Can Nigerian Employers Monitor Employees’ Devices and Emails?

With the growing global reliance on digital tools in the workplace, concerns around employee privacy have intensified as more workers use the internet and other electronic platforms for communication both within and outside work.

Discuss the intersection between:

  1. NDPA;
  2. Labour law;
  3. Workplace privacy.

Introduction

With the growing global reliance on digital tools in the workplace, concerns around employee privacy have intensified as more workers use the internet and other electronic platforms for communication both within and outside work. While many of these communications may appear private, employees often have limited expectations of privacy in practice. Using Nigeria as a case study, the rapid expansion of digital technologies and remote work arrangements has transformed the modern workplace. To safeguard proprietary information, prevent fraud, track productivity, protect intellectual property and corporate assets, many employers deploy comprehensive workplace surveillance mechanisms. These range from monitoring corporate email accounts and analyzing keystrokes, screen capture applications to monitor productivity and installing tracking software on physical devices.

However, this corporate authority does not operate in a legal vacuum. The question of whether employers can monitor employee devices and emails no longer hinges solely on managerial prerogative or implied contractual terms. An employee privacy rights are the rules that limit how extensively an employer can search an employee’s possessions or person; monitor their actions, speech, or correspondence; and know about their personal lives, especially but not exclusively in the workplace. The nature and extent of these protections have become a greater concern in recent years, especially with the growing elements of the digital space. This the brings the question, to what extent can Nigerian employers lawfully monitor employees’ devices and emails without violating privacy and data protection rights?

This article discusses whether employers can legally monitor employee devices and emails, mapping out the precise boundaries of managerial control and employee rights.

The Nigeria Data Protection Act 2023 (NDPA)

The Nigeria Data Protection Act 2023 (NDPA) is Nigeria’s primary personal data protection law, signed into force on 14 June 2023. The NDPA established a comprehensive statutory framework for the collection, processing, storage, and transfer of personal data in Nigeria. For employers, the NDPA directly governs all employee data activities, including time tracking, activity monitoring, attendance records, email logging, and biometric access systems.

Section 1 of the NDPA 2023 establishes a legal framework for the protection of personal data in Nigeria and also promotes lawful, fair, and transparent processing of personal data, while ensuring accountability and trust in data processing activities. The enactment of the NDPA 2023 marked a definitive shift in Nigeria’s data privacy landscape, elevating personal data protection into a comprehensive legal framework overseen by the Nigeria Data Protection Commission (NDPC). The NDPC is an independent regulatory authority responsible for enforcement, guidance, and registration of data controllers and processors. The Commission has the authority to investigate complaints, conduct audits, issue fines, and publish enforcement decisions.

Under the NDPA, an employer is legally defined as a Data Controller, while the employee is the Data Subject. Consequently, any corporate monitoring that collects, stores, or analyzes employee data such as email logs, browser histories, keystrokes, or location tracking constitutes the processing of personal data and must strictly comply with the Act.

The NDPA defines Personal Data as “any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to a identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual”, its definition is broad and captures virtually all employment information.

The NDPA establishes Core principles all data processing must follow. A Data Processor(employer) must:

  1. Ensure monitoring is done transparently and fairly. Secretly monitoring employee devices violates this principle.
  2. Ensure monitoring cannot be conducted for unstated purposes. If devices are monitored for security purposes, using that data for discriminatory disciplinary action against union activities would violate this principle.
  3. Ensure data is not collected beyond what’s necessary for legitimate workplace purposes. Monitoring personal social media accounts accessed on company devices may exceed necessity.
  4. Ensure monitoring data cannot be retained indefinitely. Policies must establish retention periods.
  5. Ensure monitoring systems must be accurate; personal data should not be factually incorrect
  6. Ensure strong security measures are put in place to protect monitoring data from unauthorized access.

The NDPA establishes some lawful bases where an employer can monitor or process an employee’s data. An employee personal data processing is lawful where:

  1. the employee has given and not withdrawn consent for the specific purpose.
  2. the processing is necessary for the performance of a contract to which the employee is a party;
  3. the processing is necessary for compliance with a legal obligation;
  4. the processing is necessary for the protection of vital interests of the employee or another person;
  5. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
  6. the processing is necessary for legitimate interests except where those interest override the fundamental rights and the interests of the data subject or where the employee would not have a reasonable expectation that the personal data would be processed in the manner envisaged or where they are incompatible with other lawful bases of processing.

The NDPA does not require consent as the sole lawful basis for employee monitoring. Employers may rely on

  1. contractual necessity,
  2. compliance with a legal obligation, or
  3. legitimate interest with a documented balancing test as alternative bases. The employer must conduct a balancing test demonstrating that legitimate interests outweigh employee privacy interests.

Employers must obtain explicit, affirmative consent before processing employees’ Consent. If an employee handbook states employees “are deemed to consent to monitoring” unless they opt out, this violates the provisions of the NDPA. Employers must not implement secret or undisclosed monitoring. All monitoring policies must be communicated to employees before or at the start of employment.

Employee Data Rights Under the NDPA includes;

  1. Right of Access
  2. Right to Rectification of incorrect data
  3. Right to Object
  4. Right to withdraw consent
  5. Right to notification of data breaches

The Labour Act (Cap L1 LFN, 2004) & workplace privacy

The Nigeria Labour Act is the principal legislation governing employment in Nigeria, but it notably does not contain explicit provisions directly addressing employee monitoring of devices or emails. This creates a significant regulatory gap.

The Act primarily focuses on employess;

  1. ages and compensation
  2. Working conditions
  3. Medical examinations
  4. Termination procedures
  5. Child labour and apprenticeship

Workplace privacy is fundamentally governed by constitutional protections that safeguard privacy rights. Section 37 of the 1999 Constitution guarantees and protects the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. This constitutional provision establishes a foundational right to privacy that organizations must respect and balance against legitimate business interests when implementing monitoring practices. Employers monitor employee conduct and job performance through various surveillance methods, including digital time-tracking systems, web activity filters, video cameras, and GPS positioning tools.

In Nigeria, CCTV systems are the most prominent surveillance tool in workplaces. Because these cameras capture individuals’ images which constitute personal data. Employers must be transparent about their use. Specifically, they should notify workers of camera locations, state what goals they serve, and clarify how recorded material will be handled. While legitimate reasons exist such as facility security and preventing theft, these must be weighed appropriately against workers’ reasonable expectations of privacy.

The NDPA grants workers substantial protection regarding their personal information collected through surveillance activities. Employees may:

  1. Review their own personal information, including CCTV footage showing themselves.
  2. Dispute the correctness of collected information.
  3. Request that information be removed under certain conditions, for example, when it’s no longer relevant to its original use or has been improperly collected.

The answer to whether Nigerian employers can monitor employees’ devices and emails is therefore yes, but only within carefully defined legal limits. While employers retain a legitimate interest in protecting their systems, safeguarding confidential information, ensuring regulatory compliance and maintaining workplace productivity, those interests do not confer an unrestricted right to intrude into the private sphere of employees.

The Nigeria Data Protection Act 2023 and the constitutional right to privacy under Section 37 of the Constitution require that workplace monitoring be transparent, proportionate and tied to a legitimate purpose. Employers must be able to justify the scope of any monitoring activity, ensure that employees are adequately informed, and implement appropriate safeguards for the collection, use and retention of personal data.

As workplaces become increasingly digital and remote working arrangements continue to evolve, the challenge will not be whether employers can monitor employees, but whether such monitoring is carried out in a manner that respects privacy while advancing legitimate business objectives. The most legally defensible approach is one founded on transparency, necessity and accountability. Ultimately, effective workplace surveillance is not measured by how much information an employer can collect, but by whether it can demonstrate that the information was collected lawfully, responsibly and for a clearly defined purpose.

References

Section 1 Nigeria Data Protection Act (NDPA) 2023

Section 24 Nigeria Data Protection Act (NDPA) 2023

Section 65 Nigeria Data Protection Act (NDPA) 2023

Section 25 Nigeria Data Protection Act (NDPA) 2023

Section 26 Nigeria Data Protection Act (NDPA) 2023

Section 27 Nigeria Data Protection Act (NDPA) 2023

Section 29 Nigeria Data Protection Act (NDPA) 2023

Section 34 Nigeria Data Protection Act (NDPA) 2023

Section 39 Nigeria Data Protection Act (NDPA) 2023

Section 36 Nigeria Data Protection Act (NDPA) 2023

Section 37 1999 Constitution Federal Republic of Nigeria as Amended

The Labour Act (Cap L1 LFN, 2004)

Dentons ACAS-Law, Alicia Adefarasin “Workplace data privacy in Nigeria: Key obligations and rights under the NDPA 2023 and the GAID 2025” https://www.dentonsacaslaw.com/en/insights/articles/2025/july/28/workplace-data-privacy-in-nigeria

Mondaq, Marcus-Okoko & Co, “Employee Privacy: The Nigerian Perspective” http://mondaq.com/nigeria/health-safety/1209462/employee-privacy-the-nigerian-perspective

Nigeria Employee Monitoring Laws: NDPA and Workplace Privacy Compliance Guidehttps://www.employee-monitoring.net/compliance/employee-monitoring-laws-nigeria

DLA Piper Africa, Samuel Salako Olufunmilola Oyinkansola Binuyo and Caleb Nmeribe “Workplace Surveillance and Employee Rights: Where Should Organisations Draw the Line?” https://www.dlapiperafrica.com/en/nigeria/insights/2025/workplace_surveillance_and_employee_rights

The HR Anchor, Mariam Aligbeh, “How Nigeria’s New Data Laws Are Redefining the Role of HR Professionals” < https://thehranchor.ng/how-nigerias-new-data-laws-are-redefining-the-role-of-hr-professionals/>

Mondaq, Chukwuyere Izuogu, “Data Protection Case Review: Chukwunweike Akosa Araka v. Ecart Internet Services Nigeria Limited & Eat ‘N’ Go Limited” < https://www.mondaq.com/nigeria/privacy-protection/1721026/data-protection-case-review-chukwunweike-akosa-araka-v-ecart-internet-services-nigeria-limited-eat-n-go-limited>

Author