Political parties are modernising membership systems, but Nigeria’s strongest identifier – the NIN – and allegations of coerced data collection raise urgent questions under the Nigeria Data Protection Act 2023. This piece explains the risks, the law, and the way forward for citizens, political structures, and regulators.

Nigeria’s political parties are embracing technology – online membership portals, electronic registration and digital databases – promising efficiency, transparency and stronger grassroots organisation. In principle, that shift is welcome. Yet recent reporting around a major party’s membership e-registration initiative raises a hard question: can a political party modernise without turning citizens’ personal data into collateral damage?

On 23 January 2026, The Punch reported that the All Progressives Congress (APC) launched a nationwide membership e-registration exercise and that participants must be 18 or older and possess a valid National Identification Number (NIN) to complete registration [1]. Separately, reports have circulated alleging that some civil servants in parts of Enugu State were pressured to submit their NIN and other personal details for party-related registration, with threats tied to salary payment or employment; the APC in Enugu publicly denied these allegations and described membership registration as voluntary [2].

This article uses those reports as a mirror, not a weapon. The goal is not partisan finger-pointing. It is to ask, respectfully but firmly: what does Nigeria’s data protection law require when political actors collect personal data at scale – especially a high-risk identifier like NIN – and what happens when consent is not truly voluntary?

Why NIN is not ‘just another field’ on a registration form

A NIN is a unique, persistent identifier used across government and private-sector services. In privacy terms, it is not merely a number; it is a key that can link a person across many systems. If stored widely, copied casually, or compromised, a NIN can become an enabler for identity theft, impersonation, SIM-swap attempts, account takeover, and other forms of fraud.

Nigeria’s risk environment makes the stakes higher. The National Identity Management Commission (NIMC) has warned Nigerians against disclosing NINs to unauthorised persons or organisations and has linked unauthorised collection to fraud and legal consequences [6][7]. In addition, a recent UNODC cybercrime assessment highlights the prevalence of scams and fraud patterns affecting Nigerians and Nigeria-linked threat activity [8]. When any organisation – commercial, governmental, or political – collects NIN at scale, it is not a routine administrative choice. It is a security and public-trust decision.

Does the NDPA 2023 apply to political parties and pre-election activities?

In general, yes. Political parties are typically within scope when they process personal data in Nigeria. The Nigeria Data Protection Act 2023 (NDPA) establishes principles and obligations for personal data processing and creates the Nigeria Data Protection Commission (NDPC) as the regulator [3]. Membership registration, supporter databases, communications lists, volunteer rosters and online portals are common examples of ‘data controller’ activities.

The NDPA contains exemptions in limited contexts, but party membership registration and political mobilisation are not automatically exempt merely because they relate to politics or elections [3]. The NDPC’s General Application and Implementation Directive (GAID) provides further implementation guidance and reinforces that the NDPA is intended to apply across sectors, subject to its stated exceptions [4].

The biggest legal and ethical problems raised by ‘NIN-as-a-must’ party registration

1) Lawful basis: what justifies collecting NIN?

The NDPA requires that personal data be processed on a lawful basis and in line with core principles such as fairness, transparency, purpose limitation and data minimisation [3]. A party may argue that NIN is needed to prevent duplicate registrations, improve record integrity, or validate identity. But the legal and ethical test is necessity: is the full NIN truly required to achieve that purpose, or can verification be done with less intrusive alternatives?

2) Consent must be genuinely free – coercion destroys consent

If a citizen freely chooses to join a party and voluntarily supplies data, that is one scenario. But if data is demanded under threat – especially threats tied to salaries, promotion, or continued employment – then consent becomes questionable. Under modern privacy standards, consent cannot be meaningful where an individual has no real choice or fears retaliation for refusal. The NDPA recognises that consent must be freely given and that controllers should not force or unduly condition access to something on consent that is not necessary [3].

3) Political affiliation is sensitive personal data

Party membership data is inherently sensitive because it can reveal political affiliation. Sensitive data attracts stricter handling expectations, stronger safeguards and heightened accountability. A political party database is not merely names and phone numbers; at scale, it can become a detailed map of political identity. That demands careful governance, clear limits, and strong security.

4) Transparency: Nigerians must be told the full story of their data

Transparency is not a formality; it is the foundation of trust. Before collecting personal data, a controller should provide a clear notice explaining who controls the database, what will be collected, the purposes, the lawful basis, how long data will be retained, who will have access, and how individuals can exercise their rights or complain [3]. For party e-registration, this should be written in plain language (and, ideally, in major Nigerian languages) and be accessible on the registration portal and in offline registration centres.

5) Security and breach response: NDPA imposes real duties

The NDPA expects appropriate technical and organisational measures to protect personal data, especially where high-risk identifiers and sensitive data are involved [3]. A party collecting NIN should operate with banking-level seriousness: access control, encryption, audit logs, staff training, vendor governance, and an incident response plan. Where a breach is likely to pose risk to individuals, the NDPA includes notification expectations to the regulator within set timelines and, in high-risk cases, communication to affected individuals [3].

6) Purpose limitation: ‘membership’ data must not become ‘surveillance’ data

The NDPA requires data to be collected for specific and legitimate purposes and not further processed in ways incompatible with those purposes [3]. If party registration data later becomes a tool for intimidation, discriminatory treatment in public services, unlawful profiling, or unchecked sharing with third parties, the harm is not only legal – it is democratic.

If identity verification is needed, it must be done safely

Identity verification is not illegitimate. The question is how to do it in a way that respects citizens and reduces fraud risk. NIMC has promoted consent-based approaches to identity authentication, including the NIN Authentication Service (NINAuth) [6]. Where available and appropriate, verification models that reduce data retention and rely on consent-driven checks can lower risk compared with mass collection and storage of full NINs.

Practical safeguards for party e-registration

• Avoid storing full NIN unless strictly necessary; where possible, verify without retention.
• Publish a clear privacy notice: controller identity, lawful basis, purpose, data sharing, retention, and complaint route.
• Separate party operations from public office powers to prevent real or perceived coercion.
• Appoint a Data Protection Officer and conduct a Data Protection Impact Assessment (DPIA) for high-risk processing [3].
• Lock down security: encryption, access controls, audit logs, vetted vendors, and staff training.
• Provide simple processes to withdraw consent, object, correct information, and request deletion where appropriate [3].

Civil servants and ‘involuntary processing’: where the risk becomes existential

The most troubling dimension of the public conversation is the allegation that data submission could be tied to pay or job security. Where political registration is perceived to be linked to employment decisions, the privacy issue becomes inseparable from constitutional and democratic values: political choice is a matter of conscience.

Even when allegations are denied, the remedy for public trust is clear governance. Public institutions should ensure that no salary, promotion, or employment action is linked to party registration or political data submission. If identity information is required for legitimate public administration purposes, it must be processed under clear legal authority and institutional safeguards – not under partisan structures.

What Nigerians can do: core rights in plain language

• Ask who is collecting your data, why, and for how long.
• Request access to your information and ask for corrections where data is wrong.
• Withdraw consent (where consent is the basis) and object to certain processing.
• Ask whether full NIN will be stored or only verified, and whether it will be shared.
• Report suspected coercion, unlawful disclosure, or unsafe practices to the NDPC.

The regulator’s role: from awareness to visible guardrails

The NDPC is empowered under the NDPA to promote compliance, receive complaints, investigate, issue compliance orders, and apply administrative penalties where appropriate [3]. In politically sensitive processing, visible guardrails are essential to prevent a race-to-the-bottom in data practices.

The NDPC can also provide clarity by issuing specific advisories for political parties on membership registration, lawful basis expectations, consent and coercion, security minimums, and DPIA requirements for high-risk processing [4]. Where party processing occurs at significant scale, obligations relating to ‘data controllers and processors of major importance’ and registration expectations may become relevant in practice [5].

A final clarion call: modern politics must not mean ‘privacy by sacrifice’

Nigeria is building a digital future – e-government, digital identity, online services, and modern political mobilisation. But that future will collapse under distrust if citizens believe their NIN can be demanded, traded, or weaponised.

Political parties are pillars of democracy, but democracy is not merely voting; it is also the freedom to belong, not belong, or change allegiance without fear. The path forward is practical: collect less, explain more, secure what you collect, respect choice, and allow the regulator to set clear, enforceable standards.

If we get this right, Nigeria can prove that digital politics can be efficient and dignified. If we get it wrong, we risk turning the nation’s most sensitive identifiers into fuel for fraud, intimidation and long-term civic mistrust.

El-shaddai Ikeh is a Data Protection & Technology Lawyer

References

1. [1] The Punch, “APC unveils nationwide membership e-registration” (23 Jan 2026).
2. [2] The Punch, “APC refutes forcing Enugu workers to register as members” (21 Jan 2026).
3. [3] Nigeria Data Protection Act 2023 (official PDF hosted by CERT-NG).
4. [4] Nigeria Data Protection Commission, “Nigeria Data Protection Act (NDP Act) 2023 – General Application and Implementation Directive (GAID) 2025” (20 Mar 2025).
5. [5] Nigeria Data Protection Commission, “Updated Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance” (2024).
6. [6] National Identity Management Commission (NIMC), “NIMC Launches NIN Authentication Service (NINAuth)” (Press Release).
7. [7] The Punch, “Don’t sell your NIN, NIMC warns Nigerians” (10 Apr 2025).
8. [8] UNODC, “Cybercrime Assessment – Nigeria 2025” (report).
9. [9] BusinessDay, “Nigeria ranked 110th worldwide for fraud protection in 2025 global index” (24 Oct 2025).
10. [10] INTERPOL, “Africa Cyberthreat Assessment Report 2025” (report).

Editor note: URLs for the cited items are available on request; key items include PunchNG (items [1] and [2]), NDPC (items [4] and [5]), CERT-NG (item [3]), NIMC (item [6]), UNODC (item [8]) and INTERPOL (item [10]).