Citadel School of Government (“the School”) is committed to protecting applicants’ personal information in compliance with the Nigeria Data Protection Act 2023 (NDPA) and related regulations. This Data Policy outlines:
a. how we collect, use, store, and protect personal data of applicants;
b. the types of data we collect;
c. the legal basis for processing (including how we obtain consent);
d. our purposes for using the data, retention periods, any third-party access, security measures in place (including oversight by Our Data Protection Officer); and
e. the rights of applicants regarding their data.
Â
We only collect personal data that is necessary for the effective operation of the School of Government and the fulfillment of mission. This typically includes:
a. Identification and Contact Details:Â Full name, date of birth, email address, telephone number, postal address, and other contact information. We may aslo collect identification numbers or copies of ID documents e.g. national ID card or passport for verification.
b. Educational and Academic History: Academic records usch as prior schools attended, degrees or certificates obtained, transcripts, grades, and relevant test scores. We may also collect information provided in your application essay or personal statement and any letters of recommendation or references you submit.
c. Supporting Documentation: Materials to support your application, which might include a resume/Curruculum Vitae, writing samples, or certificates.
d. Other Relevant Information: Any additional data you provide during the admissions process such as employment history, extracurricular achievements, or emergency contact details. In some cases, we may ask for information on health or special needs — this is considered sensitive personal data and will be handled with extra care and explicit consent from you.Â
We do not collect more data than we need. All information is obtained directly from you through application forms or communications, or, where necessary, from third parties you authorize, such as verification agencies or reference providers. We ensure you are informed at the point of collection what data is required versus optional.
Â
Personal data collected from you is used strictly for the purposes for which it was collected, and we do not use it in ways incompatible with those purposes. Specifically, the School uses applicant personal data for:
a. Admissions Processing: We use the information you provide to evaluate your suitability for our programs. This includes reviewing academic qualifications, verifying credentials and references, and making admissions decisions.
b. Enrollment and Academic Records: For admitted applicants who enroll, your data becomes part of your student record. We use it to register you as a student, create student IDs, enroll you in courses, and maintain academic records e.g., grades, progress reports, transcripts, and certificates. This data usage is fundamental to providing you with education and cannot be opted-out if you wish to study with us.
c. Communication: We use contact details to keep you informed throughout the admissions process and beyond. Applicants may receive emails or SMS notifications regarding application deadlines, acceptance letters, payment of fees, orientation schedules, and other relevant updates. With your permission, we might also send newsletters about our School, upcoming events, programs, or opportunities that may interest you. You can opt out of non-essential communications at any time, e.g., unsubscribe from a newsletter.
d. Events and Activities: If you RSVP or sign up for School events such as open days, workshops, seminars, or networking events, we will use your data to organize and manage your participation. We may also send post-event feedback surveys.
e. Administration and Operations: Internally, we use personal data to carry out administrative activities related to admissions and student services. This includes processing application fees or tuition payments, auditing and improving our admissions process, conducting academic research or statistical analysis on applicant data, and ensuring the IT systems supporting our admissions portal are functional and secure.
f. Legal and Regulatory Compliance: We may process and disclose data where necessary to comply with audits, accreditation requirements, or inquiries from regulatory agencies such as the Ministry of Education or the Nigeria Data Protection Commission.
We do not use personal data for any kind of unsolicited marketing to applicants outside of the School’s own communications, nor do we engage in selling or renting your data to third parties. Every use of your information is tied to a legitimate purpose as described above. If we ever need to use your data for a new purpose, we will update this Policy and notify you, and if required, obtain your consent.
Â
We retain personal data only for as long as it is necessary to fulfill the purposes for which it was collected or to satisfy legal or operational requirements. In line with the NDPA’s data minimization and storage limitation principles, the School has defined retention periods for different categories of applicant data:
a. Unsuccessful Applications: If you apply but do not enroll (for example, if you are not offered admission, or you decline an offer), we will keep your application data for a limited period. Typically, we retain such data for one to two admission cycles (for example, the current academic year plus the next) in case you reapply or have queries about the decision. After this period, we securely delete or anonymize your personal data.
b. Enrolled Students: If you are admitted and enroll as a student, your application data becomes part of your student file. We will retain your personal data for the duration of your studies and for a significant period after graduation. Academic records such as transcripts, grades, and degree certifications are kept indefinitely as part of the School’s historical academic archive, since alumni may need verification of their credentials many years later. However, other supporting documents like copies of identity documents or financial records will not be kept longer than necessary. We regularly review the personal data in our custody every academic year and erase or anonymize information that is no longer needed.
c. Mailing Lists and Event Data: If you have consented to be on a mailing list but do not become a student, we will retain your contact information for that purpose until you unsubscribe or withdraw consent. Likewise, data collected for a specific event will be kept until the event concludes and any necessary follow-up is done, then it will be deleted or aggregated for analysis unless you join the School or consent to future contact.
When the retention period for any personal data expires, or if you validly request erasure of your data, we ensure the data is permanently and securely deleted from our systems or properly anonymized. We also ensure that third parties who received the data, e.g., service providers, comply with corresponding deletion requirements.
Â
The School may share or entrust personal data to third-party service providers only for the purposes outlined in this Policy and under strict conditions. Key scenarios where third parties may access applicant data include:
a. Cloud Storage and IT Providers: We use secure cloud-based applications and data storage services to host our admissions portal and databases. Your application information may be stored on servers operated by reputable providers who act on our instructions and implement robust security measures. We ensure any cloud or IT provider we use is compliant with NDPA 2023 and, where data is stored or processed outside Nigeria, that appropriate safeguards such as standard contractual clauses or an adequacy decision are in place for cross-border data transfer.
b. Email and Communication Tools: We may use third-party email platforms or SMS gateways to send bulk communications such as admission announcements or event invitations. These platforms will have access to your email address or phone number strictly to perform the mailing function and not for any other purposes.
c. Analytics and Site Optimization: To improve our admissions website and outreach, we may use analytics tools, e.g., website analytics or application statistics that collect usage data like page visits or form completion rates. These tools might use cookies or similar technologies. However, any analytics data is typically aggregated and not used to identify individual applicants. Where personal data is involved, we ensure it is limited – for instance, using anonymized IDs – and subject to confidentiality. You will be informed via our website cookies notice if any such tools are in use, and where required, we will obtain consent for their operation.
d. Verification and Screening Services: In some cases, we employ external organizations to verify documents and credentials you provide such as examination result verification or credential evaluation services. If we need to share your data like your name, certificate, or transcript with such a service, we will do so only for that explicit purpose and ensure the service is under a duty to protect your information.
e. Legal or Regulatory Disclosure: If a third party such as a government agency, court, or law enforcement requests your data and we are legally compelled or permitted to comply, we will verify the request carefully and only provide what is required by law.
Our Commitment: We make sure that all third-party processors handling applicant data on our behalf sign appropriate data protection agreements beforehand, and that these processors are partners who implement adequate security and agree to confidentiality obligations. They are not allowed to use your data for their own purposes.
Â
We take the security of your personal data very seriously, and the School has implemented a range of technical and organizational measures to prevent unauthorized access, loss, or misuse of personal information:
a. Secure Systems: Applicant data is stored in secure databases with access controls. We use encryption technology to protect personal data during transmission, regular backups are performed to prevent data loss, and those backups are also secured.
b. Access Control: Only authorized personnel with a legitimate need can access applicant data. For example, admissions officers and relevant administrative staff access your application for processing, but each staff member has unique login credentials and their access is limited to the information necessary for their role. We maintain logs of data access and regularly review permissions. Staff are trained to handle data confidentially, and confidentiality agreements are in place.
c. Physical Security: Any physical documents containing personal data such as paper copies of transcripts or IDs, if required, are kept in locked cabinets or secure offices with controlled entry. Access to areas where personal data is stored—servers or archives—is restricted to authorized staff.
d. Breach Preparedness: In the unlikely event of a data breach or security incident, we have a response plan in place. This includes immediate steps to contain the incident, assess the impact, and notify affected individuals and regulators like the Nigeria Data Protection Commission as required by law. We also continuously refine our security protocols to adapt to evolving threats.
As a data subject, you have several important rights regarding your personal data held by the School. We are committed to honoring these rights which include:
a. Right of Access: You have the right to request a copy of the personal data we hold about you and to obtain information about how we process it. Upon request, we will provide you with a summary of your personal information in our records, typically within 30 days.
b. Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated.
c. Right to Erasure: This is sometimes called the “right to be forgotten.” You can request that we delete your personal data when it is no longer needed for the purposes for which it was collected, or if you withdraw consent where consent was the basis or object to processing and we have no overriding legitimate grounds to continue.
d. Right to Object or Restrict Processing: You have the right to object to certain types of processing of your data, especially if we are processing under legitimate interests. In some cases, you may also request that we temporarily restrict processing your data – for instance, if you contest the accuracy of the data or the lawfulness of processing, we will limit access to the data until the issue is resolved.
e. Right to Lodge a Complaint: If you believe your data protection rights have been violated or you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC), which is the regulatory authority established under the NDPA. We encourage you to first contact our DPO to resolve any issue, but you can approach the NDPC at any time. The NDPC may be reached via their official website or contact channels as provided by the government.
Please note that the exercise of these rights is subject to certain legal exemptions. If we are unable to comply with a specific request, we will provide you with a clear explanation of the reasons. However, rest assured, we will never discriminate against or penalize anyone for exercising their data protection rights.
This Data Policy is provided to ensure you, as an applicant, understand how your personal data is handled by Citadel School of Government. By submitting an application or related personal information to us, you acknowledge that you have been informed of our data practices. We encourage you to read this Policy carefully. If anything is unclear, please reach out to our Data Protection Officer for clarification.