The BeyHealth Privacy Policy


Last updated: 31 January 2019 

We Value Your Privacy 

At BeyHealth Consulting LTD, we take your privacy seriously and treat your personal information with the highest level of confidentiality. Our Privacy policy (together with our Terms and Conditions) sets out the basis upon which we will process any personal information we collect from you, or that you provide to us. It describes what type of personal information we collect, how we collect it, how we protect it and under what circumstances we may share that information with a third party. It also tells you how you can access, change and limit our sharing of your personal information.  

We have a short version of this privacy policy (just in case you don’t have enough time at the moment to read the full text). However, we do encourage you to read the more extended version for a detailed explanation of the rights and obligations associated with our handling of your data. 

Short Version 

BeyHealth Consulting LTD collects your information only with your consent. We collect the minimum amount of personal data necessary to fulfil the purpose of your interaction with us. We do not sell personal information that you give to us to third parties and will only use this information to provide you with a service and in accordance with the terms and conditions described in this Privacy Policy.  

Our medical education services are based in Nigeria and are directed primarily toward users and subscribers in Africa. If you are accessing our services from within Nigeria and the European Economic Area (EEA), you may have certain rights in accordance with the Nigeria Data Protection Regulation (NDPR) 2019 and the EU General Data Protection Regulation (GDPR) 2016.  

We place various cookies on your browser to understand how you’re using, and, (our websites) and how we can then customise our service to offer you an experience that aligns with your needs. Some of these cookies are from third party applications that provide us with analytical data concerning your visits to our website, and some are tools that enable you to share our content at your discretion on social media platforms of your choice or to facilitate your online registration for one of our conferences, workshops or seminars.  

If you prefer not to consent to the use of cookies while on our website, you can opt out here – Change your cookie preferences. 



Longer Version 


This Privacy Policy is intended to explain how your personal information will be handled by BeyHealth Consulting Limited (‘BeyHealth’we’, ‘our’ and ‘us’) of 1st Floor, Jabita Court, Plot 136, Alake Onile-Ere Crescent, Gbagada, Lagos, Nigeria.  

It sets out the personal information relating to you (‘Personal Data’) that will be collected and processed by BeyHealth in the context of your engagement with the company through,, and (its Websites), the platform and services provided thereon, and events held for the benefit of clients, partners and subscribers (‘Attendees’) attending its conferences, seminars and workshops (‘Events’) at designated physical locations and venues (collectively referred to as ‘BeyHealth Services’).  

The policy applies to the processing of personal data that is conducted wholly or partly by automated means. It also applies to the processing of data other than by automated means, and of personal data which forms part of or is intended to form part of, a filing system or database.  

It outlines the legal rights and obligations associated with the administration of your personal data and informs you of our procedures for collection, use and disclosure of personal information and what you can do to control how your data is processed.  


Personal Data refers to any information relating to a natural person (‘data subject’) who can be identified or who is identifiable, either directly from the information in question or indirectly from that information in combination with other information. Examples of such identifiers may include a name, an identification number, location data, an online identifier such as an IP address, and other factors that may identify an individual. 

In other words, any information that can be used to identify you personally is Personal Data. BeyHealth Consulting Limited will not sell any personal information that you give to us, including your e-mail address, and will only use this information for internal purposes. 


We may collect and process the following types of personal data: 

  • Personal Information – this includes information such as your name, email address, company, phone number and password. 
  • Device Information – this includes information such as the type of your device, operating system, browser, IP address, traffic and location data, and resources, advertisements and linked websites and other information derived from cookies used on our Websites. Our Cookie policy also gives you information about how we use cookies on our Websites.  
  • Transactional History – this includes information about the date, time, value and number of transactions you make through our website and services. 
  • Miscellaneous – this includes any other information which is provided to us by you (and with your consent). 

You control the information you provide to us. If you choose not to give us this information, we often cannot provide you with the information you are requesting from us. You will, however, able to access and use some parts of our Websites without providing us with your personal data 


We collect personal data from you when you communicate with us, sign-up for our services (including registering for an event), submit an enquiry or request support, subscribe to one of our newsletters or mailing lists or supply personal data through one of our websites or third-party service providers.  


We have no legal obligation to process your personal data, and it is not essential for us to collect this information to protect a vital interest or to fulfil the requirements of a necessary public task. It is unlikely that our legitimate interests in enhancing the efficiency of our website and response to your enquiries could justify an infringement on your fundamental rights and freedoms or a potential negative consequence arising from our processing of your data. Our justification for processing your personal data is based entirely on the following: 

Consent – You have real choice and control over the personal data you provide to us, and our processes are transparent about how you can withdraw your consent. We will require you to positively opt-in to the services and subscriptions we offer to you, and we make our requests clear and specific in every case. This privacy policy tells you about the rights and obligations governing our administration of your consent. 

Contract – It is necessary for us to process your personal data to enter into an agreement with you and to fulfil our commitments in respect of your use of BeyHealth Consulting Limited as a provider of medical education and continued professional development services. We collect, obtain and process your personal data to:  

  • Provide you with access to our website and to authorise your use of web-enabled resources and subscription services available through this platform. 
  • To create an account for you on our website, to process your actions through this account and to manage and administer your account and engagement with our services in accordance with the terms and conditions of our contract with you. 
  • To process your payments through our third-party payment providers. 
  • To contact you in connection with any aspect of our service to you. 


The information you provide to us may be used in any of the following ways: 

  • Marketing and events communication – we send periodic e-mails regarding your subscriptions, event registration and information relevant to our services. 
  • To personalise your experience and the service we offer to you in future (the data you supply helps us better respond to your requirements). 
  • To monitor and improve the services we offer – we continually strive to improve our services based on the information and feedback we receive from you. 
  • To create a more useful and practical environment for you on our Website (your feedback helps improve the content and layout of our Website). 
  • To send you journal articles and other material of relevance to your interests. 
  • To process your paid transactions through our secure third-party payment applications. 
  • Account set-up and administration purposes – to help you register and prepare for upcoming events. 
  • To conduct polls, surveys and feedback requests designed to improve our service. 


We are committed to the safety and security of your information. We have taken reasonable and appropriate steps to prevent unauthorised access to, and misuse of, your personal data. We implement a variety of security measures to prevent data breaches and maintain the safety of your personal data when you submit a request, place an order or access your personal information through our websites.   

We use password-protected directories and databases to safeguard your personal data, and Secure Sockets Layered (SSL) and Transport Layer Security (TLS) technology to ensure your data is fully encrypted and transmitted across the internet securely. All supplied payment card information is transmitted via SSL technology and encrypted into our third-party payment gateway provider databases and only accessible by individuals authorised with exclusive, confidential access rights to such systems.  

We do not store or process any of your card or payment information. Our trusted third-party payment providers process all payment information. Our third-party providers of card payment services and other technological applications adhere to similar standards of online security and information governance, including secure identity verification, secure password protection and electronic two-factor authentication of identity where necessary. We comply strictly with the requirements of these security measures. We have no control over the services provided by these third-party applications and therefore cannot assume responsibility for any misuse of payment card information supplied to these services.  

Where we have provided you with a password to grant you access to specific areas of our website infrastructure, we request that you appreciate that this password is being used as a means of protecting your accounts and personal data held on our system. It is your responsibility to keep your password confidential. We ask that you do not share this information with anyone. If you are sharing a computer with other individuals, you should always log out of the system before leaving the area to prevent subsequent users from gaining unauthorised access to your personal data.  


Your personal data is processed in secure physical locations in Nigeria and stored on secure servers located within the European Economic Area (the EEA’) and the United States. We only transfer and store your personal data in locations that guarantee an internationally accredited level of data security and where there are appropriate safeguards in place to protect your personal data.  


We only retain personal data for as long as is necessary to fulfil the purpose for which it was collected. We expect to keep your personal data for as long as you continue to subscribe to our services and for as long as it remains necessary to maintain a continuous customer relationship with you.  

In general, we may keep your personal data for up to 5 years after the last active date of your account with us. Please note that the duration of storage of personal data may vary between subscribers and may be determined by prevailing legal, regulatory and administrative requirements relevant to your data. Any personal data which is no longer required will be erased/deleted from our records.  


If you have created an account or a personal profile on one of our websites, we would usually provide you with secure access and instructions to update some or all your personal information held on this account. You may be required to contact us if you wish to make amendments to certain aspects of your profile for which general access has not been granted. We may request additional security information to verify your identity at this stage. We reserve the right to deny your request to amend personal data if we are permitted or required to do so by law, or pending such time as you are able to verify your identity. 


You have the right to withdraw your consent for us to use your personal data at any time. This right will be interpreted in conjunction with other rights, responsibilities and obligations governing the administration of your personal data. 

If you would like to correct, amend or delete information about you held by us, or have any questions regarding storage, retention or processing of your personal data, please e-mail us at 


The essential function of our websites is to facilitate medical education and continued professional development among trainee and practising healthcare professionals and the healthcare provider community in Africa. Our Websites and services are therefore designed for business users only and not intended for use by anyone under the age of 18 years.  

We do not routinely verify the age of our users but do realise that an individual under the age of 18 years may attempt to access our website. Our websites do not contain sexually explicit content but may contain material suitable for professional purposes but unsuited to viewing by children and under-aged individuals. If you are a parent or legal guardian of a person under the age of 18 years and have reason to believe that your ward has accessed services provided on our websites, please contact us immediately at the address provided below. We will use reasonable efforts to ensure that any information or personal data collected as a result of this access is removed from our databases. 

If you reside in a jurisdiction in which different age thresholds apply, we ask that you respect the purpose and objectives of our websites and comply in full, with the requirements of this privacy policy. 


The information you provide to us is held in the strictest confidence. We do not sell, trade or transfer your personal data to outside parties. Where necessary, and providing these parties agree to keep this information confidential, we may disclose personal data we collect from and about you to the following third parties.  

Third-Party Service Providers 

All our third-party providers have their own privacy policy and independent security arrangements for safeguarding personal data. We do not assume responsibility and accept no liability for the content and activities of any third-party service provider. Operationally, we use the following services to store and process personal data 

Primary Providers 

  • Team Tito Limited (‘Tito’) – who provide us with event registration services online. 
  • Salesforce – who provide us with customer relationship management, cloud computing, storage and web hosting services. 
  • Amazon Web Services – who provide us with cloud storage for our journal services 
  • WordPress – who provide us with web development services, contact form management and messaging services.  
  • Microsoft Office Online (Office 365) – who provide us with cloud storage services 
  • MailChimp – who provide us with contact management and database services, and e-mail newsletter campaigns.  
  • Google Analytics – who provide us with analytics services that allow us to measure activity on our websites and judge the effectiveness of the material we publish. 

Other Providers that may store some personal information 

  • Apple (via Apple Pay/Apple Wallet) 
  • Gravatar
  • Google Apps 
  • Google Docs 
  • Google Sheets 
  • Google Mail (Gmail) 
  • Google Cloud (and Maps services) 
  • Google Cloud (and Google Maps services) 
  • GitHub 
  • Stripe 
  • PayPal 
  • Falcon IO 
  • Dropbox 
  • Zapier 
  • Typeform 

The list of third-party service providers we use may change from time to time to ensure that we are managing the security of your personal data in the best way possible. We update our list of third-party service providers regularly. The most recent update can be found in the latest version of our privacy policy. 

Statutory bodies, Regulatory Authorities and Law Enforcement 

We may be required to disclose your personal data if such disclosure is necessary to: 

  • Comply with statutory, legal or regulatory obligations and requests.  
  • Protect the rights, property and safety of our customers, the public and ourselves.  

External advisors – such as our lawyers, accountants and auditors may also have access to personal data to the extent permitted by law and necessary to ensure compliance with statutory, regulatory and legal requirements governing the conduct of our business. 

Prospective or actual purchasers of our company or assets – Applies in case of acquisition by, or a merger with a third party. The new business would assume responsibility for providing the website and associated services and retain the right to use your personal data in accordance with the terms of this (or succeeding) privacy policy.   


Our services are based in Nigeria and targeted specifically at individuals in Africa. If you are accessing our websites or using our services from within the European Union (EU) or European Economic Area (EEA), you may have certain rights under the EU General Data Protection Regulation (GDPR) 2016 

  • Right to be Informed 
    You have the right to know if we are processing your personal data, what personal data is being processed, how we use your personal data and your rights in relation to any personal data we hold for you.  
  • Right of Access (‘subject access’) 
    You have the right to access your personal data held by us. You are entitled to make a subject access request verbally or in writing. We will have one month to respond to your request. In most circumstances, we will not charge a fee to deal with such requests. 
  • Right to Rectification 
    You have the right to have any inaccurate personal data we hold about you updated or corrected.  An individual can request rectification verbally or in writing. We will have one calendar month to respond to your request and can, in certain circumstances, can refuse such a request for rectification. 
  • Right to Erasure (also known as the ‘right to be forgotten’) 
    You have the right to request the removal or deletion (‘erasure’) of your personal data if there is no compelling reason for us to continue to hold this information. An individual can make a request for restriction verbally or in writing. We will have one calendar month to respond to a request. The right is not absolute and only applies in certain circumstances.  

You have the right to have your personal data erased if: 

  • The data is no longer necessary for the purpose it was originally collected or processed. 
  • We are relying on consent as the lawful basis for holding your data and you, the individual, withdraw your consent. 
  • We are relying on legitimate interests as our basis for processing, you object to our processing your data, and there is no overriding legitimate reason to continue this processing. 
  • We have collected or processed your personal data unlawfully in the first place. 
  • The data must be erased to comply with a legal obligation. 
  • We have processed the personal data in relation to the offer of information society services to a child. 
  • Right to Restriction of Processing 
    You have a right to ask us to restrict the processing of your personal data. This right is not absolute and only applies in certain circumstances, including if you believe that the personal data that we hold about you is inaccurate or that our use of your personal data is unlawful. You can make a request for restriction verbally or in writing. We will have one calendar month to respond to your request. When processing is restricted, we are permitted to store your data, but will not use it until the issue necessitating the restriction has been resolved.  
  • Right to Data Portability 
    You have the right to request that we provide you with the personal data you have given to us and to use it (across different services) for your own purposes upon receipt. We will provide this data to you within 30 days of your request. To request your personal data, please contact us using the information at the top of this privacy notice. 
  • Right to Object 

You have the right to object to the processing of your personal data in certain circumstances. You can make this objection verbally or in writing. We will have one calendar month to respond to your complaint. You have an absolute right to stop your data being used for the purpose of direct marketing. 

In other cases, your right to object may depend on the purpose and lawful basis for processing your personal data in each case. Your right to object may not be considered absolute if any of the following circumstances exist: 

  • A task carried out in the public interest. 
  • The exercise of official authority vested in us – or, 
  • Where processing is conducted for our own legitimate interests (or those of a third party). 

You will be required to provide specific reasons for objecting to the processing of your data, and we may be able to continue processing if: 

  • We can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the individual – or,  
  • If the processing is for the establishment, exercise or defence of legal claims. 

In cases of data being processed for scientific or historical research, or statistical purposes, your right to object under GDPR is more limited. We may be able to proceed with processing on the basis of carrying out research or statistical work solely for the performance of a necessary public task carried out in the public interest. We will consider each objection on its own merits and aim always to provide a suitable explanation for our decision. We will inform you of your right to complain to relevant supervisory authorities regarding this process as well as provide you with any information that you may find useful. 


We reserve the right to update our privacy policy to reflect changes in the provision of our services in future. The current privacy policy will remain in effect until an updated policy is published (on this page) to reflect changes in its provisions. Your continued use of our service following any modifications to the privacy policy as published on this page constitutes an acknowledgement of these modifications and your consent to abide and be bound by the terms of the newly modified and published privacy policy. 


If you have any questions regarding this privacy policy, please contact us at: 

BeyHealth Consulting LTD. 

1st Floor, Jabita Court  

Plot 136, Alake Onile-Ere Crescent 

Gbagada, Lagos 




Last updated: 31 January 2019 


All personal data held by us is stored on Salesforce and MailChimp servers in the United States and by Amazon Web Services (via the Tito Services platform). All directory and database passwords are hashed and cannot be retrieved (they must be reset).  

Applications communicating with our website use Secure Sockets Layered (SSL) and Transport Layer Security (TLS) technology to ensure your data is fully encrypted and transmitted across the internet securely. All supplied payment card information is transmitted via SSL technology and encrypted into our third-party payment gateway provider databases and only accessible by individuals authorised with exclusive, confidential access rights to such systems. 


All communication between your browser and our websites is secure and encrypted using HTTPS protocol. If you are using a web browser such as Internet Explorer, Firefox and Chrome, our Websites will display a padlock icon in the address bar to visually indicate that a trusted SSL Digital Certificate is being used during a secure HTTPS connection. 

Because our web pages only support HTTPS protocol, personal data such as your name, e-mail address and credit card details provided on and communicated through our websites is securely encrypted and cannot be intercepted and decrypted by a ‘hacker’ or intruder. 


In the event of a data breach, BeyHealth will conduct a thorough investigate and notify all individuals affected with: 

  • Details of the incident (what happened?) 
  • Personal information (including personal data) compromised 
  • Recommendations for further action (including changes to minimise the risk of a similar occurrence in future) 

An assessment of the likely impact of the data breach will be conducted and communicated appropriately. In the event of a confirmed breach, all passwords relating to data held within our system will be reset.  


If you have any questions regarding this privacy policy, please contact us at: 

BeyHealth Consulting LTD. 

1st Floor, Jabita Court  

Plot 136, Alake Onile-Ere Crescent 

Gbagada, Lagos 




Last updated: 31 January 2019 


Cookies are small pieces of data or text files that are downloaded to your computer or mobile device when you access a website. The text contained in the cookie (often readable by the web server that delivered the cookie to you) generally consists of a sequence of letters and numbers that uniquely identifies your computer or mobile device. 


Yes. Like many other companies, our Website uses cookies to remember your preferences, customise your customer experience and enhance the usefulness of our site to you and others. The information provided through cookies helps us understand how visitors engage with our services online.   

  • Google Analytics cookies 

Google Analytics uses cookies to gather and analyse information about how visitors use the site and helps us refine that experience to serve our clients better. The information generated by the cookies about your IP address and use of our website will be transmitted to and stored by Google on its own managed servers. For more information on how Google collects and processes your data, visit 
You can prevent Google Analytics from using your information by opting out via this link: 

  • Stripe Cookies 

Whenever a customer uses Stripe to make a payment on our website, Stripe sets a cookie as an integral part of its fraud detection protocol to ensure that all transactions processed through its payment gateway are safe and legitimate and comply with its internal requirements for data and financial security.  


  • Identify areas of our website that you have visited. 
  • Remember your preferences, settings, and login details 
  • Personalise content on our website to make it more useful to you. 
  • Analyse your use and patterns of engagement on our website (using Google Analytics). 
  • Understand how you use our website and discover what content is most useful to you.   
  • Assist you in posting comments, questions and requests on our website. 
  • Enable you to share content with social networks. 

You will always be asked to consent to the use of cookies when visiting our website. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. Most web browsers can also be set to disable the use of cookies. However, if you choose to withhold consent or disable access to cookies in your browser settings, you may not be able to access certain features of our website.  


You may be able to disable cookies in your browser using the following information: 

  • Internet Explorer - click to view page [] 
  • Chrome - click to view page [] 
  • Firefox - click to view page [] 
  • Safari - click to view page [] 
  • Opera - click to view page [] 
  • Flash cookies - click to view page [] 
  • Apple Devices - click to view page [] 
  • Android Devices - click to view page [] 


If you have any questions regarding this privacy policy, please contact us at: 

BeyHealth Consulting LTD. 

1st Floor, Jabita Court  

Plot 136, Alake Onile-Ere Crescent 

Gbagada, Lagos 




2. What information do we collect about you?

The personal data that we collect, and process may include:

2.1 basic information such as name, date of birth, employer, title, age, relationship affiliations with a person or organization, next of Kin, height,
weight, temperature;
2.2 contact information such as physical address, email address and
2.3 details of your treatment and care;
2.4 notes and reports about your health;
2.5 technical information (including your IP address): Information obtained
from a visit to our website;
2.6 payment details;
2.7 confidential information generated by us in the course of providing our services;
2.8 details relating to your visits to our hospital; and/or
2.9 any other information relating to you which you may provide to us.

3. How we protect your personal Information

We are committed to protecting your personal information and implementing appropriate technical and organizational security measures to protect it against any unauthorized or unlawful processing and against any accidental loss, destruction or damage. For our Patients, in order to provide this service and to provide ongoing care after discharge, whether to home, another hospital, or into the care of social services, we need to be able to process and share your data appropriately.

Our security policies are attached as Schedule 1 to this Privacy Policy in our INFORMATION SECURITY POLICY

4. How we protect your personal Information

We will only use your personal information if and to the extent that applicable law allows.

4.1 Provision of medical services: we use relevant personal information described above in order to provide you with the requisite medical services.
4.2 Ability to proceed with an offer on our products or covers: We will process your personal information for the purposes of our legitimate interests in determining your ability to proceed with a transaction or agreement so that we have an informed choice should there be an offer. This also has the potential to speed up any subsequent transaction.
4.3 To engage with you in relation to our products and services: we will use your personal information to provide you with the products and services you have requested from us. We will process your personal information in this way if it is necessary for the performance of the contract with us.
4.4 To do all things necessary to comply with our customers’ instructions and our legal obligations to our customers and in compliance with privacy legislation such as NDPR 2019.

We will therefore only process your personal information if:

4.5 you have given your consent (where necessary) to such use or the organization you work for has obtained your consent (where necessary) to share your information with us; or
4.6 if we have a legitimate interest which is not overridden by your interests or your rights and freedoms.
If you have given us your express consent, we may process your personal data for additional purposes. Please note that you may withdraw your consent at any time, you may so wish.

5. If you fail to provide personal data?

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide the necessary medical services or perform the contract we have or are trying to enter into with you (for example, to provide you with our products or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

6. How is your personal data collected?

We use different methods to collect data from and about you including through:

6.1 Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
6.1.1 apply for our products or services;
6.1.2 create an account on our website;
6.1.3 subscribe to our service or publications;
6.1.4 request marketing to be sent to you;
6.1.5 enter a competition, promotion or survey; or
6.1.6 give us feedback or contact us.

6.2 Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies [server logs] and other similar technologies. [We may also receive Technical Data about you if you visit other websites employing our cookies.]

7. Sharing your personal data

Irrespective of how we obtain your personal data, it may be shared among all our offices, and other healthcare providers, external medical consultants as the need arises. All our hospital branches will always ensure at least a standard level of data protection is always in place. Where we share your personal data with third parties, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure its protection.

8. Marketing

We would like to send you information about our products and services, and special offers which may be of interest to you. Where we have your consent or it is in our legitimate interests to do so, we may do this by post, email, telephone, text message (SMS) or automated call. We will only ask whether you would like us to send you marketing messages when you tick the relevant boxes. If you have previously agreed to being contacted in this way, you can unsubscribe at any time by using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts.

9. Retaining your personal data

We would like to send you information about our products and services, and special offers which may be of interest to you. Where we have your consent or it is in our legitimate interests to do so, we may do this by post, email, telephone, text message (SMS) or automated call. We will only ask whether you would like us to send you marketing messages when you tick the relevant boxes. If you have previously agreed to being contacted in this way, you can unsubscribe at any time by using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts.

Your rights
In addition to your rights under applicable data protection legislation and where we are authorized or required by applicable law and by our professional obligations, we will provide you, upon request, with a copy of your personal data and we will correct any errors identified by you. Except as provided above, we will not use your data for any automated decision making or any profiling. You also have the right to withdraw your consent for a specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

10. Opting out

You can ask us to stop sending you marketing messages at any time [by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences OR by following the opt-out links on any marketing message sent to you OR by contacting us at any time]. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of [a product/service purchase, warranty registration, product/service experience or other transactions].
You are entitled to remedies for breach of your rights and the NDPR as stated in Schedule 2 to this Privacy Policy titled PERSONAL DATA BREACH & INCIDENT HANDLING PROCEDURE.

11. Cookies

This policy explains what cookies are and how they are used on The DUCHESS websites and applications. We encourage you to read the policy in full so that you understand what information we collect using cookies.

What is a cookie?
A “cookie” is a simple ‘text file’ which typically contains two pieces of information: a site name and a unique user identifier using your Internet Protocol (IP) address, placed onto your device (e.g., computer, smartphone or other electronic device) when you use our website. If you agree, we will store these cookies on your browser or hard drive when you visit our website. We use the following four types of cookies:

Strictly Necessary Cookies
These cookies are essential to make our website work. Without these cookies, our website cannot operate effectively – Examples are; ‘Book an appointment’ and ‘Make an Offer’.
Analytical and Performance Cookies
These cookies allow us to measure and analyze how our customers use the site, to improve both its functionality and your website experience. These cookies do not collect information that identifies you, instead they aggregate masses of data to provide information about how our website is performing.
Functionality Cookies
When you are browsing these cookies remember your preferences and help improve your website experience. These include things like remembering your browsing and language preferences or your chosen image size, meaning we can serve you the best possible experience each time you visit our site.

Targeted Advertising Cookies
These cookies record your visit to our website, the pages you have visited and the links you have followed. We use this information to deliver advertisements which are more relevant to you. For example, location information, products and services status.
By using our website, you agree to us placing these sorts of cookies on your device and accessing them when you visit our website in the future. You can delete any cookies that are already on your device through your browser and opt-out of targeted advertising cookies.
Our Cookies
To make full use of your online experience, your computer or device will need to accept cookies. If cookies are not enabled on your computer or device you will be unable to log in, request a valuation, book viewings, or receive an experience personalized to you.

Controlling the Use of Cookies
You can enable, disable and delete cookies through your browser. If you choose to disable cookies, our website may not operate correctly, and you may not be able to access secure areas of our website. If you choose to delete your cookies, you may have to update your preferences with us again and the experience you receive upon returning to our site for the first time may be slightly degraded until our cookies update with your preferences again.
Click the links below to learn how to manage your cookie preferences through your browser:
Microsoft Internet Explorer
Google Chrome
Mozilla Firefox

12. Changes to our Privacy Policy

We keep our Privacy Policy under regular review and we will place any updates on this web page. This Privacy Policy was last updated on 15 August 2021.


If you would like to exercise any of these rights, please contact us by emailing



The purpose of Information Security for THE DUCHESS INTERNATIONAL HOSPITAL (“The DUCHESS”) is to protect The DUCHESS information assets, regardless of whether these are held in manual or electronic form. This will help to safeguard the reputation of The DUCHESS, to optimize the management of risk and to minimize the impact of Information Security incidents. Implementation of this Policy will provide assurance to the hospital’s patients, stakeholders, partners and data subjects, that their information is held securely and used appropriately by the Hospital, whilst complying with the Nigerian Data Protection Regulation (NDPR) 2019 and satisfying auditors. Furthermore, it is a key enabler for information sharing through enhanced controls e.g. supporting access channel strategy, business continuity planning, citizen focused services, first contact deployment and flexible working.

According to the NDPR, anyone involved in data processing or the control of data shall develop security measures to protect data these measures will include ensuring that information is only available to those that are authorized to gain access, safeguarding the accuracy and completeness of information and processing methods, and assurance that authorized users have access to information and associated assets when this is required.
Information takes many forms. It may be processed and stored on computers or in other electronic form, printed or written on paper, shared through voice or video communications, transmitted through post or electronic means such as e-mail or fax, made available on corporate videos or web sites. Whatever form the information may take, or means

by which it is shared, stored or processed, it should always be appropriately classified and protected according to that classification. Information systems and the information they process and store are a vital asset to the Hospital. Any loss of computer systems or the information they contain could have serious repercussions for The DUCHESS and/or its clients. A breach of security during processing, storage or transfer of data could result in financial loss, personal injury to a member of staff, or patient or client, serious inconvenience, embarrassment, or even legal proceedings against The DUCHESS, and possibly the individuals involved. In order to ensure the confidentiality, integrity and availability of these systems an appropriate level of security must be achieved and maintained. The level of security implemented on each of the various systems will be consistent with the designated security classification of the information and the environment in which it operates.

Information on computer systems will be protected with anti-virus software, which will be updated regularly. Scans will be carried out regularly on all servers, workstations and laptops, and virus definitions will be updated each weekday. Updates and scans will be automatic for every machine and must not be turned off or bypassed.

The DUCHESS will take appropriate steps to prevent, detect, and recover from any loss or incident, whether accidental or malicious, including error, fraud, misuse, damage and disruption to, or loss of computing or communications facilities.

A security risk assessment will be carried out on each information asset to identify the level of protection required. The security and control procedures required will take into account the sensitivity and value of the information.


Information Security promotes trust both internally and externally in shared data and infrastructure. The DUCHESS strategic direction for Information Security is to provide a strong forward-looking information management system that is clearly aligned to The DUCHESS’s corporate vision and strategic priorities. This vision for Information Security reflects its growing role in maintaining trust and confidence both within The DUCHESS and outside.


The DUCHESS Information Security Policy is applicable to:

  1. All The DUCHESS information, information owned by its patients, clients and partners, and information about its clients.
  2. All The DUCHESS members, permanent, contract and temporary personnel, and all third parties, who have access to The DUCHESS premises, systems or information (Users).
  3. All The DUCHESS systems, software, and information created, held, processed or used on those systems or related media, electronic, magnetic, or written/ printed output from The DUCHESS systems.
  4. All means of communicating information, both within The DUCHESS and externally. For example, data and voice transmissions or recordings, post, e-mail, SMS/text, cameras, whiteboards, memory sticks, disks, fax, telex, image/sound processing, videoconferencing, photocopying, flip charts, general conversation etc.
    The IT Manager and DPO are responsible for defining Information Security policy and standards. Department heads and service providers are responsible for implementing policies and standards in their area of jurisdiction. Furthermore, these policies and standards must be included in service level agreements and contracts with IT service providers. Non -compliance with this policy will be dealt with under the relevant The DUCHESS procedures and may result in disciplinary action, termination of contract, or criminal prosecution in the most serious of cases.
    This policy is a living document and thus frequently updated to reflect technological, legal and organizational changes. It should therefore be revisited on a regular basis by all staff of The DUCHESS.


1. Data Protection Officer
The Data Protection Officer is ultimately responsible for ensuring the implementation of this Security Policy. It is the responsibility of all employees to ensure that they conduct their business in accordance with this Policy.

2. All Users
Users of systems and information must:

a. Access only systems and information, including reports and paper documents, to which they are authorized.
b. Use systems and information only for the purposes for which they have been authorized, and only from The DUCHESS ICT controlled
or authorized secure equipment and approved software.
c. Comply with all appropriate legislation, and with the controls defined by the Information Owner, and all The DUCHESS Policies, Standards, Procedures and Guideline.
d. Not disclose confidential information to anyone without the permission of the Information Owner.
e. Keep their passwords and other access credentials secret, and not allow anyone else to use their account, or equipment or media in their care, to gain access to any system or information.
f. Notify their immediate superior, or the DPO of any actual or suspected breach of Information Security, or of any perceived weakness in The DUCHESS Security Policies, Procedures and Practices, Process or infrastructure.
g. Establish the identity and authority of anyone requesting information access or information system access e.g. for servicing or repairs.
h. Familiarize themselves with this Policy, and all applicable supporting Policies, Procedures, Standards and Guidelines. Compliance with this Policy is mandatory, and any employee failing to comply will be subject to disciplinary procedures, revoking of access and/or prosecution in serious cases.
i. If responsible for management of third parties you must ensure that those third parties are contractually obliged to comply with this Policy and are aware that their failure to comply may lead to contract termination &/or prosecution in serious cases.

k. Never leave computers logged into the network unattended unless password protected screen locking is available and has been engaged .
l. Keep your desk clear of all confidential paper files and documents when you are not working on them. Maintain a clear desk policy when leaving your desk unattended for any period of time and out of office hours. Keep all confidential paper files and documents in secure, lockable cabinets.
m. Not take confidential documents or materials home, however, if this is unavoidable, do consider the use of lockable bags or cases when it is necessary to carry paper files or documents in person.
n. Stand at public printers or have documents containing confidential information retrieved immediately so that unauthorized individuals have no opportunity to see the information.
o. Not store confidential electronic files and documents on your computer’s local drive or mail to a personal email address in order to work on them at home.
p. Not use standard USB data sticks or digital drives as portable temporary storage for electronic files and documents. Standard encrypted USB data sticks may be used only after the IT Manager for Information Management has approved a valid business case. If permission is granted, these USB data sticks may only be purchased from Procurement.
q. Purchase all new laptops, mobile phones, and any other hand-held devices capable of storing data, through the IT Manager to allow encryption software to be installed prior to being released to you. This ensures that the device is protected should it be lost or stolen. Any existing The DUCHESS owned laptops or portable devices should be returned to the IT Manager who will make appropriate arrangements to have the encryption software installed at a predetermined rate.
r. Lock all laptops away in a secure cabinet when not in use in the office or in the home and never leave on the back seat of a car.

3. Information Security
The IT Manager will act as the focus for all Information security issues, suggesting policies to mitigate risk, and assisting with their interpretation into team procedures and standards, whilst implementing those aspects affecting the operational security of The DUCHESS Information and IT infrastructure.

4. Management
Managers are responsible for:
a. defining reference and vetting requirements for the role and undertaking pre-employment/contract reference checking.
b. ensuring that their permanent, contract and temporary personnel are fully conversant with this Policy and all associated Policies, Standards, Procedures, Guidelines and relevant legislation, and are aware of the consequences of non- compliance.
c. Developing compliant procedures, processes and practices for use in their business areas.
d. Ensuring that when requesting or authorizing access for their staff, they comply with the standards and procedures defined by the Information Owners, with particular regard to segregation of duties, minimum access and any minimum training requirements.
e. Notifying the IT Manager via The DUCHESS Help Desk of any suspected or actual breaches or perceived weaknesses of information security.
f. Taking disciplinary action supported by the Human Resources Department in the event of misconduct, and non-compliance with Security Policies.

5. Data Protection Officer
The duties of the DPO shall include:
a. Specifying minimum training requirements and arranging its availability.
b. Monitoring pre-employment reference checking and advising
management to ensure compliance with requirements of the role.
c. Ensuring that system administrators receive prompt notification of
employee role changes and departures.
d. Ensure that procedures are in place reflecting the controls and access levels.
e. Periodically review access to ensure that procedures are followed, especially in the event of process changes that affect the asset.
f. Specifying the retention period for each asset, and the manner in which it should be deleted or destroyed at the end of that period.

6. Human Resources and Development
The Human Resources Department shall:
a. Promote awareness of training, including induction training and for ensuring inclusion of relevant security awareness therein & in employee documentation.
b. Support the DPO and management to define disciplinary action in the event of misconduct, and non-compliance with Security Policies and assisting management with disciplinary procedures.

7. Review of Information Security Policy
The DUCHESS Management will review this policy on a yearly basis, and the results of the review will be detailed on the minutes of this meeting. Any resulting changes will be notified to all relevant stakeholders.
In the event of major network configuration changes, change of policy, security incidents or a lack of security identified in the yearly penetration test performed on The DUCHESS’s network, the policy will be reviewed for effectiveness, and modified if appropriate,

8. Information Security Policy – Exceptions
It is not intended that any exceptions will be permitted even on a temporary basis but rather the Policy should be reviewed at the next opportunity. Any changes must be approved by the Information Governance Board.

9. Associated Documentation
Further information security documents supporting this policy will be developed over time.