Privacy & Cookies Policy
Last updated: May 25th, 2021
Our intent is to collect only the personal information that is provided voluntarily by our patients, customers or online visitors so that we can offer information and/or services to those for specific and legitimate purposes. Please review this Privacy Notice to learn more about how we collect, use, share and protect the personal information that we obtain. Our Privacy Notice may change at any time but it will be updated on our website. It is accepted that your continued use of our online platforms will mean that you agree to the changes.
- Data Protection Policy
The MHCCCL’s Information Protection Policy (IPP) applies to personal information processed by the Hospital as a data controller and as described in this policy. The policy explains what information we collect about our customers, how we use that information, who we share it with, the circumstances under which we may share it and what steps are taken to make sure it stays private and secure. The policy also clearly outlines the right of customers in respect of information collected in the course of business.
It is important to know that the policy continues to apply even if the customer agreement for our services with MHCCCL ends and it covers any service which customers have with MHCCCL e.g. consultancy, surgery, health assessment, pediatrics, dialysis, endoscopy, physiotherapy and rehabilitation services, among others.
- Collection and Use of Personal Information
2.1. What we collect
Your personal information is not used for purposes other than those listed in this document, unless we obtain your permission, or unless otherwise required by law. In general we collect and generate the following information:
- Individual personal information (e.g. name, previous names, blood group, health status, genotype, date and place of birth, etc.).
- Individual personal contact details (e.g. address, email address, landline, fax and/or mobile numbers).
- Identity information (e.g. photo ID, passport, utility bill, national ID card and/or nationality).
- User authentication login and subscription data (e.g. login credentials for online rending of our Hospital services).
- Financial information.
- Information about the ways you interact with MHCCCL (e.g. channels used, geographic information, software used and information concerning your complaints).
- Any information received from external authoritative registers required for compliance purposes.
- Information captured in customer documentation or data exchange such as application forms or advice documents or via telephone (e.g. records of advice).
- Marketing and promotional information (e.g. details of the services we offer and your preferences).
- Cookies and similar technologies used to remember your preferences and tailor content.
- Data or records of correspondence related to relevant exchanges of information (e.g. emails).
- Information to fulfill regulatory obligations (e.g. transaction details, user activity).
- Information from other entities (e.g. relevant transaction information).
- Information from third parties providing information to identify and manage fraud.
- Closed circuit television (CCTV) in and around MHCCCL facilities (these may collect photos or videos of you).
- Other information about you that is voluntarily provided by filling in online forms or by communicating with us, whether face-to-face or via other available channels (e.g. by phone, email, online).
2.2 Why we collect it and the Legal Grounds
MHCCCL generally collects only the personal information necessary to fulfill your request and to provide the requested and/or agreed services. Where additional, optional information is sought, you will be notified of this at the point of collection. The applicable law allows us to process personal information, so long as we have a ground under the law to do so. It also requires us to tell you what those grounds are. As a result, when we process your personal information, we will rely on one of the following processing conditions:
- Performance of a contract: This is when the processing of your personal information is necessary in order to perform our obligations under a contract but also to be able to complete our acceptance procedure so as to enter into a contract;
- Legal obligation or for public interest: This is when we are required to process your personal information in order to comply with a legal obligation, such as keeping records for complying with any tax obligations, regulatory purposes, or providing information to a public body or law enforcement organization;
- Legitimate interests: where necessary, we may process information about you where there is a legitimate interest for us or a third party with respect to your health interests, except where such interests are overridden by your interests, fundamental rights and freedoms; or you expressly deny.
- Consent: We may occasionally ask you for specific permission to process some of your personal information for some or more specific purposes such as research and studies, and we will only process your personal information in this way if you so agree.
- What constitutes consent? Your consent is given when you consume our services, navigate our website, tick our online forms or boxes, subscribe to our email alerts, and attend our online/offline events and other events, or when you voluntarily submit your personal data to us.
- How do you withdraw your consent? You may withdraw your consent at any time by unsubscribing to our email alerts or other digital platforms or by contacting the MHCCCL Data Protection Officer (DPO) via IT@marigoldhospital.ng
In general we process, transfer and disclose your information to:
- Provide you with our healthcare services (including via online platforms).
- Verify your identity (e.g. for authentication purposes).
- Deal with your transactions or carry out instructions.
- Perform data analytics and understand your preferences and how you use the provided services.
- Keep record keeping and accountability.
- Meet compliance and legal obligations such as to comply with the extant Data regulatory framework.
- Manage our relationship with you (including any activities you agree to).
- Obtain reports of an online problem (e.g. with the MHCCCL site).
- Enforce or defend the rights of a member, staff or customer of MHCCCL.
- For internal operational support and administrative purposes (e.g development of our service, audit and risk management).
- Ensure security and Organizational continuity.
- For service quality management and service improvement.
- Correspond with third parties (e.g. vendors, HMO, regulators and intermediaries).
- To facilitate dissemination of information about our association and events.
- For the purpose of registration and participation at our online and offline events.
- To respond to and build on any feedback you send us.
2.3 Retention of Information
We will only retain your personal data for the duration of 20 years for the purposes set out in this policy or our contract with you; and will only be destroyed before this expiration period when you exercise your right to request deletion of personal data, or otherwise required by law.
After expiration of any of the aforementioned periods as applicable, your personal data will be irreversibly destroyed. This allows us to comply with legal and regulatory requirements or fulfill our legitimate purposes. If we do not need to retain information for a period of time, we may destroy, delete or anonymize it more promptly. Any personal data held by us will be kept by us until such time that you notify us that you no longer wish to receive this information.
2.4 Storage of Information
2.5 Sharing Information
We do not share personal information with unaffiliated third parties, except if necessary for our legitimate professional and business needs, to carry out your requests, and/or as required or permitted by law. These include:
- Service providers: MHCCCL works with reputable partners and service providers so they can process your personal information on our behalf where required. MHCCCL will only transfer personal information to them when they meet our standards set in our third party information security policy on the processing of data and security. We only share personal information that allows them to provide their services.
- Courts, law enforcement or regulatory bodies: MHCCCL may disclose personal information in order to respond to requests of courts, government or law enforcement entities or where it is necessary to comply with applicable laws, court orders or rules, or government regulations.
- Audits: Disclosures of personal information may also be needed for data privacy or security audits and/or to investigate or respond to a complaint or security threat.
As such information may be transferred and disclosed to authorities, law enforcement, government, persons acting on your behalf, payment recipients, beneficiaries, intermediaries, other financial institutions, lenders and holders of security over any property relevant to MHCCCL, payment service providers, technology providers, support service providers, etc. We may also share aggregated or anonymized information with partners such as research groups, universities or advertisers.
2.6 Automated Decisions and Profiling
We do not use automated systems to make automated suggestions or decisions, including profiling, based on personal information we have, or that are allowed to collect from other authorized sources, about you. All personal data we collect have human involvement.
2.7. Further Processing
We sometimes process personal data for purposes other than those for which the personal data were initially collected where the processing is compatible with the purposes for which the personal data were initially collected. In order to ascertain whether the processing for another purpose is compatible with the purpose for which the personal data were initially collected:
- Any link between the original and proposed new purposes.
- The context in which data have been collected (in particular the relationship between us and your reasonable expectations).
- The nature of the data (particularly whether they are sensitive data or criminal offence data).
- The possible consequences of the proposed processing.
- The existence of safeguards (including encryption). Where the data subject has given consent or the processing is based on the law we are allowed to further process the personal data irrespective of the compatibility of the purposes. Where we intend to process the personal data for a purpose other than that for which they were collected, we will provide you, prior to that further processing, with information on that other purpose and other necessary information.
3.0 Automatic Collection Cookies & IP Addresses
Cookies may be placed on your computer or internet-enabled device whenever you visit MHCCCL online. This allows the site to remember your computer or device and serves a number of purposes.
Your selection will be saved in a cookie and is valid for a short period (e.g. 90 days). If you wish to revoke your selection, you may do so by clearing your browser’s cookies. Although most browsers automatically accept cookies, you can choose whether or not to accept cookies via your browser’s settings (often found in your browser’s Tools or Preferences menu). You may also delete cookies from your device at any time. However, please be aware that if you do not accept cookies, you may not be able to fully experience some of our web sites’ features.
Cookies by themselves do not tell us your email address or otherwise identify you personally. In our analytical reports, we may obtain other identifiers, but this is for the purpose of identifying the number of unique visitors to our web sites and geographic origin of visitor trends, and not to identify individual visitors. MHCCCL may also collect and use the geographical location of your computer or mobile device. This location data is collected for the purpose of providing you with information regarding services which we believe may be of interest to you based on your geographic location, and to improve our location-based products and services.
By navigating on our web sites and accepting cookies or entering your login details to access areas reserved for registered users, you agree that we can place these cookies on your computer or internet enabled device.
3.2 IP Addresses
An IP address is a number assigned to your computer whenever you access the internet. It allows computers and servers to recognize and communicate with one another. IP addresses from which visitors appear to originate may be recorded for IT security and system diagnostic purposes. This information may also be used in aggregate form to conduct web site trend and performance analysis.
4.0 Your Rights
4.1 Data Subject Rights
MHCCCL may ask for your permission for certain uses of your personal information, and you can agree to or decline those uses. If you opt-in for particular services or communications, such as an e-newsletter you will be able to unsubscribe at any time by following the instructions included in each communication. If you decide to unsubscribe from a service or communication, we will try to remove your information promptly, although we may require additional information before we can process your request.
In general if you have submitted personal information to MHCCCL, you have the following rights:
- The right to access information about you and to obtain information about how it is processed.
- The right to request that your information is corrected if it is inaccurate or incomplete.
- The right to request that your information is erased (depending on the circumstances and agreements in place).
- We may continue to retain your information if another legitimate reason for doing so exists. You have the right to have you personal data erased if:
- The personal data is no longer necessary for the purpose which it was originally collected or processed for.
- MHCCCL is relying on consent as the lawful basis for holding the data, and you withdraw your consent.
- MHCCCL is relying on legitimate interests as the basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing.
- MHCCCL has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement).
- It has to be done to comply with a legal obligation.
- The right to request that we restrict our processing of your information if the information provided to MHCCCL are not accurate, the processing is unlawful and your request for erasure is opposed or when we no longer need your data for the purpose of processing but they are required by you for the establishment, exercise or defence of legal claims.
- The right to withdraw your consent to our processing of your information (depending on the circumstances and agreements in place). We may continue to process your information if another legitimate reason for doing so exists.
- The right to receive certain information you have provided to us in an electronic format and / or request that it is transmitted to a third party. This applies when:
- The lawful basis for processing this information is consent or for the performance of a contract.
- The right to ask us not to process your personal data for marketing purposes. Prior to collecting data, we will usually inform you if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data.
- The right to lodge a complaint with the Data Protection Regulatory Authority, for example the National Information Technology Development Authority (NITDA) if you think that MHCCCL has not processed your personal data in accordance with data protection legislation.
You can exercise your rights by contacting us using the details set out in the “Questions and Enforcement” section. We will make all reasonable and practical efforts to comply with your request, if it is consistent with applicable laws and regulations. In such a case every effort to comply within one month shall be made or to inform you of refusal and the basis of this, or of an extension to the period to comply.
5.0 Other Relevant Information
5.1 Data Security
MHCCCL has security policies and procedures in place to protect personal information from unauthorized loss, misuse, alteration, or destruction. Despite MHCCCL’s best efforts, however, security cannot be absolutely guaranteed against all threats. To the best of our ability, access to your personal information is limited to those who have a need to know and they are required to maintain the confidentiality of such information. A series of technology and Cyber Security platforms and solutions are utilized to protect data within the MHCCCL environment including, but not limited to perimeter security mechanisms, end point security mechanisms, encryption, etc.
5.2 Your Responsibilities
You are responsible for ensuring that the information provided to MHCCCL on your behalf is accurate and up to date, and you must inform us if anything changes as soon as possible. If you provide information for another person on your account, you must direct them to this notice and ensure they also agree to us using their information.
5.3 Questions and Enforcement
If you are not satisfied with the response you receive, you may escalate your concern to the Data Protection Commissioner by visiting their website at www.nitda.gov.ng or email – email@example.com but this is without prejudice to your right to file an action in a court of law. The time frame for remedies may be determined by a court of competent jurisdiction or the regulator.
5.4 Children’s Privacy
Please note that our services apply to children irrespective of age. We knowingly collect personally identifiable information from Children under the age of 18, under the strict supervision and consent of the child’s parent, guardian or legal custodian.
5.4 Links to Other Websites
5.5 Governing Principles of our Data Processing
We guarantee that your personal data shall be:
- collected and processed in accordance with specific, legitimate and lawful purpose consented to by you; provided that: a further processing may be done only for archiving, research or statistical purposes for public interest;
- restricted to you and shall not be transferred to any person or entity except as required by law;
- it is adequate, accurate and without prejudice to the dignity of human person;
- Stored only for the period within which it is reasonably needed, and;
- Secured against all foreseeable hazards/breaches such as theft, cyberattack, etc.