Privacy Policy for Cedarcrest Hospitals Limited

Cedarcrest Hospitals Limited Privacy Notice
Effective Date: January 1, 2026

Cedarcrest Hospitals Limited (“Cedarcrest”, “we”, “us”, or “our”) is committed to protecting your privacy and the confidentiality of your personal and health information. We comply with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR) (where applicable), and the National Health Act 2014 (NHA).

This Privacy Notice explains how we collect, use, disclose, retain, and protect your personal data when you:

  • Visit our website
  • Use the Cedarcrest Mobile App
  • Receive healthcare services, register, book appointments, or interact with us

Contact our Data Protection Officer (DPO): ICT – System Administrator. Email: sysadmin.hq@cedarcresthospitals.com

For complaints, contact the Nigeria Data Protection Commission (NDPC) at complaints@ndpc.gov.ng or ndpc.gov.ng.

1. Personal Data We Collect

We collect only necessary data (data minimization principle under NDPA):

  • Identification and Contact: Name, date of birth, gender, phone, email, address, UHID (Unique Hospital Identification Number).
  • Health/Sensitive Data: Medical history, symptoms, diagnoses, test results, treatment plans, biometrics (if applicable).
  • Other: Payment details, referrals, insurer info, usage data (IP, device, browser via logs/cookies).

Health data is “sensitive personal data” under NDPA and receives extra safeguards.

2. How We Collect Data

  • Directly from you (forms, consultations, app registration).
  • Automatically (logs, cookies for security/analytics).
  • From third parties (referrals, labs, insurers — with a lawful basis).

3. Lawful Basis and Consent

We process data lawfully under NDPA Section 24:

  • Explicit consent (especially for sensitive health data).
  • Necessity for medical diagnosis/treatment (vital interests/healthcare provision).
  • Legal obligations (NHA record-keeping, public health reporting).
  • Legitimate interests (quality improvement, fraud prevention — balanced against your rights).

Consent is informed, specific, and freely given. You may withdraw it (subject to legal/medical retention), but this may limit services.

4. How We Use Your Data

  • Provide, coordinate, and improve healthcare (diagnosis, treatment, follow-up).
  • Maintain accurate records (NHA requirement).
  • Administer appointments, billing, insurance claims.
  • Communicate updates/reminders.
  • Internal quality audits and analytics (using anonymized/UHID-only data with approval).
  • Prevent fraud/unauthorized access.

We do not use data for unrelated marketing without consent.

5. Sharing and Disclosure

We share data only when necessary and lawful:

  • With involved healthcare professionals or facilities.
  • For referrals, labs, specialists (with consent where required).
  • Insurers/payers for claims.
  • Anonymized/UHID-only data for research/analytics (prior approval, anonymization techniques).
  • As required by law (court orders, public health mandates under NHA).

Third-party processors (e.g., cloud/IT vendors) sign Data Processing Agreements ensuring NDPA compliance. We do not sell personal data.

6. Data Security

We use encryption, Role-Based Access Control (RBAC), firewalls, MFA for remote access, secure gateways, and regular audits. Core systems are not directly exposed to the public internet. Breaches are contained, investigated, and notified to you/NDPC per NDPA timelines.

7. Your Data Subject Rights (NDPA)

  • Access your data.
  • Rectify inaccuracies.
  • Erase data (subject to retention obligations).
  • Restrict/object to processing.
  • Portability.
  • Not be subject to solely automated decisions with significant effects.

Submit requests to the DPO. We respond within one month (extendable). Fees may apply for excessive requests.

8. Data Retention

Retained only as necessary:

  • Medical records: Per NHA/professional guidelines (typically 10+ years post-last treatment).
  • Other data: Until the purpose is fulfilled or consent is withdrawn (subject to law). Secure destruction upon expiry (shredding for paper records; irreversible deletion for electronic records).

9. Cookies, Logs, and Tracking

Cookies enable functionality, security, and analytics. You can manage cookies via your browser settings. Logs collect non-personal data (IP, browser) for trends/security.

10. Children’s Data

We do not knowingly collect data from children under 13 without parental consent. For minors in our care, processing is for vital healthcare interests.

11. Changes and Updates

We may update this Notice. Check our website for the latest version.

This Notice supplements any in-person privacy information provided during care.