Long before digital health platforms existed, medical ethics treated patient information as confidential. The Hippocratic tradition reflects this clearly, requiring doctors to keep private whatever they learn in the course of treating a patient, except where disclosure is authorised by law or consent. Modern data protection law builds on this ethical foundation, translating professional duties of confidence into legal obligations that apply across digital systems, platforms and supply chains.
Globally, this special status is reflected in data protection regimes that classify health data as sensitive or special category data. Under the European Union’s General Data Protection Regulation, health data is subject to stricter conditions for processing and enhanced safeguards. Nigeria has adopted the same approach in its own legal framework.
The Nature of Health Data in a Digital Environment
Health data is inherently sensitive, revealing intimate details about our bodies, minds and histories. Unlike transactional data that may lose relevance over time, a medical record is not a snapshot that quickly becomes irrelevant. A diagnosis or genetic marker recorded today can affect a person’s insurability, employability and social standing many years into the future. When combined with other datasets, health information can be used to infer highly personal characteristics, even where identifiers have been removed.
The proliferation of telemedicine platforms, mobile health applications and remote monitoring devices multiplies the volume of data generated and widens the network of actors who can access it. At the same time, artificial intelligence systems analyse vast volumes of patient information to support diagnosis, treatment planning and risk prediction, raising complex questions about accountability and bias.
This is why modern regulation insists on enhanced safeguards for the processing of health data – namely stricter consent frameworks, enhanced documentation and organisational accountability, and high organisational and technical security controls.
The Nigerian Legal Framework for Health Data
Nigeria’s approach to health data protection rests on a combination of constitutional rights, sector-specific regulation and comprehensive data protection law.
- Article 9 of the EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 (“the GDPR”)
- Section 30 of the Nigeria Data Protection Act 2023 (“the NDPA”)
The starting point is the Constitution of the Federal Republic of Nigeria, 1999, as amended (the “Constitution”), which confers several fundamental and inalienable rights on Nigerian citizens. Section 37 of the Constitution guarantees the privacy of citizens, their homes, correspondence and family life, and has been interpreted to include informational privacy and data protection. The protection of health data is therefore rooted in the broader right to privacy.
The National Health Act 2014 establishes a statutory framework for healthcare delivery and expressly restricts the disclosure of patient information, reinforcing the duty of medical confidentiality. Professional obligations are also imposed by the Medical and Dental Practitioners Act and the Code of Medical Ethics, which require healthcare providers to keep patient records secure and to preserve confidentiality both in physical and digital form.
At the centre of the modern regulatory framework is the Nigeria Data Protection Act (NDPA) 2023, which classifies information relating to a person’s health status as sensitive personal data. It permits processing of such sensitive data only in strictly defined circumstances: with the consent of the data subject; where processing is necessary to meet the controller’s legal obligations under employment and social security laws; where processing is necessary to protect the vital interests of the data subject or another individual (for example, in life-and-death situations); or where processing is required for public health purposes under law.
The Act also imposes core principles that apply to all health data processing. Personal data must be processed lawfully, fairly and transparently. It must be collected for specified and legitimate purposes, limited to what is necessary, kept accurate, stored only for as long as required and protected by appropriate technical and organisational measures. The NDPA also grants individuals the rights to access, rectify and erase (or delete) their personal data, to object to a processing activity, to restrict processing, and to withdraw consent in respect of any processing activity. These principles apply to hospitals, clinics, digital health platforms, mobile applications, research institutions and any third party that processes health information on their behalf.
- Section 26 of the National Health Act 2014
- Section 44 of the Code of Medical Ethics in Nigeria (Medical & Dental Council of Nigeria, 2008)
- Sections 22A and 44 of the Code of Medical Ethics in Nigeria (Medical & Dental Council of Nigeria, 2008)
- Section 65 of the NDPA
- Section 30 of the NDPA
- Section 24(1)(a) of the NDPA
- Section 24(1)(b) of the NDPA
- Section 24(1)(c) of the NDPA
- Sections 24(1)(d)–(f) of the NDPA
- Section 34(1)(a) of the NDPA
- Section 34(1)(c) of the NDPA
- Section 34(1)(d) of the NDPA
- Section 36 of the NDPA
- Sections 34(1)(e) and 34(2) of the NDPA
- Section 35 of the NDPA
The General Application and Implementation Directive (GAID), 2025 operationalises the NDPA and imposes further obligations on organisations that process health data. Schedule 7 of the GAID lists organisations that process health data as Data Controllers and Data Processors of Major Importance (DCPMIs). Aside from other data processing obligations, health service providers have the following obligations:
A significant legislative development is the Digital Health Services Bill 2025, which awaits further readings in Nigeria’s National Assembly. The Bill aims to establish a comprehensive framework for regulating telemedicine platforms, mobile health applications and AI-driven clinical tools. It would require all digital health providers to obtain a licence from the Federal Ministry of Health, comply with the NDPA and implement robust cybersecurity measures. It would also require system interoperability with national electronic health record infrastructure and uphold patient rights by mandating explicit consent before data is shared. The Bill codifies patients’ rights to receive accurate information, to access, correct or delete their health data and to provide accurate health information themselves. By harmonising with the NDPA and the National Health Act, the Bill promises to modernise Nigeria’s health sector while avoiding regulatory fragmentation.
Digital Health Platforms and Practical Compliance Obligations
As discussed earlier, the Nigeria Data Protection Commission (NDPC) is empowered by the NDPA to enforce compliance with its provisions. Organisations that process health data are required to register with the NDPC, maintain records of processing activities, conduct Data Protection Impact Assessments for high-risk processing and submit annual compliance audit returns.
- Section 32(1) of the NDPA and Article 7(i) of the Nigeria Data Protection Act – General Application and Implementation Directive 2025 (“GAID”)
- Section 44 of the NDPA and Articles 7a and 9 of the GAID
- Article 7c of the GAID
- Schedule 1(6)(iii) of the GAID
- Schedule 7(4) of the GAID
- https://www.techhiveadvisory.africa/insights/review-of-nigerias-digital-health-services-bill-2025
- Section 6 of the NDPA
- Section 44 of the NDPA
To translate these legal mandates into practice, digital health operators should adopt a privacy-by-design and risk-based approach. This usually entails the following steps:
1. Data mapping: Organisations must understand their data flows. This involves mapping the categories of data collected, the purposes for which they are used, where they are stored, who has access to them and whether they are transferred outside Nigeria. The mapping exercise should take place before processing begins, so that organisations can identify their applicable legal obligations, assess legal risk and design effective controls into the product journey.
2. Lawful Bases and Consent Mechanisms: Organisations must establish clear and lawful bases for processing health data, and design mechanisms to document such lawful bases. Health data generally requires explicit consent, particularly where it is used beyond direct patient care for analytics, research or product development. Consent mechanisms must be clear, specific and freely given. Organisations must allow patients to withdraw consent, with appropriate consequences explained in advance. Most importantly, organisations must maintain records of consent obtained in an appropriate register.
3. Implementation of technical and organisational measures: Organisations should implement security measures proportionate to the level of risk and the sensitivity of the data. Encryption, access controls, audit trails, regular testing and incident response planning are essential. Organisations must also prepare NDPA- and GAID-compliant breach response plans so that breaches are prevented, detected, remediated and reported within the regulatory timelines.
4. Vendor management: Many digital health platforms rely on cloud providers, analytics vendors and AI developers. Health providers must enter into appropriate data processing agreements with all third-party vendors. These contracts must clearly allocate responsibilities, impose confidentiality obligations and ensure that processors comply with Nigerian data protection requirements.
Artificial Intelligence, Health Data and Accountability
Artificial Intelligence (AI) is now deeply embedded in healthcare delivery. AI tools assist with radiology, pathology, triage, treatment recommendations and predictive analytics. These systems depend on large volumes of health data for training and operation. Yet their deployment does not absolve organisations of responsibility.
Where an AI system processes personal health data, the deploying organisation remains responsible for compliance with data protection principles. Patients must be informed where automated tools are used in decisions that affect their care. Where such decisions have legal or similarly significant effects, safeguards must be in place, including the possibility of human intervention.
Responsible AI in healthcare requires consistent human oversight, careful selection of training data, bias mitigation and ongoing validation of outputs. Even where technology is supplied by third parties, liability for unlawful processing, discriminatory outcomes or data breaches will fall on the organisation that deploys the system in the context of patient care.
Conclusion
Nigeria’s digital health ecosystem is expanding rapidly. Technology is improving access to care, enabling new models of service delivery and supporting more accurate and efficient clinical decision making. At the same time, it is reshaping how some of the most sensitive personal information is collected, analysed and shared.
Health data is not merely an operational input. It is an expression of personal identity, vulnerability and dignity. The legal framework now in place, particularly the Nigeria Data Protection Act 2023 and the General Application and Implementation Directive, provides a foundation for protecting that dignity in a digital environment. However, laws alone are not enough. Effective governance requires investment in systems, training, risk assessment and accountability.
For health technology providers, privacy compliance is not an obstacle to innovation. It is a prerequisite for sustainable growth. Organisations that embed strong data protection, security and responsible AI practices into their platforms will be better positioned to earn patient trust, engage regulators constructively and scale across Nigeria and beyond. In digital health, respect for data is ultimately respect for people.