The Nigeria Data Protection Commission (NDPC) has commenced a sector-wide audit of tertiary institutions to enforce compliance with the Nigeria Data Protection Act (NDP Act) 2023. The exercise targets universities, polytechnics, colleges of education, and other post-secondary institutions that process large volumes of personal information.
The move signals a shift from advisory oversight to active regulatory scrutiny, as the Commission assesses whether these institutions are complying with their data protection obligations.
In a statement issued in Abuja, the Commission’s Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, said the exercise forms part of the NDPC’s statutory mandate under the NDP Act 2023.
He stressed that the Commission remains committed to protecting the rights and freedoms of citizens, particularly in relation to personal data processing.
“In line with the objectives of the Act, the Commission remains committed to safeguarding the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999. It also seeks to strengthen the legal foundations of Nigeria’s digital economy while ensuring the nation’s trusted and beneficial participation in regional and global economies through the responsible use of personal data (Sections 1(a) and 1(h) of the Act).
“Tertiary institutions, including universities, polytechnics, colleges of education, and other post-secondary institutions, process a significant volume of personal data belonging to students, staff, alumni, research participants, and other stakeholders. It is therefore imperative that these institutions demonstrate full compliance with the NDP Act,” the statement read.
Bamigboye disclosed that, pursuant to Sections 5(i), 6(a), 6(c), 46(3), and 47(1)–(2) of the Act, Compliance Notices have been issued to selected institutions. The names of the affected institutions were published in national newspapers on 19 February 2026.
According to him the affected institutions are required to provide, within twenty-one (21) days of the issuance of the Notice, the following: Evidence of filing NDP Act Compliance Audit Returns for 2024 (Section 6(d)), and Evidence of designation or appointment of a Data Protection Officer, including the name and contact details (Section 32).
Others are a summary of technical and organisational measures implemented for data protection within the institution (Section 39) and Evidence of registration as a Data Controller or Processor of Major Importance (Section 44).
The Commission warned that failure to comply may trigger enforcement measures, including Enforcement Orders, administrative fines, and/or criminal prosecution in accordance with the NDP Act 2023.
As part of efforts to strengthen regulatory compliance, the National Commissioner and Chief Executive Officer of the NDPC, Vincent Olatunji, has approved the establishment of a regulatory clinic.
According to Bamigboye, the initiative is designed to encourage a preventive approach to privacy risks and accelerate the correction of identified compliance gaps within the education sector.
