INTRODUCTION
In an era marked by digital connectivity, governments must walk a delicate line between the public’s right to know and individuals’ right to privacy. Nigeria has adopted two significant statutes to address these competing interests. The Freedom of Information Act (FOI Act) of 2011 establishes a legally enforceable right of access to public records, emphasizing transparency and accountability in governance. The Nigeria Data Protection Act (NDPA) of 2023 focuses on protecting personal data and regulating how government agencies and private entities handle it.
Given that both laws operate concurrently, it is imperative to examine how they interact, where tensions may arise and the steps needed to ensure transparency does not come at the expense of privacy.
OVERVIEW OF THE FOI ACT
The FOI Act grants every person, regardless of motive, the right to access information held by public institutions.[1] When a request is made, the public institution must respond in writing within seven days, either providing the information or explaining why access is denied;[2] wrongful denial is punishable by a fine of 500,000 Naira on the defaulting officer or institution.[3]
The FOI Act also protects personal privacy by exempting from disclosure personnel, client and tax records and other files containing personal information; these can only be released if the individual consents or if disclosure is clearly in the public interest. Additional exemptions cover national defence and international affairs, law enforcement records, third-party trade secrets,
[1] Section 1 of the FOI Act, Elukpo V. Medical Director, FMC, Lokoja (Supra) (Pp 10 – 10 Paras A – D)
[2] Section 7 (1) of the FOI Act.
[3] Section 7 (5) of the FOI Act.
commercial data, and other privileges, but even these can be overridden when the public interest in disclosure outweighs the harm of releasing the information.[4]
OVERVIEW OF THE NDPA
The NDPA, enacted in June 2023, establishes a comprehensive legal framework for the protection of personal data and creates the Nigeria Data Protection Commission. The Act’s objectives include safeguarding fundamental rights, ensuring fair and lawful processing, and establishing a robust supervisory framework.[5]
The law applies to any entity processing personal data in Nigeria or about Nigerian residents, even if the processor is based overseas.[6] The law further requires that personal data be processed fairly, lawfully and transparently for specified purposes;[7] kept accurate and only for as long as necessary;[8] and protected with appropriate security measures.[9]
The NDPA recognises lawful bases for processing, including consent, contract performance, compliance with legal obligations, the protection of vital interests, public interest or legitimate interests, provided these do not override the data subject’s rights.[10] Individuals are granted rights to access their data, withdraw consent, object to automated decision‑making, and port their data, and controllers must conduct data privacy impact assessments for high‑risk processing.[11]
Importantly, the Act’s obligations are exempt[12] when personal data is processed by competent authorities for law enforcement, national security, public health or journalism, provided these activities respect constitu[1] Section 1 of the FOI Act, Elukpo V. Medical Director, FMC, Lokoja (Supra) (Pp 10 – 10 Paras A – D) [1] Section 7 (1) of the FOI Act.
[4] Section 7 (5) of the FOI Act.
[5] Section 11 – 19 of the FOI Act
[6] Section 1 of the NDPA.
[7] Section 3 (2) C of the NDPA.
[8] Section 24 (1) (a) and (b) of the NDPA.
[9] Section 24 (1) (c) and (d) of the NDPA.
[10] Section 24 (2) of the NDPA.
[11] Section 25 (1) (a) of the NDPA.
[12] Section 28 of the NDPA.
[1] Section 3 of the NDPA
[1] Section 45 (1) of the Constitution
[1] Section 3 of the NDPA
[1] (2025) LPELR-80300(CA)
[1] Section 11 of the FOI Act.
[1] Section 12 of the FOI Act.
[1] Section 14 of the FOI Act.
[1] Section 15 of the FOI Act.
[1] Section 16 of the FOI Act.
[1] Section 17 of the FOI Act.
[1] Section 19 of the FOI Act.
[1] Section 24-30 of the NDPA
tional rights and proportionality.
TENSION AND COMPLEMENTARITY
Both statutes are grounded in constitutional principles: the FOIA implements citizens’ right to access information while the NDPA protects the right to privacy. Because the FOIA was enacted more than a decade earlier, it emphasises disclosure with limited privacy safeguards. The FOIA’s personal information exemption protects specific categories of sensitive records and offers public interest overrides, leaving gaps in how to handle modern digital data.
The NDPA fills this gap by defining personal data broadly to cover any information relating to an identifiable individual and imposing strict processing requirements and accountability obligations on data controllers. Consequently, government bodies responding to FOIA requests must now consider whether releasing records would breach the NDPA’s fairness and security principles. For example, disclosing personnel files or surveillance footage under FOIA could conflict with the NDPA’s requirement to process only data necessary for specified purposes and to avoid unauthorised disclosure. Conversely, the NDPA’s exemptions for law enforcement and national security reflect a recognition that transparency in the public interest and legal accountability should not be compromised.
Both laws therefore require public institutions to balance competing interests, making case‑by‑case assessments of whether disclosure is justified and whether anonymisation or redaction can mitigate privacy risks.
FINDING BALANCE BETWEEN THE FOI ACT AND THE NDPA: TRANSPARENCY AND ACCOUNTABILITY VS. PRIVACY
The principles of accountability and transparency form the foundation of the FOI Act, which grants the public a broad right to access records held by any public institution. It obliges agencies to respond to requests within seven days and imposes fines on officials for wrongful denials. The underlying assumption is that transparency fosters participatory democracy and limits corruption.
The NDPA pursues a different constitutional imperative: protecting individuals’ privacy and preventing misuse of personal data. It establishes an independent Data Protection Commission and requires data controllers and processors to handle personal information fairly, lawfully and for specified purposes. It also applies extraterritorially to any entity processing data about persons in Nigeria.
These principles can conflict. While the FOI Act encourages broad disclosure, the NDPA imposes strict controls on how personal data may be collected, used and shared. Because the FOI Act predates the NDPA, it does not contain detailed mechanisms for balancing privacy interests against the public interest in disclosure. As a result, FOI Act requests could pressure agencies to release sensitive personal data such as beneficiary lists from a government humanitarian programme unless officials exercise discretion and apply redactions or anonymisation.
WHEN THERE IS A CONFLICT BETWEEN THE FOI ACT AND THE NDPA, WHICH SHOULD PREVAIL?
The answer is not entirely clear and would likely depend on the context. The Constitution[13] allows restrictions on privacy where they are reasonably justifiable in the interests of defence, public safety, order, morality, or public health. The NDPA[14] similarly exempts processing by competent authorities for law enforcement, national security, public health, journalism, or the establishment of legal claims. These provisions mean a public body may disclose personal data in response to a FOIA request if a compelling public interest exists, but routine disclosures must still comply with NDPA principles such as data minimisation and lawful basis.
ASSESSMENT OF FOI EXCEPTIONS AND THEIR ADEQUACY IN PROTECTING PERSONAL DATA
The FOI Act contains several exceptions designed to protect certain categories of information from disclosure. Specifically, Section 14 of the Act provides a comprehensive instance of where requests will be denied because it involves personal information such as client records and tax. The denial of access to public records involving personal information has been affirmed in cases such as Incorporated Trustees of PAACA V. A-G. Federation[15], where the Court of Appeal held that an attorney-client privilege is protected under the FOI Act being an exempted information, further recognising that privacy must be balanced against transparency.
However, the FOI Act, however, does not provide detailed guidance on how privacy interests should be weighed against the public interest in disclosure. The lack of balancing mechanism leaves public officials uncertain about how to reconcile overlapping obligations under both statutes, often resulting to inconsistent application.
The NDPA, by contrast, provides a comprehensive framework for determining when disclosure is lawful. Personal data may only be shared if there is a valid legal basis such as consent, contractual necessity, a legal obligation or a legitimate
[13] Section 45 (1) of the Constitution
[14] Section 3 of the NDPA
[15] (2025) LPELR-80300(CA)
public interest and the disclosure is necessary and proportionate. Data controllers must also conduct privacy impact assessments and implement security measures. These requirements give agencies a structured way to assess whether releasing information under the FOIA would breach privacy rights.
EXEMPTED DOCUMENTS AND THEIR ALIGNMENT OR DIVERGENCE FROM NDPA PROTECTIONS
Beyond privacy, the FOI Act exempts certain classes of documents under Sections 11 to 19. These documents include records affecting international affairs and the defence of the Federal Republic of Nigeria,[16] law enforcement and investigation,[17] personal information of citizens,[18] trade secrets and commercial or financial information where such are proprietary, privileged or confidential,[19] privileged communications,[20] research or course materials,[21] and documents relating to examinations, building plans, and library records.[22] These exemptions protect legitimate interests but were drafted before Nigeria adopted a comprehensive data-protection regime. They do not reflect modern data‑protection principles such as purpose limitation and data minimization.
Under the NDPA, disclosure of personal data to third parties, including through FOI requests, constitutes data processing and must comply with the NDPA’s principles. They must also check whether a recognised exemption applies, such as those for public health, national security, or law enforcement. Consequently, even if a document falls outside the FOIA’s exemptions, agencies must still evaluate whether releasing it would violate NDPA obligations, creating a dual compliance requirement that ensures transparency does not override privacy.
CHALLENGES TO DATA PROTECTION COMPLIANCE UNDER THE NDPA
[16] Section 11 of the FOI Act.
[17] Section 12 of the FOI Act.
[18] Section 14 of the FOI Act.
[19] Section 15 of the FOI Act.
[20] Section 16 of the FOI Act.
[21] Section 17 of the FOI Act.
[22] Section 19 of the FOI Act.
In practice, public institutions qualify as data controllers or processors when they collect, use, store, or disclose personal data in the course of their official functions. The NDPA[23] imposes obligations to ensure that all data processing activities are lawful, fair, and transparent and only for specified, legitimate purposes. Most agencies, however, lack the legal expertise and technical tools to determine whether requested records contain protected personal data. The FOI’s seven‑day response window exacerbates this challenge: there is little time to search, review and redact complex electronic records.
Awareness and training are also limited. Without clear protocols, officials may either over‑disclose personal data or refuse legitimate requests to avoid sanctions, undermining both transparency and privacy. The NDPA’s broad definition of personal data and its stringent conditions may encourage risk‑averse behaviour, frustrating the FOIA’s goal of open governance.
RECOMMENDATIONS
The FOI Act should be updated to incorporate data protection principles, broaden the definition of personal information to match the NDPA’s scope and clarify the FOI Act requests must comply with the data protection obligations. The NDPA should in turn acknowledge legitimate transparency demands and provide guidance on handling FOIA disclosures.
The establishment of clear operational protocols for processing FOI Act requests involving personal data by public institutions. These should include protocols for redaction, anonymisation and weighing public interest factors, as well as templates for data privacy impact assessments when releasing potentially sensitive data.
[23] Section 24-30 of the NDPA
Public institutions should be trained in both FOIA compliance and data protection principles. This includes technical skills for searching and extracting digital records, understanding lawful bases under the NDPA, and implementing security measures to prevent breaches.
Civil society groups should be involved in monitoring compliance with both laws, and public are to be educated about their rights to access public information and protect their personal data. Robust enforcement mechanisms, including meaningful fines and mandatory publication of disclosure decisions, will encourage institutions to respect both transparency and privacy obligations.
CONCLUSION
Nigeria’s commitment to both transparency and privacy reflects broader democratic values and the realities of a digital economy. To prevent the FOI Act and NDPA from working at cross purposes, legislators, regulators and public institutions must harmonise their implementation. A reformed legal framework that incorporates robust privacy safeguards into freedom of information processes will enhance government accountability while protecting citizens’ data.
The NDPA’s principles should inform FOI Act responses, and the FOI Act’s public interest considerations should guide the NDPA’s exemptions. When transparency and data protection are treated as complementary, not competing, rights, both individuals and public institutions will benefit.
