WARDC DATA PROTECTION AND PRIVACY POLICY

1. Scope

This Policy applies to all personal data processed by Women Advocates Research and Documentation Centre (WARDC). It covers the processing activities of:

  • All WARDC staff, management, volunteers, interns, and consultants.
  • Partners, contractors, and service providers who process personal data on WARDC’s behalf.
  • Beneficiaries, survivors, programme participants, research participants, donors, and stakeholders whose data WARDC collects or processes.
  • Users of WARDC’s website, digital platforms, and online services.

This Policy applies to all forms of data processing, whether electronic, paper-based, audiovisual, or otherwise, and covers all WARDC offices and operations.

2. Introduction

Women Advocates Research and Documentation Centre (WARDC) is a non-profit civil rights organisation committed to advancing human rights, gender equality, equity, rule of law, accountability, and social justice in Nigeria.

In the course of delivering legal aid, survivor support services, research, advocacy, and capacity-building programmes, WARDC processes personal data, including sensitive personal data. WARDC is committed to ensuring that such data is processed lawfully, fairly, transparently, and securely.

This Policy outlines how WARDC collects, uses, stores, shares, transfers, and protects personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and, where applicable, international data protection standards, including the EU GDPR and UK GDPR.

3. Definitions

For the purpose of this Policy:

  • Personal Data: Any information relating to an identified or identifiable individual.
  • Sensitive Personal Data: Includes data relating to health, sexual life, gender-based violence, biometric data, children’s data, and other information requiring enhanced protection under the NDPA.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Data Subject: The individual whose personal data is processed.
  • Data Controller: WARDC, which determines the purpose and means of processing.
  • Data Processor: Any third-party processing data on behalf of WARDC.
  • Data Breach: Any unauthorized access, disclosure, alteration, loss, or destruction of personal data.
  • DPIA: Data Protection Impact Assessment.

4. Data Protection Principles

WARDC processes personal data in accordance with the following principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

4.1 Categories of Personal Data We Collect

WARDC may collect:

4.1 Identity Information

Name, gender, age, nationality, identificationdetails.

4.2 Contact Information

Phone number, email address, residential address, 

4.3 Case and Survivor Information (Sensitive Personal Data)

Details relating to:

  • Gender-based violence
  • Sexual abuse
  • Health and psychological records
  • Legal case files

4.4 Programme Participation Data

Training attendance, advocacy participation, community outreach records.

4.5 Donor and Partner Data

Contribution records, financial information, contractual details.

4.6 Website and Digital Data

IP address, browser type, cookies, analytics data.

4.7 Media Content

Photographs, audio, or video recordings (with consent).

5. How We Collect Personal Data

Data is collected through:

  • Legal aid clinics and case intake processes
  • Counselling sessions
  • Online forms and registrations
  • Surveys and research activities
  • Programme and event attendance records
  • Direct communication (phone, email, social media)
  • Cookies and analytics tools
  • Partnerships and donor engagement

6. Lawful Basis for Processing

WARDC processes personal data on the following legal grounds under NDPA:

Data CategoryLawful Basis
Survivor case data (sensitive)Explicit consent, vital interest, public interest, legal obligation
Legal aid servicesPerformance of service requested
Donor dataContractual necessity, legitimate interest
Staff/consultant dataEmployment/contractual obligation
Website cookiesConsent
Children’s dataParental/guardian consent, vital interest where applicable

Where sensitive personal data is processed, WARDC applies enhanced safeguards and relies on explicit consent or other lawful grounds permitted under NDPA.

7. Purpose of Processing

WARDC processes personal data to:

  • Provide legal aid and survivor support services
  • Deliver advocacy and empowerment programmes
  • Conduct research and documentation
  • Communicate with stakeholders
  • Comply with donor and statutory obligations
  • Improve services and digital platforms

8. Data Sharing and Disclosure

WARDC does not share personal data.

Data may be shared only when necessary:

  • With referral partners supporting survivors
  • With service providers under Data Processing Agreements
  • With consultants conducting evaluations under confidentiality agreements
  • With government or law enforcement where legally required
  • With donors where reporting obligations apply (using anonymised data where possible)

All third parties are contractually bound to confidentiality and security standards.

9. International Data Transfers

Where personal data is transferred outside Nigeria for:

  • Cloud storage
  • Donor reporting
  • Research collaboration

WARDC ensures:

  • Compliance with NDPA requirements
  • Adequacy decisions or approved safeguards
  • Standard contractual clauses or data-sharing agreements
  • Equivalent levels of protection by recipient organisations

No international transfer occurs without appropriate safeguards.

10. Data Retention

WARDC retains personal data only as long as necessary for lawful purposes.

Indicative retention periods include:

  • Legal case files: 7–10 years after closure
  • Financial/donor records: Minimum 7 years
  • HR records: Duration of engagement + 6 years
  • Website analytics: 12–24 months

WARDC maintains an internal Data Retention Schedule approved by management.

Data is securely deleted, anonymized, or archived when no longer required.

11. Data Security Measures

WARDC implements administrative, technical, and physical safeguards, including:

  • Access control and role-based permissions
  • Password protection and secure authentication
  • Encryption where appropriate
  • Secure cloud storage agreements
  • Locked physical file storage
  • Staff confidentiality agreements
  • Regular security reviews

12. Children’s Data

WARDC does not knowingly collect personal data from children under 18 without parental or guardian consent unless processing is required in the child’s vital interest or safeguarding context.

Enhanced confidentiality safeguards apply to minors, particularly survivors of abuse.

13. Data Subject Rights

Under the NDPA 2023, individuals have the right to:

  • Access their data
  • Request correction
  • Request deletion
  • Withdraw consent
  • Object to processing
  • Request data portability
  • Lodge complaints with the Nigeria Data Protection Commission (NDPC)

WARDC will respond to data subject requests within 30 days of receipt, subject to identity verification.

Requests may be submitted via the contact information provided below.

14. Data Protection Impact Assessments (DPIAs)

WARDC conducts DPIAs for high-risk processing activities, particularly those involving:

  • Sensitive survivor data
  • Large-scale research data collection
  • Children’s data
  • New digital platforms

DPIAs are reviewed by the Data Protection Officer.

15. Data Breach Response Procedure

15.1 Reporting

All staff must immediately report suspected breaches to the DPO.

15.2 Assessment

The DPO will assess:

  • Nature and scope
  • Categories of affected data
  • Risk to individuals

15.3 Notification

Where a breach poses risk to individuals:

  • The NDPC will be notified within 72 hours of awareness.
  • Affected individuals will be informed without undue delay.
  • Donors or partners will be notified where required.

15.4 Remediation

Corrective actions will be implemented and documented to prevent recurrence.

16. Governance and Accountability

16.1 Management Responsibilities

Management ensures:

  • Compliance with NDPA
  • Adequate resourcing
  • Annual policy review
  • Staff training
  • Support for the DPO

16.2 Staff Responsibilities

All personnel must:

  • Maintain confidentiality
  • Follow access controls
  • Report breaches
  • Participate in training

16.3 Partners and Contractors

All external parties must:

  • Sign Data Processing Agreements
  • Maintain security safeguards
  • Report breaches promptly

17. Data Protection Officer (DPO)

WARDC designates a Data Protection Officer responsible for:

  • Monitoring compliance
  • Advising staff and management
  • Conducting audits
  • Coordinating breach response
  • Serving as liaison with NDPC

The DPO reports directly to senior management and operates independently.

18. Policy Review and Updates

This Policy shall be reviewed annually or earlier where required by legal, technological, or operational changes.

Updated versions will be published with revised effective dates.

19. Contact Information

Women Advocates Research and Documentation Centre (WARDC)
Lagos Office: No. 22 Afariogun Street, Off Obafemi Awolowo Way, Ikeja Underbridge, Lagos
Abuja Office: No. 17 Iwopin Close, Off Ondo Street, Behind Area 1 Shopping Complex, Garki Abuja
Abeokuta Office: Ifeolu Close, Off Igbore Street, Behind Ijeja Stadium, Abeokuta

Email: info@wardcnigeria.org
Phone: +2348180056401, +2348055951858
Website: www.wardcnigeria.org