Categories of Personal Data: Ordinary and Sensitive
Not all personal data carries the same risk. The NDPA 2023 creates two distinct categories, each with different obligations for organisations that process them.
Ordinary Personal Data
The baseline category. Includes everyday identifiers: names, addresses, phone numbers, email addresses, transaction records. Standard processing obligations apply.
Sensitive Personal Data (Special Categories)
Attracts significantly stricter protections. Processing requires a higher standard of legal justification. Listed exhaustively in Section 30 of the NDPA 2023.
The Special Categories Under Section 30
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used to uniquely identify a person — e.g., fingerprints for BVN registration)
- Health or medical data
- Data concerning sex life or sexual orientation
A Practical Note for Nigerian Organisations
Many Nigerian organisations handle sensitive data without realising it. A hospital's patient records are health data. An HR system recording religion for public holidays processes religious belief data. A fintech that captures BVN for facial recognition processes biometric data. If your organisation handles any of these, you face enhanced obligations under Section 30.
Mark this unit as read to earn your points and proceed.
Units in this module