Your data rights and how to use them.
Under the Nigeria Data Protection Act 2023 you have five rights over your personal data held by PHB. This page explains each one, how to exercise it, and what happens next.
Five rights under the NDPA 2023.
Right of access
You can request a full copy of the personal and health data PHB holds about you, including the audit log. We will provide it in a readable format.
Right to rectification
If data we hold is inaccurate or incomplete, you can request that we correct it. Clinical data can only be corrected in consultation with the originating provider.
Right to portability
You can request your health record as a FHIR R4 bundle, a machine-readable format compatible with any FHIR-conformant system. You can use it to transfer your record to another provider.
Right to object
You can object to processing of your data for purposes beyond your direct care — for example, anonymised research or aggregate reporting. We will stop unless we have compelling legitimate grounds.
Right to erasure
You can request deletion of your personal data. This hard-locks your account permanently. See "Erasure, explained honestly" below for what this means in practice.
Two paths. Both work.
Whether you use the app or email, we verify your identity before processing — to protect you from someone else requesting your data.
Go to Settings → Privacy → Data rights. Select the right you want to exercise. Confirm your identity with your PIN or biometric and submit.
Email dpo@phbhealth.com with subject “DSAR — [your right]”. Include your full name, HPN and a means of identity verification. We will respond within 24 hours to confirm receipt.
What happens and when.
What erasure means and what it doesn’t.
A deletion request hard-locks your PHB account immediately — all active sessions are ended and login is permanently disabled. Your Health Point Number is sealed. This cannot be undone.
What is deleted: your identifiable personal data — name, contact details, profile — is removed from active systems within 30 days of the request.
What is retained by law: the audit log and financial transaction records are retained for the statutory period required by the NDPA 2023 and Nigerian financial regulations. This data is sealed and inaccessible except to regulators with a lawful basis. PHI (diagnoses, prescriptions, clinical notes) is never silently retained in a way that links back to you — it is sealed with the record.
Why we are honest about this: erasure is one of your rights and we support it. But we will not pretend the process is simple or reversible when it is not. If you have questions before submitting a deletion request, contact dpo@phbhealth.com first.
Exercise your rights.
Use the app or email the DPO. Both paths are fully operational.
dpo@phbhealth.com