as a first-choice consideration while deploying and accessing computing resources in the public sector and by the SMEs that provide computing services to the public sector.

In-house/On-premise: refers to computer systems that are located within the physical confines of Federal Public Institutions and SMEs in Nigeria.

Vendor lock-in: refers to a situation in which an FPI or SME using the cloud product or service of a cloud service provider cannot easily transition to a competitor's cloud product or service.

Public Cloud: Cloud infrastructure provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them.

Private Cloud: Cloud infrastructure provisioned for exclusive use by a single organisation. It is managed and operated by the organisation, a third party, or some combination of them. It may be located on- or off-premises.

Hybrid Cloud: Cloud infrastructure which is a composition of two or more distinct private and public cloud infrastructures, which remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability.

Infrastructure as a Service (IaaS): refers to a multi-tenant cloud service where the consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (such as host firewalls).


Platform as a Service (PaaS): refers to a delivery model where the consumer does not manage or control the underlying cloud infrastructure, including networking, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Software as a Service (SaaS): refers to a delivery model where the consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Data: refers to data produced or commissioned by government, government-controlled entities or government service providers (e.g. SMEs) which is hosted in the cloud.

The Policy: refers to the Nigeria Cloud Computing Policy.