Re: INEC’s Response to the Unauthorised Access to Voters’ Database and Disclosure of Voter Data – A Call for Accountability, Transparency, and Stronger Safeguards for Nigeria’s Electoral Infrastructure
The recent unauthorised disclosure of personal data of Mr Emeka Ike by Mr Lere Olayinka, the Senior Special Assistant to the Minister of the Federal Capital Territory (FCT), Mr Nyesom Wike, has raised serious concerns about the integrity of Nigeria’s electoral infrastructure and the protection of citizens’ personal information.
As organisations committed to data protection, digital rights, credible elections, and transparent governance, we commend the Independent National Electoral Commission (INEC) for issuing a timely press release and initiating an investigation.
However, we believe the response falls short of the transparency, urgency, and systemic reforms required under Nigerian law and public expectations, especially as the 2027 election is fast approaching.
INEC’s statement correctly identifies the incident as a case of misuse of authorised access credentials rather than an external hack. It notes that the data was accessed via valid staff credentials during the ongoing Continuous Voter Registration (CVR) exercise and subsequently released without authority.
While we welcome the confirmation that only a specific voter record was involved and that there was no broader compromise of the over 90 million registered voters’ data, this does not diminish the gravity of the breach. Voter records contain sensitive personal information, including photographs, Voter Identification Numbers, registration details, and transfer histories, which, when exposed, can enable harassment, voter intimidation, or manipulation, particularly in a politically charged environment. The fact that the data were published, not just by a random Nigerian, but by a political appointee working for the ruling party, makes it a source of great concern to Nigerians.
The Provisions of Relevant Nigerian Laws That Must Be Implemented by INEC
Under the Nigeria Data Protection Act (NDPA) 2023, INEC, as a data controller, has a duty to implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, disclosure, or misuse. Personal data breaches must be notified to the Nigeria Data Protection Commission (NDPC) within 72 hours where there is a risk to data subjects’ rights. Data subjects should also be informed promptly where the breach is likely to result in high risk. The Act emphasises confidentiality, integrity, and accountability, principles that appear strained when internal credentials are misused to leak information for apparent political purposes.
The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended) criminalises unauthorised access to computer systems or data, even where initial access was authorised but exceeded its scope. Misuse of access credentials to obtain and disclose restricted information attracts significant penalties, including fines and imprisonment. INEC’s identification of the user account through audit trails is a positive step, but swift prosecution of all officials involved, including any external beneficiaries of the leak, is essential to deter future incidents and protect the integrity of future elections and the data privacy rights of all registered voters.
The Electoral Act underscores the sanctity of the voter register and prohibits actions that undermine electoral integrity. Leaking voter data, especially targeting aspirants and candidates or citizens exercising their political rights, erodes public trust in the electoral process ahead of the 2027 general elections. INEC’s reassurance that investigations are ongoing, with cooperation from the Department of State Services (DSS), is noted. However, urging the public to “disregard unfounded speculations” while investigations continue risks appearing dismissive. Citizens have a legitimate right to demand investigations and clarity on how such misuse occurred within a supposedly controlled system and what preventive measures will be implemented.
Beyond the immediate breach, the incident exposes broader institutional vulnerabilities within the management of Nigeria’s electoral data infrastructure. Public confidence in the voter register is a cornerstone of electoral legitimacy, and any perception that voter information can be accessed or deployed for partisan purposes threatens that confidence. As preparations for the 2027 general election intensifies, INEC must demonstrate that not only the current incident being addressed, but also that robust safeguards exist to prevent the misuse of voter data against political opponents, candidates, activists, journalists or ordinary citizens exercising their democratic rights.
We are equally concerned about the potential effect such incidents may have on civic participation. Citizens must be assured that registering to vote will not expose them to political intimidation, surveillance, profiling or retaliation. Nigeria’s constitutional democracy depends on the ability of citizens to participate freely and securely in electoral processes. Any abuse of access to electoral records, particularly by individuals connected to political office or power, must therefore be treated as a matter of significant public interest requiring independent scrutiny, transparent accountability and decisive corrective action.
Our Recommendations
We call on INEC to:
- Provide a detailed public timeline of the incident, including when the breach was discovered, the exact nature of the data exposed, and steps taken to secure the affected individual’s record.
- Set a deadline publicly and publish the outcome of the internal audit and disciplinary actions against implicated staff, while ensuring due process.
- Define steps to strengthen access controls for the CVR system, including immediate revocation of unnecessary privileges after each exercise, multi-factor authentication, and regular independent security audits.
- Engage the Nigeria Data Protection Commission (NDPC) fully and ensure compliance with breach notification requirements under the NDPA 2023.
- Commit to broader reforms, such as enhanced data anonymisation where possible and citizen-facing transparency tools that build confidence in the voter register.
- Work with the police and other law enforcement agencies to arrest and prosecute the enablers and perpetrators.
To the alleged perpetrators and enablers: Weaponising citizens’ personal data for political scoring is unacceptable and unethical in a democratic environment. We stand with affected individual(s) in demanding justice and support calls for legal redress.
Our democracy depends on a trusted electoral management body and an umpire that safeguards both the integrity of elections and the privacy of voters. As Civic-tech organisations and civil society groups, we remain ready to collaborate with INEC, the NDPC, and security agencies to strengthen these systems. We will continue to monitor developments closely and amplify citizens’ voices to demand accountability.
Together, we can protect digital rights and ensure credible elections that reflect the will of the Nigerian people.
Signed:
Policy Shapers
Accountability Lab Nigeria
BudgIT
PROMAD
Brain Builders Youth Development Initiative
Centre for Journalism Innovation and Development (CJID)
Enough is Enough (EiE) Nigeria
