NDPC commences investigation of tertiary institutions over compliance issues
The Nigeria Data Protection Commission (NDPC) has commenced a sector-wide investigation of tertiary institutions across Nigeria to assess compliance with the provisions of the NDP Act 2023. The Commission said
The Nigeria Data Protection Commission (NDPC) has commenced a sector-wide investigation of tertiary institutions across Nigeria to assess compliance with the provisions of the NDP Act 2023.
The Commission said the probe was in furtherance of its statutory mandate under the Nigeria Data Protection Act (NDP Act 2023).
In a statement issued in Abuja and signed by the Commission’s Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, the NDPC maintained its commitment towards safeguarding the rights and freedom of citizens and ensure the interests of data subjects are protected.
The Commission said, "In line with the objectives of the Act, the Commission remains committed to safeguarding the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999, and to strengthening the legal foundations of Nigeria’s digital economy while ensuring the nation’s trusted and beneficial participation in regional and global economies through the responsible use of personal data (Sections 1(a) and 1(h) of the Act).
"Tertiary institutions, including universities, polytechnics, colleges of education, and other post-secondary institutions, process a significant volume of personal data belonging to students, staff, alumni, research participants, and other stakeholders. It is therefore imperative that these institutions demonstrate full compliance with the NDP Act."
Bamigboye also said based on Sections 5(i), 6(a), 6(c), 46(3), and 47(1)–(2) of the NDP Act, the Commission issued Compliance Notices to certain tertiary institutions in the country.
The names of the affected institutions are published in national newspapers on 19 February 2026, he said.
According to him the affected institutions are required to provide, within twenty-one (21) days of the issuance of the Notice, the following: Evidence of filing NDP Act Compliance Audit Returns for 2024 (Section 6(d)), and Evidence of designation or appointment of a Data Protection Officer, including the name and contact details (Section 32).
Read Also: NDPC probes Temu over alleged data protection violation
Others are a summary of technical and organisational measures implemented for data protection within the institution (Section 39) and Evidence of registration as a Data Controller or Processor of Major Importance (Section 44).
"Failure to comply with the Compliance Notice may result in enforcement actions, including the issuance of an Enforcement Order, the imposition of administrative fines, and/or criminal prosecution in accordance with the NDP Act, 2023," he said.
He added that to strenghten regulatory compliance within the sector under assessment, the National Commissioner/CEO, NDPC, Dr Vincent Olatunji has approved the establishment of a regulatory clinic.
"This will promote preventive approach to privacy risks and foster accelerated remediation of identified gaps in compliance", Bamigboye said.
