By Adewale Edun

The controversy surrounding the publication of Nollywood actor Emeka Ike’s voter registration details has once again brought the issue of personal data protection into the national spotlight. While political disputes are not new to Nigeria, the disclosure of what appears to be information sourced from the Independent National Electoral Commission (INEC) database raises questions that go far beyond politics.

At the centre of the debate is a simple but important question: how did information held by a public institution find its way into the public domain, and who should be held accountable? For many Nigerians, the incident is not merely about one individual’s voter record. It is about confidence in the institutions entrusted with managing some of the country’s most sensitive information. This again brings about the criticality of data – both citizens’ data and infrastructural data. Every citizen who registers to vote provides personal details with the expectation that such information will be used solely for electoral purposes. This trust forms the foundation of every voter registration exercise. Once that trust is weakened, the consequences extend beyond the affected individual and begin to undermine confidence in the electoral process itself.

Reports indicate that the information disclosed included personal registration details and images associated with a voter record. INEC has maintained that there is currently no evidence of an external cyber attack against its systems. If this position is ultimately confirmed, the concern shifts from hacking to something arguably more troubling: the possibility of unauthorised internal access or misuse of legitimate privileges.

In information security circles, there is a well-established principle that organisations are often more vulnerable to insider threats than external attackers. Modern security technologies can effectively defend against many external threats, but they are far less effective when an individual with authorised access chooses to misuse that access. This distinction is important. A successful cyberattack may indicate weaknesses in technology.

An insider misuse incident, however, points to weaknesses in governance, oversight, accountability and organisational culture. For a database as sensitive as the national voter register, access should be tightly controlled, monitored and audited. Every access request should leave a trace. Every query should be attributable to a specific user. Every privileged account should be subject to heightened scrutiny. These are not optional security measures; they are basic requirements for protecting critical national information assets.

The incident also raises important data protection questions. Nigeria’s data protection framework places obligations on organisations that collect and process personal information. Public institutions are not exempt from these responsibilities. Any processing, sharing or disclosure of personal information must be supported by a lawful basis and must remain consistent with the purpose for which the information was originally collected. Citizens who provide information during voter registration do not do so with the expectation that those details may later be used in political exchanges on social media. Whether the disclosure was intentional, accidental or facilitated by an unauthorised party is a matter for investigators to determine. What is already clear, however, is that public confidence depends on a transparent and credible explanation.

The challenge facing INEC extends beyond identifying who may have accessed the record. The Commission must also reassure Nigerians that robust safeguards are in place to prevent similar occurrences in the future. This includes demonstrating that access controls function effectively, that audit logs are maintained and reviewed, that privileged users are appropriately monitored, and that any violations are met with meaningful consequences.

The role of the Nigeria Data Protection Commission (NDPC) also becomes relevant should investigations establish that personal data was disclosed without lawful authority. The Commission’s mandate includes ensuring compliance with Nigeria’s data protection obligations and promoting accountability among data controllers and processors, another opportunity for NDPC to display competence.

Equally important is the broader governance lesson for public institutions. The digital transformation of government services has created enormous opportunities for efficiency and citizen engagement. However, every digital platform is ultimately built on trust. Citizens are willing to provide information only when they are confident that those entrusted with it will act responsibly. Once that confidence is damaged, rebuilding it becomes significantly more difficult. This is why the current controversy should not be viewed solely through a political lens. It is fundamentally an issue of governance, privacy, accountability and public trust.

Regardless of where the investigation ultimately leads, Nigerians deserve clear answers. They deserve to know whether proper procedures were followed, whether any laws were breached, and what measures will be taken to prevent a recurrence. The integrity of a nation’s voter register is not simply an electoral matter. It is a matter of national confidence. Protecting it requires more than technology; it requires leadership, transparency and an unwavering commitment to accountability.

As the investigations continue, the focus should remain on one principle above all others: public institutions hold citizens’ information in trust, and that trust must never be taken for granted.
Edun is a lawyer.