The Nigeria Data Protection Commission has launched a sweeping investigation into tertiary institutions across the country, stepping up enforcement of the Nigeria Data Protection Act (NDP Act) 2023.

The move signals a shift from advisory oversight to active regulatory scrutiny, as the Commission assesses whether universities, polytechnics, colleges of education and other post-secondary institutions are complying with data protection obligations.

In a statement issued in Abuja, the Commission’s Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, said the exercise is part of the NDPC’s statutory mandate under the NDP Act 2023.

He stressed that the Commission remains committed to protecting the rights and freedoms of citizens, particularly as they relate to personal data processing.

“In line with the objectives of the Act, the Commission remains committed to safeguarding the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, and to strengthening the legal foundations of Nigeria’s digital economy while ensuring the nation’s trusted and beneficial participation in regional and global economies through the responsible use of personal data (Sections 1(a) and 1(h) of the Act).

“Tertiary institutions, including universities, polytechnics, colleges of education, and other post-secondary institutions, process a significant volume of personal data belonging to students, staff, alumni, research participants, and other stakeholders.

Read Also

“It is therefore imperative that these institutions demonstrate full compliance with the NDP Act,” the statement read.

Bamigboye disclosed that, pursuant to Sections 5(i), 6(a), 6(c), 46(3), and 47(1)–(2) of the Act, Compliance Notices have been issued to selected institutions.

The names of affected institutions were published in national newspapers on 19 February 2026.

The institutions have been given 21 days from the date of the Notice to submit specific documentation, including:

  • Evidence of filing NDP Act Compliance Audit Returns for 2024 (Section 6(d));
  • Evidence of designation or appointment of a Data Protection Officer, including name and contact details (Section 32);
  • A summary of technical and organisational measures implemented to safeguard personal data (Section 39);
  • Evidence of registration as a Data Controller or Processor of Major Importance (Section 44).

The Commission warned that failure to comply may trigger enforcement measures, including Enforcement Orders, administrative fines and/or criminal prosecution in accordance with the NDP Act, 2023.

As part of efforts to strengthen regulatory compliance, the National Commissioner and Chief Executive Officer of the NDPC, Vincent Olatunji, has approved the establishment of a regulatory clinic.

According to Bamigboye, the initiative is designed to encourage a preventive approach to privacy risks and accelerate the correction of identified compliance gaps within the education sector.