The processing of next-of-kin information is a common feature of organisational data practices in Nigeria, particularly in employment, healthcare, insurance, financial services, and education. Such information typically includes names, contact details, and relationship to a primary data subject. While this data is routinely collected, it raises an important compliance question under Nigerian data protection law: on what lawful basis may a data controller process the personal data of a next of kin who has not directly provided consent?
Next-of-kin details constitute personal data within the meaning of the NDPA, as they relate to an identifiable natural person other than the primary data subject. The fact that the information is supplied indirectly does not remove it from the scope of the Act. Accordingly, any processing of such data must comply with the general data protection principles and must be anchored on a lawful basis recognised under the NDPA.
The Nigeria Data Protection Act 2023 (“NDPA”) and the General Application and Implementation Directive, 2025 (“GAID”) provide a structured legal framework for answering this question. Crucially, the NDPA does not require consent in all circumstances of personal data processing. Rather, it establishes multiple lawful bases upon which data processing may be justified, subject to the principles of necessity, proportionality, and respect for fundamental rights.
Lawful Bases for Processing under Section 25 of the NDPA
Section 25(1) of the NDPA and Article 16 of the GAID set out the lawful bases for processing personal data, which include:
- Consent
- Contractual performance
- Compliance with a legal obligation
- Protection of vital interests
- Performance of a task in the public interest/official authority, and
- Legitimate interests.
Compliance with a Legal Obligation
Section 25(1)(b)(ii) permits processing where it is necessary to comply with a legal obligation. Article 22 of the General Application and Implementation Directive 2025 (“GAID”) clarifies that a legal obligation may arise from a statutory duty, a court order, or responsibilities incidental to a legal requirement. In regulated sectors, organisations may be required by law or regulation to maintain next-of-kin information for safety, welfare, or record-keeping purposes. Where such obligations exist, processing must be strictly limited to what the law requires and must respect the constitutional right to privacy under sections 37 and 45 of the 1999 Constitution, as expressly recognised by the GAID.
This basis applies where a specific law, court order, or duly issued administrative directive explicitly mandates the collection of next-of-kin data. Article 22 of the GAID imposes stringent safeguards. The obligation must be “reasonably justifiable in a democratic society” for aims like public safety or health, per Section 45 of the 1999 Constitution (Article 22(3), GAID). Processing must be strictly limited to the legal minimum and not become a “voyage of discovery” (Article 22(4)). Controllers must critically assess such demands, potentially relying on their Data Protection Officer’s written opinion regarding the competence of the authority and the proportionality of the request (Article 22(6)).
Examples: Employees’ Compensation Act, Pension Reform Act
Protection of Vital Interests
Section 25(1)(b)(iii) of the NDPA recognises vital interest as a lawful basis for processing. Article 24 of the GAID elaborates that this basis is particularly applicable where circumstances do not permit the data subject to give consent and where processing is necessary to protect life or livelihood. Next-of-kin data is most clearly justified under this basis in emergency situations, such as medical crises, workplace accidents, or death. The GAID emphasises that failure to process such data in these circumstances may render a controller negligent or reckless, provided the processing is necessary and proportionate.

Legitimate Interests
Section 25(1)(b)(v) of the NDPA allows processing for the purposes of legitimate interests pursued by a data controller or a third party. However, Section 25(2) introduces important limitations: the interest must not override the fundamental rights and freedoms of the data subject, must be compatible with other lawful bases, and must align with the reasonable expectations of the data subject. Article 26 of the GAID further tightens this framework by requiring data controllers to carry out a Legitimate Interest Assessment (LIA)[1] before relying on this basis. Controllers must demonstrate necessity, proportionality, transparency, and the prioritisation of privacy by design and by default. In the context of next-of-kin data, legitimate interest is commonly relied upon to justify maintaining emergency contact information, provided the data collected is minimal, securely stored, and not repurposed for unrelated activities.
This is often the most flexible and appropriate initial basis for collecting next-of-kin data for purposes like emergency contact. It is not a blanket justification; it requires a rigorous three-part test per Section 25(2) and Article 26.
- Purpose Test: The controller must identify a real and legitimate interest (e.g., ensuring employee safety, facilitating emergency response).
- Necessity Test: It must be shown that processing the next of kin’s specific data is necessary for that interest.
- Balancing Test: Crucially, the controller’s interest must not override the fundamental rights and freedoms of the next of kin. This involves considering whether the data subject would have a “reasonable expectation” of such processing (Section 25(2)(c)).
Evaluation, Proportionality and Transparency
Article 23 of the GAID underscores the importance of evaluating lawful bases through the lens of necessity, proportionality, duty of care, and access to redress. Data processing must pursue a legitimate aim and adopt measures that are proportionate to that aim, with a bias in favour of protecting fundamental rights. Even where consent is not relied upon, data controllers remain under an obligation to ensure transparency and fair processing, including informing data subjects directly or indirectly about how their data is used.
Conclusion
Under the Nigerian data protection regime, the processing of next-of-kin data is not unlawful merely because the next of kin has not provided consent. The NDPA 2023 clearly recognises multiple lawful bases, particularly contractual necessity, legal obligation, vital interests, and legitimate interests, that may justify such processing. The GAID 2025 reinforces this position by imposing rigorous standards of assessment, proportionality, and constitutional compliance. Ultimately, lawful processing of next-of-kin data depends not on consent alone, but on careful selection, documentation, and application of the appropriate lawful basis, coupled with transparency and respect for fundamental rights.
