g. the policies and practices of the organization for the proper use of
personally identifiable information;
h. organization policies and procedures for privacy and data protection;
i. the policies and procedures of the organization for monitoring and
reporting violations of privacy and data protection policies; and
j. the policies and procedures of the organization for assessing the impact of
technologies on the stated privacy and security policies.
(6) Where a Data Controller processes the Personal Data of more than 1000 in a
period of six months, a soft copy of the summary of the audit containing
information stated in 4.1(5) shall be submitted to the Agency.
(7) On annual basis, a Data Controller who processed the Personal Data of more
than 2000 Data Subjects in a period of 12 months shall, not later than the 15th of
March of the following year, submit a summary of its data protection audit to the
Agency. The data protection audit shall contain information as specified in 4.1(5).
(8) The mass media and the civil society shall have the right to uphold accountability
and foster the objectives of this Regulation.
4.2 ADMINISTRATIVE REDRESS PANEL
(1) Without prejudice to the right of a Data Subject to seek redress in a court of
competent jurisdiction, the Agency shall set up an Administrative Redress Panel
under the following terms of reference;
(2) Investigation of allegations of any breach of the provisions of this Regulation;
(3) Invitation of any party to respond to allegations made against it within seven
days;
(4) Issuance of Administrative orders to protect the subject-matter of the allegation
pending the outcome of investigation;
(5) Conclusion of investigation and determination of appropriate redress within
twenty-eight (28) working days; and
(6) Any breach of this Regulation shall be construed as a breach of the provisions of
the National Information Technology Development Agency (NITDA) Act of 2007.
NIGERIA DATA PROTECTION REGULATION