Introduction
On the 19th day of February, 2026, the Nigeria Data Protection Commission (the “NDPC”) issued a Compliance Notice to 649 institutions of higher learning across Nigeria; specifically, federal, state, and private universities, polytechnics, colleges of education and other similar institutions.
The Notice requires the affected institutions to provide, within 21 (twenty-one) days, evidence of the following:
i. filing of their 2024 Data Protection Compliance Audit Returns;
ii. appointment of a Data Protection Officer;
iii. implementation of adequate technical and organisational measures; and
iv. registration as Data Controllers or Data Processors of Major Importance under the Nigeria Data Protection Act, 2023 (the “NDPA”).
The compliance notice issued by the NDPC is a wake-up call to educational institutions (“Institutions”) to comply with their obligations under the NDPA.
Institutions are massive collectors, processors, and controllers of data. Data may be processed for various reasons, including allocating accommodation, carrying out disciplinary actions, the employment and administration of staff, processing admissions, marketing and promotion of the Institution, and maintaining a functional alumni network.
In light of the NDPC’s ongoing probe, these routine data processing activities now represent potential compliance risks wherever adequate safeguards, and a general data governance culture that complies with the NDPA, are not in place.
Institutions process the following types of data:
1. Personal Data: This is defined simply under the NDPA as any information relating to an identified or identifiable natural person. Data that falls under this category includes basic identification information of students or employees, such as names, residential addresses, dates of birth, parents’ or guardians’ contact details, and academic records (including grades, attendance records, disciplinary actions, and past academic history). For Institutions carrying out any of their processes online, this also extends to data such as IP addresses and cookies.
2. Sensitive Data: This refers to a special category of personal data that reveals or relates to information about an individual which is more vulnerable and requires extra protection due to its nature. Data that fall within this category for Institutions include health records such as disabilities, allergies, outcomes of counselling and psychological assessments, ethnicity, religious or philosophical beliefs.
Data Protection Obligations for Institutions
As the academic, administrative and operational endeavours of Institutions continue to be heavily reliant on data, especially as these endeavours are increasingly digitalised, Institutions owe certain obligations to their data subjects. These obligations go beyond mere compliance with the NDPA: there is a legal duty to respect and protect the privacy rights of data subjects as guaranteed under the 1999 Constitution of Nigeria.
These data subjects include prospective students, current students, staff members, parents or guardians and alumni. It is therefore essential that Institutions recognise, honour and actively safeguard the rights of these data subjects in all processing activities.
Below are the key data protection obligations that Institutions are required to uphold in relation to data subjects:
a. Transparency Obligations: Institutions must ensure that data subjects are adequately informed about the personal data collected, the purpose of collection, the intended use, retention period and any third parties with whom such data may be shared.
b. Access Facilitation Obligations: Institutions are required to establish mechanisms that enable data subjects to request and obtain access to their personal data held by the Institution, at no cost except as permitted under the NDPA.
c. Data Accuracy and Rectification Obligations: Data subjects have the right to request the correction of any inaccurate or incomplete personal data held by an institution, and Institutions are required to take reasonable steps to ensure that such data is accurate and up to date and to promptly correct or update any inaccurate or incomplete data upon request.
d. Erasure Obligations: Data subjects may request the deletion of their personal data where it is no longer necessary or where consent has been withdrawn, and Institutions (subject to lawful retention obligations) must implement processes to delete or anonymise personal data where it is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn.
e. Obligation to Restrict Processing and to Honour Objections: When a data subject requests that an Institution cease processing his or her data for certain purposes, such as unsolicited marketing messages from alumni unions or profiling students for targeted promotions, the Institution must honour this right and cease such processing. The Institution is also required to put in place measures that enable data subjects to object to certain types of processing, and must cease that processing upon a valid request.
f. Data Portability Obligations: Data subjects are entitled to receive their personal data in a structured, commonly used format and to request its transfer to another data controller, and Institutions are required to facilitate such reasonable requests at no cost to the data subject.
Good Data Protection Practices
1. Consent: Consent is a crucial consideration in data processing under the NDPA. Where consent is the lawful basis relied on for processing, Institutions must obtain consent that is freely given, specific, informed and unambiguous before the processing begins.
Consent is unambiguous when it reflects a clear, specific and informed choice made by the data subject through an affirmative action. A good example is a university admission portal with a checkbox that is not pre-ticked, stating: “I consent to the processing of my personal data for the purpose of evaluating my application.” The applicant must actively tick the box before submitting; this is clear and unambiguous. A pre-ticked box, by contrast, does not demonstrate unambiguous consent, because the applicant has taken no affirmative action. The need for consent also applies when dealing with sensitive personal data, such as student health records, biometric information (e.g. fingerprints or facial scans), disability status or religious affiliation.
Institutions handling minors, such as primary and secondary schools, must not process the data of underage data subjects without first obtaining proper consent from their parents or guardians, and Institutions are expected to take reasonable steps to verify both the age of the data subject and the authority of the person giving consent, for instance by requesting valid identity documents.
This obligation extends to photographs and video recordings of students. Where a student is identifiable, such images constitute personal data under the NDPA. Institutions must therefore obtain prior, informed and unambiguous consent before capturing or using such materials for promotional or public-facing purposes. General notices or clauses buried in admission forms will not suffice, particularly where the data subject is unaware of how the content will be used or disseminated.
2. Appointing a Data Protection Officer (DPO): Institutions are required to appoint a DPO to advise on and guide their data processing activities in line with the NDPA, in particular by analysing each processing activity to determine its lawful basis and whether consent is required. The DPO will also guide the Institution’s mandatory registration with the NDPC and work alongside licensed Data Protection Compliance Organisations to facilitate the conduct of annual data protection compliance audits and the filing of audit returns as required by the NDPA.
3. Data Protection Impact Assessments (DPIAs): Institutions should conduct DPIAs, especially when they intend to introduce new technologies or systems in their data processing activities. This includes deploying new (or updating existing) online learning platforms, biometric verification systems, or digital student portals. DPIAs help the institution to assess and address possible data protection risks in advance.
4. Documentation: Where online platforms, websites, or digital portals are used, Institutions must develop and maintain a clear, NDPA-compliant privacy policy and cookie policy. These policies must explain the scope of data collection, its purpose, retention periods, and sharing practices. For Institutions that transfer data across borders, for example by sending student records to foreign partner universities, scholarship boards abroad, or international examination bodies, such policies must also address how these transfers are lawfully handled under the NDPA.
5. Data Security: Some Nigerian universities have been reported in the media for careless handling of student data, such as running insecure online platforms which hackers have exploited to retrieve data of students and staff members, and dumping printed academic works bearing students’ personal information in open spaces during storage overhauls. For physical records, therefore, locked storage units and secure locations are essential, and Institutions must invest in secure document destruction tools such as shredders so that files are properly disposed of rather than casually discarded in waste bins. For digital records, Institutions must use securely configured and regularly patched servers, encryption of data at rest and in transit, regular data backups that are tested for restoration, and reliable cybersecurity measures.
Also important is access control. Only staff members with a clear need-to-know should be granted access to student or staff data, such access should be limited to what their role requires, and it should be reviewed and revoked when roles change or employment ends. Institutions should also not select software on price alone: free or cheap solutions that provide limited or no protection are a false economy.
6. Vetting Third Parties: When partnering with third parties, such as software providers, cloud storage companies, or verification service providers, Institutions must assess and confirm that these vendors have a strong data protection culture and comply with the NDPA. This is key because vendors could also process or store sensitive data on behalf of the institution. The contracts with these vendors must be thoroughly reviewed to confirm that data protection concerns are addressed in line with the NDPA and best practices.
7. Comprehensive Staff Training: Regular and mandatory data protection training must be provided for all staff, including academic, administrative, IT and support personnel. Special emphasis must be placed on the correct handling of sensitive data, especially health records, to prevent unauthorised disclosure, embarrassment, or harm to data subjects. Institutions must also promote a strong culture of privacy awareness across board, so that every staff member understands their role in data protection.
Conclusion
Given the vast volume and sensitive nature of the data processed by Institutions, there is a critical and weighty obligation to implement robust technical and organisational safeguards to ensure the confidentiality, integrity and availability of the data within their care. Nigerians are becoming increasingly aware of their data privacy rights; a growing number of individuals now understand the concept of personal data and are starting to take legal action in response to the mishandling of their personal information. This growing awareness should serve as a wake-up call to Institutions, especially as the risks of non-compliance include reputational damage, financial penalties and potential legal action.
Data protection must become a primary consideration within every educational establishment, as Institutions that ignore their obligations may soon find themselves as cautionary tales.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.