Legal · Data Protection
Privacy Policy
Your privacy matters to us — and, for many of the people who use this platform, it is a matter of safety. This Policy explains, in plain terms, what personal data the Office for Strategic Preparedness and Resilience (OSPRE) collects, why, the lawful bases we rely on, how we protect and share it, how long we keep it, and the rights you hold under the Nigeria Data Protection Act 2023.
We have written it to be read, not just filed. Use the contents to jump to what matters to you — and contact our Data Protection Officer at any time.
Who We Are — the Data Controller
The Office for Strategic Preparedness and Resilience (“OSPRE”, “we”, “us”, “our”) is Nigeria's National Centre for the Coordination of Early Warning and Response Mechanisms, established by Presidential Executive Order 12 pursuant to Article 58 of the ECOWAS Treaty and Article 16 of the 1999 Protocol on Conflict Prevention, Management, Resolution, Peacekeeping and Security.
For the purposes of the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), OSPRE is the Data Controller for personal data processed through osprenigeria.gov.ng and its associated services. Our Data Protection Officer (DPO) is registered and contactable as set out in section 15.
Scope of This Policy
This Policy applies to personal data we process when you visit our website, submit an incident or early-warning report, contact us, request a resource or publication, apply for partnership, subscribe to updates, or access an authorised staff or partner account. It explains what we collect, why, the lawful bases we rely on, how we protect it, how long we keep it, and the rights available to you.
Our privacy commitment
The Personal Data We Collect
We collect only the data we need for the purposes described in this Policy. Categories include:
| Category | Examples | Source |
|---|---|---|
| Contact & enquiry data | Name, email, phone, organisation, subject and message content | Provided by you (contact form) |
| Incident / early-warning reports | Description, location (state/LGA), category, severity, optional attachments and reporter details — or fully anonymous | Provided by you (report form / SMS) |
| Resource-access data | Name, work email, organisation, role, country and stated purpose when requesting a publication | Provided by you (download request) |
| Partnership data | Organisation, contact person, focus areas and proposal details | Provided by you (partner application) |
| Account & security data (staff/partners) | Credentials, two-factor status, role, login history, device characteristics | Generated on use of authorised areas |
| Technical data | IP address, approximate location, browser/device type, pages visited, timestamps | Collected automatically (see §6–7) |
We do not intentionally collect special-category (sensitive) personal data through public forms. Where a report you submit necessarily contains sensitive information, we process it under the lawful bases in section 5 and apply heightened safeguards.
How & Why We Use Your Data — and Our Lawful Bases
Under the NDPA, we must rely on a lawful basis for each processing purpose. Our principal purposes and bases are:
| Purpose | Lawful basis (NDPA 2023) |
|---|---|
| Coordinating early warning and response to human-security threats; assessing and acting on incident reports | Performance of a task carried out in the public interest / in the exercise of official authority |
| Responding to your enquiries, partnership and resource requests | Consent and/or steps taken at your request |
| Verifying your email before releasing a requested resource (double opt-in) | Consent / legitimate interest in preventing abuse |
| Securing the platform, preventing fraud, intrusion and misuse | Legitimate interest in the security of a critical national service |
| Meeting statutory, audit and record-keeping obligations | Compliance with a legal obligation |
| Sending operational alerts and updates you have opted into | Consent (withdrawable at any time) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Protecting Those Who Report
Reporting a threat should never expose you to risk. Our incident and early-warning intake is built to protect reporters:
- Anonymous by choice. You may submit a report without providing your name or contact details. Identifying fields are optional.
- No raw IP retention on reports. To deter abuse without tracking you, we store only a salted, irreversible SHA-256 hash derived from network metadata — never your raw IP address — and it is never exposed.
- Need-to-know handling. Reports are accessible only to authorised analysts under least-privilege access controls and full audit logging.
- Selective, sanitised publication. A report is only ever made public after human review and with identifying detail removed.
If you are in immediate danger
IP Address, Location & Weather
Our public pages can display the local date, time and weather for your approximate location. We have engineered this to be privacy-preserving and sovereign:
- Your approximate location (city/country) is resolved on our own servers using a locally-hosted geolocation database — your IP address is not sent to any third party for this purpose.
- To fetch weather, only approximate coordinates (not your IP or any identifier) are sent to our weather data provider.
- Your live clock is computed in your own browser and no location is stored to your profile.
We also process IP-derived data transiently for security monitoring (e.g. rate-limiting and intrusion detection) as described in section 10.
Data Residency & International Transfers
We prioritise keeping personal data within Nigeria on sovereign infrastructure, and we have deliberately designed privacy-sensitive functions (such as IP geolocation) to run on-premises so data does not leave the country unnecessarily. Where a transfer outside Nigeria is unavoidable, we do so only where the NDPA permits — for example under an adequacy determination, appropriate contractual safeguards, or your explicit consent. For resilience and disaster recovery, we may retain encrypted backup snapshots off-site; these are protected with strong encryption at rest and remain subject to this Policy.
How We Protect Your Data
We apply layered, independently-verified technical and organisational measures, including:
- Encryption in transit. All traffic is served over TLS/HTTPS with HSTS.
- Perimeter defence. A web application firewall (ModSecurity with the OWASP Core Rule Set) and per-endpoint rate-limiting protect against attacks and abuse.
- Strong authentication. Staff access requires two-factor authentication (TOTP); passwords are stored using bcrypt and screened against known-breached-password datasets using a privacy-preserving k-anonymity check.
- Least privilege & auditing. Access is capability-based and re-checked against live records; security-relevant actions are logged; intrusion tripwires and device-anomaly detection are in place.
- Secret, backup & data protection. Application secrets are encrypted at rest, and backup and disaster-recovery snapshots — including any copy held off-site for resilience — are encrypted at rest.
No system can be guaranteed perfectly secure, but we continuously monitor, patch and independently review our controls. If a breach ever affects your rights, we will act — and notify you and the NDPC — as the NDPA requires.
How Long We Keep Your Data
We keep personal data only as long as necessary for the purpose collected, then delete or anonymise it:
| Data | Retention |
|---|---|
| Contact enquiries | Up to 24 months after resolution |
| Resource-access records | Up to 24 months, then aggregated/anonymised |
| Incident reports | As required for coordination and the statutory record; identifying detail minimised at the earliest point |
| Security & audit logs | As required for security and legal obligations, typically up to 12–24 months |
| Authorised accounts | For the life of the account and the period required by Federal record-keeping rules |
Your Rights
Subject to the NDPA, you have the right to:
Access
Obtain confirmation and a copy of your data
Rectification
Correct inaccurate or incomplete data
Erasure
Have data deleted where there is no lawful basis to keep it
Restriction
Limit how we process your data in certain cases
Object
Object to processing based on public interest or legitimate interest
Portability
Receive certain data in a portable format
Withdraw consent
Withdraw consent at any time, going forward
Complain
Lodge a complaint with the NDPC
To exercise any right, contact our DPO (section 15). We respond within the statutory timeframe and will not charge a fee except where the law allows.
Children's Privacy
The platform is intended for adults and is not directed at children. We do not knowingly collect personal data from anyone under 18 without appropriate consent. If you believe a child has provided us data, contact our DPO and we will take appropriate action.
Automated Processing & Analytics
Our reconnaissance and early-warning analytics aggregate and cross-verify publicly-available incident data from multiple independent open sources to produce area-level risk pictures — no single source is treated as authoritative. This analysis concerns events and locations, not the profiling of individual website visitors, and does not make automated decisions producing legal or similarly significant effects about you.
Changes to This Policy
We may update this Policy to reflect changes in law, technology or our services. We will revise the “Last updated” date above and, for material changes, notify registered users. Your continued use after changes take effect constitutes acceptance of the revised Policy.
Contact & Complaints
To exercise your rights, ask a question, or raise a concern about how we handle your data, contact our Data Protection Officer:
Data Protection Contact
Office of the Data Protection Officer
No. 3, Tarkwa Close, Off Monrovia Street, Wuse II, Abuja, FCT, Nigeria
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
This document forms part of the OSPRE Nigeria legal framework. See also our Privacy Policy, Terms of Use, Acceptable Use Policy, Disclaimer, Copyright / DMCA Policy and Accessibility Statement.