Skip to content
PHB/Public Health Bureau
ENEnglishSign inCreate an HPN →
Legal DSAR

Your data rights and how to use them.

Under the Nigeria Data Protection Act 2023 you have five rights over your personal data held by PHB. This page explains each one, how to exercise it, and what happens next.

Make a request →Privacy notice
Your rights

Five rights under the NDPA 2023.

01

Right of access

You can request a full copy of the personal and health data PHB holds about you, including the audit log. We will provide it in a readable format.

30 days from verified request
02

Right to rectification

If data we hold is inaccurate or incomplete, you can request that we correct it. Clinical data can only be corrected in consultation with the originating provider.

30 days from verified request
03

Right to portability

You can request your health record as a FHIR R4 bundle — a machine-readable format compatible with any FHIR-conformant system. Usable for transferring your record to another provider.

30 days from verified request
04

Right to object

You can object to processing of your data for purposes beyond your direct care — for example, anonymised research or aggregate reporting. We will stop unless we have compelling legitimate grounds.

Immediate on request; resolved within 30 days
05

Right to erasure

You can request deletion of your personal data. This hard-locks your account permanently. See "Erasure, explained honestly" below for what this means in practice.

30 days from verified request
How to make a request

Two paths. Both work.

Whether you use the app or email, we verify your identity before processing — to protect you from someone else requesting your data.

In-app (for logged-in patients)

Go to Settings → Privacy → Data rights. Select the right you want to exercise. Confirm your identity with your PIN or biometric and submit.

PHB app · Web: phbhealth.com/privacy · USSD: *894# → 6 → Data rights
By email

Email dpo@phbhealth.com with subject “DSAR — [your right]”. Include your full name, HPN and a means of identity verification. We will respond within 24 hours to confirm receipt.

Timelines

What happens and when.

Receipt acknowledgementWe confirm we have received your request and verify your identity.Within 24 hours
Identity verificationWe verify your identity via in-app biometric/PIN or out-of-band code. This protects you from impersonation requests.Within 3 business days
ProcessingWe process the request — export, correction, deletion, or objection as appropriate.Within 30 days of verification
Complex requestsFor requests involving multiple data categories or providers, we may extend by a further 30 days. We will notify you if this applies.Up to 60 days total
Erasure, explained honestly

What erasure means and what it doesn’t.

Important: erasure is permanent and irreversible.

A deletion request hard-locks your PHB account immediately — all active sessions are ended and login is permanently disabled. Your Health Point Number is sealed. This cannot be undone.

What is deleted: your identifiable personal data — name, contact details, profile — is removed from active systems within 30 days of the request.

What is retained by law: the audit log and financial transaction records are retained for the statutory period required by the NDPA 2023 and Nigerian financial regulations. This data is sealed and inaccessible except to regulators with a lawful basis. PHI (diagnoses, prescriptions, clinical notes) is never silently retained in a way that links back to you — it is sealed with the record.

Why we are honest about this: erasure is one of your rights and we support it. But we will not pretend the process is simple or reversible when it is not. If you have questions before submitting a deletion request, contact dpo@phbhealth.com first.

Exercise your rights.

Use the app or email the DPO. Both paths are fully operational.

dpo@phbhealth.com →