Abstract
Religious organisations in Nigeria occupy a revered position in society. They are not just centres of worship but also custodians of extensive personal information: baptismal and marriage registers, donation and tithe records, membership directories, counselling notes, as well as adults' and children's data. These records frequently contain highly sensitive information such as religious affiliation, ethnicity, health status, sexual life, or children's personal data, all of which are recognised as sensitive personal data under the Nigeria Data Protection Act (NDPA) 2023. Yet compliance with data protection obligations among religious organisations remains weak. This is typically not due to deliberate disobedience, but rather, a societal perception rooted in Nigeria's deeply religious culture that places churches, mosques, and other religious institutions on a moral pedestal, separate from ordinary regulation.
This perception ignores the fact that religious organisations are registrable under the Companies and Allied Matters Act (CAMA) 2020 as incorporated trustees and are obligated to comply with the NDPA 2023. While the General Application and Implementation Directive ("GAID") 2025 exempts them from registration as Data Controllers of Major Importance, Article 6(2) clarifies that they remain subject to the substantive obligations of the NDPA.
This article argues that religious organisations are unequivocally bound by the NDPA 2023. By outlining the regulatory scope of data protection in Nigeria, this article makes the case that religious organisations must comply with Nigeria's data protection regime. It is a call to action directed at the Nigeria Data Protection Commission ("NDPC") but more importantly at religious leaders and congregants alike to embrace compliance as both a legal duty and an extension of their moral obligation.
Introduction
Nigeria is one of the world's most religious nations, and religious organisations are often seen as moral authorities. This cultural perception seems to have created a widespread, though misplaced, belief that religious organisations should be treated differently from other organisations or corporate entities. Three main factors reinforce this view.
First, the high moral standing expected of religious leaders creates an assumption of inherent trustworthiness, obscuring the need for regulatory oversight. Second, there is limited awareness that religious bodies are incorporated entities under CAMA 2020. While they may enjoy tax exemptions on their revenues because of their charitable activities, they remain subject to corporate law obligations such as the periodic filing of annual returns. Third, many do not recognise that churches, mosques and indeed fellowships of any kind act as custodians of highly sensitive data. They routinely collect and process information that falls within the NDPA's strictest category of sensitive data.
The sensitive nature of the information entrusted to clerics has historically necessitated a practice of confidentiality, which has created an informal culture of privacy within religious organisations. However, such practices, being non-codified, now need to be strengthened and formalised through statutory regulation to ensure consistency and legal accountability.
The NDPA 2023 leaves no room for ambiguity. Section 2 establishes that its provisions apply to all data controllers and processors domiciled, resident, or operating in Nigeria, with the sole broad exemption being data processed for strictly personal or household purposes. In comparison, the European Union's General Data Protection Regulation (EU-GDPR) 2016 recognises a limited carve-out for religious organisations.[1] The organisations may process personal data only where such processing is carried out in the course of legitimate activities with appropriate safeguards, relates solely to current or former members or individuals in regular contact with the organisation, and is not disclosed externally without the consent of the data subjects.
Furthermore, Article 91 of the EU-GDPR requires that religious organisations which had "comprehensive rules" on privacy and data protection prior to the EU-GDPR bring those rules into alignment with EU-GDPR standards and remain subject to the oversight of an independent supervisory authority. Although framed as an exception, Article 91 reinforces the expectation that religious organisations comply fully with EU-GDPR principles.
Scholarly commentary has also underscored the compliance obligations of religious organisations. All things considered, especially from the angle of global best practice, it is abundantly clear that, irrespective of their moral authority or spiritual mission, religious organisations are bound to comply with the NDPA.
Unpacking The NDPA 2023
The NDPA 2023 is a landmark piece of Nigerian legislation that establishes a comprehensive national framework for protecting personal data. Its provisions apply broadly to all data controllers and processors domiciled, resident, or operating in Nigeria, as well as to foreign entities processing the personal data of Nigerians. By framing its application in such broad terms, the legislation closes the door to claims of exemption based on sector, size, or purpose. Religious organisations, like all other incorporated bodies, fall within this scope.
Exemptions under the NDPA 2023 are limited. Section 3(1) specifies that the only case in which the law does not apply is where data is processed by an individual strictly for personal or household purposes. This exception covers only the most private contexts, in which data is handled without any organisational structure. Religious organisations, by contrast, are structured bodies that routinely process the data of others on a scale and for purposes that go beyond the private or household sphere.
A critical aspect of the NDPA 2023 is its treatment of sensitive personal data. The NDPA 2023 prohibits the processing of information such as religious beliefs, ethnicity, health status, sex life, or children's data unless specific conditions are met. For religious organisations, processing may be permissible where it is carried out in the course of legitimate activities, subject to appropriate safeguards, relates solely to members or regular contacts, and is not disclosed externally without consent. Notably, this framework does not exempt religious organisations; instead, it acknowledges their unique role while holding them to high compliance standards.
Considering that a large portion of their clerical activities, by nature, involves the very categories of data the Act is designed to protect, it should be abundantly clear why religious organisations cannot be exempted from their obligations under the NDPA.
The NDPA 2023 further imposes broad principles of accountability for data protection, requiring that personal data must be:
- Processed lawfully, fairly, and transparently;
- Collected for specified, explicit, and legitimate purposes;
- Adequate, relevant, and limited to what is necessary;
- Accurate and kept up to date;
- Retained no longer than is necessary; and
- Secured against unauthorised or unlawful processing, accidental loss, destruction, or damage.
These principles establish the baseline of sound data protection governance, which religious organisations, as both data controllers and processors, are required to uphold.
GAID 2025: Clarifying Exemptions And How To Stay Compliant
The GAID 2025 provides a practical framework for the effective implementation of the NDPA 2023. One key provision worth noting is Article 5(1)(e), which gives religious organisations a pass from having to register as Data Controllers or Processors of Major Importance (DCPMI). But here's the thing: this exemption is not quite a complete pass. Article 6(2) makes it crystal clear that exempt entities still need to fully comply with the core rules and substantive obligations laid out in the NDPA 2023.
Under the GAID 2025, religious organisations are required to comply with obligations that mirror those in the NDPA 2023, though without the additional burden of registration. Article 7 emphasises the key compliance measures expected of all controllers and processors, including:
- Conducting compliance audits at appropriate intervals;
- Maintaining clear and accessible privacy policies;
- Training staff and volunteers on data protection practices;
- Implementing organisational and technical safeguards proportionate to the risks they face; and
- Respecting the rights of data subjects, including rights of access, rectification, and erasure.
Article 41 anchors data protection within an ethical framework, requiring all controllers to uphold human dignity and prohibiting discriminatory processing, including on grounds of religion. Religious organisations often hold the most reliable records of individuals' religious affiliations, making it vital that such data is safeguarded in line with this provision. While the GAID 2025 exempts them from registration, it nonetheless subjects them to the full spectrum of data protection obligations under Nigerian law.
On reflection, the NDPC should consider amending the GAID 2025 to exclude religious bodies from the DCPMI registration exemption list, given the sensitive and high-risk nature of the data they collect or have access to. The DCPMI guidelines are tiered according to the volume and flow of information received, with compliance obligations adjusted accordingly. While small organisations may handle data too inconsequential to warrant registration, Nigeria is home to some of the world's largest religious organisations, with members numbering in the millions. The magnitude of data under their control places them at significant risk of exploitation by data harvesters and cybercriminals. For this reason, the NDPC ought, at the minimum, to require religious bodies to adopt stringent protections and robust compliance protocols.
Compliance Deficits And Risks
Despite the clarity of the law, most religious organisations in Nigeria lag significantly in data protection compliance. Only a handful have formal privacy policies, while most rely on outdated or informal practices. The compliance gap is not the consequence of deliberate defiance. Instead, it flows from the entrenched perception that religious organisations are morally self-regulating and stand above the reach of ordinary law. The GAID 2025 exemption from registration reflects this perception. However, sentiment cannot override statute. Religious organisations, like any other corporate entity under CAMA 2020, are subject to legal duties, and the NDPA 2023 makes it clear that these duties include the protection of personal data.
Let's consider these common scenarios:
- A mosque collects detailed health histories of members during premarital counselling but stores the records in open filing cabinets accessible to anyone who enters the office. If such records were misplaced or accessed without authorisation, the individuals concerned could suffer embarrassment, stigma, or even discrimination within their community.
- A church records tithes and donations, including names, addresses, and contact details of members, in unsecured spreadsheets casually shared among clerical staff. If that information were leaked or hacked, congregants could become targets of fraudsters or identity thieves, and the church itself could lose the trust of its members, who might begin to hold back their financial contributions.
- A youth fellowship posts photos and videos of children's activities on social media without parental consent. If such images were misused or fell into the wrong hands, children could be exposed to risks of online exploitation, and parents could lose confidence in the fellowship's ability to safeguard their families.
Bringing this into the real world: on 26th August 2025, the Church of England experienced a major data breach in which the personal details of nearly 200 abuse survivors were leaked from a scheme set up to offer them compensation. This is an organisation home to over 85 million members worldwide. Unfortunately, this case is not the first of its kind.
Also, sometime in 2016, the British and Foreign Bible Society suffered a cyber-attack which exposed the data of over 400,000 of its donors. It was fined £100,000 by the British Information Commissioner's Office (ICO), which criticised the Society for failing to take "appropriate technical and organisational steps" to protect its supporters' personal data. Because the attack took place in 2016, before the GDPR and the Data Protection Act 2018 came into effect, the case was dealt with under the old data protection rules.
Each of these scenarios illustrates the gap between clerical practice and responsible data handling. The risks are not abstract: they touch directly on people's dignity, financial security, and safety. Beyond harming individuals, they threaten the credibility of religious organisations themselves, undermining the very trust on which their mission depends.
Call To Action: Religious Organisations And Congregants
The responsibility for data protection compliance cannot rest solely on the shoulders of religious organisations. It is, at its core, a societal project. Nigerians must recognise that protecting personal data is as essential to human dignity as freedom of religion or freedom of expression. The public must shed the assumption that religious organisations are above the law and embrace the reality that, like all incorporated entities, they are bound by the same legal standards that apply to every other organisation.
For religious organisations, this means acknowledging their role as data controllers and implementing safeguards accordingly. Compliance begins with awareness; leaders must first understand that their clerical activities involve sensitive personal data, and that this triggers legal duties under the NDPA 2023. From there, practical steps should follow, such as adopting privacy policies, appointing a Data Protection Officer, training clerical staff and volunteers, restricting access to sensitive records, and obtaining meaningful consent before sharing or publishing personal data. These steps are neither complex nor alien; they mirror the ethical responsibilities that faith communities already espouse.
For congregants, the task is to play an active role in demanding accountability. Members of faith communities must ask questions: How is my data stored? Who has access to it? What safeguards are in place? They must also insist on consent before their data is used and exercise their rights to access and correction under the NDPA 2023. In this way, congregants can help build a culture of compliance from the ground up, pressing their leaders to meet both moral and legal obligations.
For the broader public and regulators, the call is to normalise the expectation that religious organisations must comply with data protection laws. Regulators must enforce compliance fairly and consistently, avoiding both selective scrutiny and undue deference. Legal professionals and civil society must amplify awareness, educating communities that protecting personal data is not an optional courtesy but a mandatory legal duty. True societal change will come when compliance with data protection is seen not as a burden imposed by statute but as an ordinary part of governance and accountability. Shifting expectations in this way can ensure that religious organisations, and indeed all organisations, embrace compliance as a norm.
Conclusion
Religious organisations in Nigeria cannot stand apart from the law. The NDPA 2023 applies to all data controllers and processors, and the GAID 2025 is clear that exemption from registration does not mean exemption from compliance. The challenge, however, seems to lie less in the text of the law than in the mindset of society. Nigerians are deeply religious, and the high moral status of clerical institutions has fostered a subconscious impression that churches, mosques, and other religious entities are self-regulating moral communities beyond or separate from the reach of "secular" regulation. This perception is reinforced by cultural deference to religious leaders and the historical lack of regulatory scrutiny in this sector. Yet no matter how revered their social standing, religious organisations are not immune from the risks that poor data practices pose to individuals or the liabilities that breaches impose under law.
The dangers are real; they could not only expose members of faith communities to harm but also potentially erode the present trust in institutions tasked with nurturing moral and spiritual life. Compliance with the NDPA 2023 should therefore be seen as an extension of religious organisations' moral mission. Just as clerical leaders safeguard the souls of their congregants, so too must they safeguard the dignity, privacy, and personal security of their data. In truth, the alignment between law and faith here is natural: both call for stewardship, responsibility, and respect for the humanity of others. The responsibility also falls upon regulators to enforce standards fairly and consistently, and upon the general public to shed the assumption that religious organisations are above legal scrutiny. The rule of law thrives only when it applies universally, and religious organisations, like all others, must be seen and must see themselves as bound by it.
By embracing compliance, religious organisations will not only meet their legal obligations under the NDPA 2023 but also strengthen their moral authority. They will model the principle that obedience to law and obedience to conscience are not contradictory but mutually reinforcing. The societal perception of religious organisations as morally above legal scrutiny must yield to the legal reality: they are data controllers and processors whose clerical activities involve sensitive personal data. Compliance with the NDPA 2023 is not only a statutory duty but also a moral imperative consistent with their mission to uphold the dignity of their members. In so doing, they will set a precedent for a society in which faith and law converge to safeguard both trust and human dignity.
REFERENCES
- Nigeria Data Protection Act, 2023 [Online]. Available at: https://ndpc.gov.ng/resources/#.
- General Application and Implementation Directive, 2025 [Online]. Available at: https://ndpc.gov.ng/wp-content/uploads/2025/07/NDP-ACT-GAID-2025-MARCH-20TH.pdf.
- Companies and Allied Matters Act, 2020 [Online]. Available at: https://www.cac.gov.ng/wp-content/uploads/2020/12/CAMA-NOTE-BOOK-FULL-VERSION.pdf.
- General Data Protection Regulation, 2016 [Online]. Available at: https://gdpr-info.eu/.
- Giovanni Buttarelli, 'Personal Data Protection in churches and religious organisations', speech to a conference organised by the Polish Inspector for Personal Data Protection, Cardinal Stefan Wyszyński University of Warsaw, Opole University and the University of Szczecin [Online]. Available at: https://www.edps.europa.eu/sites/default/files/publication/16-02-25_personal_data_protection_church_warsaw_en.pdf. Accessed on 29th August 2025.
- Mark Jones, 'Data Protection Law and Your Church', Edward Connor Solicitors [Online]. Available at: https://www.edwardconnor.com/2021/09/23/data-protection-law-and-your-church/. Accessed on 29th August 2025.
- TRT World, 'Church of England admits major data breach as personal details of nearly 200 abuse survivors leaked' [Online]. Available at: https://www.trtworld.com/world/article/f41de9227bd6. Accessed on 30th August 2025.
- Laura Sherratt, 'The Bible Society's Data Breach: What Can We Learn?' [Online]. Available at: https://www.blakemorgan.co.uk/the-bible-societys-data-breach-what-can-we-learn-2/. Accessed on 30th August 2025.