Defining Personal Data
NDPA 2023 — Section 65
Personal data means any information relating to an identified or identifiable natural person (the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The key word is "identifiable". Personal data does not have to name someone directly. If a piece of information — on its own or combined with other information — can identify a living individual, it is personal data under the NDPA.
Nigerian Examples
- "Aminu Garba, 24 Ahmadu Bello Way, Kaduna" — Personal data. Name and address together identify a specific person.
- "Patient at General Hospital Enugu with Blood Type O+" — Personal data. A combination of location and medical detail may identify the person in context.
- "07012345678" — Personal data. A mobile number is linked to a registered individual via the NIN/SIM registration mandate.
- "The third employee hired in 2019" — May be personal data depending on the size of the organisation.
- "Company registration number RC123456" — Not personal data. This identifies a legal entity, not a natural person.
The "Identified or Identifiable" Test
Ask yourself two questions about any piece of information:
- Does this information directly name or identify a specific living person?
- Could this information, combined with other information reasonably available, identify a specific living person?
If the answer to either question is yes, you are handling personal data and the NDPA 2023 applies to you.