By Olumide Babalola, PhD
Over the years, I have unsuccessfully litigated the harmonisation of public databases in Nigeria. A fallout of this is the pending appeal Number CA/ABJ/CV/1460/2025 between Digital Rights Lawyers Initiative and Nigerian Interbank Settlement Systems Plc (NIBSS) on whether the NIBSS is statutorily empowered to manage a database of biometric data of Nigerian citizens, as opposed to NIMC, as well as the issue of privacy.
Hence, when news filtered that the President had assented to the National Identity Management Commission (NIMC) Act 2026 on Friday, 26 June 2026, I was curious about its implications for inter-agency (personal) data governance. After reading a copy of the bill, here are my brief thoughts on the freshly minted piece of legislation from a data protection perspective:
Worthy Reference to Data Protection
Remarkably, section 24(1) requires the NIMC to comply with the Nigeria Data Protection Act, 2023, and data protection best practices in operating the database. The section restricts the use of personal data to the specific purpose for which it was disclosed, consistent with purpose limitation principles. The section, however, makes consent the primary gateway for disclosure while emphasising its revocability.
Section 18(8) reinforces the transparency principle by requiring NIMC to inform individuals at the point of registration about how their information will be used, who it will be shared with, and how they can exercise access rights. Keeping up with data minimisation requirements, section 20 limits what an identity document may display, restricting it to the NIN, date of birth, gender, citizenship status, and security feature. Section 25(3) expressly prohibits the Commission from retaining data on the purpose of authentication requests received from third parties in respect of a registrable person. This provision essentially curtails systemic surveillance measures. Interestingly, section 24(7) imposes a duty on anyone who uses or discloses database information to implement appropriate technical and organisational measures.
Data Harmonisation
Of particular significance is the provision of section 7(c) to the effect that: “The Commission shall … serve as the repository of all biometric data capture for the management of identity in the country for proper coordination and harmonisation”. By this provision, NIMC has been effectively designated as the exclusive national custodian of all biometric data gathered for identity management, with the duty to collate, update, and protect that data in a centralised repository. This role is expressly intended to promote proper coordination among all identity-issuing and identity-using agencies, ensuring that their systems align with common frameworks and exchange information efficiently. Ultimately, the Commission shall drive the harmonisation of identity management practices across the country, reducing redundancy, enhancing security, and enabling consistent service delivery for all individuals.
In similar terms, section 8(b) empowers NIMC to “harmonise and integrate the existing identification databases in government agencies and integrate them into the National Identity Database.” Beyond its repository function, this provision further empowers NIMC to undertake the active harmonisation and technical integration of all existing identification databases currently operated by various government agencies, departments, and parastatals. This entails a systematic process of data mapping, de-duplication, record linkage, and alignment to resolve inconsistencies, eliminate redundant entries, and establish a common semantic framework across disparate legacy systems. The ultimate objective is to seamlessly incorporate these agency-specific databases into the National Identity Database, thereby transforming a fragmented collection of siloed registers into a unified, interoperable, and authoritative identity infrastructure that supports secure authentication, efficient service delivery, and evidence-based policymaking across all tiers of government.
Conclusively, the NIMC Act 2026 arrives at a critical juncture in Nigeria’s evolving data governance landscape, and for those of us who have navigated the judicial trenches in pursuit of database harmonisation and privacy protection, it represents both a legislative triumph and a sobering reminder of the work that remains undone. My personal experience litigating the harmonisation of public databases, culminating in the pending appeal in Digital Rights Lawyers Initiative v. NIBSS (supra), has laid bare the institutional rivalries, legal ambiguities, and systemic inertia that have long frustrated efforts to establish a coherent identity management framework.
By designating NIMC as the exclusive repository for all biometric data and mandating the harmonisation and integration of existing government databases, the Act offers a progressively statutory answer to the core question in that appeal. However, I believe legislative clarity, though commendable, does not automatically translate into institutional compliance, unless all stakeholders proactively play their respective roles towards actualising the objectives of the new Act.
The post Ending The Scattergun Approach: An Appreciation Of The Harmonious NIMC Act 2026 From A Data Protection Perspective appeared first on TheNigeriaLawyer.

