Acceptable Use Policy (Nigeria)
ACCEPTABLE USE POLICY
Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 | Nigeria Data Protection Regulation 2019 (NDPR) | Labour Act Cap L1 LFN 2004
Organisation: [Organisation Name]
Address: [Organisation Address]
RC Number: [RC Number]
Effective Date: [Effective Date]
Next Review Date: [Review Date]
1. PURPOSE AND LEGAL BASIS
1.1 [Organisation Name] ("the Organisation") issues this Acceptable Use Policy ("AUP" or "Policy") to govern the use of its information technology systems, networks, devices, and digital resources by all authorised users.
1.2 This Policy is issued pursuant to the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 (the "Cybercrimes Act"), the Nigeria Data Protection Regulation 2019 (NDPR) issued by the National Information Technology Development Agency (NITDA), the Labour Act Cap L1 LFN 2004, and the National Health Act 2014 (where applicable to health data). Violations may attract criminal liability under the Cybercrimes Act 2015 and disciplinary action under the terms of employment.
2. SCOPE
2.1 This Policy applies to: [Covered Persons].
2.2 This Policy covers: [Covered Systems].
2.3 This Policy applies to all use of company IT resources whether from the Organisation's premises, remote locations, home offices, or any other location.
3. PERMITTED USE
3.1 Company IT resources are provided primarily for business purposes. Limited incidental personal use is permitted where it does not: consume excessive bandwidth; interfere with work performance; create security risks; or violate any provision of this Policy.
3.2 All personal use is subject to the same monitoring and logging as business use and confers no expectation of privacy.
4. PROHIBITED ACTIVITIES
4.1 The following activities are strictly prohibited on company IT systems:
(a) Unauthorised access to computer systems or data in violation of Section 6 of the Cybercrimes Act 2015;
(b) Interference with or disruption of computer systems (Section 8, Cybercrimes Act 2015);
(c) Computer-related fraud or financial crime (Section 14, Cybercrimes Act 2015);
(d) Cyberstalking, harassment, or sending threatening communications (Section 24, Cybercrimes Act 2015);
(e) Identity theft or impersonation (Section 22, Cybercrimes Act 2015);
(f) Sending spam or unsolicited commercial communications (Section 20, Cybercrimes Act 2015);
(g) Downloading, installing, or using unlicensed software in violation of the Copyright Act 2004;
(h) Processing personal data outside the scope of an authorised job function, in violation of the NDPR 2019;
(i) Sharing login credentials or allowing unauthorised persons to access company systems;
(j) Connecting unapproved personal storage devices or removable media to company systems;
(k) Accessing, storing, or transmitting obscene, discriminatory, or sexually explicit content;
(l) Transferring personal data outside Nigeria to jurisdictions without adequate data protection, in breach of the NDPR 2019.
5. DATA PROTECTION OBLIGATIONS
5.1 All users who handle personal data must comply with the NDPR 2019. Personal data must be processed only for specified, legitimate purposes authorised by the user's job function.
5.2 Suspected data breaches and IT security incidents must be reported immediately to the Data Protection Officer ([Data Protection Officer]) and to the IT security / incident reporting contact ([Reporting Contact]). The Organisation is required to notify NITDA within 72 hours of a confirmed data breach.
5.3 Users must not store personal data on unencrypted personal devices or transfer personal data to email accounts or cloud services not approved by the IT department.
6. MONITORING AND NO EXPECTATION OF PRIVACY
6.1 [Monitoring Statement]
6.2 Monitoring is conducted for the purposes of security, compliance, performance management, and investigation of suspected violations, consistent with the NDPR 2019 principle of purpose limitation.
7. SECURITY REQUIREMENTS
7.1 All users must comply with the Organisation's password policy, including minimum complexity requirements and periodic rotation.
7.2 Lost or stolen devices must be reported to the IT department and to [Data Protection Officer] immediately.
7.3 Remote access to company systems requires use of the Organisation's approved Virtual Private Network (VPN).
7.4 Sensitive data must be encrypted in transit and at rest in accordance with the Organisation's data classification policy.
8. CONSEQUENCES OF VIOLATION
8.1 Violations of this Policy may result in: [Breach Consequences].
8.2 Violations involving criminal conduct — including offences under the Cybercrimes Act 2015 — will be referred to the Nigeria Police Force Cybercrime Unit, the Economic and Financial Crimes Commission (EFCC), or other relevant law enforcement agencies.
8.3 Disciplinary proceedings will be conducted in accordance with the Organisation's disciplinary procedure and, where applicable, the requirements of the Labour Act Cap L1 LFN 2004 and the jurisdiction of the National Industrial Court of Nigeria (NICN).
9. ACKNOWLEDGEMENT
9.1 All users are required to sign an acknowledgement confirming that they have received, read, and understood this Policy before being granted access to company IT systems.
I, the undersigned, confirm that I have read and understood the Acceptable Use Policy of [Organisation Name] (effective [Effective Date]) and agree to comply with its terms.
Name: ___________________________
Job Title: ___________________________
Department: ___________________________
Date: ___________________________
Signature: ___________________________
Authorised Signatory (Organisation)
________________
Signature
What Is an Acceptable Use Policy (Nigeria)?
An Acceptable Use Policy in Nigeria sets out the rules and standards the organisation expects those it covers to follow.
The legal basis for an AUP in Nigeria derives from several statutes. The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 is the primary federal legislation governing computer-related offences in Nigeria. Sections 6, 8, 14, 20, 22, and 24 of the Cybercrimes Act criminalise unauthorised system access, data interference, computer-related fraud, spam, identity theft, and cyberstalking respectively. An AUP that expressly references these prohibited acts puts employees on notice that violations may result not only in internal disciplinary action but in criminal prosecution before the Federal High Court of Nigeria, which has exclusive jurisdiction over Cybercrimes Act offences.
The Nigeria Data Protection Regulation 2019 (NDPR), issued by the National Information Technology Development Agency (NITDA) under the NITDA Act 2007, requires all data controllers to implement technical and organisational security measures commensurate with the sensitivity of the personal data they process. A well-drafted AUP is a key organisational measure. Organisations that process personal data under the NDPR must file annual Data Protection Audit reports with NITDA through a licensed Data Protection Compliance Organisation (DPCO), and an AUP is expected to feature in those audits.
From an employment law perspective, an AUP incorporated by reference into the employment contract or staff handbook becomes a binding term of employment under the Labour Act Cap L1 LFN 2004. This enables the employer to take disciplinary action — up to and including summary dismissal for gross misconduct — where an employee violates the AUP. Without such documentation, Nigerian employers face challenges in sustaining dismissals before the National Industrial Court of Nigeria (NICN).
Sector-specific frameworks add further weight to the AUP requirement. The Central Bank of Nigeria (CBN) Risk-Based Cybersecurity Framework for Deposit Money Banks and Payment Service Providers requires a documented Information Security Policy and acceptable use controls. The Nigerian Communications Commission (NCC) Cybersecurity Regulations 2022 impose similar obligations on licensed telecommunications operators. Healthcare organisations processing patient data must also consider the National Health Act 2014, which protects patient health records.
The legal framework governing the Acceptable Use Policy (Nigeria) in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing an Acceptable Use Policy (Nigeria) in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.
When Do You Need an Acceptable Use Policy (Nigeria)?
Every Nigerian organisation that provides employees, contractors, visitors, or customers with access to its IT systems needs an Acceptable Use Policy before granting that access.
A technology company in Lagos or Abuja whose employees use company-issued laptops, access internal databases, and communicate via company email needs an AUP to define the boundaries of permissible use, restrict access to client source code and proprietary data, and establish the monitoring framework. Without an AUP, the company has no enforceable basis to discipline an employee who forwards client data to a personal email account — conduct that could also expose the company to NDPR sanctions from NITDA.
A bank or financial institution licensed by the Central Bank of Nigeria needs an AUP as part of its mandatory cybersecurity governance documentation under the CBN Risk-Based Cybersecurity Framework. The Framework requires documented acceptable use controls for all staff with access to core banking systems, payment infrastructure, and customer financial data.
A hospital, clinic, or healthcare provider that maintains electronic patient records needs an AUP to restrict access to patient health information to authorised clinical staff, in compliance with Section 26 of the National Health Act 2014, which creates a statutory duty of confidentiality for health information.
An educational institution that gives students access to computer labs, Wi-Fi networks, and learning management systems needs a student AUP to comply with the Cybercrimes Act 2015 and to protect the institution from liability for cyberbullying or harassment conducted via its infrastructure.
A company onboarding a third-party vendor or contractor who will access company systems, customer data, or proprietary software needs an AUP (or AUP-equivalent provisions in the vendor contract) to define permitted access scope and security obligations, aligned with NDPR data processor requirements.
Parties in Nigeria should prepare an Acceptable Use Policy (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Acceptable Use Policy (Nigeria)
A Nigeria Acceptable Use Policy should contain the following essential components to be both legally effective and practically enforceable.
Scope and applicability: The AUP must clearly identify who is bound by it — all employees (permanent and contract), interns, directors, consultants, vendors, and any other person granted access to company IT systems. The policy should apply to all company-owned or company-leased devices, the corporate network and Wi-Fi, all company email and communication accounts, cloud services provisioned by the company, and any personal devices used to access company systems under a Bring Your Own Device (BYOD) arrangement.
Permitted uses: A clear statement that company IT systems are provided primarily for business purposes, with limited personal use permitted only where it does not interfere with work performance, consume excessive bandwidth, or create security risks. Specify that any limited personal use is subject to the same monitoring and logging as business use.
Prohibited activities: An express list of prohibited conduct, including: unauthorised access to systems (Cybercrimes Act 2015, Section 6); downloading or installing unlicensed software (Copyright Act 2004); accessing, storing, or transmitting obscene or harassing content (Cybercrimes Act 2015, Section 24); sharing login credentials; connecting unapproved storage media; sending spam (Cybercrimes Act 2015, Section 20); processing personal data outside authorised job functions (NDPR 2019); and accessing competitor or confidential client information without authorisation.
Data protection obligations: Reference to the NDPR 2019 and the requirement that all employees who handle personal data do so in accordance with the company's data protection policy, use data only for the specified purpose, and report suspected breaches immediately to the designated Data Protection Officer.
Monitoring and no-expectation-of-privacy: A clear statement that the company reserves the right to monitor, log, intercept, and review all communications and activities conducted on company IT systems at any time, and that employees have no expectation of privacy when using company resources. This notice is necessary both under the Cybercrimes Act 2015 (Section 38) and the NDPR to justify monitoring as a legitimate business purpose.
Security requirements: Password complexity and rotation requirements; prohibition on sharing credentials; screen-lock requirements; requirements to report lost or stolen devices; encryption obligations for sensitive data; and VPN requirements for remote access.
Incident reporting: The procedure for reporting suspected cyberincidents, data breaches, or AUP violations, including the name or role of the person to contact (typically the IT Security Manager or Data Protection Officer) and the timeframe for reporting (NDPR requires notification to NITDA within 72 hours of a data breach).
Consequences and disciplinary action: A statement that AUP violations may result in disciplinary action up to and including summary dismissal for gross misconduct, and that violations involving criminal conduct will be reported to the appropriate law enforcement agency, including the Nigerian Police Force Cybercrime Unit and the Economic and Financial Crimes Commission (EFCC).
Signature and acknowledgement: Each employee should sign an acknowledgement that they have received, read, and understood the AUP. This signed acknowledgement is essential evidence in any subsequent disciplinary proceeding before the National Industrial Court of Nigeria.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Acceptable Use Policy (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/policies/acceptable-use-policy-nigeria
"Acceptable Use Policy (Nigeria) (Nigeria)." Forms Legal, 2026, https://forms-legal.com/nigeria/business/policies/acceptable-use-policy-nigeria.
Frequently Asked Questions
An Acceptable Use Policy is not expressly mandated by a single statute in Nigeria, but multiple laws make it a practical necessity for any organisation operating IT systems. The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 imposes criminal liability on employees and organisations for unauthorised access, data theft, and cyberstalking committed using company infrastructure. An organisation that has issued a clear Acceptable Use Policy and can demonstrate that a prohibited act was committed in violation of that policy is in a stronger position to avoid vicarious or institutional liability. The Nigeria Data Protection Regulation 2019 (NDPR), issued by the National Information Technology Development Agency (NITDA) under the NITDA Act 2007, requires data controllers to implement technical and organisational measures to protect personal data. A well-drafted AUP that restricts unauthorised data access, requires password security, and prohibits the transfer of personal data outside authorised channels directly satisfies NITDA's organisational-measures requirement. Regulated sectors — including banks supervised by the Central Bank of Nigeria (CBN), telecommunications operators licensed by the Nigerian Communications Commission (NCC), and healthcare providers — face additional sector-specific data security obligations that an AUP helps satisfy.
A Nigerian Acceptable Use Policy should expressly prohibit activities that attract civil or criminal liability under Nigerian law. Under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015, the following specific acts are criminal offences and should be listed in the prohibited activities section: unlawful access to computer systems (Section 6); system interference and disruption (Section 8); computer-related fraud (Section 14); cyberstalking and cyber harassment (Section 24); and identity theft (Section 22). The AUP should also prohibit the sending of spam or unsolicited commercial communications in violation of Section 20 of the Cybercrimes Act. Because the NDPR 2019 requires that personal data only be processed for specified, legitimate purposes, the AUP should prohibit employees from processing personal data of customers, staff, or third parties for any purpose beyond their authorised job function. Additional prohibitions should cover: downloading unlicensed software (creating liability under the Copyright Act 2004); accessing social media, streaming, or gaming sites using company bandwidth for non-business purposes; connecting personal storage devices to corporate networks without IT approval; and forwarding confidential company information to personal email accounts. The AUP should clarify that company monitoring of IT systems is permitted and constitutes notice to employees that they have no expectation of privacy when using company resources, consistent with the monitoring provisions of the Cybercrimes Act.
The Nigeria Data Protection Regulation 2019 (NDPR), issued by NITDA, creates binding obligations for all organisations — referred to as data controllers — that collect, store, or process personal data of Nigerian residents. An AUP is one of the primary organisational mechanisms through which a data controller can demonstrate NDPR compliance. The NDPR requires data controllers to implement appropriate technical and organisational measures to protect personal data against unauthorised processing, accidental loss, destruction, or damage. An AUP that restricts access to personal data on a need-to-know basis, mandates strong password protocols, prohibits storage of personal data on unencrypted personal devices, and requires prompt reporting of suspected data breaches to the IT department directly addresses these obligations. The NDPR also requires that personal data not be transferred to a country outside Nigeria unless that country provides adequate data protection, or appropriate safeguards (such as standard contractual clauses) are in place. The AUP should therefore prohibit the transfer of customer or employee personal data to foreign cloud services or email addresses not approved by the IT department. Organisations with annual revenues above NGN 10 million that process personal data are required under the NDPR to file a Data Protection Audit report with NITDA through a licensed Data Protection Compliance Organisation (DPCO). Maintaining a clear, enforced AUP is evidence of organisational commitment that auditors will look for.
An employer in Nigeria can lawfully monitor employee use of company-owned IT systems, including computers, email accounts, internet browsing, and telephone systems, provided that appropriate notice has been given to employees before monitoring begins. The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 permits monitoring of computer systems by persons authorised to do so, and an employer is authorised to monitor its own infrastructure. The critical requirement is that employees must be informed of the monitoring before it occurs. An Acceptable Use Policy that clearly states the organisation reserves the right to monitor, intercept, and review all communications, data, and activities conducted on company systems — and which is signed by or provided to each employee — constitutes adequate notice. The AUP should state that employees have no expectation of privacy when using company IT systems, that company devices remain the property of the employer, and that monitoring may occur at any time. It is also advisable to specify the purposes of monitoring (security, compliance, performance management) to align with the NDPR 2019 principle of purpose limitation. Covert monitoring without prior notice raises issues under the NDPR and could result in the monitored evidence being challenged in disciplinary proceedings. The organisation's monitoring policy should be reviewed by a Nigerian Legal Practitioner to confirm alignment with current NITDA guidelines and any applicable sector-specific directives from the CBN or NCC.
An organisation in Nigeria that fails to maintain adequate controls over employee use of its IT systems faces multiple categories of risk. Under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015, Section 38 places obligations on service providers (which includes organisations with internal networks) to maintain logs and cooperate with law enforcement in cybercrime investigations. Failure to do so can result in fines. Under the NDPR 2019, NITDA can impose administrative sanctions for data breaches resulting from inadequate organisational security measures. Published NITDA enforcement actions have resulted in sanctions against Nigerian financial institutions and technology companies for NDPR non-compliance. Under the Labour Act Cap L1 LFN 2004, an organisation without clear written IT conduct rules may face challenges in sustaining disciplinary dismissals of employees who misuse IT resources — employment tribunals have expected employers to demonstrate that employees had clear written notice of prohibited conduct. The Nigerian Communications Commission (NCC) can sanction licensed operators that fail to implement adequate cybersecurity measures under the NCC Cybersecurity Regulations 2022. For banks and financial institutions, the CBN's Risk-Based Cybersecurity Framework requires a documented acceptable use or information security policy as part of the mandatory governance framework. An organisation that proactively maintains a current, signed AUP demonstrates due diligence that reduces regulatory, employment, and reputational risk.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.