By Tolulope Idowu
In May 2024, E. Haruna submitted a Freedom of Information Request to the Nigeria Data Protection Commission (NDPC) to clarify which entities are exempt from registration under the Nigeria Data Protection Act 2024. The NDPC responded on June 7, 2024, through a letter signed by Adanma Isamade, the Commission’s Acting Head of Legal, Enforcement, and Regulations. The letter revealed that faith-based organizations, including churches and mosques, are excluded from registration under the Guidance Notice issued by the NDPC.
This exemption has sparked significant controversy due to its numerous implications:
1. Mandatory Registration: According to Section 44 of the NDPA, registration is mandatory for all controllers of major importance. Section 65 further specifies that this importance is determined by the volume of personal data processed and its significance to society.
2. Societal Impact: The NDPC’s exemption of faith-based organizations overlooks the substantial influence and large followings of religious institutions in Nigeria, which are of great significance in relation to the Act. While creating a separate class for them might be considered, a total exemption is problematic.
3. Contradiction with Guidance Notice: The exemption contradicts the NDPC’s own Guidance Notice, which outlines criteria for entities that must register. These criteria include the sensitivity of the personal data they handle, their use of third-party servers or cloud computing for data processing, and the need for accountability. Many churches and mosques, due to their handling of sensitive
Given these points, the NDPC’s decision appears to undermine the spirit and letter of the Data Protection Act. Faith-based organizations manage significant amounts of personal data, making their exclusion from registration not only inconsistent but potentially dangerous. As illustrated by cases like that of the Jehovah’s Witnesses and the Mormon Church data breach, the duty of accountability and the susceptibility to data breaches underscore the need for their inclusion under the Act’s purview, as indicated and exemplified in the Ireland Anglican Church’s Data Privacy Guide.
In conclusion, it is imperative for the NDPC to revisit its Guidance Notice and ensure it aligns with the objectives of the Data Protection Act. The Commission should focus on major data controllers and avoid burdening smaller entities struggling to comply. This realignment would better serve the interests of data protection and societal accountability in Nigeria.