“The walls have ears, and the trees have eyes.” — African Proverb
In an era where the workplace is increasingly digital and data-driven, the question of how employers collect, process, and share employee data is no longer a matter of operational detail; it is a question of trust, compliance, and strategy.
The evolving regulatory environment in Nigeria, coupled with global expectations on data privacy, is forcing organisations to rethink how they handle employee information. While employers have legitimate reasons for collecting data, ranging from payroll and performance management to health and background checks, the rise of new technologies and digital tools has exposed gaps in how that information is safeguarded and shared.
“Organisations that show respect for employee privacy send a message of professionalism, transparency, and ethical leadership. In the long run, this helps with talent retention, brand reputation, and corporate resilience.”
The National Data Protection Regulation (NDPR), introduced in Nigeria in 2019, was a pivotal moment. It created obligations for employers to justify data collection, obtain informed consent, ensure accuracy, and put safeguards in place against unauthorised access or sharing. But compliance has been uneven, especially among small and mid-sized enterprises that lack structured HR or legal departments.
Many Nigerian employers still treat employee data as a proprietary asset rather than a protected right. In some instances, sensitive information, such as medical history, religion, or next-of-kin contact, is casually stored in unsecured formats or shared with third parties without due process.
The risk is not only legal but also reputational. A breach of employee trust can quickly turn into a viral scandal, and regulatory sanctions are no longer idle threats.
Recent enforcement actions by the Nigeria Data Protection Commission (NDPC) have begun to send a clear signal. Organisations that mishandle personal data, including employee records, face real consequences, including fines, audits, and public reprimand. In one notable case, a digital services firm was sanctioned for failing to obtain lawful consent before sharing staff performance data with external partners.
For HR professionals, the new reality demands both technical awareness and ethical clarity. Employee data is no longer “internal information”; it is personal data, protected by law and subject to scrutiny. Decisions about who can access personnel files, who may process payroll data, and how long recruitment records are stored must be made with clear policies and traceable systems.
The complexity increases when employers work with third parties such as payroll vendors, background check firms, or outsourced HR providers.
Here, the legal doctrine of “joint data controllers” may apply, meaning both the employer and the service provider are liable for any data breach.
Read also: Nigeria targets N13.8bn from data protection in 2025
Contracts with vendors must now include data protection clauses, processing agreements, and clarity on breach notification protocols.
One area that continues to raise concern is pre-employment background screening. While it is standard practice to verify credentials and conduct due diligence, some employers go beyond reasonable checks, probing into social media activity, medical history, or previous salary information without consent. This is not only intrusive but also potentially illegal under the NDPR. Employers must ensure that the scope of background checks is proportional, relevant, and authorised.
Similarly, employers must tread carefully when sharing data with regulators or auditors. Even statutory disclosures, such as pension submissions or tax reports, must be done in a way that limits exposure. The principle of data minimisation is key: only the data required should be shared, and it should be encrypted or anonymised where possible.
Transparency also matters. Employees should be informed, in clear language, about what data is being collected, why, and for how long it will be retained. HR departments must develop privacy notices, establish retention policies, and provide mechanisms for employees to request corrections or deletions of outdated records.
The transition to remote and hybrid work has introduced further vulnerabilities. Employee monitoring software, productivity dashboards, and cloud-based file sharing raise new questions about surveillance and consent. Just because something is technologically possible does not mean it is legally or ethically acceptable. Employers must strike a balance between operational efficiency and the right to privacy.
Ultimately, compliance with data protection laws is not merely about avoiding fines; it is about building trust. Organisations that show respect for employee privacy send a message of professionalism, transparency, and ethical leadership. In the long run, this helps with talent retention, brand reputation, and corporate resilience.
Nigeria is not alone on this journey. Globally, data protection frameworks are converging toward a common principle: personal data belongs to the individual. The employer is merely a custodian, with duties, responsibilities, and limitations. Nigerian organisations that embrace this principle will not only avoid regulatory headaches; they will lead the future of responsible employment.
The African proverb reminds us that in the world of secrets, someone is always listening. As employee data becomes the new currency of workplace intelligence, discretion, security, and consent must become core pillars of HR practice.
Dr. Olufemi Ogunlowo is the CEO of Strategic Outsourcing Limited and writes on workforce policy, ethical employment practices, and regulatory compliance for BusinessDay.
