NDPR Compliance

1. What is NDPR?

The Nigeria Data Protection Regulation (NDPR) was issued in 2019 by the National Information Technology Development Agency (NITDA) to safeguard the rights of natural persons to data privacy. It was subsequently strengthened by the Nigeria Data Protection Act 2023, establishing the Nigeria Data Protection Commission (NDPC) as the regulatory authority.

Similarly, the Ghana Data Protection Act 2012 (Act 843) established the Data Protection Commission of Ghana to protect the privacy of individuals and personal data by regulating the processing of personal information.

MyDentalPractice is committed to full compliance with both NDPR and Ghana DPA requirements, ensuring that all personal data processed through our platform is handled lawfully, fairly, and transparently.

2. Data Controller Responsibilities

2.1 Role Definitions

2.2 Your Responsibilities as Data Controller

• Determine the lawful basis for processing each category of personal data
• Obtain valid consent where consent is the legal basis
• Provide privacy notices to data subjects before or at the time of collection
• Respond to data subject requests within the statutory timeframe
• Report data breaches to NDPC within 72 hours of awareness
• Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
• Maintain records of processing activities

2.3 Our Responsibilities as Data Processor

• Process data only on your documented instructions
• Ensure staff confidentiality obligations
• Implement appropriate security measures
• Assist you with data subject requests
• Notify you of any data breaches without undue delay
• Delete or return data upon termination of services
• Allow and contribute to audits and inspections

3. Lawful Basis for Processing

Under NDPR, all processing of personal data must have a lawful basis. The following bases apply to data processed through MyDentalPractice:

3.1 Consent

For certain processing activities, particularly marketing communications and optional features, we rely on data subject consent. Consent must be:

• Freely given without coercion
• Specific to the stated purpose
• Informed with clear understanding of what is being consented to
• Unambiguous through a clear affirmative action
• Withdrawable at any time with ease

3.2 Contract Performance

Processing necessary to provide our services to you is based on contract performance. This includes account management, service delivery, and billing.

3.3 Legal Obligation

Some processing is required to comply with legal obligations, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.

3.4 Legitimate Interests

Where we rely on legitimate interests, we have conducted balancing tests to ensure that our interests do not override data subject rights. This includes:

• Security monitoring and fraud prevention
• Service improvement and analytics (using anonymized data)
• Customer support and communication

3.5 Vital Interests (Healthcare)

In emergency healthcare situations, processing may be necessary to protect the vital interests of the data subject or another person.

4. Data Subject Rights

NDPR grants data subjects comprehensive rights over their personal data. Our platform provides tools to help you fulfill these rights:

4.1 Additional Rights

• Right to Object: To processing based on legitimate interests or for direct marketing
• Right to Restriction: To limit processing while disputes are resolved
• Right to Withdraw Consent: At any time, without affecting lawfulness of prior processing
• Right Not to be Subject to Automated Decisions: To human review of significant automated decisions

4.2 Handling Data Subject Requests

Our platform helps you respond to requests through:

• Patient data export functionality (PDF, CSV, JSON formats)
• Audit trails showing all data access and modifications
• Record amendment features with change history
• Data deletion tools with retention policy compliance

5. Cross-Border Data Transfers

5.1 Data Location

MyDentalPractice primarily stores and processes data within Nigeria and Ghana. Our cloud infrastructure is selected to ensure data residency requirements are met.

5.2 Transfer Mechanisms

Where data must be transferred outside Nigeria or Ghana, we ensure compliance through:

• Adequacy Decisions: Transfers to countries deemed to have adequate data protection
• Standard Contractual Clauses: Approved contractual safeguards with data recipients
• Consent: Explicit consent for specific international transfers where appropriate
• Binding Corporate Rules: For transfers within our corporate group

5.3 Third-Party Processors

Our sub-processors who may process data internationally include:

• Cloud hosting providers (with data processing agreements)
• Email delivery services (encrypted transmission)
• Payment processors (PCI-DSS compliant)

All sub-processors are bound by data processing agreements that require NDPR-equivalent protections.

6. Data Retention Policies

6.1 Retention Principles

Under NDPR, personal data must not be kept for longer than necessary for the purposes for which it was collected. Our retention periods are:

6.2 Deletion Procedures

• Secure deletion using industry-standard methods
• Deletion from all backup systems within 90 days
• Anonymization where complete deletion is not feasible
• Certification of deletion available upon request

7. Security Measures

NDPR requires implementation of appropriate technical and organizational measures. Our security measures include:

7.1 Technical Measures

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Multi-factor authentication options
• Role-based access controls
• Intrusion detection and prevention
• Regular security assessments and penetration testing

7.2 Organizational Measures

• Information security policies and procedures
• Employee confidentiality agreements
• Regular security awareness training
• Incident response procedures
• Vendor security assessments

8. Breach Notification

8.1 What Constitutes a Breach

A personal data breach includes:

• Unauthorized access to personal data
• Accidental or unlawful destruction of data
• Loss or theft of devices containing personal data
• Unauthorized disclosure or transmission of data
• Alteration of data without authorization

8.2 Notification Contents

Breach notifications will include:

• Nature of the breach and categories of data affected
• Approximate number of data subjects affected
• Name and contact of Data Protection Officer
• Likely consequences of the breach
• Measures taken to address and mitigate the breach

9. Complaints and Enforcement

9.1 Internal Complaints

If you or your patients have concerns about how personal data is being handled:

• Contact our Data Protection Officer at dpo@mydentalpractice.ng
• We will investigate and respond within 30 days
• If unsatisfied, escalation procedures are available

9.2 Regulatory Complaints

Data subjects have the right to lodge complaints with:

• Nigeria: Nigeria Data Protection Commission (NDPC)
• Ghana: Data Protection Commission of Ghana

9.3 Penalties

NDPR violations can result in significant penalties. We take our compliance obligations seriously and have implemented comprehensive measures to prevent breaches.

10. Contact Information

For NDPR-related questions or to exercise data subject rights: