By | YOUNG, D
The Nigeria Data Protection Commission’s decision to issue compliance notices to 649 higher institutions marks a serious shift in regulatory enforcement across the education sector. What may appear at first glance to be a routine compliance exercise is, in reality, a strong signal that the era of soft reminders is giving way to stricter scrutiny and possible sanctions.
The affected institutions have been given 21 days to submit four key items. These include evidence that they filed their 2024 compliance audit returns, proof that they have appointed or designated a Data Protection Officer, a summary of the technical and organisational measures they have put in place to protect personal data, and evidence of registration as a Data Controller or Data Processor of Major Importance.
This development matters because tertiary institutions handle a vast amount of personal data every day. They collect and store student admission records, academic transcripts, biometric details, staff files, payroll information, medical records, research data, alumni databases, and digital access credentials. In many cases, they also work with third party vendors that manage portals, payment platforms, learning systems, and identity verification tools. That makes them major custodians of personal information and natural subjects of close regulatory oversight.
The NDPC’s notice is therefore not random. It reflects the legal obligations already imposed by the Nigeria Data Protection Act, 2023. Under the law, organisations that qualify as data controllers or processors of major importance are expected to register with the Commission, appoint a qualified Data Protection Officer, maintain adequate safeguards for the data they hold, and file annual compliance audit returns. For universities, polytechnics, colleges of education, and similar institutions, these are no longer optional governance choices. They are statutory duties.
What stands out in the latest move is the nature of the documents being requested. The Commission is not merely asking institutions to say they are compliant. It wants evidence. That distinction is crucial. A school may claim to value privacy, but the regulator is now asking for proof that compliance exists in practice and on record. It wants to see filings, appointments, systems, and registration status.
This points to a broader issue in Nigeria’s higher education system. Many institutions may have some level of operational control in place, such as password protection, limited access to records, or basic IT security. But many may struggle to show structured compliance in documentary form. A number of institutions may not have a formally appointed Data Protection Officer. Others may not have filed the required audit returns. Some may not even know whether they fall within the category of major importance under the law. In a regulatory environment that now demands documentation, those gaps could prove costly.
The warning attached to the notice is equally important. Failure to comply may trigger enforcement action, including administrative sanctions, fines, and potential criminal consequences where legal orders are ignored. This raises the stakes significantly for affected institutions. It also sends a message to other sectors that data protection enforcement in Nigeria is becoming more active, more targeted, and less tolerant of weak internal controls.
For tertiary institutions, the real test will be whether they can move quickly from informal practice to formal compliance. The institutions most exposed are likely those with fragmented governance structures, weak records management, and limited coordination between ICT units, registry departments, bursaries, medical centres, and external service providers. Where data flows across many offices without a central compliance framework, the risk of failure rises sharply.
The NDPC’s intervention may also have a useful long term effect. It could force institutions to take privacy governance more seriously, improve their record keeping, strengthen vendor oversight, and establish clearer lines of accountability. That would be good for students, staff, researchers, and the institutions themselves. In a sector where personal data is often spread across paper files, outdated systems, and multiple service providers, stronger controls are overdue.
Still, the notices also expose a hard truth. Data protection in Nigeria cannot succeed through legislation alone. It depends on institutions having the capacity to understand their obligations, organise their compliance structures, and maintain evidence that can withstand regulatory inspection. Many schools may now find that their greatest weakness is not a lack of awareness, but a lack of readiness.
This is why the NDPC’s action should be seen as more than an administrative exercise. It is an enforcement milestone. The Commission is no longer asking higher institutions whether they know the law. It is asking them to prove they have obeyed it.
For the education sector, that changes the conversation entirely.
—
Destiny Young is an information technology executive and certified data governance and privacy engineer.
