Abstract
This article examines the legal and practical importance of data minimisation and retention under Nigeria's modern data protection framework, with particular reference to the Nigeria Data Protection Act 2023 (the "Act") and the General Application and Implementation Directive (GAID) 2025. It argues that data minimisation is not merely a drafting principle in a privacy notice or a box-ticking compliance exercise, but a core governance discipline that directly affects legality, proportionality, cybersecurity exposure, records management, and regulatory defensibility. The article also places the Nigerian position in dialogue with broader international standards, especially UK data protection guidance, to show that a "collect less, keep less" approach is both locally grounded and globally intelligible. It concludes that organisations that reduce unnecessary collection and define retention with precision are often in a stronger position not only to comply with the law, but also to reduce breach impact, improve data quality, and build trust.
1. Introduction: a small form, a big problem
Picture a Tuesday afternoon in Lagos. A compliance team is midway through a review when they hit a major red flag. They pull up a basic onboarding form for something as simple as internet or waste disposal service, only to find the provider is asking for everything, from IDs and mother's maiden name to the customer's BVN and next-of-kin. It is total data overkill for a simple subscription. When asked why all that information is needed, the answer is familiar: "Let us just have it there. It may be useful later." That single sentence captures one of the most persistent weaknesses in privacy governance across organisations. It is not always bad faith. Quite often, it is habit. But in legal terms, habit is not a lawful basis.
Modern data protection law has moved sharply away from the culture of speculative collection. In Nigeria, that shift is now unmistakable. The Act requires personal data to be collected for specified, explicit and legitimate purposes, to be adequate, relevant and limited to the minimum necessary, and to be retained no longer than necessary for the lawful basis for which it was collected or further processed. The GAID 2025 then adds practical interpretation, explaining that "minimum necessary" means the least possible data essential to fulfil the stated purpose.
The message is clear enough in plain English: if an organisation cannot explain why it needs a category of data, it should be very slow to collect it. If it can no longer justify keeping it, it should be very ready to delete or irreversibly de-identify it. This is where minimisation and retention cease to be abstract principles and become everyday legal discipline.
2. The legal framework
The legal framework governing data minimisation and data retention in Nigeria is derived from a combination of statutes, subsidiary regulations, and regulatory guidance. These instruments collectively establish the principles that guide how personal data may be collected, processed, stored, and retained by both public and private entities. Among these, the most significant legislative development is the enactment of the Act.
NIGERIA DATA PROTECTION ACT 2023: This legislation, signed into law on 12 June 2023, constitutes Nigeria's primary legal framework for the protection of personal data. The legislation has a broad territorial scope. It applies not only to data controllers and processors operating within Nigeria but also to entities located outside the country where they process the personal data of individuals who are located in Nigeria. This extraterritorial application reflects a growing international trend in data governance, aligning Nigeria's approach with global data protection frameworks.
Central to the Act is Section 24, which requires that personal data be collected only for specific, explicit and lawful purposes, limited to what is adequate, relevant and strictly necessary for those purposes, and retained only for as long as is required to achieve the objective for which it was obtained. These requirements reflect the core principles of data minimisation and storage limitation, and they operate not as aspirational standards but as legally enforceable duties.
The significance of section 24 lies in the fact that it connects three matters that organisations often try to treat separately: purpose, quantity, and duration. In reality, they are legally linked. The narrower and clearer the purpose, the easier it is to justify the data set. The weaker the purpose, the harder it becomes to defend both collection and retention. A controller cannot simply say, "we may need it one day." The law expects the purpose to be specified, explicit and legitimate now, not imagined later.
The GAID is especially helpful because it gives practical meaning to the statutory words. It states that "adequate" means appropriate quantity and quality; "relevant" means materially useful and indispensable; and "minimum necessary" means the least possible data essential to the fulfilment of the specified purpose. On retention, it says that where data is kept solely for record purposes, the organisation should determine the minimum data relevant and necessary for that purpose, and any residue no longer needed should be properly destroyed or irreversibly de-identified. It also says the retention policy must be communicated to data subjects.
That is a strong regulatory position. It leaves little room for indefinite retention by inertia. It also means that organisations operating in Nigeria should not treat "data retention policy" as a mere internal administrative note. It is part of legal compliance architecture.
NATIONAL INFORMATION TECHNOLOGY DEVELOPMENT AGENCY ACT 2004: The National Information Technology Development Agency (NITDA) Act 2024 established the National Information Technology Development Agency and vested it with responsibility for developing policies and regulatory frameworks for Nigeria's information technology sector. Historically, this mandate included the issuance of the Nigeria Data Protection Regulation 2019, which served as the country's primary data protection instrument prior to the enactment of the Nigerian Data Protection Act 2023. Although the direct regulatory responsibility for data protection has since shifted to the NDPC, the NITDA Act remains part of the broader statutory framework of Nigeria's digital governance architecture and continues to shape policy development within the technology sector.
CYBERCRIMES (PROHIBITION, PREVENTION, ETC.) ACT 2015 (AS AMENDED): The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 introduces a distinct regulatory obligation in relation to data retention. In particular, section 38 requires service providers to retain traffic data and subscriber information for a minimum of two years. This creates an apparent tension with the storage limitation principle under the Nigeria Data Protection Act 2023, which requires that personal data be retained only for as long as necessary for the purposes for which it was collected.
Organisations that fall within the scope of both frameworks, particularly telecommunications operators, internet service providers, and digital platform companies, must therefore adopt a careful, structured compliance approach. In practice, this is usually addressed through a targeted retention policy under which only the specific categories of data required by section 38 are retained for the statutory period. This helps ensure that the legal obligation does not become a basis for indiscriminate or indefinite retention of personal data across the organisation.
CENTRAL BANK OF NIGERIA REGULATIONS: The Central Bank of Nigeria (CBN) requires banks and financial service providers to retain customer due diligence and transaction records for at least five years after the end of the business relationship or completion of the transaction. This obligation is further reinforced by section 8(1)(a) of the Money Laundering (Prevention and Prohibition) Act 2022, which imposes statutory record-keeping requirements on financial institutions. Under that provision, relevant customer and transaction records must be retained for a minimum of five years. Even so, organisations must design their retention schedules in a way that satisfies these minimum regulatory requirements without treating them as a justification for the indefinite storage of personal data.
3. Why minimisation matters more than many organisations realise
We often talk about data minimisation as if it were just a box to tick for privacy compliance. In reality, that is only half the story. It is also a design principle, a security principle, a records management principle, and a litigation-risk principle. The moment an organisation starts hoarding more data than it actually needs, the cracks start to show.
First, the legal justification falls apart. If a controller relies on contract, the question becomes whether the collected data is actually necessary to perform the contract. If it relies on legitimate interests, the necessity and balancing exercise becomes more difficult where the organisation has collected excessive material. If it relies on consent, the quality of that consent may be questioned where the request is bundled, broad or disproportionate. The problem is not only the existence of data. It is the absence of a disciplined explanation for why it is there.
Secondly, excessive collection weakens proportionality. The Act requires an assessment of necessity and proportionality where a data privacy impact assessment (DPIA) is required for high-risk processing. That means a controller should not leap straight to technical safeguards without first asking whether the volume and type of data being processed are justified at all. In practice, many DPIAs are strongest where the first control is reduction of the data set itself.
Thirdly, excessive collection is the parent of excessive retention. Once data enters multiple folders, inboxes, vendor tools, spreadsheets and backups, it becomes harder to trace, harder to review, and harder to delete. One can see this in organisations that still carry years of examination scripts, old CVs, unneeded medical records, stale onboarding files, redundant CCTV exports and legacy customer profiles simply because no deletion trigger was ever built. From a governance standpoint, that is not prudent record keeping. It is unmanaged accumulation. The Act gives data subjects the right to erasure where the data is no longer necessary or where there is no other lawful basis to retain it.