The Nigeria Data Protection Commission has commenced a sector-wide investigation of tertiary institutions across the country over alleged breaches of the Nigeria Data Protection Act, raising fresh compliance pressure on universities and other post-secondary institutions.
In a statement issued on Thursday by the Head of Legal, Enforcement and Regulations at the NDPC, Babatunde Bamigboye, the commission said the exercise was in furtherance of its statutory mandate under the NDP Act 2023 to enforce data protection standards across sectors.
The statement read, “The Nigeria Data Protection Commission, in furtherance of its statutory mandate under the Nigeria Data Protection Act 2023, has commenced a sector-wide investigation of tertiary institutions across Nigeria to assess compliance with the provisions of the Act.”
The commission stated that the move aligns with its responsibility to safeguard the rights and interests of data subjects and strengthen Nigeria’s digital economy through responsible data governance.
“In line with the objectives of the Act, the Commission remains committed to safeguarding the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, and to strengthening the legal foundations of Nigeria’s digital economy while ensuring the nation’s trusted and beneficial participation in regional and global economies through the responsible use of personal data (Sections 1(a) and 1(h) of the Act),” the statement added.
Need For Investigation
According to the NDPC, tertiary institutions, including universities, polytechnics, colleges of education and other post-secondary institutions, process large volumes of personal data belonging to students, staff, alumni, research participants and other stakeholders, making compliance with the Act imperative.
“It is therefore imperative that these institutions demonstrate full compliance with the NDP Act,” the commission stated.
Citing Sections 5(i), 6(a), 6(c), 46(3), and 47(1)–(2) of the Act, the NDPC disclosed that it had issued Compliance Notices to certain tertiary institutions, with the names of the affected institutions published in national newspapers on February 19, 2026.
The institutions have been given 21 days from the date of issuance of the notice to provide specific documentation, including evidence of filing NDP Act Compliance Audit Returns for 2024 under Section 6(d), evidence of designation or appointment of a Data Protection Officer in line with Section 32, a summary of technical and organisational measures implemented for data protection under Section 39, and evidence of registration as a Data Controller or Processor of Major Importance under Section 44.
Potential Sanctions
The commission warned that failure to comply could trigger enforcement measures.
“Failure to comply with the Compliance Notice may result in enforcement actions, including the issuance of an Enforcement Order, the imposition of administrative fines, and/or criminal prosecution in accordance with the NDP Act, 2023,” the statement said.
To strengthen compliance within the education sector, the National Commissioner and Chief Executive Officer of the NDPC, Dr Vincent Olatunji, approved the establishment of a regulatory clinic to promote a preventive approach to privacy risks and accelerate remediation of identified gaps.
The move signals a tightening of regulatory oversight in Nigeria’s education sector, particularly at a time when institutions increasingly rely on digital platforms for admissions, academic records, research management and alumni engagement, all of which involve the processing of sensitive personal data.
