An investigation by the Foundation for Investigative Journalism (FIJ) has revealed that four major Nigerian data-collecting institutions — the National Bureau of Statistics (NBS), National Examinations Council (NECO), Corporate Affairs Commission (CAC), and Nigeria Inter-Bank Settlement System (NIBSS) are failing to comply with key data protection requirements, thereby exposing Nigerians to potential privacy violations.
FIJ’s findings are based on a review of the agencies’ published privacy policies, measured against the standards set by the Nigeria Data Protection Act 2023.
Missing Contact Channels and Accountability Gaps
The report highlights that none of the agencies provides clear contact details for their data protection officers or designated complaint channels. The Corporate Affairs Commission (CAC) was found to have an especially unclear privacy policy, failing to properly identify the entity responsible for data processing.
Limited or Non-Existent User Rights
FIJ also found that data subject rights such as access, correction, deletion, and objection are either poorly explained or entirely absent.
While National Examinations Council (NECO) allows limited corrections before examinations, it does not provide for data deletion. The Nigeria Inter-Bank Settlement System (NIBSS) mentions communication preferences but does not clearly address broader rights. Both National Bureau of Statistics (NBS) and Corporate Affairs Commission (CAC) reportedly provide little guidance on how users can exercise their rights.
Incomplete Disclosure of Data Collection
The investigation further shows inconsistencies in how the agencies disclose the types of data they collect. While NECO and NIBSS provide relatively detailed descriptions, the National Bureau of Statistics (NBS) does not clearly outline the categories of personal data it gathers, raising concerns about informed consent.
No Clear Data Retention Policies
According to FIJ, none of the agencies adequately states how long personal data is retained. NECO describes examination data as permanent, while NIBSS refers vaguely to retention for legal and business purposes. The NBS and CAC do not address retention timelines at all.
Concerns Over Drafting Quality
FIJ also observed that the Corporate Affairs Commission (CAC) privacy policy contains placeholder text and incomplete references, suggesting that it may have been published without proper review.
Legal Implications
Under the Nigeria Data Protection Act 2023, organisations are required to clearly disclose how personal data is collected, processed, stored, and protected. The gaps identified by FIJ indicate potential non-compliance with these statutory obligations.
The report underscores growing concerns about data governance and accountability among public institutions responsible for handling sensitive personal and financial information of Nigerians.
Legend: Yes Partial No
| Requirement | NBS | NECO | CAC Portal | NIBSS |
|---|---|---|---|---|
| Identity of Controller | Yes | Yes | No | Yes |
| Contact Details | No | Partial | No | No |
| Lawful Basis | Partial | Partial | Partial | Partial |
| Purpose of Processing | Partial | Yes | Yes | Yes |
| Data Categories | No | Yes | Yes | Yes |
| Third Parties | Partial | Partial | Yes | Yes |
| Retention Period | No | Partial | No | Partial |
| User Rights | Partial | Partial | Partial | Partial |
| Complaint Mechanism | No | No | No | No |
| Security Measures | Partial | Partial | Partial | Yes |