This guideline establishes the mandatory principles and procedures for all employees and third-party processors handling personal data on behalf of Momentum Healthcare.

1. Core Data Protection Principles (The Foundation)

All data processing must adhere to the following principles:

Principle | Requirement | NDPR/GDPR Focus
Lawfulness, Fairness, & Transparency | Only process data when a valid legal basis is established (Consent, Contract, Legal Obligation, etc.). | The legal basis for processing sensitive health data must be explicit consent (GDPR Art. 9) or necessary for medical treatment.
Purpose Limitation | Data collected for one purpose (e.g., appointment scheduling) must not be used for a different, incompatible purpose (e.g., marketing) without new consent. | Keep processing activities distinct and documented.
Data Minimization | Collect, store, and process only the minimum amount of personal data strictly necessary to achieve the stated purpose. | Do not collect details (like spouse’s name or unnecessary history) unless essential for the healthcare service.
Accuracy | Ensure data is accurate and kept up to date. Establish easy procedures for users to request corrections. | Employees must verify patient data at every key interaction (e.g., appointment check-in).
Storage Limitation | Personal data must be retained for no longer than is necessary. | Define and enforce specific retention periods for health records as required by local medical law, and automatically delete data after this period.
Integrity & Confidentiality | Implement robust security measures (technical and organizational) to protect data against unauthorized access, loss, or destruction. | This is the basis for your security controls (encryption, access limits).
Accountability | The organization (Controller) must be able to demonstrate compliance with all principles (through records, policies, and audits). | Mandatory: Maintain a Record of Processing Activities (RoPA).

2. Mandatory Procedures for Handling Health Data

A. Consent Management (Highest Priority)

  1. Explicit Consent: Consent for processing sensitive health data must be explicit (e.g., a tick box that the user must actively mark, not pre-ticked).
  2. Granularity: Obtain separate consent for different uses (e.g., one consent for treatment, another for research/analytics, if applicable).
  3. Withdrawal: Users must be able to withdraw consent as easily as they gave it. Processing must cease immediately upon withdrawal, unless another legal basis applies (like a legal obligation to retain medical records).
  4. Proof of Consent: Keep an auditable record of when, how, and what the user consented to.

B. Data Access and Security

  1. Principle of Least Privilege: Access to patient data (electronic health records, CRM, emails) must be limited to employees who strictly require it to perform their job duties (e.g., the front desk should not have access to full diagnostic reports).
  2. Encryption: All sensitive health data must be encrypted—both in transit (when sending or receiving) and at rest (when stored on servers).
  3. Physical Security: Ensure all physical records (if any) are stored in locked cabinets within restricted-access areas.
  4. Secure Deletion: When retention periods expire, data must be deleted securely, rendering it irrecoverable.

3. Data Subject Rights Implementation

Establish formal, documented procedures for handling the following rights requests within the required one-month (30-day) timeframe (as per GDPR):

Right | Employee Action Required
Right of Access | Verify the user’s identity. Provide a copy of all personal data held, along with information on how and why it is processed.
Right to Rectification | Promptly correct any inaccurate or incomplete personal data upon verification.
Right to Erasure (“Right to be Forgotten”) | Delete the user’s data from all systems (including backups) unless there is a legal or contractual reason to retain it (e.g., medical retention law).
Right to Data Portability | Provide the user’s personal data in a structured, commonly used, machine-readable format (e.g., CSV).

4. Third-Party Management (Data Processors)

  1. Due Diligence: Vet any vendor (cloud host, analytics provider, email marketing service) that processes data on your behalf to ensure they also meet NDPR and GDPR security standards.
  2. Data Processing Agreements (DPAs): A mandatory written contract (DPA) must be in place with every third-party processor. The DPA must specify the data being processed, the purposes, and ensure the processor only acts on Momentum Healthcare’s documented instructions.
  3. International Transfers: If a processor stores data outside of Nigeria or the EU, ensure the transfer is safeguarded by Standard Contractual Clauses (SCCs) or an Adequacy Decision.

5. Incident & Breach Response

  1. Immediate Action: Any employee suspecting a data breach (e.g., lost laptop, phishing email, ransomware, unauthorized access) must immediately report it to the Data Protection Officer (DPO).
  2. 72-Hour Notification (NDPR & GDPR): The DPO must notify the relevant Supervisory Authority (NITDA in Nigeria, or the relevant EU authority) of a breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
  3. Data Subject Notification: If the breach is likely to result in a high risk to the rights and freedoms of individuals (especially sensitive health data exposure), affected users must be informed without undue delay.

6. Training and Accountability

  1. Mandatory Training: All employees, and particularly those handling sensitive data (doctors, nurses, admin staff), must receive mandatory, recurring data protection training on NDPR and GDPR requirements.
  2. DPO Role: The Data Protection Officer (DPO) monitors compliance, advises the organization, and acts as the contact point for the regulatory authorities and data subjects.
  3. Data Audit (NDPR Requirement): The organization must conduct and submit a Data Protection Audit report to the Nigerian regulatory authority (NITDA) annually if it processes the data of 2000+ data subjects in 12 months (or 1000+ in 6 months for certain entities).

This guideline should be formalized as an internal company policy and distributed to all staff.




Welcome to Momentum Healthcare. By accessing or using our website, https://www.momentumhealthcare.org/, you agree to be bound by the following Terms of Use (or “Terms”). If you do not agree to these Terms, please immediately cease using the site.


1. Acceptance of Terms

Your use of this website, including browsing its content or using its features, constitutes your full acceptance of these Terms, the accompanying Privacy Policy, and the Cookie Policy.


2. Eligibility

You must be at least 18 years old to use our services, register an account (if applicable), or submit any personal or health-related information through the website. By using the site, you represent and warrant that you meet this age requirement.


3. Permitted Use

You are granted a limited, non-exclusive, non-transferable right to access and use the website for personal, non-commercial, and legitimate healthcare-related purposes.

You agree not to:

Misuse the website or its content, including introducing viruses, worms, or other malicious code.

Attempt unauthorized access to any part of the platform, accounts, servers, or networks.

Use the website for any unlawful purpose or in a way that violates any applicable local, state, national, or international law.

Interfere with the security or proper functioning of the site.


4. Intellectual Property

All content on the website—including text, articles, graphics, logos, branding, images, software, and the compilation thereof—is the exclusive property of Momentum Healthcare or its licensors and is protected by Nigerian, international copyright, trademark, and other intellectual property laws.

You may not copy, distribute, modify, publicly display, or reproduce any part of the website content without the express prior written permission of Momentum Healthcare.


5. No Medical Advice on Website (Critical Disclaimer)

The information provided on this website, including all content, articles, and general health-related commentary, is for general educational and informational purposes only. It is not intended as, and must not be considered, medical advice, diagnosis, or treatment recommendation.

Always consult a qualified healthcare professional for any medical concerns or before making any healthcare decisions. Momentum Healthcare explicitly disclaims any liability for reliance on the information presented on this website.


6. Limitation of Liability

The website and its content are provided on an “as is” and “as available” basis. Momentum Healthcare, its directors, employees, partners, and affiliates will not be liable for:

Any decisions you make or actions you take based on content found on the site.

Losses, damages, or injuries arising from service interruptions, technical issues, errors, or inaccuracies.

Any indirect, incidental, punitive, special, or consequential damages (including lost profits or lost data), whether based on contract, tort, or other legal theory, even if we have been advised of the possibility of such damages.

Your use of the site is solely at your own risk.


7. Indemnification

You agree to defend, indemnify, and hold harmless Momentum Healthcare and its officers, directors, employees, and agents from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses, or fees (including reasonable attorneys’ fees) arising out of or relating to your violation of these Terms or your use of the website.


8. Third-Party Links

This website may contain links to external websites that are not owned or controlled by Momentum Healthcare. We are not responsible for the content, security, accuracy, or privacy practices of any third-party websites. You access external links at your own risk.


9. Termination

We reserve the right, in our sole discretion, to suspend or terminate your access to all or any part of the website for any reason, including, without limitation, any breach of these Terms.


10. Governing Law

These Terms shall be governed by and construed in accordance with the following:

The laws of the Federal Republic of Nigeria, without regard to its conflict of law principles.

Applicable data protection provisions, including the Nigeria Data Protection Regulation (NDPR).

Any legal action or proceeding arising under these Terms will be brought exclusively withLegal procedures.


11. Changes to the Terms

We reserve the right to revise and update these Terms from time to time in our sole discretion. All changes are effective immediately when we post them and apply to all access to and use of the website thereafter. Your continued use of the website following the posting of revised Terms means that you accept and agree to the changes.

Momentum Healthcare is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your data in compliance with the Nigeria Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR). 

1. Data Controller Information

The data controller responsible for the processing of your personal information is:

Momentum Healthcare

Contact Email: info@momentumhealthcare.org

2. Information We Collect

We may collect the following categories of personal data:

Personal Identification Data

Full name 

Email address 

Phone number 

Address or location

 

Sensitive Personal Data (Health-Related) 

Medical information you voluntarily share 

Symptoms, appointment details, or inquiries related to healthcare

 

Technical & Usage Data 

IP address 

Browser type and version 

Device information 

Pages visited, time spent, and site interactions 

Cookies and tracking technologies (see separate Cookie Policy) 

 

Communication Data 

 

Email correspondence 

Contact form submissions 

Customer service interactions 

 

3. Legal Basis for Processing

 

We process data based on the following legal grounds: 

Consent: (GDPR Art. 6(1)(a); NDPR Part 2) 

Contract Performance: Processing is necessary for the performance of a contract with you. 

Legitimate Interests: Such as service improvement, security, and fraud prevention.

Compliance with Legal Obligations: Where we are subject to a legal requirement.

Protection of Vital Interests: Especially for health-related data.

Sensitive health data is processed based on explicit consent (GDPR Art. 9(2)(a)) or as necessary for the provision of healthcare or treatment (GDPR Art. 9(2)(h)), ensuring professional secrecy is maintained. 

 

4. How We Use Your Data

 

Your information may be used to: 

Provide, manage, and improve our healthcare-related services 

Respond to inquiries and customer support requests 

Schedule consultations or services you request 

Send updates, reminders, or administrative notifications

Improve site performance, analytics, and user experience (based on Legitimate Interests or Consent) 

Maintain safety, security, and fraud prevention 

Comply with NDPR, GDPR, and other legal obligations 

 

5. Data Sharing & Disclosure

 

We do not sell personal data. We may share data with the following parties under strict conditions: 

Healthcare Professionals or Partners: Only with your explicit consent.

Third-Party Service Providers: These parties (e.g., hosting, analytics, security tools) act as Data Processors on our behalf and are strictly bound by contractual agreements to only process data according to our instructions.

Regulatory Authorities: When legally required to comply with law enforcement or governmental requests. 

Professional Advisors: (e.g., legal, accounting) under confidentiality agreements.

6. Data Storage & Retention

Your data is stored on secure servers with technical and organizational safeguards. We retain personal data only for as long as: 

Necessary to fulfill the purposes stated.

Required by applicable laws and regulations. 

We use the following criteria to determine retention periods: 

Health-related data is retained for a period of [Specify the period, e.g., 7 years] after your last interaction, as required by healthcare regulations in our jurisdiction, or until you request deletion, whichever is consistent with our legal obligations. General data is retained for the duration of our relationship and for a short period thereafter to handle queries or comply with relevant statutes of limitation. 

 

7. Your Rights (NDPR & GDPR)

 

Depending on your location, you have the right to: 

Access your personal data. 

Request correction of inaccurate information. 

Request deletion (“Right to be Forgotten”). 

Withdraw consent at any time. 

Object to processing (e.g., for direct marketing). 

Restrict processing. 

Request data portability. 

Lodge a complaint with the National Information Technology Development Agency (NITDA – NDPR authority) or your local GDPR Supervisory Authority. 

To exercise these rights, or if you have any questions regarding this policy, please contact us at info@momentumhealthcare.org or contact our Data Protection Officer at dabotubobriggs5@gmail.com.

 

8. Data Security

 

We use industry-standard security controls such as: 

Encryption (at rest and in transit) 

Access control and pseudonymization 

Secure hosting and firewalls

Regular vulnerability assessments 

 

9. International Data Transfers

If your data is transferred outside Nigeria or the EU, we ensure adequate protection through: 

Adequacy Decisions: Transferring data to countries deemed to have adequate protection levels by the EU Commission or Nigerian authorities. 

Standard Contractual Clauses (SCCs): Implemented for EU transfers, and NDPR Compliant Cross-Border Transfer Agreements for Nigerian transfers. 

Where SCCs are used, we also perform a Transfer Impact Assessment (TIA) and implement supplementary technical and organizational measures to ensure the data maintains an essential equivalent level of protection. 

This Cookie Policy explains how Momentum Healthcare uses cookies and similar technologies (collectively, “cookies”) on our website, https://www.momentumhealthcare.org/.


1. What Are Cookies?

Cookies are small text files that are downloaded and stored on your device (computer, smartphone, etc.) when you visit our website. They allow the website to recognize your device and store information about your preferences or past actions.


2. Types of Cookies We Use and Their Purpose

We use cookies based on the following categories:

A. Strictly Necessary Cookies (Always Active)

Purpose: These cookies are essential for you to navigate the website and use core functions, such as accessing secure areas, session management, and ensuring security measures function correctly.

Legal Basis: Legitimate Interest (GDPR Art. 6(1)(f)). These cookies do not require consent as they are necessary to deliver the service you explicitly requested.

Examples: Security and Session Management cookies.


B. Performance & Analytics Cookies

Purpose: These cookies help us understand how visitors interact with our website by collecting information such as the number of visitors, the pages they visit, and traffic sources. This data is aggregated and used to improve the website’s performance and user experience.

Legal Basis: Consent (GDPR Art. 6(1)(a); NDPR Part 2). These cookies are only set if you explicitly consent via our cookie banner.

Examples: Google Analytics, or other similar analytics tools.


C. Functional Cookies (Preference)

Purpose: These cookies enable the website to remember choices you make (such as your username, language, or region) and provide enhanced, more personal features, like remembering user settings and preference configurations.

Legal Basis: Consent (GDPR Art. 6(1)(a); NDPR Part 2).

Examples: Language preference cookies, user interface setting cookies.

 

D. Marketing / Tracking Cookies

Purpose: These cookies are used to track user behavior across different websites. They are used to build a profile of your interests and show you relevant advertisements on other sites (retargeting).

Legal Basis: Explicit Consent (GDPR Art. 6(1)(a); NDPR Part 2). These cookies are disabled by default and are only used if you provide specific, unambiguous consent.


3. Third-Party Cookies

We may allow trusted third-party partners to place cookies on your device when you interact with our website. These cookies are set by a domain other than our own.

Examples of Third Parties: Analytics providers, social media integrations (e.g., embedded share buttons), or Content Delivery Network (CDN) providers.

Obligations: These third parties act as Data Processors or Joint Controllers and are contractually required to adhere to strict confidentiality and data protection obligations, including compliance with NDPR and GDPR tracking standards.


4. How to Control and Manage Cookies

You have the power to control and manage cookies at any time:

Cookie Banner (Primary Method): You can accept, decline, or customize your cookie preferences (except for Strictly Necessary Cookies) using the control panel provided in our on-site cookie banner upon your first visit.

Browser Settings: You can modify your browser settings to warn you before accepting cookies or to refuse all cookies. The “Help” function in your browser will guide you on how to do this.

Withdrawal of Consent: You can easily withdraw your consent for Performance, Functional, and Marketing cookies at any time by revisiting your cookie preferences via a link provided in the website footer.

Note on Functionality: Blocking or disabling certain cookies, especially Strictly Necessary or Functional cookies, may impair the basic operation of the website and prevent you from accessing certain features.


5. Contact

For any questions related to this Cookie Policy or our use of tracking technologies, please contact us: info@momentumhealthcare.org

Copyright © 2026 Momentum Healthcare. All Rights Reserved.
