The recent controversy surrounding the public disclosure of information relating to actor and
politician Emeka Ike’s voter registration records has reignited important conversations about
privacy, accountability, and data governance in Nigeria.
According to reports circulating in the public domain, information purportedly showing details
of Mr. Ike’s voter registration transfer was publicly disclosed by an aide to the Minister of the
Federal Capital Territory (FCT). The disclosure attracted widespread attention because the
information allegedly originated from an administrative portal of the Independent National
Electoral Commission (INEC), a platform generally understood to be restricted to authorized
personnel.
While the facts remain subject to official verification and no formal findings have yet been
made by INEC or the Nigeria Data Protection Commission (NDPC), the incident provides a
valuable case study for understanding the obligations imposed by the Nigeria Data Protection
Act (NDPA) 2023 and how they compare with internationally recognised standards under the
UK General Data Protection Regulation (UK GDPR).
PERSONAL AND ELECTORAL RECORDS
Under the NDPA 2023, personal data refers to information relating to an identified or
identifiable natural person. Electoral registration records, voter identification information, registration locations, and voter transfer details are all capable of identifying an individual and
therefore constitute personal data.
Similarly, Article 4(1) of the UK GDPR defines personal data broadly as any information relating
to an identified or identifiable natural person. There is no doubt under either legal framework
that voter registration information falls within the scope of protected personal data.
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Section 24 of the NDPA requires personal data to be processed lawfully, fairly, and
transparently and only for specified and legitimate purposes.
This mirrors Article 5(1)(a) of the UK GDPR, which establishes the principle of “lawfulness, fairness and transparency” as a cornerstone of data protection compliance.
In practice, both laws recognise that public bodies may process personal data without consent
where such processing is required by law or necessary for the performance of a public task.
INEC, for example, does not require voter consent to maintain electoral registers because it
performs a statutory function.
However, a distinction must be drawn between lawful collection and lawful disclosure. Data
lawfully collected for electoral administration cannot automatically be disclosed to third parties
for unrelated purposes. Any subsequent disclosure must itself have a lawful basis.
INTEGRITY AND CONFIDENTIALITY
One of the most significant parallels between the NDPA and the UK GDPR lies in their treatment
of security obligations.
Section 39 of the NDPA requires controllers and processors to implement appropriate technical
and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or loss.
Likewise, Article 5(1)(f) of the UK GDPR establishes the principle of “integrity and
confidentiality,” requiring personal data to be processed in a manner that ensures appropriate
security, including protection against unauthorised or unlawful processing.
From a UK Information Governance perspective, if information from a restricted electoral
database were disclosed by an individual without lawful authority, the primary concern would
not simply be the disclosure itself. Investigators would seek to determine:
How the information was accessed;
Whether access controls were effective;
Whether audit logs identified the user responsible;
Whether there had been an insider breach;
Whether organisational safeguards were adequate.
The same governance questions arise under the NDPA.
PERSONAL DATA BREACH ANALYSIS
The NDPA defines a personal data breach as a breach of security leading to unauthorised
disclosure of, or access to, personal data.
Similarly, Article 4(12) of the UK GDPR defines a personal data breach as a breach of security
leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to personal data.
The similarities are striking.
Under either regime, the critical issue would be whether the information was disclosed by an
authorised person acting within lawful authority or whether the disclosure resulted from
unauthorised access to a protected system.
If an employee or official at the UK Electoral Commission, for example, accessed voter
registration information without a legitimate work-related reason and passed that information
to a political activist, journalist, or third party, the UK’s Information Commissioner’s Office (ICO)
would likely regard the incident as a serious personal data breach and information governance
failure. The focus would extend beyond the individual who disclosed the information to the
organisation responsible for protecting the data, including whether appropriate technical and
organisational measures were in place to prevent and detect such misuse.
The same principle would apply in the Nigerian context.
ACCOUNTABILITY: THE MISSING LINK
Perhaps the most important lesson from both the NDPA and the UK GDPR is the principle of
accountability.
Section 24 of the NDPA and Article 5(2) of the UK GDPR require organisations not only to
comply with data protection principles but also to demonstrate that compliance.
This means that public institutions must be able to answer fundamental questions:
Who accessed the data?
When was it accessed?
Under whose credentials?
For what purpose was it accessed?
Was the access authorised?
Were adequate safeguards in place?
A mature accountability framework requires audit trails, role-based access controls, monitoring
mechanisms, staff training, and incident response procedures.
BEYOND LEGAL COMPLIANCE
The controversy surrounding the disclosure of Emeka Ike’s voter registration information
should not be viewed solely through a political lens. It raises broader questions about public
trust, institutional accountability, and the protection of personal information held by public
authorities.
Whether in Nigeria under the NDPA or in the United Kingdom under the UK GDPR and the Data
Protection Act 2018, the underlying principle remains the same: individuals entrust public
institutions with their personal data on the understanding that such information will be used
only for legitimate purposes and protected against unauthorised access or disclosure.
Until the facts are independently established, definitive conclusions would be premature. However, the incident serves as a powerful reminder that data protection is not merely about
collecting information lawfully. It is equally about ensuring that access to that information is
controlled, accountable, and capable of withstanding public scrutiny.
In an era where trust in public institutions is increasingly linked to how they manage personal
information, robust information governance is no longer optional. It is essential.
Moses Ani
Information Governance and Data Protection Professional
moses.ubaani@gmail.com
June 2026

