PUBLIC and private institutions in Nigeria have continued to violate the data protection laws when requiring the submission of personal information through inquiry forms.
On July 3, 2026, the Federal Road Safety Commission opened its 2026 recruitment portal. By Monday, July 6, The ICIR observed that the portal did not publicly disclose to visitors why personal data was being collected, how it would be used, and what measures were being put in place to protect the information obtained.
The ICIR found that while the FRSC main domain has a publicly disclosed privacy policy, a search across the recruitment portal subdomain returned no privacy policy explaining the institution’s data collection practices. This means a government institution had failed to include Nigeria’s data protection requirements on its portal while collecting personal information from members of the public.
However, on Friday, July 10, it was observed that the recruitment portal, which initially published the information without a privacy policy, had been updated with a new privacy policy link on public display.
Founded in 1988, the Federal Road Safety Corps operates in all Nigerian states as well as the Federal Capital Territory and is the leading agency in the country’s road safety administration and management. Its statutory functions include making the highways safe for motorists and other road users, checking the roadworthiness of vehicles, recommending works and infrastructure to eliminate or minimise accidents on the highways, and educating motorists and members of the public on the importance of road discipline on the highways.
What the law says
According to the National Information Technology Development Agency (NITDA), government institutions and private organisations that collect personal data through their websites and digital media are required to have a privacy policy.
Section 2.9 of the NITDA privacy policy states:
All Public Institutions with data processing responsibilities and functions shall have a privacy policy that provides the following details:
a. what constitutes the Data Subject’s consent;
b. description of collectable personal information;
c. purpose of collection of Personal Data;
d. description of technical methods used to collect and store personal information, cookies, JWT, web tokens etc.;
e. access (if any) of third parties to Personal Data and purpose of access;
f. a highlight of the principles stated in the NDPR;
g. available remedies in the event of violation of the privacy policy;
h. the time frame for remedy;
i. any other information relevant to the document; and
j. the mode or medium adopted for data subjects to exercise their rights to provide verifiable consent for the processing of their personal data.
The Nigeria Data Protection Act (NDPA) 2023 also requires data controllers to provide individuals with a privacy notice before or at the time of collecting their personal data.
The notice should, among other things, explain why the data is being collected, the legal basis for processing it, how long it will be retained, and the rights available to the data subject.
Section 27 of the NFPA states:
(1) Before a data controller collects personal data directly from a data subject, the data controller shall inform the data subject of the – (a) identity, residence or place of business of, and means of communication with the data controller and its representatives, where necessary;
(b) specific lawful basis of processing under section 25(1) or 30(1) of this Act, and the purposes of the processing for which the personal data are intended;
(c) recipients or categories of recipients of the personal data, if any;
(d) existence of the rights of the data subject under Part VI;
(e) retention period for the personal data;
(f) right to lodge a complaint with the Commission in accordance with section 46 (1) of this Act; and
(g) existence of automated decision-making, including profiling, the significance and envisaged consequences of such processing for the data subject, and the right to object to and challenge such processing.
Expert weighs in
Johnpaul Nwobodo, a tech expert and Founder of Rooli AI, said that leaving a privacy policy off a recruitment portal while having one on the main website is usually due to both developer oversight and poor IT management. He further explained how these portals are built.
He explained that while the main website of a government agency is usually developed as a managed project with defined contracts, vendors and compliance requirements, recruitment portals are often built separately, sometimes under tight timelines and by different vendors, subcontractors or internal teams.
According to him, because these portals are commonly hosted on subdomains and developed with a focus on handling applications, generating reference numbers and processing payments, they may not automatically include features such as privacy policy pages or undergo the same legal, security and maintenance processes as the agency’s main website.
While Nwobodo agreed that it is usually a developer oversight, he stressed that the deeper failure is governance.
“So, is it developer oversight? Yes, in the narrow sense that a diligent developer should flag it. But the deeper failure is governance. If you look at the Nigeria Data Protection Act 2023, the agency is the data controller. Compliance is the controller’s legal responsibility, not the vendor’s,” he said.
“A properly managed IT function would have a data protection officer or, at a minimum, a compliance checkpoint that reviews anything collecting personal data before it goes live. When a portal ships without a privacy notice, it tells you that the checkpoint doesn’t exist. The privacy policy on the main site is a decoration, as there is a lot of boilerplate out there. The recruitment portal is where the actual data collection happens, and that’s exactly where the policy is missing. It might also seem that compliance was treated as a website feature rather than an organisational practice,” he added.
When asked about the security risks applicants face when government recruitment portals collect personal information without a privacy notice or clear data processing rules, he said the concerns go beyond the absence of the notice itself.
According to him, a missing privacy notice often indicates that other critical data protection measures may also be missing.
“A privacy notice is not just a legal document, it’s evidence that someone thought about the data lifecycle,” he said, and added that “if there’s no notice, there’s usually also no answer to the questions that matter,” including where the data is stored, who has access to it, how long it will be retained and whether it is adequately protected.
He further explained that recruitment portals collect highly sensitive information, including applicants’ names, dates of birth, National Identification Numbers, contact details and educational records, making them attractive targets for identity theft, phishing attacks and recruitment scams if the data is compromised.
The tech expert noted that the absence of a privacy notice also leaves applicants without clear information on how their data will be used, who is responsible for protecting it or how they can exercise their rights under the Nigeria Data Protection Act.
“The uncomfortable truth is that the applicant has no choice. If you want the job, you submit the data. That power imbalance is exactly why the law puts the burden on the controller, and exactly why silence from the controller should worry people,” he concluded.
Zainab Abdulrasaq ia a reporter and a fact-checker with The ICIR. She believes that accountable citizenship starts with an accountable government, which is why she highlights injustice and everyday struggles through her reporting, one story at a time. She adores reading and can be reached via zabdulrasaq@icirnigeria.org and @blackbookishgirl on Instagram/Medium
