
@tantainnovative/ndpr-toolkit


Nigeria Data Protection Toolkit — enterprise-grade compliance components for the Nigeria Data Protection Act (NDPA) 2023

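'use strict';

// Privacy-policy section generator and NDPA compliance scorer (bundled chunk).
//
// Exports (minified names, unchanged):
//   a = placeholder opening marker      b = placeholder closing marker
//   c = build the ordered section list  d = default data-category catalogue
//   e = create an empty policy draft    f = score a policy against the checklist
//
// NOTE(review): in this listing every separator inside the policy text is a
// single space (including the join separators). The published file may use line
// breaks there; confirm against the package before relying on exact strings.
//
// NOTE(review): organisation, processor and data-category values are
// interpolated into the policy text as-is. Nothing here escapes them, so
// whatever renders the result presumably has to treat it as plain text or
// escape it for its output format (HTML, Markdown); confirm at the render site.

var chunkRFPLZDIO_js = require('./chunk-RFPLZDIO.js');

/** Opening marker of a "field not filled in yet" placeholder. */
var TODO_OPEN = "\xABTODO: ";
/** Closing marker of a placeholder. */
var TODO_CLOSE = "\xBB";

/**
 * Wrap a field name in the placeholder markers.
 * @param {string} fieldName - name of the missing draft field.
 * @returns {string} the placeholder text.
 */
function placeholder(fieldName) {
  return `${TODO_OPEN}${fieldName}${TODO_CLOSE}`;
}

/**
 * Build one policy section record. Sections start out included.
 * @param {string} id
 * @param {string} title
 * @param {string} template - the section's text.
 * @param {number} order - 1-based position in the policy.
 * @param {boolean} required
 * @returns {object} the section record.
 */
function makeSection(id, title, template, order, required) {
  return { id, title, template, order, required, included: true };
}

/** Keep only the data categories whose `selected` flag is truthy. */
function selectedCategories(categories) {
  return categories.filter((category) => category.selected);
}

/** Human-readable description for each known processing purpose. */
var PURPOSE_DESCRIPTIONS = {
  service_delivery: "Service Delivery \u2014 to provide, maintain, and improve the services you have requested from us",
  marketing: "Marketing \u2014 to send promotional communications where you have opted in to receive them",
  analytics: "Analytics \u2014 to analyse usage patterns and improve user experience",
  research: "Research \u2014 to conduct research and development for service improvement",
  legal_compliance: "Legal Compliance \u2014 to meet our obligations under Nigerian law, including the NDPA 2023",
  fraud_prevention: "Fraud Prevention \u2014 to detect, prevent, and respond to fraud, security threats, and abuse",
};

/**
 * Look up the description of a processing purpose.
 * @param {string} purpose
 * @returns {string|undefined} undefined for a purpose that is not in the table.
 */
function describePurpose(purpose) {
  return PURPOSE_DESCRIPTIONS[purpose];
}

/**
 * "Introduction & Scope" section.
 * The effective date printed here is the UTC date at generation time.
 * NOTE(review): the compliance checklist below reads `effectiveDate` from the
 * policy object instead; confirm the two are meant to agree.
 */
function buildIntroductionSection(draft, order) {
  const orgName = draft.org.name || placeholder("orgName");
  const website = draft.org.website || placeholder("website");
  const today = new Date().toISOString().slice(0, 10);
  const text = [
    `This Privacy Policy explains how ${orgName} ("we", "us", or "our") collects, uses, stores, and protects personal data when you use our services and visit our website at ${website}.`,
    "This policy is issued in compliance with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR).",
    `It applies to all personal data processed by ${orgName}, whether collected online or offline.`,
    `Effective Date: ${today}.`,
    "We are committed to protecting your privacy and ensuring that your personal data is handled responsibly and in accordance with applicable data protection legislation.",
  ].join(" ");
  return makeSection("introduction", "Introduction & Scope", text, order, true);
}

/** "Data We Collect" section: lists the selected categories group by group. */
function buildDataCollectionSection(draft, order) {
  const orgName = draft.org.name || placeholder("orgName");
  const chosen = selectedCategories(draft.dataCategories);
  const groupTitles = {
    identity: "Identity & Contact Information",
    financial: "Financial Information",
    behavioral: "Technical & Behavioral Data",
    sensitive: "Sensitive / Special-Category Data",
    children: "Children's Data",
  };
  // Fixed output order of the groups.
  const groupOrder = ["identity", "financial", "behavioral", "sensitive", "children"];

  let listing = "";
  for (const group of groupOrder) {
    const inGroup = chosen.filter((category) => category.group === group);
    if (inGroup.length > 0) {
      listing += ` ${groupTitles[group]}: `;
      for (const category of inGroup) {
        listing += `- ${category.label}: ${category.dataPoints.join(", ")}. `;
      }
    }
  }
  if (listing === "") {
    listing = " - Personal data categories have not yet been specified. ";
  }

  const lead = `${orgName} collects the following categories of personal data in the course of providing our services. Data may be collected directly from you (e.g. through forms, account registration, or correspondence) or automatically (e.g. through cookies, server logs, and similar technologies). `;
  const tail = " We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes described in this policy, in accordance with the NDPA 2023.";
  return makeSection("data-collection", "Data We Collect", lead + listing + tail, order, true);
}

/**
 * "Legal Basis for Processing" section. Which bases are listed depends on the
 * selected purposes; consent and contract are the fallback when nothing else
 * was added (for example when only marketing or analytics is selected).
 */
function buildLegalBasisSection(draft, order) {
  const orgName = draft.org.name || placeholder("orgName");
  const purposes = draft.purposes;
  const bases = [];

  if (purposes.includes("service_delivery") || purposes.length === 0) {
    bases.push("- Consent: where you have given clear, informed, and voluntary consent for specific processing activities (NDPA Section 25).");
    bases.push("- Contract: where processing is necessary for the performance of a contract to which you are a party, or to take pre-contractual steps at your request (NDPA Section 25).");
  }
  if (purposes.includes("legal_compliance")) {
    bases.push("- Legal Obligation: where processing is required for compliance with a legal obligation to which we are subject under Nigerian law.");
  }
  if (purposes.includes("fraud_prevention")) {
    bases.push("- Legitimate Interest: where processing is necessary for our legitimate interests (such as fraud prevention and network security), provided those interests are not overridden by your rights and freedoms (NDPA Section 25).");
  }
  if (purposes.includes("research")) {
    bases.push("- Public Interest / Research: where processing is necessary for scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards.");
  }
  if (bases.length === 0) {
    bases.push("- Consent: where you have given clear, informed, and voluntary consent for specific processing activities (NDPA Section 25).");
    bases.push("- Contract: where processing is necessary for the performance of a contract to which you are a party (NDPA Section 25).");
  }

  const text =
    `${orgName} processes personal data under one or more of the following lawful bases as prescribed by the Nigeria Data Protection Act (NDPA) 2023: ` +
    bases.join(" ") +
    " We will always inform you of the specific legal basis applicable to each processing activity at the time of data collection.";
  return makeSection("legal-basis", "Legal Basis for Processing", text, order, true);
}

/** "How We Use Your Data" section; defaults to service delivery when no purpose is selected. */
function buildDataUsageSection(draft, order) {
  const purposes = draft.purposes.length > 0 ? draft.purposes : ["service_delivery"];
  const bullets = purposes.map((purpose) => `- ${describePurpose(purpose)}`).join(" ");
  const text =
    "We process the personal data we collect for the following purposes: " +
    bullets +
    " We will not process your personal data for purposes incompatible with those stated above without providing you with prior notice and, where required by the NDPA, obtaining your consent.";
  return makeSection("data-usage", "How We Use Your Data", text, order, true);
}

/**
 * "Data Sharing & Disclosure" section. With processors configured it emits a
 * pipe-delimited table of name, purpose and country.
 * NOTE(review): the cell values are not escaped, so a "|" inside a processor
 * field would break the table layout; presumably handled by the renderer or by
 * input validation elsewhere; confirm.
 */
function buildDataSharingSection(draft, order) {
  const orgName = draft.org.name || placeholder("orgName");
  const processors = draft.thirdPartyProcessors;
  let sharing;
  if (processors.length > 0) {
    const rows = processors
      .map((processor) => `| ${processor.name} | ${processor.purpose} | ${processor.country} |`)
      .join(" ");
    sharing =
      "We share personal data with the following third-party processors under data processing agreements that comply with the NDPA 2023: | Processor | Purpose | Country | | --- | --- | --- | " +
      rows +
      " All processors are contractually required to implement appropriate technical and organisational measures to protect personal data.";
  } else {
    sharing = "We do not currently share your personal data with third-party processors. Should this change, we will update this policy and, where required, obtain your consent before any sharing takes place.";
  }
  const text =
    `${orgName} does not sell personal data under any circumstances. ` +
    sharing +
    " We may also disclose personal data where required by law, regulation, or valid legal process, including requests from Nigerian regulatory and law enforcement authorities.";
  return makeSection("data-sharing", "Data Sharing & Disclosure", text, order, true);
}

/**
 * "Your Rights as a Data Subject" section.
 * NOTE(review): this text cites Section 35 for withdrawal of consent and
 * Section 46(1) for complaints, while the checklist entries below cite
 * Section 25(2) and Section 40 for the same rights; confirm against the Act.
 */
function buildDataSubjectRightsSection(draft, order) {
  const privacyEmail = draft.org.privacyEmail || placeholder("privacyEmail");
  const text = [
    "Under the Nigeria Data Protection Act (NDPA) 2023, you are entitled to the following rights regarding your personal data:",
    "1. Right of Access \u2014 You may request confirmation of whether we process your personal data and obtain a copy of that data (NDPA Section 34(1)(a)\u2013(b)).",
    "2. Right to Rectification \u2014 You may request correction of inaccurate or incomplete personal data we hold about you (NDPA Section 34(1)(c)).",
    "3. Right to Erasure \u2014 You may request deletion of your personal data where there is no compelling legal reason for its continued processing (NDPA Section 34(1)(d), Section 34(2)).",
    "4. Right to Restrict Processing \u2014 You may request that we limit the processing of your personal data in certain circumstances (NDPA Section 34(1)(e)).",
    "5. Right to Withdraw Consent \u2014 Where processing is based on consent, you may withdraw that consent at any time (NDPA Section 35), without affecting the lawfulness of processing carried out prior to withdrawal.",
    "6. Right to Object \u2014 You may object to the processing of your personal data where processing is based on legitimate interest or is carried out for direct marketing purposes (NDPA Section 36).",
    "7. Right Not to Be Subject to Automated Decisions \u2014 You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (NDPA Section 37).",
    "8. Right to Data Portability \u2014 You may request to receive your personal data in a structured, commonly used, and machine-readable format (NDPA Section 38).",
    `To exercise any of these rights, please contact us at ${privacyEmail}.`,
    "We will respond to your request within 30 days (extendable in complex cases per NDPC GAID 2025).",
    "If you are unsatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) under NDPA Section 46(1).",
  ].join(" ");
  return makeSection("data-subject-rights", "Your Rights as a Data Subject", text, order, true);
}

/**
 * "Data Security Measures" section, with extra bullets for some industries.
 *
 * The text states specific controls (TLS 1.2+, AES-256 at rest, penetration
 * testing, 72-hour notification and, per industry, PCI-DSS, MFA and so on)
 * unconditionally: nothing in the draft is consulted except `org.industry`.
 * Whoever publishes the policy has to check each statement against the
 * controls that are actually in place and edit the section where they differ.
 */
function buildDataSecuritySection(draft, order) {
  const privacyEmail = draft.org.privacyEmail || placeholder("privacyEmail");
  let industryMeasures = "";
  switch (draft.org.industry) {
    case "fintech":
      industryMeasures = " - Compliance with Payment Card Industry Data Security Standard (PCI-DSS) for cardholder data protection. - End-to-end encryption of financial transactions. - Multi-factor authentication for account access.";
      break;
    case "healthcare":
      industryMeasures = " - HIPAA-aligned safeguards for health information, including access controls and audit logging. - Segregation of medical data from other personal data. - Role-based access controls restricting health data to authorised personnel.";
      break;
    case "ecommerce":
      industryMeasures = " - PCI-DSS compliant payment processing. - Secure checkout and tokenisation of payment credentials.";
      break;
    case "government":
      industryMeasures = " - Compliance with Nigeria's Cybercrimes Act 2015 requirements. - Government-grade access controls and audit trails.";
      break;
    default:
      break;
  }
  const baseline = [
    "We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.",
    "These measures include:",
    "- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).",
    "- Access controls and least-privilege principles for all systems handling personal data.",
    "- Regular security assessments, penetration testing, and vulnerability scanning.",
    "- Staff training on data protection obligations and information security best practices.",
    "- Incident response procedures aligned with NDPA breach notification requirements (72-hour notification to NDPC).",
  ].join(" ");
  const closing = ` While we employ industry-standard safeguards, no method of electronic transmission or storage is entirely secure. If you become aware of any security incident affecting your data, please contact us immediately at ${privacyEmail}.`;
  return makeSection("data-security", "Data Security Measures", baseline + industryMeasures + closing, order, true);
}

/** "Contact Information" section; address, website and DPO lines appear only when set. */
function buildContactSection(draft, order) {
  const orgName = draft.org.name || placeholder("orgName");
  const privacyEmail = draft.org.privacyEmail || placeholder("privacyEmail");

  const orgLines = [];
  if (draft.org.address) {
    orgLines.push(`Address: ${draft.org.address}`);
  }
  if (draft.org.website) {
    orgLines.push(`Website: ${draft.org.website}`);
  }

  const dpoLines = [];
  if (draft.org.dpoName) {
    dpoLines.push(`Data Protection Officer: ${draft.org.dpoName}`);
  }
  if (draft.org.dpoEmail) {
    dpoLines.push(`DPO Email: ${draft.org.dpoEmail}`);
  }

  const orgBlock = orgLines.length > 0 ? ` ${orgLines.join(" ")}` : "";
  const dpoBlock = dpoLines.length > 0 ? ` ${dpoLines.join(" ")}` : "";
  const text =
    `If you have questions, concerns, or requests regarding this privacy policy or our data protection practices, please contact us: Organisation: ${orgName} Email: ${privacyEmail}` +
    orgBlock +
    dpoBlock +
    " You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been infringed. Nigeria Data Protection Commission Website: https://ndpc.gov.ng Email: info@ndpc.gov.ng";
  return makeSection("contact-info", "Contact Information", text, order, true);
}

/** "Children's Data Protection" section (fixed text). */
function buildChildrenSection(order) {
  const text = [
    "We recognise the importance of protecting the privacy of children.",
    "In accordance with Section 31 of the NDPA 2023, we implement the following safeguards when processing children's personal data:",
    "- We do not knowingly collect personal data from children under the age of 13 without verifiable parental or guardian consent.",
    "- Where we process data of children between the ages of 13 and 17, we obtain consent from a parent or guardian, taking into account the child's age and maturity.",
    "- Parents and guardians may request access to, correction of, or deletion of their child's personal data at any time by contacting us.",
    "- We limit the collection of children's data to what is strictly necessary for the service provided and do not use it for marketing or profiling.",
    "- A Data Protection Impact Assessment (DPIA) is conducted before any new processing activity involving children's data.",
    "If we discover that we have inadvertently collected personal data from a child without appropriate consent, we will delete that data promptly.",
  ].join(" ");
  return makeSection("children-data-protection", "Children's Data Protection", text, order, true);
}

/** "Sensitive / Special-Category Data" section (fixed text). */
function buildSensitiveDataSection(order) {
  const text = [
    "Certain categories of personal data are considered sensitive under the NDPA 2023 and require additional safeguards.",
    "Sensitive data includes information relating to health, biometric identifiers, ethnic origin, religious or political beliefs, and genetic data.",
    "We process sensitive personal data only where:",
    "- You have given explicit consent for the specific processing purpose.",
    "- Processing is necessary to protect your vital interests or those of another person.",
    "- Processing is required for the establishment, exercise, or defence of legal claims.",
    "- Processing is necessary for reasons of substantial public interest under Nigerian law.",
    "Enhanced security measures are applied to all sensitive data, including additional encryption, strict access controls, and enhanced audit logging.",
    "Sensitive data is stored separately from other personal data where technically feasible.",
  ].join(" ");
  return makeSection("sensitive-data-processing", "Sensitive / Special-Category Data", text, order, true);
}

/**
 * "Cross-Border Data Transfers" section. Appends the distinct countries of all
 * processors whose country is not "nigeria" (case-insensitive comparison).
 * NOTE(review): this text cites Sections 43 and 44, while the checklist entry
 * below cites Part VIII (Sections 41-43); confirm against the Act.
 */
function buildCrossBorderSection(draft, order) {
  const foreignProcessors = draft.thirdPartyProcessors.filter(
    (processor) => processor.country.toLowerCase() !== "nigeria"
  );
  let jurisdictions = "";
  if (foreignProcessors.length > 0) {
    const countries = Array.from(new Set(foreignProcessors.map((processor) => processor.country)));
    jurisdictions = ` We currently transfer personal data to the following jurisdictions: ${countries.join(", ")}. Each transfer is subject to the safeguards described above.`;
  }
  const text = [
    "Where we transfer personal data outside Nigeria, we do so in strict compliance with Sections 43 and 44 of the NDPA 2023.",
    "We ensure that any cross-border transfer of personal data is subject to one or more of the following safeguards:",
    "- The receiving country has been assessed by the NDPC as providing an adequate level of data protection.",
    "- We have put in place appropriate contractual safeguards, such as Standard Contractual Clauses approved by the NDPC.",
    "- You have provided explicit consent to the transfer after being informed of the associated risks.",
    "- The transfer is necessary for the performance of a contract between you and us, or for pre-contractual steps taken at your request.",
    "- The NDPC has granted an administrative authorisation for the transfer.",
  ].join(" ");
  return makeSection("cross-border-transfers", "Cross-Border Data Transfers", text + jurisdictions, order, true);
}

/** "Automated Decision-Making & Profiling" section (fixed text). */
function buildAutomatedDecisionSection(order) {
  const text = [
    "In accordance with Section 37 of the NDPA 2023, we inform you of any automated decision-making processes, including profiling, that produce legal effects or similarly significant effects on you.",
    "Where we use automated decision-making:",
    "- We will inform you that automated processing is being used and provide meaningful information about the logic involved.",
    "- You have the right to request human intervention in any automated decision.",
    "- You have the right to express your point of view and contest the decision.",
    "- We will carry out regular reviews of automated decision-making systems to ensure fairness, accuracy, and absence of bias.",
    "- We will not base automated decisions solely on sensitive personal data unless you have given explicit consent or the processing is authorised by Nigerian law.",
    "You may object to automated decision-making at any time by contacting us using the details provided in this policy.",
  ].join(" ");
  return makeSection("automated-decision-making", "Automated Decision-Making & Profiling", text, order, true);
}

/**
 * "Data Retention Schedule" section, with an extra paragraph for some industries.
 * The retention periods are fixed text; as with the security section, the
 * publisher has to confirm they match what the organisation actually does.
 */
function buildRetentionSection(draft, order) {
  const orgName = draft.org.name || placeholder("orgName");
  let industryRetention = "";
  switch (draft.org.industry) {
    case "fintech":
      industryRetention = " Financial transaction records are retained for a minimum of six (6) years in compliance with the Central Bank of Nigeria (CBN) guidelines and the Money Laundering (Prevention and Prohibition) Act.";
      break;
    case "healthcare":
      industryRetention = " Medical and health records are retained for a minimum of ten (10) years after the last date of treatment, or longer where required by applicable health regulations.";
      break;
    case "ecommerce":
      industryRetention = " Order and transaction records are retained for six (6) years in accordance with Nigerian tax and commercial law requirements.";
      break;
    case "education":
      industryRetention = " Student academic records may be retained indefinitely for verification purposes. Other personal data is retained only for the duration of enrolment plus five (5) years.";
      break;
    default:
      break;
  }
  const schedule = [
    `${orgName} retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable Nigerian law.`,
    "Our retention periods are determined based on the following criteria:",
    "- The nature and sensitivity of the personal data.",
    "- The purposes for which the data is processed.",
    "- Legal, regulatory, and contractual obligations (including NDPA 2023 requirements).",
    "- Legitimate business needs such as maintaining records for audits, dispute resolution, and regulatory examinations.",
    "General retention periods:",
    "- Account data: retained for the duration of your relationship with us, plus three (3) years.",
    "- Communication records: retained for two (2) years from the date of correspondence.",
    "- Analytics and usage data: retained in identifiable form for twelve (12) months, then aggregated or anonymised.",
  ].join(" ");
  const closing = " When personal data is no longer required, it is securely deleted or irreversibly anonymised in accordance with our internal data retention and disposal policy.";
  return makeSection("data-retention", "Data Retention Schedule", schedule + industryRetention + closing, order, true);
}

/**
 * Build the ordered list of policy sections for a draft.
 * Eight sections are always present, four are added when the matching draft
 * flag is set, and the retention section always comes last. `order` values are
 * consecutive starting at 1.
 * @param {object} draft - policy draft (see createDefaultDraft for its fields).
 * @returns {object[]} section records.
 */
function buildPolicySections(draft) {
  let order = 1;
  const sections = [
    buildIntroductionSection(draft, order++),
    buildDataCollectionSection(draft, order++),
    buildLegalBasisSection(draft, order++),
    buildDataUsageSection(draft, order++),
    buildDataSharingSection(draft, order++),
    buildDataSubjectRightsSection(draft, order++),
    buildDataSecuritySection(draft, order++),
    buildContactSection(draft, order++),
  ];
  if (draft.hasChildrenData) {
    sections.push(buildChildrenSection(order++));
  }
  if (draft.hasSensitiveData) {
    sections.push(buildSensitiveDataSection(order++));
  }
  if (draft.hasCrossBorderTransfer) {
    sections.push(buildCrossBorderSection(draft, order++));
  }
  if (draft.hasAutomatedDecisions) {
    sections.push(buildAutomatedDecisionSection(order++));
  }
  sections.push(buildRetentionSection(draft, order++));
  return sections;
}

/** Catalogue of data categories offered by default; none is selected initially. */
var DEFAULT_DATA_CATEGORIES = [
  { id: "full-name", label: "Full Name", group: "identity", dataPoints: ["first name", "last name", "middle name", "title"], selected: false },
  { id: "contact-details", label: "Contact Details", group: "identity", dataPoints: ["email address", "phone number", "postal address"], selected: false },
  { id: "government-ids", label: "Government-Issued Identifiers", group: "identity", dataPoints: ["NIN", "passport number", "driver's licence number", "voter's card number"], selected: false },
  { id: "account-credentials", label: "Account Credentials", group: "identity", dataPoints: ["username", "hashed password", "security questions"], selected: false },
  { id: "payment-info", label: "Payment Information", group: "financial", dataPoints: ["credit/debit card number", "bank account number", "billing address"], selected: false },
  { id: "financial-records", label: "Financial Records", group: "financial", dataPoints: ["transaction history", "account balance", "income details"], selected: false },
  { id: "bvn", label: "Bank Verification Number (BVN)", group: "financial", dataPoints: ["BVN"], selected: false },
  { id: "device-info", label: "Device & Browser Information", group: "behavioral", dataPoints: ["IP address", "browser type", "operating system", "device identifiers"], selected: false },
  { id: "usage-data", label: "Usage & Analytics Data", group: "behavioral", dataPoints: ["pages visited", "click patterns", "session duration", "referral source"], selected: false },
  { id: "location-data", label: "Location Data", group: "behavioral", dataPoints: ["GPS coordinates", "city", "country", "timezone"], selected: false },
  { id: "cookies", label: "Cookies & Tracking Technologies", group: "behavioral", dataPoints: ["cookie identifiers", "pixel tags", "local storage data"], selected: false },
  { id: "health-data", label: "Health & Medical Data", group: "sensitive", dataPoints: ["medical history", "prescriptions", "health insurance details", "disability status"], selected: false },
  { id: "biometric-data", label: "Biometric Data", group: "sensitive", dataPoints: ["fingerprints", "facial recognition data", "voiceprints"], selected: false },
  { id: "ethnic-religious", label: "Ethnic Origin & Religious Beliefs", group: "sensitive", dataPoints: ["ethnic origin", "religious affiliation", "political opinions"], selected: false },
  { id: "child-identity", label: "Child Identity Information", group: "children", dataPoints: ["child's name", "date of birth", "school name", "parent/guardian contact"], selected: false },
  { id: "child-activity", label: "Child Online Activity", group: "children", dataPoints: ["content viewed", "in-app activity", "communications"], selected: false },
];

/**
 * Create an empty policy draft with every flag off and nothing selected.
 * Each category record is passed through the chunk helper `a({}, category)`.
 * NOTE(review): that helper is defined in ./chunk-RFPLZDIO.js and is not shown
 * here; it looks like a shallow-copy helper, in which case the `dataPoints`
 * arrays would still be shared with the catalogue; confirm.
 * @returns {object} a fresh draft.
 */
function createDefaultDraft() {
  return {
    org: {
      name: "",
      website: "",
      privacyEmail: "",
      address: "",
      dpoName: "",
      dpoEmail: "",
      industry: "other",
      orgSize: "startup",
      country: "Nigeria",
    },
    dataCategories: DEFAULT_DATA_CATEGORIES.map((category) => chunkRFPLZDIO_js.a({}, category)),
    purposes: [],
    hasChildrenData: false,
    hasSensitiveData: false,
    hasFinancialData: false,
    hasCrossBorderTransfer: false,
    hasAutomatedDecisions: false,
    thirdPartyProcessors: [],
  };
}

/** True when the policy has an included section with the given id. */
function hasIncludedSection(policy, sectionId) {
  return policy.sections.some((section) => section.id === sectionId && section.included);
}

/** Text of the included section with the given id, or "" when there is none. */
function includedSectionText(policy, sectionId) {
  const section = policy.sections.find((candidate) => candidate.id === sectionId && candidate.included);
  const template = section == null ? undefined : section.template;
  return template != null ? template : "";
}

/** Text of all included sections, joined with a single space. */
function allIncludedText(policy) {
  return policy.sections
    .filter((section) => section.included)
    .map((section) => section.template)
    .join(" ");
}

/** True when the value, treated as "" if null or undefined, has non-blank text. */
function hasText(value) {
  return (value != null ? value : "").trim().length > 0;
}

/**
 * The compliance checklist. Each entry has an id, a display name, the NDPA
 * reference it is filed under, a severity, a point weight, a `check(policy,
 * draft)` predicate and a `gap(draft)` factory describing the remediation.
 *
 * The checks test for presence only: that a section is included, that a field
 * is non-blank, or that certain words occur somewhere in the text. Passing a
 * check therefore does not show that the wording is legally sufficient or that
 * the statements in the policy are true.
 *
 * The weights add up to 115 (6 x 10 + 5 x 7 + 4 x 5).
 */
var COMPLIANCE_REQUIREMENTS = [
  {
    id: "controller-identity",
    name: "Controller Identity",
    ndpaSection: "NDPA Section 24(1)(a)",
    severity: "critical",
    points: 10,
    check: (policy) => hasText(policy.organizationInfo.name) && hasText(policy.organizationInfo.privacyEmail),
    gap: () => ({
      message: "The policy does not identify the data controller. The organisation name and contact email must be provided so data subjects know who is responsible for their data.",
      fixType: "fill_field",
      fixLabel: "Add organisation details",
      suggestedContent: "Provide your organisation's registered name and a valid privacy contact email address in the Organisation Info section.",
    }),
  },
  {
    id: "purpose-of-processing",
    name: "Purpose of Processing",
    ndpaSection: "NDPA Section 24(1)(b)",
    severity: "critical",
    points: 10,
    check: (policy, draft) => draft.purposes.length > 0,
    gap: () => ({
      message: "No processing purposes have been selected. The NDPA requires you to clearly state the specific purposes for which personal data is collected and processed.",
      fixType: "fill_field",
      fixLabel: "Select processing purposes",
      suggestedContent: "Select at least one processing purpose (e.g. service delivery, analytics, marketing) in the wizard.",
    }),
  },
  {
    id: "lawful-basis",
    name: "Lawful Basis Identified",
    ndpaSection: "NDPA Section 25",
    severity: "critical",
    points: 10,
    check: (policy) => hasIncludedSection(policy, "legal-basis"),
    gap: () => ({
      message: "The policy does not include a section identifying the lawful basis for processing. Under the NDPA, every processing activity must be grounded in a lawful basis such as consent, contract, or legitimate interest.",
      fixType: "add_section",
      fixLabel: "Add legal basis section",
      suggestedContent: [
        "We process personal data under one or more of the following lawful bases as prescribed by the NDPA 2023:",
        "- Consent: where you have given clear, informed, and voluntary consent.",
        "- Contract: where processing is necessary for the performance of a contract.",
        "- Legal Obligation: where processing is required by Nigerian law.",
        "- Legitimate Interest: where processing is necessary for our legitimate interests, provided they do not override your rights.",
      ].join(" "),
    }),
  },
  {
    id: "data-categories-disclosed",
    name: "Data Categories Disclosed",
    ndpaSection: "NDPA Section 24(1)(c)",
    severity: "critical",
    points: 10,
    check: (policy, draft) => draft.dataCategories.some((category) => category.selected),
    gap: () => ({
      message: "No data categories have been selected. The NDPA requires you to disclose the categories of personal data you collect (e.g. identity, financial, behavioral data).",
      fixType: "fill_field",
      fixLabel: "Select data categories",
      suggestedContent: "Select the categories of personal data your organisation collects in the Data Collection step of the wizard.",
    }),
  },
  {
    id: "recipients-disclosed",
    name: "Recipients Disclosed",
    ndpaSection: "NDPA Section 24(1)(e)",
    severity: "critical",
    points: 10,
    // Substring match on each processor name; a processor with an empty name
    // always matches.
    check: (policy, draft) => {
      if (!hasIncludedSection(policy, "data-sharing")) {
        return false;
      }
      if (draft.thirdPartyProcessors.length > 0) {
        const sharingText = includedSectionText(policy, "data-sharing");
        return draft.thirdPartyProcessors.every((processor) => sharingText.includes(processor.name));
      }
      return true;
    },
    gap: (draft) => ({
      message: draft.thirdPartyProcessors.length > 0
        ? "The data sharing section does not list all third-party processors. Each processor must be named with its purpose and location."
        : "The policy does not include a data sharing section. Even if you do not share data, you must state this clearly.",
      fixType: draft.thirdPartyProcessors.length > 0 ? "add_content" : "add_section",
      fixLabel: draft.thirdPartyProcessors.length > 0 ? "Update sharing section" : "Add data sharing section",
      suggestedContent: "We do not sell personal data. We may share your data with service providers under strict data processing agreements that comply with the NDPA 2023.",
    }),
  },
  {
    id: "retention-periods",
    name: "Retention Periods Specified",
    ndpaSection: "NDPA Section 24(1)(f)",
    severity: "critical",
    points: 10,
    check: (policy) => hasIncludedSection(policy, "data-retention"),
    gap: () => ({
      message: "The policy does not include a data retention section. The NDPA requires you to specify the period for which personal data will be stored, or the criteria used to determine that period.",
      fixType: "add_section",
      fixLabel: "Add retention schedule",
      suggestedContent: "We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable Nigerian law. When personal data is no longer needed, it is securely deleted or anonymised.",
    }),
  },
  {
    id: "data-subject-rights",
    name: "Data Subject Rights Listed",
    ndpaSection: "NDPA Sections 34-39",
    severity: "important",
    points: 7,
    // Keyword test on the lower-cased section text.
    check: (policy) => {
      if (!hasIncludedSection(policy, "data-subject-rights")) {
        return false;
      }
      const rightsText = includedSectionText(policy, "data-subject-rights").toLowerCase();
      const keywords = ["access", "rectification", "erasure", "portability", "restrict", "object"];
      return keywords.every((keyword) => rightsText.includes(keyword));
    },
    gap: () => ({
      message: "The data subject rights section is missing or does not cover all six NDPA rights: access, rectification, erasure, portability, restriction, and objection.",
      fixType: "add_content",
      fixLabel: "Add missing rights",
      suggestedContent: "Under the NDPA 2023, you have the following rights: 1. Right of Access (Section 34(1)(a)\u2013(b)) 2. Right to Rectification (Section 34(1)(c)) 3. Right to Erasure (Section 34(1)(d), Section 34(2)) 4. Right to Restrict Processing (Section 34(1)(e)) 5. Right to Data Portability (Section 38) 6. Right to Object (Section 36)",
    }),
  },
  {
    id: "right-to-withdraw-consent",
    name: "Right to Withdraw Consent",
    ndpaSection: "NDPA Section 25(2)",
    severity: "important",
    points: 7,
    // Passes when both words occur anywhere in the included text, not
    // necessarily in the same sentence.
    check: (policy) => {
      const fullText = allIncludedText(policy).toLowerCase();
      return fullText.includes("withdraw") && fullText.includes("consent");
    },
    gap: () => ({
      message: "The policy does not mention the right to withdraw consent. Data subjects must be informed that they can withdraw consent at any time without affecting the lawfulness of prior processing.",
      fixType: "add_content",
      fixLabel: "Add withdrawal clause",
      suggestedContent: "You have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw your consent, contact us at the email address provided in this policy.",
    }),
  },
  {
    id: "right-to-lodge-complaint",
    name: "Right to Lodge Complaint with NDPC",
    ndpaSection: "NDPA Section 40",
    severity: "important",
    points: 7,
    check: (policy) => {
      const fullText = allIncludedText(policy).toLowerCase();
      return fullText.includes("ndpc") || fullText.includes("nigeria data protection commission");
    },
    gap: () => ({
      message: "The policy does not mention the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC). Data subjects must be informed of this right.",
      fixType: "add_content",
      fixLabel: "Add NDPC complaint reference",
      suggestedContent: "You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been infringed. Website: https://ndpc.gov.ng",
    }),
  },
  {
    id: "cross-border-safeguards",
    name: "Cross-Border Transfer Safeguards",
    ndpaSection: "NDPA Part VIII (Sections 41-43)",
    severity: "important",
    points: 7,
    // Only applies when the draft flags cross-border transfers.
    check: (policy, draft) => (draft.hasCrossBorderTransfer ? hasIncludedSection(policy, "cross-border-transfers") : true),
    gap: () => ({
      message: "Cross-border data transfers are indicated but the policy lacks a section describing the safeguards in place. The NDPA requires disclosure of transfer mechanisms and adequacy assessments.",
      fixType: "add_section",
      fixLabel: "Add cross-border section",
      suggestedContent: "Where we transfer personal data outside Nigeria, we ensure compliance with Part VIII (Sections 41-43) of the NDPA 2023 by implementing appropriate safeguards, including adequacy assessments and Standard Contractual Clauses.",
    }),
  },
  {
    id: "automated-decision-disclosure",
    name: "Automated Decision-Making Disclosure",
    ndpaSection: "NDPA Section 37",
    severity: "important",
    points: 7,
    check: (policy, draft) => (draft.hasAutomatedDecisions ? hasIncludedSection(policy, "automated-decision-making") : true),
    gap: () => ({
      message: "Automated decision-making is indicated but the policy does not include a section disclosing this. The NDPA requires you to inform data subjects about automated decisions, including the logic involved and the right to human intervention.",
      fixType: "add_section",
      fixLabel: "Add automated decisions section",
      suggestedContent: "We use automated decision-making in certain processes. You have the right to request human intervention, express your point of view, and contest automated decisions, in accordance with Section 37 of the NDPA 2023.",
    }),
  },
  {
    id: "children-data-protection",
    name: "Children's Data Protection",
    ndpaSection: "NDPA Section 31",
    severity: "recommended",
    points: 5,
    check: (policy, draft) => (draft.hasChildrenData ? hasIncludedSection(policy, "children-data-protection") : true),
    gap: () => ({
      message: "Children's data processing is indicated but the policy does not include a dedicated children's data protection section. The NDPA requires enhanced protections including parental consent for children under 13.",
      fixType: "add_section",
      fixLabel: "Add children's data section",
      suggestedContent: "We do not knowingly collect personal data from children under the age of 13 without verifiable parental or guardian consent. Parents and guardians may request access to, correction of, or deletion of their child's data at any time.",
    }),
  },
  {
    id: "dpo-contact-info",
    name: "DPO Contact Information",
    ndpaSection: "NDPA Section 30",
    severity: "recommended",
    points: 5,
    check: (policy) => hasText(policy.organizationInfo.dpoName) && hasText(policy.organizationInfo.dpoEmail),
    gap: () => ({
      message: "The Data Protection Officer (DPO) contact information is not provided. While not always mandatory, appointing a DPO and publishing their contact details is strongly recommended under the NDPA.",
      fixType: "fill_field",
      fixLabel: "Add DPO details",
      suggestedContent: "Provide the full name and email address of your Data Protection Officer in the Organisation Info section.",
    }),
  },
  {
    id: "security-measures",
    name: "Security Measures Described",
    ndpaSection: "NDPA Section 28",
    severity: "recommended",
    points: 5,
    // Checks that the section is included, not that the measures it lists exist.
    check: (policy) => hasIncludedSection(policy, "data-security"),
    gap: () => ({
      message: "The policy does not describe the technical and organisational security measures in place to protect personal data. Describing these measures builds trust and demonstrates NDPA compliance.",
      fixType: "add_section",
      fixLabel: "Add security section",
      suggestedContent: "We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, regular security assessments, and incident response procedures aligned with NDPA breach notification requirements.",
    }),
  },
  {
    id: "policy-effective-date",
    name: "Policy Effective Date",
    ndpaSection: "NDPA Section 24",
    severity: "recommended",
    points: 5,
    check: (policy) => policy.effectiveDate > 0,
    gap: () => ({
      message: "The policy does not have an effective date set. An effective date is important for version control and for data subjects to know when the policy was last updated.",
      fixType: "fill_field",
      fixLabel: "Set effective date",
      suggestedContent: "Set the policy's effective date to the date you intend to publish it.",
    }),
  },
];

/**
 * Score a policy against the checklist.
 *
 * The rating is derived from the share of points earned: "compliant" only when
 * every requirement passes, "nearly_compliant" from 80 % of the maximum, and
 * "not_compliant" below that. The previous code compared the raw point total
 * with 100 and 80 although the maximum is 115, so a policy could be rated
 * "compliant" while `gaps` still listed a failed critical requirement.
 *
 * @param {object} policy - object with `sections`, `organizationInfo` and `effectiveDate`.
 * @param {object} draft - the draft the policy was generated from.
 * @returns {{score: number, maxScore: number, percentage: number, rating: string, gaps: object[], passed: string[]}}
 */
function evaluateCompliance(policy, draft) {
  const maxScore = COMPLIANCE_REQUIREMENTS.reduce((total, requirement) => total + requirement.points, 0);
  let score = 0;
  const gaps = [];
  const passed = [];

  for (const requirement of COMPLIANCE_REQUIREMENTS) {
    if (requirement.check(policy, draft)) {
      score += requirement.points;
      passed.push(requirement.id);
    } else {
      const remediation = requirement.gap(draft);
      gaps.push(
        chunkRFPLZDIO_js.a(
          {
            requirementId: requirement.id,
            requirement: requirement.name,
            ndpaSection: requirement.ndpaSection,
            severity: requirement.severity,
          },
          remediation
        )
      );
    }
  }

  const percentage = Math.round((score / maxScore) * 100);

  // Integer comparisons against the maximum, so rounding cannot promote a
  // policy with an open gap to "compliant".
  let rating;
  if (score >= maxScore) {
    rating = "compliant";
  } else if (score * 100 >= maxScore * 80) {
    rating = "nearly_compliant";
  } else {
    rating = "not_compliant";
  }

  return { score, maxScore, percentage, rating, gaps, passed };
}

exports.a = TODO_OPEN;
exports.b = TODO_CLOSE;
exports.c = buildPolicySections;
exports.d = DEFAULT_DATA_CATEGORIES;
exports.e = createDefaultDraft;
exports.f = evaluateCompliance;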