
NDPC disclosures.

Updated 1 June 2026 · NDPA 2023 · data controller · Reg. NDP-2026-0341

This page is the public-facing disclosure required of any data controller under the Nigeria Data Protection Act 2023. It is written for three audiences at once — regulators, DPOs, and privacy-conscious patients — and tries to be useful to all three without being legalistic.

01 Data controller

Public Health Bureau Limited is the registered data controller for every channel where PHB is reached (app, web, USSD, IVR, on-site at connected facilities). Registered office: Lagos. NDPC registration: NDP-2026-0341.

Joint controllers (NHIA, an HMO, an employer programme, a research partner) are listed against the specific data flows they touch, with their own NDPC registration numbers, in /privacy § 5.

02 Data Protection Officer

Reach our DPO at dpo@phb.health. We respond within 5 working days for general enquiries, and immediately for breach reports. You have an unconditional right to escalate to the NDPC at any time — that route is never gated by us, and we won’t ask you to “try our process first”.

03 Lawful bases

  • Consent — every record share is consent-bound, scoped, time-bounded, and revocable.
  • Vital interests — break-glass reads in an emergency (unconscious patient, ambulance) — patient is force-notified the moment they can be reached.
  • Legal obligation — per-subject court orders only; we publish the count quarterly.
  • Contract — operational data needed to deliver the service you signed up for.

04 Where data lives

Primary in NG-WEST (Lagos), continuously mirrored to NG-NORTH (Abuja). No cross-border replication. We do not use any cloud service that requires data to leave Nigeria.

Cross-border transfer. We will not transfer your personal data outside Nigeria without your explicit, written, per-purpose consent. There is no “legitimate interests” catch-all.

05 Your rights, & how to use them

Under the NDPA 2023 you have, and we deliver, the following rights:

  • Access & portability — FHIR bundle and PDF, ≤ 30 days, free.
  • Rectification — by amendment (not deletion) of the original entry, so audit stays intact.
  • Erasure — ≤ 30 days, except clinical data covered by medical-records law.
  • Objection — to any non-essential processing, with a specific reason or none at all.

06 Breach notification

We notify the NDPC within 72 hours of becoming aware of a notifiable personal-data breach. We notify affected subjects without undue delay, in plain language, with a specific description of what was accessed and what we’ve done about it. We don’t hide breaches behind weasel words.

07 Retention

Audit log: append-only, 7 years. Clinical data: per Nigerian medical-records law (typically 21 years for adult records, longer for paediatrics). Operational data (wallet, claims): per finance and tax law. Marketing data: deleted within 30 days of an erasure request.