By 
By Osasome, C.O
Privacy regulator warns universities and colleges to comply with Nigeria Data Protection Act as concerns grow over safeguarding sensitive student and staff data.
NDPC Moves to Enforce Data Protection Compliance
The Nigeria Data Protection Commission (NDPC) has intensified enforcement of data privacy regulations by issuing compliance notices to 649 tertiary institutions across Nigeria.
RELATED: Fighting deepfakes and digital harm: NDPC takes on AI abuse to protect privacy and children
The directive, issued on February 19, 2026, affects federal, state, and private universities, polytechnics, colleges of education, and technical colleges nationwide.
The move forms part of a sector-wide investigation aimed at ensuring compliance with the Nigeria Data Protection Act (NDPA 2023), which establishes the legal framework for protecting the personal data of Nigerian citizens.
Institutions listed in the notice have 21 days to submit evidence demonstrating their compliance with the country’s data protection requirements.
Why Data Privacy Regulations Are Critical in Higher Institutions
Higher education institutions are among the largest custodians of sensitive personal data in the country. Universities and colleges routinely process vast volumes of confidential information, including:
- Student academic records
- Admission and identity data
- Staff employment records
- Financial and biometric information
- Research data and intellectual property
Without strict privacy governance, these datasets can become vulnerable to data breaches, identity theft, misuse of personal information, and cyberattacks.
Experts say stronger compliance with data protection laws is essential to ensure trust, accountability, and responsible data management within Nigeria’s higher education ecosystem.
Requirements for Affected Institutions
Under the NDPC directive, institutions must provide the following documentation within 21 days of receiving the notice:
- Evidence of filing 2024 Data Protection Compliance Audit Returns
- Proof of appointment or designation of a Data Protection Officer (DPO)
- A summary of technical and organisational measures implemented to safeguard personal data
- Evidence of registration as a Data Controller or Data Processor of Major Importance
These requirements are designed to ensure that institutions adopt structured systems for managing and protecting personal data.
Consequences of Non-Compliance
The NDPC warned that institutions that fail to comply with the directive could face serious legal and regulatory consequences.
Possible penalties include:
- Issuance of an enforcement order
- Administrative fines
- Criminal prosecution under the Nigeria Data Protection Act
The NDPC has published the list of affected institutions in national newspapers as part of efforts to ensure transparency and sector-wide accountability.
NDPC’s Role in Nigeria’s Data Protection Ecosystem
Established under the Nigeria Data Protection Act, the Nigeria Data Protection Commission serves as the country’s primary regulatory authority responsible for enforcing data privacy laws.
The commission has broad powers to regulate both public and private sector organisations that process personal data.
Key Powers of the NDPC
Investigation and Compliance Oversight
The commission can investigate violations, audit organisations, and issue compliance orders to enforce data protection obligations.
Administrative Sanctions
For major infractions, the NDPC may impose fines of up to ₦10 million or 2% of the organisation’s annual gross revenue, whichever is higher.
Corrective Actions
The regulator can order organisations to delete unlawfully processed data, halt processing activities, or suspend cross-border data transfers.
Legal Enforcement
The commission may obtain court warrants to search premises and digital systems and can refer serious violations to law enforcement authorities for prosecution.
Regulatory Oversight
The NDPC also issues regulations, guidelines, and licensing frameworks for organisations that process personal data.
Strengthening Privacy Culture in Nigeria’s Education Sector
The latest compliance drive signals a growing recognition of the importance of data privacy governance in higher education.
As Nigerian universities increasingly digitise admission systems, academic records, and research platforms, the need for robust privacy policies, cybersecurity frameworks, and regulatory oversight has become more urgent.
By enforcing compliance with the Nigeria Data Protection Act 2023, the NDPC aims to promote a culture of responsible data management, safeguard personal information, and strengthen trust in Nigeria’s digital ecosystem.
