NDPA 2023 Compliance for Nigerian Healthcare Providers: What You Need to Know
The Nigeria Data Protection Act 2023 introduces strict requirements for how hospitals handle patient data. Here's a practical compliance checklist for clinic owners.
What is the NDPA and why it matters for hospitals
The Nigeria Data Protection Act (NDPA) 2023 replaced the earlier Nigeria Data Protection Regulation (NDPR) 2019 and established a comprehensive legal framework for data protection in Nigeria. For healthcare providers, this law governs how you collect, store, process, and share patient data — and the penalties for getting it wrong are severe.
Under the NDPA, patient health records are classified as sensitive personal data, which attracts the highest level of protection. Healthcare providers who process sensitive data must comply with stricter requirements than businesses handling ordinary personal data.
The 8 key NDPA requirements for hospitals
1. Lawful basis for processing
You must have a clear legal basis for processing patient data. In healthcare, the most common bases are consent (the patient agrees) and vital interest (emergency treatment where consent cannot be obtained). Document which basis applies for each type of data processing in your facility.
2. Patient consent management
Consent must be freely given, specific, informed, and unambiguous. This means your registration forms need clear, plain-language explanations of what data you collect, why you collect it, who you share it with, and how long you keep it.
Practical steps:
- Update your patient registration form to include a clear consent statement
- Ensure consent is captured before any data entry — not as an afterthought
- Record the date, time, and method of consent capture
- Provide a mechanism for patients to withdraw consent
3. Data subject rights
Patients have the right to access their records, correct inaccurate data, request deletion of their data (with clinical exceptions), object to data processing, and receive their data in a portable format. Your staff must know how to handle these requests.
4. Data Protection Officer (DPO)
Healthcare facilities that process large volumes of sensitive data may be required to appoint a Data Protection Officer. Even if not strictly required for smaller clinics, having a designated person responsible for data protection is a best practice.
5. Data breach notification
If patient data is breached (stolen, lost, or accessed by unauthorised persons), you must notify the Nigeria Data Protection Commission (NDPC) within 72 hours and affected patients without undue delay if the breach poses a high risk to their rights.
What counts as a breach:
- A laptop with patient records is stolen
- Paper files are left in an unsecured location
- A staff member accesses records they are not authorised to view
- Patient data is sent to the wrong email address
- A ransomware attack encrypts your database
6. Data minimisation
Collect only the patient data you actually need for clinical care. If you do not need a patient's religion, ethnic group, or political affiliation for treatment, do not collect it.
7. Storage and retention
Patient data must be stored securely with appropriate technical measures (encryption, access controls, backups). Retention periods should follow clinical guidelines — the Medical and Dental Council of Nigeria (MDCN) recommends retaining medical records for at least 10 years after the last patient encounter.
8. Cross-border data transfers
If your hospital management system (HMS) stores data on servers outside Nigeria (common with cloud-based systems), you must ensure the destination country has adequate data protection measures or that appropriate safeguards are in place.
The compliance checklist
Here is a practical checklist for Nigerian clinic owners:
Registration and Consent
- Update patient registration forms with NDPA-compliant consent language
- Implement a system to record consent timestamps
- Create a process for handling consent withdrawal requests
Access Controls
- Implement role-based access control so staff only see data relevant to their role
- Use unique login credentials for every staff member (no shared accounts)
- Enable automatic session timeout after inactivity
- Maintain audit logs of who accessed which patient records and when
Data Security
- Encrypt patient data at rest and in transit
- Use HTTPS for all web-based systems
- Implement regular automated backups with tested recovery procedures
- Use strong password policies and consider two-factor authentication
Breach Response
- Create a written data breach response plan
- Designate a breach response team with clear roles
- Test the response plan at least once per year
- Pre-draft notification templates for the NDPC and patients
Staff Training
- Train all staff on data protection basics during onboarding
- Conduct annual refresher training on NDPA requirements
- Document all training with attendance records
Vendor Management
- Review your HMS vendor's data processing agreement
- Confirm where patient data is stored (country and data centre)
- Verify the vendor's security certifications and breach notification procedures
How a digital HMS helps
A properly configured hospital management system makes NDPA compliance significantly easier than paper-based operations. Digital systems can enforce role-based access controls, generate comprehensive audit trails, encrypt data automatically, capture consent electronically with timestamps, and produce data subject access reports on demand.
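As an added illustration (not DawaHQ's code and not part of the original article) of the controls the checklist and this paragraph describe, the following Python model captures consent with a timestamp and method, honours withdrawal, enforces role-based access, writes every access attempt (allowed or denied) to an audit log so unauthorised viewing can be reviewed, and computes the 72-hour NDPC notification deadline. The role map, record categories and sample identifiers are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

NDPC_NOTIFY_WINDOW = timedelta(hours=72)  # NDPC breach notification window

# Hypothetical role map: which record categories each staff role may open.
ROLE_PERMISSIONS: Dict[str, set] = {
    "doctor": {"demographics", "clinical_notes"},
    "nurse": {"demographics", "clinical_notes"},
    "billing": {"demographics"},
}


@dataclass
class Consent:
    patient_id: str
    granted_at: datetime            # date and time of consent capture
    method: str                     # e.g. "registration_form"
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return self.withdrawn_at is None or when < self.withdrawn_at


class PatientRecordStore:
    def __init__(self) -> None:
        self.consents: Dict[str, Consent] = {}
        self.audit_log: List[dict] = []

    def record_consent(self, patient_id: str, when: datetime, method: str) -> None:
        self.consents[patient_id] = Consent(patient_id, when, method)

    def withdraw_consent(self, patient_id: str, when: datetime) -> None:
        self.consents[patient_id].withdrawn_at = when

    def access(self, user: str, role: str, patient_id: str, category: str,
               when: datetime, basis: str = "consent") -> bool:
        """Decide whether access is allowed and log the attempt either way."""
        role_ok = category in ROLE_PERMISSIONS.get(role, set())
        if basis == "vital_interest":        # emergency care, consent unobtainable
            basis_ok = True
        else:                                # default basis: active patient consent
            consent = self.consents.get(patient_id)
            basis_ok = consent is not None and consent.active_at(when)
        allowed = role_ok and basis_ok
        self.audit_log.append({"user": user, "role": role, "patient": patient_id,
                               "category": category, "basis": basis,
                               "at": when.isoformat(), "allowed": allowed})
        return allowed

    def unauthorised_attempts(self) -> List[dict]:
        """Denied accesses: the 'staff member views records they may not' case."""
        return [e for e in self.audit_log if not e["allowed"]]


def ndpc_deadline(detected_at: datetime) -> datetime:
    return detected_at + NDPC_NOTIFY_WINDOW
```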
The key is choosing an HMS that was designed with Nigerian data protection requirements in mind — not a system built for another jurisdiction that has been superficially adapted.
What happens if you do not comply
The NDPA empowers the Nigeria Data Protection Commission to issue fines of up to 2% of annual gross revenue or ₦10 million (whichever is higher) for data controllers and up to 1% of annual gross revenue or ₦2 million for data processors. Beyond fines, a data breach can destroy patient trust and damage your clinic's reputation in ways that take years to recover from.
Compliance is not just about avoiding penalties — it is about demonstrating to your patients that their most sensitive information is in safe hands.