Select a location

This selection will switch the site from presenting information primarily about Nigeria to information primarily about . If you would like to switch back, you may use location selection options at the top of the page.

Insights

Workplace Surveillance and Employee Rights: Where Should Organisations Draw the Line?

Introduction

In Nigeria's evolving workplace, organisations face a complex challenge: balancing the implementation of effective monitoring systems while respecting employees’ fundamental right to privacy. This challenge has become more pronounced with the promulgation of the Nigeria Data Protection Act, 2023 (NDPA) and the issuance of the General Application and Implementation Directive, 2025 which explains the provisions of the NDPA. The NDPA provides additional obligations for employers who collect and process employee personal data via surveillance tools.

Understandably, security concerns, performance management and regulatory compliance have made employee surveillance inevitable. As such, the pertinent question is no longer whether workplace surveillance is necessary but how to draw the line between legitimate business interests and employees' constitutional right to privacy, as guaranteed under the Nigerian Constitution and data protection laws.

Constitutional and Legal Framework

The approach to privacy in view of workplace surveillance, is anchored in constitutional protections that guarantee privacy rights. Section 37 of the Constitution provides that "the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected". This constitutional foundation provides a fundamental right to privacy that organisations must carefully navigate.

The NDPA has significantly expanded the legal framework governing workplace surveillance. Further to the NDPA, personal data includes any information that relates to an individual. The NDPA provides for the protection of personal data and classifies employees as "data subjects" with specific rights regarding their personal data. Such personal data includes information captured through CCTV systems, email monitoring and other surveillance technologies.

Employers must establish a lawful basis for processing personal data, which in this context, is collected through surveillance systems. The most applicable lawful basis to employee surveillance is the legitimate interest pursued by the organisation. This must, however, be balanced against employee privacy rights guaranteed under the Constitution. This legal requirement transforms surveillance from a unilateral employer decision into a carefully considered process requiring legal justification.

The penalty structure under the NDPA, provides the possibility of negative impacts to the bottom-line of the organization. This no doubt is an additional incentive for compliance. Where the NDPC issues orders pursuant to a breach, failure to comply attracts the following penalties:

  • a fine of up to the greater of ₦10,000,000 (Ten Million Naira) or 2% of the organisation’s annual gross revenue in the preceding financial year, in the case of a data controller or data processor of major importance; or
  • the greater of ₦2,000,000 (Two Million Naira) or 2% of its annual gross revenue in the preceding financial year, in the case of a data controller or data processor not of major importance.
  • Personnel responsible for breaches or non-compliance with NDPC orders may also face terms of imprisonment upon conviction.

The NDPA also imposes a number of key principles and obligations that organisations must navigate when implementing surveillance policies. These include:

  • A transparency requirement that mandates employers to provide clear information to employees about surveillance activities, including the legal bases and purpose(s) for processing collected data. This means that organisations cannot simply install monitoring systems without justification and explicit employee notification.
  • The principle of data minimization requires surveillance activities to be "adequate, relevant and limited to the minimum necessary" for their stated purposes. This compels organisations to critically evaluate whether proposed monitoring measures are proportionate to the risks they intend to address. For instance, installing CCTV in all office areas may be excessive if the primary concern is securing specific high-value assets. The proper deployment of such CCTV cameras would be in the areas where the specific high value assets are located.
  • Storage limitation requirement which provides that personal data collected through surveillance be retained "for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed". This means organisations must establish clear retention policies and regularly review surveillance data for deletion.
  • Collected data must be processed and stored securely to avoid any type of unlawful access, loss, damage, destruction, damage or any form of data breach.

Types of Workplace Surveillance and Employee Rights

Workplace surveillance measures encompass a variety of activities aimed at monitoring employee behaviour and work-related activities. These activities often use technologies such as time trackers, internet monitoring, CCTV surveillance, and location tracking amongst others.

CCTV monitoring represents the most visible form of workplace surveillance in Nigeria. The use of CCTV devices is tantamount to processing the personal data of individuals whose images the devices capture. As such, organisations must inform employees about CCTV presence, specify the purposes pursued and explain how the footage will be used. Legitimate purposes may include security and crime detection but same must be balanced against employee privacy expectations.

Employee rights in respect of the processing of their personal data further to surveillance, are extensive under the NDPA. These include the right to:

  • access their personal data. In the case of CCTV surveillance, Employees have the right to access footage in which they appear.
  • challenge the accuracy of personal data collected.
  • request deletion in certain circumstances eg when the data is no longer necessary for the original purpose or is unlawfully processed.
  • to rectify their data collected and processed through monitoring systems.
  • object to processing of their personal data.
  • lodge a complaint with the data protection regulator - the Nigeria Data Protection Commission (NDPC) in respect of the unlawful processing of their personal data

In cases where consent is relied on for processing, employees have the right to withdraw consent for data processing. This may, however, conflict with legitimate security requirements. In such instances, the organization may validly continue the processing of the personal data by relying on other lawful bases such as the pursuit of its legitimate interest – which could include security requirements.

Current Trends

In view of the expansion of remote and hybrid work models accelerated by the COVID-19 pandemic, employers are adopting digital tools that monitor employee activity including internet usage, productivity and location. The aim of such surveillance includes ensuring that employees do their jobs as required. However, the rate of adoption of surveillance tools varies across employers due to financial and infrastructural challenges.

Security concerns also contribute to such monitoring measures with organisations increasingly utilizing biometric access controls, applications and CCTV systems to monitor employee on-site activity to avoid cases of unauthorized access to work computers and theft.

The promulgation of the NDPA and the GAID have provided increased awareness about employee rights and as such, employers are becoming more pressured to ensure compliance.

The regulator saddled with the responsibility of enforcing the NDPA is the NDPC. The posture of the NDPC regarding data protection enforcement remains assertive. It is intensifying oversight, issuing enforcement orders, fines and sanctions against entities that fail to comply with data protection obligations including in respect of workplace surveillance. Although there are limited publicly disclosed complaints about workplace surveillance, the NDPC is reported to take all complaints seriously and investigates breaches promptly.

The Controversy: Security vs. Toxic Environments

The debate over workplace surveillance intensity reflects broader questions about employee trust and workplace culture. Proponents argue that monitoring systems serve legitimate purposes which include security of life and property, deterring misconduct, ensuring compliance with regulatory requirements and providing evidence for disciplinary procedures. These benefits become particularly compelling in industries handling valuable assets or sensitive data.

However, critics contend that surveillance creates a culture of mistrust that ultimately undermines productivity and employee wellbeing. The psychological impact of constant monitoring can reduce creativity, increase employee stress and signal that organisations fundamentally distrust their workforce. This tension is reflected in the NDPA's recognition that employees can object to surveillance processing if they believe it infringes their privacy rights.

Practical Guidelines for Organisations

Moving forward, effective management of workplace surveillance requires a risk-based approach that includes the following steps:

  • Organisations must conduct data privacy impact assessments before implementing new monitoring systems, considering both the necessity and proportionality of surveillance, in addition to its potential impact on employee privacy and workplace culture.
  • Transparency is critical to the implementation of monitoring systems, so, organisations must inform employees about the scope, purpose and presence of such systems. Notices about the use of such monitoring systems should be prominently displayed in workplaces.
  • NDPA-compliant policies should be implemented. Such policies will govern surveillance activities and establish clear procedures for employees to raise privacy concerns and exercise their data protection rights.
  • Regular reviews of the necessity and proportionality of surveillance must also be undertaken.
  • Organisations should also ensure that access to surveillance data is strictly controlled, with surveillance records only accessed by authorized personnel for legitimate employment-related purposes or legal requirements.
  • Lastly, comprehensive training should be provided to employees in respect of surveillance policies.

Conclusion

Successfully managing workplace surveillance under Nigerian law requires organisations to move beyond simple compliance checklists, toward a nuanced understanding of privacy as both a legal requirement and a workplace culture foundation. The most effective approach involves transparent communication with employees about the necessity of the surveillance proposed to be engaged, implementation of robust data protection measures and regular evaluation of whether monitoring practices remain proportionate to their intended purposes. Instead of viewing privacy and security/other legitimate interests as competing interests, organisations should be forward-thinking and note that respecting employee privacy rights often enhances rather than undermines legitimate business objectives. By demonstrating genuine commitment to balancing surveillance needs with data protection, organisations can build the trust necessary for effective workplace relationships while maintaining compliance with Nigeria's evolving data protection landscape.

Should you require advice with respect to employment related issues, please do not hesitate to contact us at [email protected] 

Authors