g) the policies and practices of the organization for the proper use of personally
identifiable information;
h) organization policies and procedures for privacy and data protection;
i) the policies and procedures of the organization for monitoring and reporting
violations of privacy and data protection policies; and
j) the policies and procedures of the organization for assessing the impact of
technologies on the stated privacy and security policies.
3.1.6 Where a Data Controller processes the personal data of more than 1000 in a
period of six months, a soft copy of the summary of the audit containing information
stated in sections 22 and 35 shall be submitted to the Agency.
3.1.7 On an annual basis, a Data Controller who processes the personal data of more than
2000 data subjects in a period of 12 months shall, not later than the 15th of March of the
following year, submit a summary of its data protection audit to the Agency. The data
protection audit shall contain information as specified in sections 22 and 36.
3.1.8 The mass media and the civil society shall have the right to uphold accountability
and foster the objectives of this Regulation.
3.2 ADMINISTRATIVE REDRESS PANEL
3.2.1 Without prejudice to the right of a Data Subject to seek redress in a court of
competent jurisdiction, the Agency shall set up an Administrative Redress Panel under
the following terms of reference:
a) investigation of allegations of any breach of the provisions of this Regulation;
b) invitation of any party to respond to allegations made against it within seven
days;
c) issuance of Administrative orders to protect the subject-matter of the
allegation pending the outcome of investigation; and
d) conclusion of investigation and determination of appropriate redress within 28
working days.
3.2.2 Any breach of this Regulation shall be construed as a breach of the provisions of
the National Information Technology Development Agency (NITDA) Act of 2007.
3.3 LOCAL AND INTERNATIONAL COOPERATION
3.3.1 In relation to foreign countries and international organisations, the Agency and
relevant authorities shall take appropriate steps to:
a) develop international cooperation mechanisms to facilitate the effective
enforcement of legislation for the protection of personal data;