8 July 2025

The Overlooked Risks Of Deploying Biometric Data In Public Sector Databases In Nigeria: Balancing State Interests And Individual Rights In Data Management.

S.P.A. Ajibade & Co.

Contributor

S. P. A. Ajibade & Co. is a leading corporate and commercial law firm established in 1967. The firm provides cutting-edge services to both its local and multinational clients in the areas of Dispute Resolution, Corporate Finance & Capital Markets, Real Estate & Succession, Energy & Natural Resources, Intellectual Property, and Telecommunications.

In today's digital age, the collection and use of biometric data by public institutions has become an integral part of national identity programmes, voter registration processes, border management, and law enforcement operations. Biometric identifiers, such as fingerprints, facial images, iris scans, and voice patterns, are uniquely sensitive, as they are tied to an individual's physical identity and, unlike passwords, cannot be changed if compromised. This type of data is permanently identifiable, hard to secure, and can rarely be deleted or anonymized, making its breach a matter of critical importance.1

While the use of such data promises enhanced efficiency, security, and accountability in public services, it also introduces significant legal and ethical challenges, particularly concerning privacy, consent, data minimization, and long-term data security.2 In Nigeria, public sector agencies have expanded their biometric data collection practices, often without transparent safeguards or robust legal oversight. This raises critical questions about the adequacy of existing data protection frameworks, such as the Nigeria Data Protection Act (NDPA), its Implementation Framework, and whether they sufficiently address the peculiar vulnerabilities of biometric data. Despite the sensitivities of this category of data, public discourse and academic inquiry have largely overlooked the systemic risks and potential abuses associated with its collection and storage by government entities.

This article examines the risks of biometric data in Nigeria's public sector. It highlights regulatory gaps and interrogates the boundaries of consent in mandatory government programs, while proposing stronger safeguards that balance state interest with the fundamental rights of individuals.

What is Biometric Data?3

Biometric data is a type of personal data that is collected from an individual's physical or behavioral characteristics. This data is used to identify and verify an individual's identity. Biometric data is collected through various methods, including fingerprint scanning, facial recognition, iris scanning, and voice recognition. This data is then used to create a unique biometric template that can be employed to identify an individual.

There are several types of biometric data, including:4

  • Fingerprint data
  • Facial recognition data
  • Iris scanning data
  • Voice recognition data
  • Hand geometry data
  • DNA (blood, skin, bone, saliva, urine, etc.)
  • Signature data

How Biometric Data is used in the Nigerian Public Sector5

Biometric data, such as fingerprints, facial images, iris scans, and voice recognition, is increasingly used by public sector institutions in Nigeria to support identity verification, improve service delivery, and enhance national security efforts. Below are the main ways biometric data is deployed across government programs:6

  1. National Identity Management System (NIMC):7 The National Identity Management Commission (NIMC) uses biometric data (fingerprints, facial images, and digital signatures) in issuing the National Identification Number (NIN) to citizens and residents, to create a centralized and unified identity database.
  2. Voter Registration and Election Management (INEC): The Independent National Electoral Commission (INEC)8 collects fingerprints and facial data during voter registration to prevent voter fraud and ensure that each eligible voter is registered only once. For instance, the Bimodal Voter Accreditation System (BIVAS) relies on fingerprint and facial recognition during elections to verify voters' identity.
  3. Passport and Immigration Services (NIS):9 The Nigeria Immigration Service collects biometric data (fingerprints and photos) during the international passport application and renewal process for identity verification and border control. The data collected is often used at entry and exit points and shared with international security databases.
  4. Social Investment and Welfare Programs: Some public programs, such as the Conditional Cash Transfer (CCT) or N-Power, require beneficiaries to enroll biometric information so that beneficiaries can be authenticated and duplicate or ghost beneficiaries eliminated, reducing fraud and ensuring that funds reach the intended recipients.
  5. Bank Verification Number (BVN) – CBN/NIBSS:10 Although coordinated with the banking sector, the Bank Verification Number (BVN) is backed by public institutions like the Central Bank of Nigeria (CBN) and relies on fingerprints and facial images to link individuals to a unique biometric identity across multiple bank accounts in order to reduce financial fraud.
  6. Law Enforcement and Criminal Justice: Biometric data is used by the Nigerian Police, Immigration, and intelligence agencies for criminal identification and investigations, forensics, border control, security watchlists, etc.

Some of this data may be collected from crime scenes, arrests, or during background checks.

BIOMETRIC DATA RECOGNITION IN NIGERIA.11

In Nigeria, several laws and regulations recognise and provide for biometric data, but none offer a single, comprehensive framework specifically dedicated to it. Instead, biometric data is addressed within broader data protection and identity management laws. These include the Nigeria Data Protection Act (NDPA) 2023 and sector-specific laws and guidelines such as the National Identity Management Commission (NIMC) Act 2007 and the NDP Act General Application and Implementation Directive (GAID) 2025. It is observed that the collection of biometric data is often mandatory, raising concerns around consent, transparency, and long-term data protection. There is often limited public awareness of how this data is processed, stored, or shared, especially across agencies or with third-party vendors. In many cases, data protection safeguards are weak or inconsistently enforced, increasing the risk of data misuse or data breach.

a.) Nigeria Data Protection Act (NDPA) 2023

Biometric data is treated under the interpretation section of the NDPA as sensitive data for the purpose of uniquely identifying a natural person. The Act does not provide a detailed definition or explanation of what biometric data specifically entails.12 It fails to define whether biometric data includes fingerprint data, facial recognition data, iris scanning data, voice recognition data, hand geometry data, DNA (blood, skin, bone, saliva, urine, etc.), or signature data.

This lack of specificity has created ambiguity in how biometric data is interpreted, regulated, or litigated, especially when new biometric technologies emerge. However, below is what the Act says about sensitive data, which is presumed to apply to biometric data.

  1. Sensitive Personal Data: This is defined under the interpretation section of the Act13 to include, 'data relating to religious or other beliefs, sexual orientation, health, race, ethnic or social origin, trade union membership, criminal record, or any other personal data which may be used to identify a person or are of a sensitive nature, including genetic and biometric data.'
  2. Conditions for processing: Section 30(1)14 provides that a data controller or processor shall not process sensitive personal data unless the data subject gives explicit consent, or the processing falls under specified public interest, legal obligations, or protection of vital interest grounds. This means that controllers and processors must obtain explicit consent from individuals before collecting or processing their biometric data, unless one of the exceptions applies.
  3. Data Protection Impact Assessment (DPIA): The Act15 requires that when processing is likely to result in high risks to rights and freedoms, particularly with sensitive personal data like biometrics, the controller must conduct a Data Protection Impact Assessment (DPIA) to assess the nature and extent of associated risks and to put necessary remedial measures in place prior to embarking on such processing.

b.) Sector-Specific Laws and Guidelines

In addition to the provisions contained in data protection laws, some sectoral laws touch on biometric data:

  1. National Identity Management Commission (NIMC) Act 2007: This Act does not use the term "biometric data" directly in every section, but it clearly provides for the collection and use of biometric information as part of Nigeria's identity management system. It empowers NIMC to establish and maintain a National Identity Database and to issue a National Identity Number (NIN) to citizens and legal residents. The Act provides as follows:

The Commission shall create, manage, maintain and operate the National Identity Database established under Section 14 of the Act including the harmonisation and integration of existing identification databases in Government agencies and integrating them into the National Identity Database.16

While not specific to biometrics, this section forms the legal basis for collecting personal and sensitive information, including biometric identifiers.

Section 1517 provides for the objectives of the Database as including the use of fingerprints and other biometric information as unique and unambiguous features of identifying registerable persons. This section explicitly mentions biometric information and fingerprints as part of what the NIMC is authorized to collect and store in the identity database.

Furthermore, section 18 provides that:

... every registerable person who has attained the age of sixteen years, shall within sixty days attend before the Commission or at such other place designated by the Commission, for the purpose of being registered and shall permit his fingerprints and other biometric information about himself to be taken and recorded for the purpose of registration in the Database under the Act.18

  2. NDP Act General Application and Implementation Directive (GAID) 2025: While biometric data is not expressly mentioned in the GAID, and sensitive personal information is not explicitly defined, the Directive does refer to "sensitive data" in several provisions. In the absence of a standalone definition within the GAID, it is appropriate to rely on the definition provided in the NDPA, which the GAID is designed to implement and give effect to.

Consistent with this approach, Article 18 of the GAID states that "without prejudice to the provisions of the NDPA and in addition to other circumstances in which consent may be required under this GAID or by operation of law, consent is required for the processing of sensitive personal data." Furthermore, Article 2819 makes it clear that a Data Protection Impact Assessment (DPIA)20 is mandatory where the processing involves sensitive or highly personal data. This underscores the risk associated with such data and the importance of preemptive safeguards.

BIOMETRIC DATA AND PRIVACY CONCERNS IN NIGERIA.21

Biometric data, by its nature, is personal and permanently linked to an individual's identity. In Nigeria, the increasing collection and use of biometric identifiers such as fingerprints, facial images, and iris scans by government institutions has raised significant privacy concerns, particularly in a landscape where regulatory enforcement remains weak and public awareness is limited.

1.) Lack of Explicit Consent: One of the most pressing privacy issues is the lack of explicit consent. Citizens are often compelled to submit biometric data as a precondition for accessing essential services, such as national identity cards, passports, voter registration, or social welfare benefits. In these contexts, consent is not freely given but imposed, undermining the individual's right to make informed decisions about their personal data.22 While it is true that alternative lawful bases such as legal obligation or contractual necessity can justify the collection of biometric data, particularly in employment or welfare contexts, this does not negate the critical need for robust safeguards and transparency. Biometric data is uniquely sensitive: it is permanent, irreplaceable, and highly susceptible to misuse. Therefore, even when collected without relying on consent, its use must be narrowly tailored, proportional to the purpose, and accompanied by clear accountability mechanisms. The real issue lies in the systemic imbalance where citizens are effectively coerced into surrendering their biometric data to access essential services, without meaningful alternatives or safety controls. This challenges the foundational principles of data protection and raises legitimate concerns about the idea that individuals should have the power to decide when, how, and for what purpose their personal data is collected and used. If people are being forced to give up data without choice, that right is being weakened or eroded.

2.) Inadequate Legal Safeguards: Although Nigeria has made progress with the Nigeria Data Protection Act (NDPA) 2023, there is still a lack of sector-specific implementation guidelines and robust enforcement mechanisms. Many public institutions operate without clear data protection policies, resulting in weak safeguards for biometric data. This regulatory gap leaves citizens vulnerable to unauthorized access, data sharing, and long-term misuse.

3.) Further Processing without Consent: There is growing concern that biometric data collected for one legitimate purpose may be used for unauthorized secondary purposes, such as mass surveillance or political profiling, a phenomenon known as 'function creep'.23 In the absence of judicial oversight or transparent data governance, there is a real risk that biometric data could be weaponized against citizens, especially in politically sensitive or insecure environments.24

4.) Data Breaches and Lack of Accountability: Nigeria has experienced multiple data breach incidents, including leaks of sensitive citizen information from government databases. For instance, a lady recently called out the Nigeria Immigration Service after her application form was used to wrap akara (bean cake) for a stranger.25 Also, during the 2019 general elections, there were allegations that voter information stored on smart card readers could be accessed by unauthorized actors due to poor encryption protocols.26

Between 2021 and 2022, reports surfaced that a third-party platform was offering access to the National Identity Database for a fee. Allegations suggested that biometric and personal information tied to NINs were being exposed or sold. This raised serious concerns about weak API security, third-party access, and the centralization of biometric data without sufficient encryption or oversight.27

Biometric data, once compromised, cannot be changed or revoked like a password, as it is permanently linked to its owner. Despite this, there are few effective mechanisms for public notification, redress, or compensation when such breaches occur, which amplifies the privacy threat.

5.) Centralization and Data Security Risks: The centralization of biometric data in large national databases (e.g., NIMC, INEC, or immigration systems) makes them high-value targets for cybercriminals. Without world-class security infrastructure and independent audits, these databases are at heightened risk of infiltration, leading to mass identity theft and digital exploitation.

6.) Low Public Awareness and Digital Literacy: Many Nigerians are not fully aware of how their biometric data is being used or the rights they have under the NDPA. This lack of awareness reduces public scrutiny and makes it difficult for citizens to challenge privacy violations or to demand accountability from public institutions.

Proposed Safeguards for Balancing State Interests and Individual Rights

To ensure that biometric data collection by the Nigerian public sector serves legitimate public interests without infringing on citizens' fundamental rights, the following stronger safeguards are proposed:

1.) The Need for More Comprehensive Data Protection Law: Nigeria should consider amending its existing federal data protection legislation, i.e., the Nigeria Data Protection Act (NDPA) 2023, to include more comprehensive and explicit provisions governing the collection, use, and safeguarding of biometric data. Such an amendment should classify biometric data as sensitive personal information and set out clear provisions for its processing by public authorities, including lawful basis, retention limits, and the rights of data subjects.28 Alternatively, the Nigeria Data Protection Commission (NDPC) should issue detailed interpretative guidance or a code of practice specifically addressing:

  • What constitutes biometric data
  • Lawful use scenarios
  • Prohibited use (e.g., surveillance without legal basis)
  • Security standards for storage and transmission, etc.

2.) Mandatory Data Protection Impact Assessments (DPIAs):29 Public institutions should be legally required to conduct a Data Protection Impact Assessment prior to launching any biometric data project. DPIAs would help evaluate privacy risks, provide a justification for the necessity of biometric collection, and ensure that data processing aligns with the principles of proportionality and minimal intrusiveness.

3.) Purpose Limitation and Legal Clarity: Biometric data should be collected only for clearly defined, lawful purposes, and reused strictly within those limits. The law should explicitly prohibit 'function creep', that is, the further processing of data for unrelated surveillance, profiling, or political monitoring, without legal authority or judicial oversight.30

4.) Transparent and Informed Consent Mechanisms: Where biometric data collection is not mandated by law, public bodies must obtain clear, informed, and voluntary consent from individuals. Consent forms should be written in plain language, and individuals should be informed about the specific purpose, data retention period, and whether third parties will access their data. Importantly, there should be an option to opt out or seek alternatives where feasible.31

5.) Right to Redress and Independent Oversight: A well-resourced, independent Nigeria Data Protection Commission (NDPC) should oversee biometric data practices in the public sector. Citizens should be able to file complaints, challenge misuse, and seek remedies when their data rights are violated. The NDPC should have the power to audit, investigate, and impose sanctions on non-compliant public bodies.

6.) Robust Security Standards: Government agencies should implement strict technical safeguards such as:

  • End-to-end encryption of biometric data
  • Role-based access controls
  • Secure storage infrastructure and
  • Regular vulnerability assessments and penetration testing.

This would assist in reducing the risks of breaches and unauthorized access.

7.) Defined Data Retention and Deletion Policies: The law should mandate that biometric data collected by public agencies be retained only for as long as necessary,32 after which it must be securely deleted, or alternatively pseudonymized, where on-going access verification is desired. This helps prevent the indefinite retention of sensitive data and limits exposure to potential abuse.

8.) Leveraging Blockchain for Secure Biometric Infrastructure33

Blockchain's decentralized and tamper-resistant nature offers promising potential for enhancing data integrity, transparency, and auditability. If appropriately adapted, it could serve as a secure framework for managing biometric and other sensitive personal data housed in government/public databases, enabling access controls, immutable access logs, and user consent mechanisms. However, further analysis would be required to assess the technical feasibility, regulatory alignment, and scalability of such a system within Nigeria's public sector infrastructure. Nonetheless, this is certainly a direction worth exploring in the pursuit of a more robust and trustworthy data protection framework.

9.) Public Transparency and Accountability: Agencies collecting biometric data should be required to publish privacy policies, DPIAs, and annual data protection reports. This enhances transparency, builds public trust, and holds data controllers accountable to both the public and the regulator.

Conclusion

As Nigeria advances its digital identity infrastructure and expands the use of biometric technologies in public service delivery, the need to address the associated privacy risks becomes increasingly urgent. Biometric data, while offering undeniable benefits in identity verification and fraud prevention, also presents unique challenges due to its sensitive and irreversible nature.

The Nigeria Data Protection Act (NDPA), 2023, though evolving, remains inadequate to fully protect individuals from potential misuse, over-collection, unauthorised sharing, or breaches of their biometric information. Without deliberate safeguards, such as strict purpose limitation, informed consent, independent oversight, and robust data security measures, the collection of biometric data by public institutions risks infringing on citizens' fundamental rights to privacy and dignity.

Without strong legal frameworks, technical safeguards, and public oversight, the collection of biometric data by government entities will continue to pose a serious threat to privacy, civil liberties, and data protection.

Footnotes

1 Sterling Miller, 'The basics, usage, and privacy concerns of biometric data' < https://legal.thomsonreuters.com/en/insights/articles/the-basics-usage-and-privacy-concerns-of-biometric-data> accessed on June 26th 2025.

2 Ayang Macdonald, 'Biometrics implementation for Public Uses Expanding in Nigeria' available at < https://iarjset.com/wp-content/uploads/2024/07/IARJSET.2024.117106.pdf> accessed on June 26th 2025.

3 Arpan Nanavati, 'What is Biometric Data?' available at < https://www.cimphony.ai/insights/what-is-biometric-data definition-types-and-importanceBiometric Data>, accessed on June 27th, 2025.

4 Article 19.Org., 'When Bodies Become Data: Biometric Technologies and Freedom of Expression' available at < https://www.article19.org/wp-content/uploads/2021/05/Biometric-Report-P3-min.pdf> accessed on June 26th 2025.

5 Ibid (n4).

6 Africa-China Reporting Project, 'Determining the implications of biometric technologies on Nigerian startups' available at < https://africachinareporting.com/determining-the-implications-of-biometric-technologies-on-nigerian-startups/> accessed on June 26th, 2025.

7 Section 15, National Identity Management Commission (NIMC) Act 2007.

8 Section 47, Electoral Act, 2022 (including INEC Regulations and Guidelines for the Conduct of Elections (2022)).

9 Section 17, Immigration Act, 2015.

10 Article 1.5, Regulatory Framework for Bank Verification Number (BVN) Operations and Watchlist for the Nigerian Banking Sector.

11 Temitayo Ogunmokun, 'Assessing Data Protection in Nigeria: A look at Biometric Identity, Surveillance, Encryption and Anonymity and CyberCrimes' available at < https://paradigmhq.org/wp-content/uploads/2022/01/Assessing-data-protection-in-NigeriaFinal.pdf> accessed on June 28th, 2025.

12 Section 65, Nigeria Data Protection Act (NDPA) 2023.

13 Ibid.

14 See, Nigeria Data Protection Act (NDPA) 2023.

15 See, Nigeria Data Protection Act (NDPA) 2023.

16 Section 5, National Identity Management Commission Act (NIMC) 2007.

17 National Identity Management Commission Act (NIMC) 2007.

18 Ibid.

19 See, NDPA General Application and Implementation Directive (GAID) 2025.

20 A Data Privacy Impact Assessment (DPIA) is mandated under Section 28 of the NDP Act when data processing may likely result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context, and purposes.

21 Ebelogu, Oluyemi, Oluwasegun and Faki Ageebee, 'Privacy Concerns in Biometrics' available at < https://www.ieeesem.com/researchpaper/Privacy_Concerns_in_Biometrics.pdf> accessed on June 28th, 2025.

22 Section 25, Nigeria Data Protection (NDPA) Act, 2023.

23 'Function Creep', also called Mission Creep, refers to the gradual and unauthorised expansion of the use of data beyond the original purpose for which it was collected.

24 Section 24, Nigeria Data Protection (NDPA) Act, 2023.

25 GistReel.Com's Post, available at < https://www.facebook.com/GistReelOnline/posts/lady-calls-out-nigeria- immigration> accessed on June 27th 2025.

26 Ugwuozor Samuel Ifeanyi, 'Evaluating the Impact of Electronic Card Readers on Nigeria General Elections: 2015-2019' Dosr Journal of Current Issues in Arts and Humanities available at https://eprints.gouni.edu.ng/4252/1/IDOSR-JCIAH-7142-512021.-Ugwuozor-P1.pdf accessed on July 1st, 2025.

27 Justice Okamgba, 'NIMC facing multiple unauthorised accesses to NIN data – Stakeholders' available at <https://punchng.com/nimc-facing-multiple-unauthorised-accesses-to-nin-data-stakeholders/#google_vignette> accessed on July 1st, 2025.

28 Poornima R, and Jasmine K., 'Biometrics in Society: Privacy Security and Equality' available at < https://iarjset.com/wp-content/uploads/2024/07/IARJSET.2024.117106.pdf> accessed on June, 27th 2025.

29 Section 28 Nigeria Data Protection (NDPA) Act, 2023.

30 Section 24(c).

31 Ibid.

32 Section 24(d) Nigeria Data Protection (NDPA) Act, 2023.

33 Thomas Lambart, 'The Role of Blockchain Technology in Personal Data Protection' available at https://pdtn.org/blockchain-in-data-> accessed on July 1st, 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
