Lagos State Privacy Policy

Back to Home

1. Introduction

As a State Government, Lagos State (LASG) must meet its contractual, statutory, and administrative obligations. We are committed to ensuring that the personal data of our residents and service users is handled in accordance with the data protection regulation.

This privacy notice tells you what to expect when LASG collects personal information about you. It applies to all service users. However, the information we will process about you will vary depending on your specific involvement with LASG.

If we are requesting your personal data, it is because it is necessary and relevant to the service or function being performed. As such, if you withhold information, it is likely that we will not be able to perform the service or function, or there will be a delay in doing so.

LASG is the controller for this information unless this notice specifically states otherwise, and its Data Protection Officer can be contacted at dataprotection@lagosstate.gov.ng

2. Collection of Information

The personal data processed by LASG in order to perform its official tasks includes but not limited to:

• Names, titles, aliases, and photographs
• Contact details such as telephone numbers, addresses, vehicle registration and email addresses
• Gender, age, marital status, nationality, education/work history, place of birth, academic/professional qualifications, hobbies, family composition, and dependents
• Social care records for adults and children in our care
• Financial identifiers such as bank account numbers, BVN, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers
• Residency identifiers such as LASRRA number, National Identification Number (NIN)

We also process Sensitive Personal Data such as criminal convictions, racial or ethnic origin, mental and physical health records, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data and biometric data.

These types of data are described in the Nigerian Data Protection Act (NDPA) as "Sensitive data" and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.

We process sensitive personal data in the following circumstances:

• For the provision of social care to children and adults
• Where it is needed in order to carry out our specific legal obligations.
• Where it is needed for a matter of substantial public interest (such as in the case of a threat to public health)

Sometimes we may process this type of personal data in relation to legal claims or to protect your vital interests (or someone else's vital interests), and you are not capable of giving your consent. This also applies where you have already made the information public.

3. Use of Personal Data

We may use your Personal Data, including non-public Personal Data as follows but not limited to:

• To deliver public services including to understand your needs, to provide the services that you request, and to understand what we can do for you and inform you of other relevant services
• To confirm your identity
• To contact you
• To help us to build up a picture of how we are performing
• To prevent and detect fraud and corruption in the use of public funds and, where necessary, for the law enforcement functions
• To enable us to meet all legal and statutory obligations and powers including any delegated functions
• To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice, from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments, and as necessary to protect individuals from harm or injury
• To protect the use of public funds
• To maintain our own accounts and records
• To seek your views, opinions or comments
• To notify you of changes to our facilities, services, events and staff and other role holders
• To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives
• To process relevant financial transactions including grants and payments for goods and services supplied to the State
• To allow the statistical analysis of data so we can plan the provision of services

LASG is based in Nigeria and the information we collect is governed by the Nigeria Data Protection Act (NDPA). By accessing or using the Services or otherwise providing information to us, you consent to the processing and transfer of information in and to Nigeria.

4. Information Sharing

We use a number of 3rd party consultants, vendors and partners to either store personal information or to manage it on our behalf, and also to provide certain services to you. Where we have these arrangements there is always a contract, memorandum of understanding or information sharing protocol in place to ensure that the organization complies with data protection regulation.

We may also need to share data internally between ministries, departments and agencies where this is legal and proportionate.

In addition, there are circumstances when we are likely to share data with other public authorities and organizations where there is a legal basis for doing so, which might include but not limited to:

• Local Governments
• Federal Government
• Health service providers/regulator
• The Police
• FRSC
• Housing associations
• Voluntary and charity organizations

Sometimes we have a legal duty to supply information about people. This is often because we must give that information to courts, including:

• When we take a child into care;
• Court orders; and
• Cases under health emergencies.

In very limited circumstances we may share your personal information when there is a pressing and legal reason for doing so that is more important than protecting your confidentiality, for example, if there a serious risk to an individual's safety. We may share your information:

• For the detection and prevention of crime/fraudulent activity; or
• If there are serious risks to the public, our staff or to other professionals;
• To protect a child; or
• To protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.

This risk must be identified as being serious before we can go against your right to privacy. When we are worried about your physical safety or we feel that we need to take action to protect you or another person from being harmed in other ways, we will discuss this with you and, if possible, get your permission to tell others about your situation.

When using personal data for research purposes, the data will be anonymized to avoid the identification of an individual, unless consent has been given for the use of the personal data.

We do not sell or provide personal information to any other organization for the purposes of direct marketing.

We will seek your consent where we need to send your Personal Data to a country without an adequate data protection law.

5. Security

We will take appropriate steps to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. Our security includes:

• Encryption
• Firewall and network security frameworks
• Access controls on systems
• Access controls in offices containing personal/sensitive data
• Security training for all staff
• Data protection awareness for all staff
• Policies and procedures around data protection

6. How long will we keep your personal data?

LASG will only retain and store your data for as long as it is needed for the purpose for which it was collected, or as required by the law, or as dictated by best practice as stipulated by our retention policy. We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 8 years to support audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. We will endeavor to keep data only for as long as we need it, and this means that we will delete it when it is no longer needed

7. Your rights as a data subject

The law gives you certain rights in respect to your Personal Data LASG hold about you. Below is a highlight of some of those rights. At any point while we are in possession of or processing your Personal Data, you, the Data Subject has the following rights:

• RIGHT OF ACCESS – You have the right to request a copy of the information that we hold about you.
• RIGHT TO RECTIFY – You have the right to correct the Personal Data we hold about you that is inaccurate (a legal document backing the claim may be requested).
• RIGHT TO BE FORGOTTEN – In certain circumstances you may ask for the data we hold about you to be erased from our record.
• RIGHT TO RESTRICT PROCESSING – Where certain conditions apply, you have a right to restrict processing of your Personal Data.
• RIGHT TO PORTABILITY – You have the right to have your Personal Data transferred to another organisation.
• LODGE COMPLAINT – You have a right to lodge a complaint about the handling of your Personal Data with the Nigeria Data Protection Commission (NDPC).
• RIGHT TO OBJECT – You have the right to object to the Processing of Personal Data.

NDPC's website has a wealth of useful information in respect of your rights over your Personal Data. If you wish to exercise your rights, you may contact our Data Protection Officer at dataprotection@lagosstate.gov.ng

8. Breach / Privacy Violation

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, LASG shall within 72 (Seventy-Two) hours of having knowledge of such breach report the details of the breach to the Nigeria Data Protection Commission (NDPC).

Furthermore, where we ascertain that such breach is detrimental to your rights and freedoms in relation to your Personal Data, we shall within 7 (Seven) days of having knowledge of the occurrence of such breach take steps to inform you of the breach incident, the risk to your rights and freedoms resulting from such breach and any course of action to remedy said breach.