NDPC Demands Answers from INEC Over Alleged Voter Data Breach

The Nigeria Data Protection Commission has formally requested clarification from the Independent National Electoral Commission regarding an alleged breach of voter data, raising fresh concerns about the security of sensitive electoral information weeks ahead of scheduled off-cycle elections.

Regulator Acts on Alleged Breach Report

The Nigeria Data Protection Commission confirmed it had written to INEC seeking detailed explanations about the reported data breach. Vanguard News first reported the development, citing concerns that voter records may have been accessed without authorisation. NDPC officials stated the inquiry forms part of their mandate to ensure compliance with the Nigeria Data Protection Act 2023. The commission has given INEC a deadline to provide full documentation of its data processing activities.

The data protection regulator operates under the Federal Ministry of Communications, Innovation and Digital Economy. Its intervention comes at a sensitive time, with multiple regional elections approaching across Nigerian states.

INEC Data Systems Under Review

INEC maintains one of the largest databases of Nigerian citizens, containing biometric information, residential addresses, and voter registration details for more than 84 million registered voters. The commission processes this data continuously ahead of elections, raising questions about who might have gained access and for what purpose.

The electoral body has previously invested heavily in its biometric voter management system, introduced ahead of the 2015 general elections. Officials within INEC have defended their data security protocols, though critics argue that ageing IT infrastructure remains vulnerable to intrusion.

Legal Framework and Compliance Requirements

The Nigeria Data Protection Act 2023 imposes strict obligations on organisations handling personal data. INEC, as a public body processing sensitive voter information, falls squarely within the Act's scope. The legislation requires data controllers to implement appropriate security measures and notify the regulator within 72 hours of discovering a breach.

Failure to comply can result in fines of up to 10 million naira or 2% of annual revenue, depending on the nature of the violation. NDPC has powers to conduct audits, issue enforcement notices, and restrict data processing where it identifies non-compliance.

Precedents Set by Earlier NDPC Actions

This is not the first time the commission has pursued a major institution. Earlier investigations targeted fintech companies and telecommunications providers following reported leaks of customer information. Those cases established NDPC's willingness to demand accountability from large-scale data processors.

The regulator has previously faced criticism for limited enforcement capacity. Observers will be watching to see whether this inquiry into INEC results in meaningful action or stalls amid institutional complexity.

Security Concerns for Upcoming Elections

Off-cycle governorship elections are scheduled in several states within the coming months. Electoral integrity campaigners worry that any data breach could undermine public confidence in the voting process. Political parties also rely on voter data for campaign operations, making the unauthorised sharing of such information particularly sensitive.

INEC officials have not publicly confirmed whether a breach actually occurred. The commission's legal team is expected to respond to NDPC's request in writing. The next formal step will likely involve NDPC reviewing INEC's data processing records and security documentation.

Broader Implications for Data Governance

The case highlights ongoing tensions between Nigeria's digital transformation ambitions and its ability to protect citizen data. The country has seen steady growth in digital financial services, e-government platforms, and online identity systems. Each of these creates new repositories of personal information that require robust protection.

Civil society organisations have long argued that Nigeria needs stronger institutional capacity to enforce data protection standards. The NDPC-INEC confrontation could either reinforce the regulator's credibility or expose its limitations, depending on how it unfolds.

What Happens Next

INEC officials have indicated they will cooperate fully with the NDPC inquiry. A formal response from the electoral commission is expected within the regulator's specified timeframe. NDPC will then assess whether the explanation satisfies its concerns or whether further investigation, potential sanctions, or mandatory security upgrades are warranted.

Citizens should watch for any public statement from either organisation in the coming weeks. If NDPC determines that a reportable breach occurred, it may require INEC to notify affected voters directly. The outcome of this process will signal how seriously Nigeria's data protection regime treats institutions that fail to safeguard personal information.

See Also

• Miguel's Controversy: Russia's Espionage or a Web of Lies?
• Senegal's Vegetable Farms: A Vital Link Between Britain and West Africa

Author

Uchenna Obi

Uchenna Obi covers technology, digital infrastructure, and the startup economy across Africa. From fintech in Lagos to fibre rollout debates in Nairobi, he tracks how technology is changing the economic and social landscape of the continent.

Based in Lagos, Uchenna has interviewed founders, policymakers, and investors shaping Africa's tech scene. He writes about artificial intelligence adoption, mobile payments, e-government services, and the regulatory challenges facing digital businesses. He holds a background in computer science and journalism from Covenant University.