The rise of smartphones and affordable internet in Nigeria has driven a major digital shift. Consumer data now fuels services like public administration, banking, and advertising. However, this surge in data collection brings significant privacy and security concerns.
Nigerians are often required to share personal data, such as through NIN or BVN verification. Without strong protection policies, this opens the door to identity theft and loss of public trust. The need for clear data privacy measures is urgent.
This article explains key concepts related to data protection, consent, and retention. It will also outline what data is collected, how it’s used, and the laws that govern it, particularly the Nigerian Data Protection Act
Data Protection Legislation in Nigeria
The Nigeria Data Protection Commission (NDPC) enforces the Nigeria Data Protection Act (NDPA), which provides a legal framework for data privacy for all Nigerian citizens and residents.
Here is a summary of the mandate:
- Safeguard the rights of individuals to data privacy
- Ensure data processing practices protect personal data and privacy.
- Strengthen Nigeria’s digital economy and ensure its participation in regional and global markets through the secure and trusted use of personal data.
e-citizen.ng relies on recognised lawful bases for data processing such as consent, legal obligation, and contract. We process various categories of your data based on the type of engagement you have with us.
Personal data refers to any information that can identify a person, directly or indirectly, such as their name, ID number, location, online ID, or traits like physical or social identity.
All companies handling personal data in Nigeria must:
- Exercise extra care with sensitive data, as misuse could harm individuals.
- Process data fairly, lawfully, and transparently, clearly explaining the purpose to users.
- Collect data only for clear, lawful reasons and avoid using it beyond those stated purposes.
You should keep in mind that while the NDPA is there to protect personal data, there are certain exceptions to when, how, and who can access your data.
The Act exempts data controllers (an entity that decides why and how personal data is collected, used, and stored) or data processors (an entity that processes personal data only on behalf of the controller) from its provisions when data is processed for criminal justice, national security, public health emergencies, public interest publications, or legal proceedings.
- As a data subject (you whose data we’re talking about), you have the following rights:
- Right to be informed
- Right to access
- Right to rectification
- Right to object to processing
- Right to report to a supervisory authority
- Right to restrict processing
- Right to data portability
- Right to be forgotten
- Right not to be subjected to automated decision making
Consent
Getting clear permission from users is a key part of data protection. Consent must be given freely, clearly, and with full understanding. It can’t be assumed from silence or pre-selected options. It can be written, spoken, or electronic.
Companies don’t need consent to use information already public, but private or sensitive data still requires direct permission before being shared.
In such cases, platforms like e-citizen.ng follow Nigeria’s data protection rules and will ask for your consent before sharing your private data.
Data Retention
Data retention refers to the total period a corporate entity or organisation can store your personal data to meet legal, regulatory, and statutory requirements.
This retention period, as stated by the NDPA, for ‘personal data’ should not be longer than necessary to achieve its lawful purposes. Data controllers are responsible for establishing clear data retention and deletion policies to ensure that data is deleted or anonymized when it is no longer needed.
The table below shows various types of data and their retention period on e-citizen.ng
| Type of data | Retention period | Reason for retention | Data source |
| User details, such as a new or pre-existing user’s name, address, email, phone number, and password | Retained until the user deletes or deactivates their account | User authentication and KYC verification | NIMC, CAC, FRSC, Credit bureaus |
| System logs, like verification history, access logs, transaction history, etc. | Until the user deletes or disables their account | Activity logs and record keeping | e-citizen.ng |
| Basic identity | At most 24 hours | Retained while awaiting consent or after verification to allow users to view verified identities within that period | NIMC |
| Financial credit information | 7 days | None | Credit bureaus |
| Corporate entity verification | Indefinite | No restriction | CAC |
| Vehicle registration identity | 7 days | Terms of agreement | FRSC, NMVTIS |
It’s important to know that e-citizen.ng will delete identity verification results from its database after the retention period.
Factors That Determine Data Retention Period
Several factors determine the retention period of personal data collected from e-citizen.ng. These include;
- The company’s demand to retain the data for the same purpose
- An express request to delete the data collected by the Data Subject, i.e., the e-citizen verification service user, except if there’s an ongoing investigation or a subsisting contract
- Specific retention period requirement or statutory implication
- If the company has other lawful reasons to keep the data for an extended period
Data Collection on e-citizen.ng
At e-citizen.ng, we take user privacy seriously. This is why we’ve implemented a strict data collection and consent policy to safeguard users from any violation of their fundamental rights.
e-citizen.ng collects only essential information necessary to carry out successful verification on the platform. Our consent policy ensures that consent requests are sent to data subjects (via email, SMS, or WhatsApp) before processing personal data for identity verification purposes.
Types of data collected and processed by e-citizen.ng
- Identity, including your name and National Identification Number (NIN)
- Communication data, like your address, phone number, email, and IP address
- User history on e-citizen.ng
- Information revealed by third parties
- Billing and payment records, including your debit card details
How e-citizen.ng collects and stores personal data
- System logs
- Filled-out forms on the website and mobile app
- Data retrieval from third parties via API
- Cookies
Conclusion
Understanding data protection in Nigeria helps you make well-informed decisions about how your data is handled, guaranteeing your privacy and security. Before giving consent for data collection and processing, make sure you confirm the intended use of the collected details, the parties involved, and the potential risks.
e-citizen.ng temporarily stores users’ personal information after providing verification results. It considers international standards and uses the best practices to protect data collected and stored on its database.