By Moses Ani
The recent controversy surrounding the public disclosure of information relating to actor and politician Emeka Ike’s voter registration records has reignited important conversations about privacy, accountability, and data governance in Nigeria.
According to reports circulating in the public domain, information purportedly showing details of Mr. Ike’s voter registration transfer was publicly disclosed by an aide to the Minister of the Federal Capital Territory (FCT). The disclosure attracted widespread attention because the information allegedly originated from an administrative portal of the Independent National Electoral Commission (INEC), a platform generally understood to be restricted to authorized personnel.
While the facts remain subject to official verification and no formal findings have yet been made by INEC or the Nigeria Data Protection Commission (NDPC), the incident provides a valuable case study for understanding the obligations imposed by the Nigeria Data Protection Act (NDPA) 2023 and how they compare with internationally recognised standards under the UK General Data Protection Regulation (UK GDPR).
Personal Data and Electoral Records
Under the NDPA 2023, personal data refers to information relating to an identified or identifiable natural person. Electoral registration records, voter identification information, registration locations, and voter transfer details are all capable of identifying an individual and therefore constitute personal data.
Similarly, Article 4(1) of the UK GDPR defines personal data broadly as any information relating to an identified or identifiable natural person. There is no doubt under either legal framework that voter registration information falls within the scope of protected personal data.
Lawfulness, Fairness and Transparency
Section 24 of the NDPA requires personal data to be processed lawfully, fairly, and transparently and only for specified and legitimate purposes.
This mirrors Article 5(1)(a) of the UK GDPR, which establishes the principle of “lawfulness, fairness and transparency” as a cornerstone of data protection compliance.
In practice, both laws recognise that public bodies may process personal data without consent where such processing is required by law or necessary for the performance of a public task. INEC, for example, does not require voter consent to maintain electoral registers because it performs a statutory function.
However, a distinction must be drawn between lawful collection and lawful disclosure. Data lawfully collected for electoral administration cannot automatically be disclosed to third parties for unrelated purposes. Any subsequent disclosure must itself have a lawful basis.
Integrity and Confidentiality
One of the most significant parallels between the NDPA and the UK GDPR lies in their treatment of security obligations.
Section 39 of the NDPA requires controllers and processors to implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or loss.
Likewise, Article 5(1)(f) of the UK GDPR establishes the principle of “integrity and confidentiality,” requiring personal data to be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing.
From a UK Information Governance perspective, if information from a restricted electoral database were disclosed by an individual without lawful authority, the primary concern would not simply be the disclosure itself. Investigators would seek to determine:
How the information was accessed;
Whether access controls were effective;
Whether audit logs identified the user responsible; Whether there had been an insider breach;
Whether organisational safeguards were adequate.
The same governance questions arise under the NDPA.
Personal Data Breach Analysis
The NDPA defines a personal data breach as a breach of security leading to unauthorised disclosure of, or access to, personal data.
Similarly, Article 4(12) of the UK GDPR defines a personal data breach as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
The similarities are striking.
Under either regime, the critical issue would be whether the information was disclosed by an authorised person acting within lawful authority or whether the disclosure resulted from unauthorised access to a protected system.
If an employee or official at the UK Electoral Commission, for example, accessed voter registration information without a legitimate work-related reason and passed that information to a political activist, journalist, or third party, the UK’s Information Commissioner’s Office (ICO) would likely regard the incident as a serious personal data breach and information governance failure. The focus would extend beyond the individual who disclosed the information to the organisation responsible for protecting the data, including whether appropriate technical and organisational measures were in place to prevent and detect such misuse.
The same principle would apply in the Nigerian context.
Accountability: The Missing Link
Perhaps the most important lesson from both the NDPA and the UK GDPR is the principle of accountability.
Section 24 of the NDPA and Article 5(2) of the UK GDPR require organisations not only to comply with data protection principles but also to demonstrate that compliance.
This means that public institutions must be able to answer fundamental questions:
Who accessed the data?
When was it accessed?
Under whose credentials?
For what purpose was it accessed?
Was the access authorised?
Were adequate safeguards in place?
A mature accountability framework requires audit trails, role-based access controls, monitoring mechanisms, staff training, and incident response procedures.
Beyond Legal Compliance
The controversy surrounding the disclosure of Emeka Ike’s voter registration information should not be viewed solely through a political lens. It raises broader questions about public trust, institutional accountability, and the protection of personal information held by public authorities.
Whether in Nigeria under the NDPA or in the United Kingdom under the UK GDPR and the Data Protection Act 2018, the underlying principle remains the same: individuals entrust public institutions with their personal data on the understanding that such information will be used only for legitimate purposes and protected against unauthorised access or disclosure.
Until the facts are independently established, definitive conclusions would be premature. However, the incident serves as a powerful reminder that data protection is not merely about collecting information lawfully. It is equally about ensuring that access to that information is controlled, accountable, and capable of withstanding public scrutiny.
In an era where trust in public institutions is increasingly linked to how they manage personal information, robust information governance is no longer optional. It is essential.
Moses Ani
Information Governance and Data Protection Professional
moses.ubaani@gmail.com
June 2026
In this article