Section 37 of the Nigerian Constitution (1999) provides that; “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”[1]. Unfortunately, there is currently not one comprehensive data privacy or personal information protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals and citizens. This calls for the passing of a law dealing specifically with issues of data privacy and the protection of the Nigerian citizen’s private information and details of such required law have been made to the Nigerian legislature.

Given current technological trends the world over, and such that has been adapted within Nigeria, it is clear that Section 37 of the Nigerian Constitution as a stand-alone right without strict rules of engagement on how these rights can be protected and exercised is no longer enough protection for citizens.

This is the second installment in a 3-part article that will deal with this topic exhaustively. (See Part 1 here, and Part 2 here)



The Childs Right Act, No. 26 of 2003 (the Child Rights Act):This law regulates the protection of children i.e. persons under the age of 18 years. The Act limits access to information relating to children in certain circumstances.

Section 8 of the Child Right Act guarantees every child’s entitlement to privacy, family life, home, correspondence, telephone conversation and telegraphic communications, while section 205(2) prohibits the publication of any information that will lead to the identification of a child offender, and requires that the records of child offenders be kept strictly confidential and closed to third parties except in certain limited circumstances.

The Freedom of Information Act No. 4 of 2011 (FOI Act):The FOI Act was created to, amongst many other things, make public records and information more freely available and to provide for public access to public records and information however the FOI Act limits the access to information in certain situations. The Act defines personal information as “any official information held about an identifiable person but does not include information that bears on the public duties of public employees and officials”.

Section 14 of the FOI Act, states that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available.

Furthermore, Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege and journalism confidentiality privilege).

While these provisions of the FOI Act are a welcome development the obvious snag in the data protection provisions of the FOI Act is that it only applies to personal information in the custody of public agencies and institutions in Nigeria. It does not protect personal information in the custody of private organisations, such as telecommunication, banking and insurance companies.

This lacuna challenges the individual in search of all-inclusive data protection legislation, to look elsewhere, including the courts.


It is imperative to note that there are little or no precedents in the Nigerian legal system dealing with issues of data privacy and identity theft. While this may appear a plus for the justice system, in truth the situation should be a cause for concern.

However, going by the decision of the Nigerian Court of Appeal in the case of HABIB (NIG) BANK LIMITED v KOYA[1], it appears that an individual citizen whose data is collected, retained and managed by any public or private institution may bring an action in tort of negligence against such public or private institution if it can be established that:

  • Upon collation of personal data of individuals, the collating institution or its personnel owes a duty of care to such individual whose personal data is being collated, stored and managed by them;
  • If the collating institution or its personnel fails to safeguard and protect the personal data of such individuals with the standard of care reasonably required and applied by other collating institutions and their personnel in that business, such that the personal data are compromised for any purpose, which results in calculable damage to the individual whose personal data are compromised; and
  • The said individual can establish that the loss he/she suffered was as a result of the breach of the duty of care to protect his personal data by the collating Institution.


While this in itself is no legislation, it is important to note that it lays down a judicial precedent for the protection of individual rights to data protection, this is however not enough to ensure adequate protection and regulation of personal information and data privacy.

In the modern world, with all of the social media outlets and technological advancements available, Identity Theft and data fraud is a real threat to any growing economy and population such as Nigeria. It is has thus become imperative that Nigerian lawmakers direct energies towards creating a comprehensive Law which will ensure that citizens feel safe and protected with the access to and usage of the their private information and data.

PLEASE NOTE: This article is for general information only. It is not offered as advice, on any particular matter, whether legal, procedural or otherwise. 

We’d love to read your comments in the section below, or send us an email via the contact page.



[1] Constitution of the Federal Republic of Nigeria (Promulgation) Act, Chapter C23, Laws of the Federation of Nigeria 2004 (as amended)

[2] Section 1.6 NITDA Guideline, Version 3.1, September 2013

[3] Section 2.1 NITDA Guidelines, Version 3.1, September 2013

[4] Section 2.1(4) NITDA Guidelines, Version 3.1, September 2013

[5] Note Similarity with Sections 17 & 18 of the POPI Act

[6] Note Similarity with Sections 19(1) of the POPI Act

[7] Note Similarity with Section 13(1) of the POPI Act

[8] Section 35(3) General Consumer Code Practice for Telecommunications Services

You may also like

Leave a Reply

Your email address will not be published. Required fields are marked *