The Joint Admissions and Matriculation Board (JAMB) has issued a strict warning to Computer-Based Test (CBT) centres across Nigeria, prohibiting them from copying or storing the personal data of candidates who registered for or took part in the Unified Tertiary Matriculation Examination (UTME). The move comes as part of efforts to enforce Nigeria’s data protection laws.
In an official statement, JAMB cautioned that any CBT centre found retaining candidate information without proper authorisation would face legal consequences. The board stressed that violating the Nigeria Data Protection Commission (NDPC) regulations is a criminal offence, and ignorance will not be accepted as an excuse.
This warning serves as a final notice to all CBT centres to ensure strict compliance with national data privacy standards. JAMB reiterated that the possession of candidates’ data by unauthorised operators constitutes a breach of the law.
The warning follows the recent rollout of the Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act-GAID), introduced by the NDPC. This framework provides detailed guidance for data controllers and processors to align with national laws. Full implementation is scheduled for September 2025, with a six-month transition period to allow organisations time to comply.
The directive, soon to be published on the NDPC’s website, outlines key requirements for data protection. These include the lawful basis for data processing, respect for data subjects’ rights, rules on cross-border data transfers, and the obligation to submit compliance audit reports. It also introduces a grievance mechanism known as the Standard Notice to Address Grievance (SNAG), which allows individuals to demand corrective action directly from data handlers without initially involving the NDPC.
According to the NDPC’s Chief Executive Officer, Nigeria’s strengthened data protection efforts aim to give over 230 million citizens the power to take action when their data rights are violated. The education sector, which handles massive amounts of personal information, is one of the key areas of concern.
Since launching enforcement activities, the NDPC has investigated more than 1,000 data protection cases across different sectors, including finance and digital lending. By June 2024, the commission had imposed over N400 million in fines on seven companies for data breaches.
In a move to deepen capacity and improve compliance, the NDPC signed a Memorandum of Understanding with Mastercard in May 2025 to enhance Nigeria’s data protection framework and support the training of professionals in the sector.
