NDPR Compliance
Nigeria Data Protection Regulation — Last updated: March 2025
1. Our Commitment to NDPR Compliance
NurseOS is fully committed to complying with the Nigeria Data Protection Regulation (NDPR), which was issued in January 2019 pursuant to Section 6(a) of the National Information Technology Development Agency (NITDA) Act 2007. The NDPR establishes a comprehensive framework for the protection of personal data in Nigeria, and as a healthcare technology platform operating primarily in the Nigerian market, we recognize our heightened responsibility to safeguard personal and health data.
This page explains how NurseOS aligns its data processing activities with the requirements of the NDPR and the Nigeria Data Protection Act 2023 (NDPA), which further strengthened data protection in Nigeria. We have appointed a Data Protection Officer (DPO) and established comprehensive data protection policies and procedures to ensure ongoing compliance.
2. Lawful Basis for Processing
Under the NDPR and NDPA, personal data must be processed on a lawful basis. NurseOS processes personal data under the following lawful bases: Consent — where the data subject has given clear and informed consent for specific processing activities; Contractual necessity — where processing is necessary for the performance of a contract to which the data subject is a party; Legal obligation — where processing is necessary for compliance with a legal obligation, including healthcare record-keeping requirements; and Legitimate interest — where processing is necessary for the legitimate interests of NurseOS, provided such interests are not overridden by the rights and freedoms of the data subject.
For clinical and health data specifically, processing is carried out under the lawful basis of providing healthcare services, which is recognized as a legitimate and necessary purpose under both the NDPR and the National Health Act 2014.
3. Data Subject Rights
In accordance with the NDPR and NDPA, NurseOS recognizes and respects the following rights of data subjects: the right to be informed about the collection and use of their personal data; the right of access to their personal data held by NurseOS; the right to rectification of inaccurate or incomplete personal data; the right to erasure ("right to be forgotten") subject to legal retention requirements; the right to restrict processing in certain circumstances; the right to data portability, allowing data subjects to receive their data in a structured, commonly used, and machine-readable format; and the right to object to processing for direct marketing purposes.
To exercise any of these rights, data subjects may contact our Data Protection Officer at privacy@nurseos.com. We will respond to all requests within 30 days as required by the NDPR.
4. Data Processing Safeguards
NurseOS implements appropriate technical and organizational measures to ensure the security of personal data, including: encryption of all personal data at rest using AES-256; encryption of all data in transit using TLS 1.3; role-based access controls that limit data access to authorized personnel with a legitimate need; multi-factor authentication for all user accounts; regular security audits and vulnerability assessments; employee training on data protection obligations; and data minimization principles ensuring we only collect and process data that is necessary for the stated purpose.
We also maintain a data processing register as required by the NDPR, documenting all categories of personal data processed, the purposes of processing, data retention periods, and the security measures applied to each category.
5. Cross-Border Data Transfers
NurseOS may process personal data outside of Nigeria through our cloud infrastructure providers. In accordance with the NDPR, we ensure that any cross-border transfer of personal data is made only to jurisdictions that provide an adequate level of data protection, or with appropriate safeguards including standard contractual clauses approved by NITDA. We conduct due diligence on all data processors and sub-processors to ensure they meet the data protection standards required by the NDPR.
6. Data Breach Notification
In the event of a personal data breach, NurseOS will notify the National Information Technology Development Agency (NITDA) within 72 hours of becoming aware of the breach, as required by the NDPR. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will also communicate the breach to affected individuals without undue delay. Our incident response plan includes procedures for containment, assessment, notification, and remediation of data breaches.
7. Data Protection Impact Assessments
NurseOS conducts Data Protection Impact Assessments (DPIAs) for any new processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. Given the sensitive nature of health data processed on our platform, we conduct DPIAs as a standard practice for all major feature releases and system changes. DPIA results are documented and reviewed by our Data Protection Officer before any new processing activity commences.
8. Contact Us
For any questions about our NDPR compliance or to exercise your data subject rights, please contact our Data Protection Officer:
NurseOS Data Protection Officer
Email: privacy@nurseos.com
WhatsApp: +234 705 235 6638
You may also lodge a complaint with NITDA through their official channels if you believe your data protection rights have been violated.