1. About this Policy
1.1 Purpose
Euracare Hospital is committed to ensuring the privacy and confidentiality of your Personal Data.
Euracare Hospital complies with the Nigeria Data Protection Regulation (NDPR) as issued by the National Information Technology Development Agency (NITDA) which was statutorily mandated by the NITDA Act of 2007.
These legal frameworks ensure Euracare Hospital handles your Personal Data (including but not limited to patient health information) in compliance with recommended practices.
The purpose of this Privacy Policy is to clearly communicate to you how Euracare Hospital handles your Personal Data. It will give you a better and more complete understanding of the type of Personal Data that Euracare Hospital holds about you and the way Euracare Hospital handles that information.
Consent
You accept this Privacy Policy and hereby give us consent to save, process and use your Personal Data to the extent allowed by law when you provide us with details of your Personal Data or click on the “accept” button. We may request further consent in the event that your Personal Data is required to be transferred to a third party or when it is to be further processed in a manner which would require your further consent.
You may withdraw your consent at any time before, during and after we process your Personal Data. Personal Data is information that can be directly used to identify you and includes but is not limited to your name, address, telephone number, email address and any other information of like nature.
We may use and transfer your Personal Data either with your consent, for compliance with a legal obligation to which we are subject or when we have assessed that it is necessary for the purposes of the legitimate interests pursued by us or by a third party to whom it may be necessary to disclose information. We may also use your Personal Data to further develop the quality of our services.
2 How Euracare Hospital Handles your Personal Data
2.1 Euracare Hospital’s Legal Obligation
As mentioned in Part 1 of this Privacy Policy, Euracare Hospital is required to comply with the Nigeria Data Protection Regulation (NDPR). As part of this we are regulated by the National Information Technology Development Agency (NITDA), which acts as Euracare Hospital’s supervisory authority in this regard. Contact details for NITDA are indicated in the table below:
By letter: | No. 28, Port Harcourt Crescent, Off Gimbiya Street, P.M.B 564, Area 11 Garki, Abuja, Nigeria |
---|---|
By email: | Info@nitda.gov.ng |
Website: | https://nitda.gov.ng/ |
By telephone: | +234 92 920 263, +2348168401851, +2340752420189 |
NITDA is a public authority which regulates how Euracare Hospital may collect, use, disclose and store Personal Data and how individuals may access and correct Personal Data which Euracare Hospital holds about them. For ease of reference, this Privacy Policy sets out Euracare Hospital’s position with respect to patient and other individuals’ Personal Data separately but we treat each group equally.
2.2 Terms Used
In this Privacy Policy, unless the context otherwise requires:
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Primary purpose” means the specific function or activity for which the information is collected. Any use or disclosure of the Personal Data for another purpose is known as the “secondary purpose”.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor / Administrator” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
2.3 Who does Euracare Hospital collect information from?
This Privacy Policy applies to Euracare Hospital’s collection and use of Personal Data from patients, visitors, next–of–kin, nominated support persons, referring doctors, all staff both clinical and support services such as Accredited Health Professionals, contracted health professionals, trainees (including medical professionals including registrars, fellows and advanced trainees), approved researchers, students undertaking training placements in our facilities, contractors, suppliers, and service providers engaged by us, medical representatives attending our facilities and other individuals engaged by or providing services to Euracare Hospital.
2.3.1 Patients
In order to provide you with the required health care services Euracare Hospital will need to collect and use your Personal Data.
2.3.2 Other Individuals
In order to enable Euracare Hospital to engage with you for the relevant primary purpose, Euracare Hospital may need to collect and use your Personal Data. If you provide incomplete or inaccurate information to us or withhold Personal Data from us, we may not be able to engage with you as required to meet that primary purpose.
2.4 What information does Euracare Hospital collect?
2.4.1 Patients
We collect Personal Data from you that is reasonably necessary to provide you with health care services and for administrative and internal business purposes related to your attendance at Euracare Hospital.
Often this may include collecting information about your health history, family history, your ethnic background or your current lifestyle to assist the health care team in diagnosing and treating your condition.
We will usually collect your health information directly from you. Sometimes we may need to collect information about you from a third party (such as a relative or another health service provider).
Your Personal Data, which may include diagnostic data, will be taken during your engagement with the hospital for the purpose of assisting or recording developments in your treatment. This data may take many forms for example standard laboratory information, sleep studies, image information from areas such as radiology and endoscopy. Euracare Hospital will, in all cases, manage your Personal Data contained in these clinical images in accordance with the Nigeria Data Protection Regulation and this Privacy Policy.
2.4.2 Other individuals
We collect Personal Data from you that is reasonably necessary to engage with you for the primary purpose, including the provision of services by Euracare Hospital, for Euracare Hospital’s functions or activities and for administrative and internal business purposes related to your dealings with Euracare Hospital.
We will usually collect your Personal Data directly from you. Sometimes we may need to collect information about you from a third party; however, we will only do this where it is not reasonable or practical for us to collect this information directly from you.
2.5 How does Euracare Hospital Store your information?
Euracare Hospital may store the Personal Data we collect from you in various forms. Euracare Hospital will comply with the NDPR, and this Privacy Policy, in respect of your Personal Data in whatever form that information is stored by us.
2.5.1 Patients
Storage of Personal Data may be in physical (paper) form and may also include storage through electronic systems for storage of Personal Data (including clinical images taken for diagnostic or treatment purposes) on some diagnostic equipment where you have undergone a diagnostic procedure using such equipment in Euracare Hospital.
2.5.2 Individuals
Personal Data may be stored in various forms including electronic and / or paper systems in accordance with usual practices, and subject to the purposes of your engagement with Euracare Hospital.
2.6 How does Euracare Hospital use your information?
Euracare Hospital only uses your Personal Data for the primary purpose for which you have given the information to us, unless one of the following applies:
- the secondary purpose is related (or for sensitive information, directly related) to the primary purpose for which you have given us the information and you would reasonably expect, or we have told you, that your information is usually disclosed for another purpose or to other individuals, organisations or agencies (see related secondary purposes set out below);
- you have consented for us to use your information for another purpose, for example research;
- Euracare Hospital is required or authorised by law to disclose your information for another purpose (see related secondary purposes set out below);
- the disclosure of your information by Euracare Hospital will prevent or lessen a serious and / or imminent threat to somebody’s life, health or safety or to public health or public safety; or
- the disclosure of your information by Euracare Hospital is reasonably necessary for the enforcement of a criminal law or a law imposing a penalty or sanction, or for the protection of public revenue.
Euracare Hospital may use or disclose your Personal Data as specified above via electronic processes, where available or relevant.
Related secondary purposes include:
The following is a list of examples of related secondary purposes for which Euracare Hospital may use your Personal Data, but it is not an exhaustive list.
Patient specific examples:
(a) Use among health professionals to provide your treatment
Modern health care practices mean that your treatment will be provided by a multi–disciplinary team of health professionals working together.
You may be referred for diagnostic tests such as pathology or radiology and our staff may consult with senior medical experts when determining your diagnosis or treatment. With developments in technology (e.g. telemedicine) our staff may consult with health professionals and medical experts, both public and private, located remotely, including outside Euracare Hospital, in relation to your diagnosis or treatment, including by sending health information and clinical images electronically. Our staff may also refer you to other health service providers, both public and private, for further treatment during and following your admission (for example, to a physiotherapist or outpatient for community health services). We may disclose your Personal Data to the relevant provider to the extent required for any such referral (including disclosing that information electronically). Please note that your information might be sent to medical professionals outside of Nigeria.
Your Personal Data will only be disclosed to those health care workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose.
These health professionals will share your Personal Data as part of the process of providing your treatment.
We will only do this while maintaining confidentiality of this information and protecting your privacy in accordance with the law.
As part of your care, we may be required to disclose your information to third party medical suppliers for the purpose of ordering specific products or to enable appropriate follow up, for example, if you require prosthesis, certain pharmaceutical treatments or other medical implantable products as part of your treatment.
(b) Assessment for provision of health care services
Euracare Hospital may collect your Personal Data for the purpose of assessing your suitability for health care services at a Euracare Hospital. Where Personal Data is collected and you do not become a patient of the hospital, your Personal Data may be retained. Where your assessment has been conducted at the request of your GP, Euracare Hospital will report the outcome of the assessment to that GP as it may be relevant to any ongoing treatment or care provided to you by them.
Where you undergo assessment or treatment by a third party provider (for example Physiotherapy services) during your admission to a Euracare Hospital for the purpose of transferring your care to that third party, Euracare Hospital may disclose your Personal Data to the third party provider for that purpose.
(c) Your local doctor
Euracare Hospital will usually send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission. This is in accordance with international norms and long–standing medical practice and is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by them. This discharge summary may be sent to your referring medical practitioner or general practitioner electronically. If your nominated general practitioner has changed or your general practitioner’s details have changed following a previous admission, you must let us know.
(d) Other health service providers
If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, we will provide a copy of your record to that medical practitioner or health care facility, provided this request is processed in the correct manner.
We may provide information about your health records to another medical practitioner or health facility outside Euracare Hospital without your consent in the event of an emergency where your life or health is at risk.
(e) Students and trainees
Euracare Hospital supports the placement of students and trainees at Euracare Hospital and these students and trainees may have access to your Personal Data for the purpose of the placement. Students and trainees on placement at Euracare Hospital are required to comply with the NDPR and our Privacy Policy.
(f) Relatives, guardian, close friends or legal representative
We may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your Personal Data to any such person.
(g) Other common uses
In order to provide the best possible environment in which to treat you, we may also use your Personal Data where necessary for:
- activities such as quality assurance processes and service evaluations to assess standards of care, accreditation, clinical audits, risk and claims management, patient experience and satisfaction surveys and staff education and training;
- invoicing, billing and account management, including storage of provider details on Euracare Hospital billing software; submitting your bill to your insurance company.
- the purpose of complying with any applicable laws – for example, in response to a subpoena or compulsory reporting to State authorities (for example, National Cancer Registry);
- the purpose of sending you standard reminders, for example for appointments and follow–up care, by text message or email to the number or address which you have provided to us; and
- we may anonymise or aggregate the Personal Data that we collect for the purpose of service management; monitoring, planning and development.
- To identify patients that might be suitable for clinical trials / research. Any participation in a trial or research study will require your consent.
(h) Other uses with your consent
With your consent we may also use your information for other purposes, including sharing your information with your insurance company and research.
Other non–patient specific examples:
(i) CCTV
Euracare Hospital does use camera surveillance systems (commonly referred to as CCTV) throughout our organisation for the purpose of maintaining the safety and security of its staff, patients, visitors and other attendees. Euracare Hospital’s CCTV systems may, but will not always, collect and store Personal Data. Euracare Hospital will comply with the NDPR and this Privacy Policy in respect of any Personal Data collected via its CCTV systems.
(j) Contractors under agreement
Euracare Hospital may provide, or allow access to, Personal Data to contractors engaged to provide professional services to Euracare Hospital (e.g. Information Communication Technology providers) or to contractors to whom aspects of our services are outsourced. Where we outsource any of our services or hire contractors to perform professional services within our hospitals, this will be done as part of a Service Provider Agreement which contains a data sharing component that complies with the NDPR and, where applicable, our Privacy Policy.
(k) Application for accreditation by health professionals
Euracare Hospital collects Personal Data from health professionals seeking accreditation and submitting to the credentialing process. Personal Data provided by health professionals in this context is collected, used, stored and disclosed by Euracare Hospital for the purposes of fulfilling its obligations in connection with the accreditation sought.
(l) Job applications
Euracare Hospital collects Personal Data of job applicants who have responded to an advertised position for the primary purpose of assessing and (if successful) engaging applicants. The purpose for which Euracare Hospital uses Personal Data of job applicants includes:
- managing the individual’s employment, engagement or placement;
- insurance purposes; and
- ensuring that it holds relevant contact information.
Euracare Hospital may also store information provided by job applicants who were unsuccessful for the purposes of future recruitment or employment opportunities and will communicate such periods of storage to them.
(m) Students / Trainees
Euracare Hospital collects Personal Data of students or trainees on placement for the primary purposes of providing the placement and facilitating assessment. The purposes for which Euracare Hospital uses Personal Data of students or trainees include:
- managing the individual’s placement;
- ensuring the quality and safety of clinical care provided to Euracare Hospital patients;
- insurance purposes;
- ensuring that it holds relevant contact information; and
- satisfying its legal obligations including obligations under any placement agreement.
Euracare Hospital may also store information provided by students or trainees following placement for the purpose of future recruitment or employment opportunities.
(n) Education and community engagement
Euracare Hospital may offer opportunities for health practitioners to participate in educational events or seminars for the purpose of continuing professional development or community engagement. When you register for or attend an event, Euracare Hospital may collect your Personal Data for the purpose of providing the service and recording your attendance.
Euracare Hospital may disclose your Personal Data to third parties for the purpose of confirming your attendance at the event including the provision of attendance records or certification.
(o) Clinical Audit
Clinical audit is a quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change. Aspects of the structure, process and outcomes of care are selected and systematically evaluated against specific criteria. Where indicated, changes are implemented at an individual, team or service level, and further monitoring is used to confirm improvement in healthcare delivery. This is described as the audit loop. The key component of clinical audit is that performance is reviewed (or audited) to ensure that what should be done is being done, and if not it provides a framework to enable improvements to be made. Clinical audit is NOT research.
Clinical audit is at the heart of clinical governance.
- It provides the mechanisms for reviewing the quality of everyday care provided to patients with common conditions.
- It builds on a long history of doctors, nurses and other healthcare professionals reviewing case notes and seeking ways to serve their patients better.
- It addresses quality issues systematically and explicitly, providing reliable information;
- It can confirm the quality of clinical services and identify if there is a need for improvement.
Will you tell me if my information is being used in clinical audit?
You will not be contacted directly and you do not need to give your consent if we use your healthcare information for a clinical audit.
This is because your name and personal details are either not used or kept confidential and are not included in the audit findings and audit report.
Sometimes a clinical audit involves patients taking an active part in the audit process and your personal details are an important part of the audit. In this type of audit you will be asked to give your consent.
2.7 Access to and correction of your Personal Data
You have the right to have access to the Personal Data that we hold about you (for patients, this includes health information contained in your health record). You can also request an amendment to Personal Data that we hold about you should you believe that it contains inaccurate information. The request will be reviewed with the relevant parties.
We limit ourselves to a one–month period to respond to your request for access to your Personal Data in our possession. However, if the one–month timeline cannot be met or where we determine that the request made by you is excessive in nature, we will take steps to inform you and suggest alternative courses of action, such as an extension of the time in which to provide the information requested or a request for payment of costs for requests of an excessive nature. Euracare Hospital undertakes to copy the regulatory authority in all such correspondence. Where we cannot act on your request, we will also take steps to inform you of the reason and the options available to you, including lodging a complaint with NITDA.
Euracare Hospital will allow access or make the requested changes unless there is a reason under the NDPR or other relevant law to refuse such access or refuse to make the requested changes. Should you wish to obtain access to or request changes to your Personal Data held by Euracare Hospital, please contact our Freedom of Information office at odunayo.akinyemi@euracare.com.ng.
2.8 Your Rights
Euracare Hospital collects Personal Data only for the purposes identified in this Policy and such information cannot be reused for another purpose that is incompatible with the original purpose. The rights you can exercise with respect to your Personal Data with us include but are not limited to the following:
a) request for and access your Personal Data collected and stored by us;
b) withdraw consent to the processing of your personal data at any time. For example, you can withdraw your consent to receipt of our marketing or promotional materials or unsubscribe to our newsletters;
c) object to automated decision making;
d) request rectification and modification of Personal Data kept by us;
e) request for deletion of your Personal Data;
f) be informed of and entitled to provide consent prior to the processing of Personal Data for purposes other than that for which the Personal Data were collected;
g) request that we restrict processing of your Personal Data;
h) request for information regarding any specific processing of your personal data.
2.9 Data Quality
Euracare Hospital will take reasonable steps to ensure that your Personal Data which we may collect, use or disclose is accurate, complete and up–to–date.
2.10 Data Security
Euracare Hospital will take reasonable steps to protect your Personal Data from misuse, interference, loss, unauthorised access, modification or disclosure. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect your privacy.
2.11 Cross border disclosure
Euracare Hospital may enter into arrangements with third parties to store data we collect or to access the data to provide services (such as data processing), and such data may include Personal Data, outside of Nigeria. Euracare Hospital will take reasonable steps to ensure that the third parties do not break the NDPR requirements. The steps Euracare Hospital will take may include ensuring the third party is bound by privacy protection obligations which are the same (or substantially the same) as those which bind Euracare Hospital and requiring that the third party has information security measures in place which are of an acceptable standard and approved by Euracare Hospital.
Furthermore, where necessary, Euracare Hospital will take all steps necessary to comply with the NDPR as regards NITDA’s Adequacy Decision / Whitelist when transferring the Personal Data of Data Subjects to a foreign country.
2.12 Limitation Clause
While Euracare is responsible for safeguarding the data collected, the Data Subject’s role in ensuring confidentiality and protection of data rights includes, but is not limited to, adopting and enforcing appropriate security measures such as non–sharing of passwords and other information that will give a third party access to the data in Euracare’s custody, adherence with physical security protocols on Euracare’s premises and dealing with only authorised agents of Euracare. Euracare is not liable for any breach of Data Subject’s data protection rights arising from the failure of the Data Subject to fulfil the role stated above, the disclosure of sensitive information by the Data Subject or negligence on the part of the Data Subject.
2.13 Breach / Privacy Violation
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, we shall within 72 (Seventy–Two) hours of having knowledge of such breach report the details of the breach to NITDA. Furthermore, where we believe that such breach will be detrimental to your rights and freedoms relative to your Personal Data, we shall within 7 (Seven) days of having knowledge of the occurrence of such breach take steps to inform you of the breach incident, the risk to your rights and freedoms resulting from such breach and any course of action to remedy said breach.
If you feel that your Personal Data has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of your Personal Data, you have a right to lodge a complaint with the National Information Technology Development Agency.
2.14 Governing Law
This privacy policy is made pursuant to and governed by the NDPR and other relevant Nigerian laws, regulations or international conventions on data protection applicable to Nigeria. Where there is a dispute as to the interpretation or application of this privacy policy, the dispute shall be resolved in accordance with the provisions of the NDPR and other relevant Nigerian laws, regulations or international conventions on data protection applicable to Nigeria by submission of same to the Administrative Redress Panel or a court of competent jurisdiction in Nigeria.
3 How to contact Euracare Hospital about privacy issues
3.1 Data Protection Officer
If you have questions or comments about this Privacy Policy, you can contact us:
By Letter: Data Protection Officer, Euracare Hospital, 293 Younis Bashorun street, Victoria Island, Lagos
By email: odunayo.akinyemi@euracare.com.ng
By telephone: 0700 3872 2274
3.2 Complaints
If:
1. Euracare Hospital does not agree to provide you with access to your Personal Data, or
2. You have a complaint about our information handling processes,
you can lodge a complaint with or contact our Data Protection Officer on the details above or directly with NITDA. Full contact details can be found in section 2.1 above or on their website www.nitda.gov.ng
4. How Euracare Hospital handles your Personal Data when you visit our website
This section of our Privacy Policy explains how we handle your Personal Data which is collected from our website: www.euracare.com.ng (hereafter the “website”).
4.1 Collection
When you use our website, we do not attempt to identify you as an individual user and we will not collect Personal Data about you unless you specifically provide this to us. Sometimes, we may collect your Personal Data if you choose to provide this to us via an online form or by email, for example if you:
– submit a general enquiry via our contacts page
– register for an event or request information, or
– send a written complaint or enquiry to our privacy officer
4.2 Cookies
A “cookie” is a small bit of data our server sends to your browser that allows our server to identify and interact more effectively with your computer. Cookies do not identify individual users, but they do identify your ISP and your browser type.
This website uses temporary cookies. This means that upon closing your browser, the temporary cookie assigned to you will be destroyed and no Personal Data is maintained which will identify you at a later date.
Personal Data such as your email address is not collected unless you provide it to us. We do not disclose domain names or aggregate information to third parties other than agents who assist us with this website and who are under obligations of confidentiality. You can configure your browser to accept or reject all cookies and to notify you when a cookie is used. We suggest that you refer to your browser instructions or help screens to learn more about these functions.
However, please note that if you configure your browser so as not to receive any cookies, a certain level of functionality of the Euracare Hospital website and other websites may be lost.
4.3 Links to third party websites
We may create links to third party websites. We are not responsible for the content or privacy practices employed by websites that are linked from our website. We will only use Personal Data collected via our website for the purposes for which you have given us this information.
We will not use or disclose your Personal Data to other organisations or anyone else unless:
– you have consented for us to use or disclose your Personal Data for this purpose
– you would reasonably expect or we have told you (including via this policy) that your information is used or may be used or disclosed to other organisations or persons for a related (or, for sensitive information, directly related) purpose
– the use or disclosure is required or authorised by law
– the use or disclosure will prevent or lessen a serious and / or imminent threat to somebody’s life, health or safety or to public health or public safety, or
– the disclosure is reasonably necessary for law enforcement functions or for the protection of public revenue
If we receive your email address because you sent us an email message, the email will only be used or disclosed for the purpose for which you have provided it and we will not add your email address to an emailing list or disclose this to anyone else unless you provide us with consent for this purpose.
4.5 Data Quality
If we collect your Personal Data from our website, we will maintain and update your information as reasonably practical and necessary or when you advise us that your Personal Data has changed.
4.6 Data Security
Euracare Hospital is committed to protecting the security of your Personal Data. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information. We will take all reasonable steps to prevent your information from loss, misuse and alteration.
4.7 Access and Correction
If you wish to obtain information about how to access or correct your Personal Data collected via our website, please refer to Access and Correction at item 2.7 of this document.
4.8 Retention Periods
Hard copies of Health records at Euracare Hospital are held for five years before being destroyed. Digital records may be retained indefinitely.
We take appropriate measures to ensure that your Personal Data is only processed for the minimum period necessary in line with the purposes set out in this Policy or as required by applicable laws, until such time as it is no longer required or has no use. Once your Personal Data is no longer required, we destroy it in a safe and secure manner. We will communicate to you the duration for which we need to store your Personal Data. Where this duration cannot be ascertained, the criteria to be used in determining such duration of retention will be communicated to you.
4.9 Changes to our Privacy Policy
Due to constant changes in technology and regulatory requirements, we may need to change our privacy policies or update this Policy from time to time. You will always be able to find the most recent version of our updated privacy policy on this site.