Our Privacy Policy
1. INTRODUCTION AND PURPOSE
This Privacy Policy (“the Policy”) is issued by Merry Ehanire Mother and Child Hospital (“the Hospital”), a duly registered health facility in Nigeria, in compliance with:
The Nigeria Data Protection Act (NDPA) 2023
The Nigeria Data Protection Regulation (NDPR) 2019 (as amended)
The National Health Act 2014
The Child Rights Act 2003
The Constitution of the Federal Republic of Nigeria, 1999 (as amended) (particularly Section 37 – Right to Privacy)
The Hospital is committed to safeguarding the confidentiality, integrity, and security of personal data processed through its website. This Policy sets out the lawful basis, scope, and conditions under which data is collected, processed, stored, disclosed, and disposed of.
2. SCOPE OF APPLICATION
This Policy applies to all:
Patients (past, present, or prospective)
Parents, guardians, and caregivers
Website visitors and users of the Hospital’s online services (including appointment bookings, telemedicine, payments, and patient portals)
Employees and contractors accessing internal hospital systems through the website
It governs all personal and sensitive data processed through the Hospital’s official website and related online platforms.
3. CATEGORIES OF DATA COLLECTED
The Hospital may collect and process the following categories of data:
3.1 Personal Identification Data
Name, date of birth, gender, marital status, and contact details (address, phone, email).
3.2 Medical and Health Data
Patient medical history, maternal/child health records, laboratory and diagnostic test results, prescriptions, imaging, and clinical notes.
3.3 Financial and Transaction Data
Payment card information, insurance details, NHIS/HMO identifiers, billing records, and donation details.
3.4 Digital and Technical Data
Internet Protocol (IP) addresses, device information, geolocation, browser type, session data, cookies, and tracking identifiers.
3.5 Special Category – Children’s Data
Data relating to minors under 18 years is processed strictly in compliance with Section 8 of the Child Rights Act 2003 and Section 25 of the NDPA 2023, requiring verified parental or guardian consent.
4. LAWFUL BASIS FOR PROCESSING
The Hospital processes personal data only under lawful grounds, including:
Consent: freely given, specific, and informed consent of the patient or guardian (NDPA 2023, Section 3).
Contractual Necessity: provision of medical and healthcare services under a treatment agreement.
Legal Obligation: compliance with statutory duties under the National Health Act 2014 and regulatory directives.
Vital Interests: life-saving medical intervention in maternal or child emergencies.
Public Interest and Research: anonymised use of data for health research, epidemiological studies, and public health surveillance (per Sections 25–27, National Health Act 2014).
5. PURPOSES OF PROCESSING
Data collected shall be used strictly for legitimate purposes, including:
Delivery of medical diagnosis, treatment, and maternal/child healthcare services.
Scheduling, confirming, and reminding patients of appointments.
Processing billing, insurance claims, and online payments.
Managing patient portals, telemedicine services, and secure communications.
Compliance with statutory reporting obligations (e.g., maternal mortality statistics, notifiable diseases).
Quality assurance, internal audits, and regulatory inspections.
Educational and research activities, subject to anonymisation and ethics approval.
Enhancing website functionality and user experience through analytics and cookies.
6. DATA SHARING AND DISCLOSURE
The Hospital shall not share personal data with third parties except where lawful and necessary:
Internal Disclosure: Access is restricted to hospital personnel bound by confidentiality agreements.
Third-Party Service Providers: Laboratories, diagnostic centres, IT vendors, insurers, and HMOs, subject to data processing agreements.
Regulatory and Government Agencies: Ministry of Health, National Health Insurance Authority, and law enforcement, where required by law or a court order from a .
Judicial Authorities: Upon production of valid court orders or legal directives.
Research Institutions and NGOs: Only anonymised or aggregated data, preventing identification of individuals.
Cross-Border Transfers: Data transfers outside Nigeria shall comply with Section 41 of the NDPA 2023, ensuring adequate safeguards and prior notification to data subjects.
7. DATA SECURITY AND RETENTION
The Hospital shall adopt technical and organisational measures to safeguard personal data:
Encryption, firewalls, and secure servers for digital data.
Physical controls and restricted access to medical records.
Role-based access control for authorised personnel only.
Data minimisation: collecting only what is necessary.
Retention: Medical records shall be retained for a minimum of six (6) years after the last patient encounter, or longer where required by professional standards of the Medical and Dental Council of Nigeria (MDCN).
Disposal: Secure destruction or anonymisation of data after retention periods.
Breach Notification: In accordance with Section 40 of the NDPA 2023, data breaches must be reported to the Nigeria Data Protection Commission (NDPC) and affected individuals within seventy-two (72) hours of becoming aware.
8. PROTECTION OF CHILDREN’S DATA
Given the sensitivity of maternal and child care, the Hospital adopts heightened safeguards:
Children’s data shall only be collected with verified parental/guardian consent.
Processing without consent is permissible only in emergencies or where vital interests of the child are at stake.
The Hospital shall not use children’s data for marketing, profiling, or commercial purposes.
Confidentiality of adolescent medical information shall be respected in line with the National Health Act 2014 and professional ethics.
9. DATA SUBJECT RIGHTS
In line with the NDPA 2023, patients and website users have enforceable rights, including:
Right of Access – to obtain confirmation and copies of personal data held.
Right to Rectification – to correct inaccuracies.
Right to Erasure (“Right to be Forgotten”) – subject to medical and legal limitations.
Right to Restriction of Processing – in circumstances permitted by law.
Right to Data Portability – to obtain and reuse personal data across services.
Right to Object – to certain forms of processing, including marketing.
Right to Withdraw Consent – at any time, without affecting prior lawful processing.
Right to Complaint – before the Nigeria Data Protection Commission (NDPC) or the competent courts.
Requests for the exercise of rights shall be addressed in writing to the Hospital’s management with responses issued within statutory timelines.
10. COOKIES AND TRACKING TECHNOLOGIES
The Hospital’s website uses cookies and similar technologies:
Essential Cookies – required for website functionality.
Analytical Cookies – to monitor traffic and improve services.
Consent Mechanism – users shall be informed upon first access and provided with the option to accept or decline non-essential cookies.
Users retain the right to withdraw cookie consent at any time through browser settings.
11. THIRD-PARTY LINKS
The website may contain links to third-party sites. The Hospital disclaims responsibility for the data handling practices of such external sites and advises users to review their privacy policies independently.
12. EMERGENCIES
The Hospital’s website is not intended for medical emergencies or urgent clinical communications. Users requiring emergency medical assistance are advised to dial 112 (Nigeria’s national emergency number) or present immediately at the Hospital’s Emergency Department.
13. GOVERNING LAW AND JURISDICTION
This Privacy Policy is governed by and shall be construed in accordance with the laws of the Federal Republic of Nigeria. Any dispute arising hereunder shall fall within the jurisdiction of the competent courts of Nigeria.
14. UPDATES AND REVISIONS
The Hospital reserves the right to revise or update this Privacy Policy periodically. Updates shall be published on the Hospital’s website and shall take effect immediately unless otherwise stated. Users are encouraged to review this Policy regularly.
15. CONTACT INFORMATION
For inquiries, complaints, or requests under this Policy, please contact:
Address: 16 Ruben Agho St, Oka, Benin City 234052, Edo State, Nigeria
Inquiries: 09113876362
Email address: hello@memach.ng