The Nigeria Data Protection Commission (NDPC) has commenced an extensive compliance probe involving more than 1,000 education institutions across the country, as part of efforts to strengthen enforcement of Nigeria’s data protection framework.

The affected institutions include universities, polytechnics, colleges of education, private schools, and other learning centres that routinely process large volumes of personal data belonging to students, parents, academic staff, and non-teaching employees.

Regulatory Enforcement Drive

In a public notice issued on Thursday, the Commission said the investigation is part of its ongoing sector-by-sector enforcement strategy. The notice was signed by the NDPC’s Head of Legal, Enforcement and Regulation, Babatunde Bamigboye.

According to the Commission, the initiative is aimed at safeguarding the fundamental rights and freedoms of data subjects, while reinforcing the legal and regulatory foundations of Nigeria’s digital economy through the responsible and trusted use of personal data.

The NDPC noted that the education sector is a critical custodian of sensitive personal information and must therefore operate in strict compliance with the Nigeria Data Protection Act (NDPA) 2023.

21-Day Compliance Deadline

As part of the exercise, the Commission directed the affected institutions to submit, within 21 days, specific compliance documents, including:

1. Evidence of filing their 2024 Data Protection Compliance Audit Returns

2. Proof of designation or appointment of a Data Protection Officer (DPO), with relevant contact details

3. A summary of technical and organisational measures deployed to secure personal data

4. Evidence of registration as a Data Controller or Data Processor of Major Importance, as required under the law

The NDPC stressed that these obligations apply to institutions that process large-scale personal data, particularly data relating to minors and young adults.

Sanctions for Non-Compliance

The Commission warned that institutions that fail to comply with the directive risk facing enforcement orders, administrative penalties, and possible criminal prosecution, in line with the provisions of the NDPA 2023.

It emphasised that data protection compliance is mandatory and that ignorance of the law will not be accepted as a defence.

Rising Data Protection Risks

Education institutions increasingly rely on digital platforms for admissions, examinations, learning management systems, payments, and record-keeping. The NDPC cautioned that weak data protection controls expose data subjects to risks such as identity theft, financial fraud, unauthorised access, and misuse of personal information.

The Commission urged school administrators to proactively strengthen their data governance frameworks, train staff on data protection responsibilities, and engage qualified data protection professionals.

The NDPC reaffirmed its commitment to protecting personal data in Nigeria and ensuring that all sectors of the economy comply with the nation’s data protection laws.