This Privacy policy between MetroHealth HMO Limited (1039490), a Health Maintenance Organization with registered office at St. Nicholas House, 14^th Floor, 26 Catholic Mission Street, Lagos Island, Lagos (hereinafter referred to as the “MetroHealth”) and You, constitutes our commitment to your privacy on our administrative records, websites, social media platforms, and premises.

The words “we, “us” or “our” in this privacy policy, refers to MetroHealth HMO Limited.

Whereas:

1. We provide this Data Privacy Policy to achieve our responsibilities under the Nigerian Data Protection Regulation (NDPR) which requires greater accountability and transparency from organizations regarding your personal information, and which gives you greater control over how we use it.

• This Data Privacy Policy, therefore, clarifies how and when we collect personal data from and about you, why we do so, and how we treat this information and serves as a guide as to how personal data is managed by MetroHealth.  It also elucidates your rights concerning the collection of personal information and how you can exercise those rights. 

1.0       Your Privacy Rights

1.1       This Privacy Policy describes your privacy rights regarding our collection, use, storage, sharing, and protection of your personal information.

1.2       You can exercise the following rights concerning your Personal Data with MetroHealth:

1. Right to be informed – Organizations must tell individuals, what data of theirs is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.

• Right of access by the data subject – You have the right to request access to your data. This can be done by contacting MetroHealth via the contact details in paragraph 13.0 below.

• Right to withdraw consent – Where we have collected your data based on consent, you have the right to withdraw your consent at any time. Note that this could affect our ability to provide you with services.

• Right to rectification – You have the right to have your data rectified where inaccuracies or incompleteness have been identified. 

• Right to erasure (Right to be forgotten) – When we process personal data it is normally because there is a statutory basis for the processing. In case we receive a request from you looking to exercise your right of erasure, we will assess whether the data can be erased without affecting our ability to provide future services to you or fulfill statutory obligations. 

• Right to restriction of processing – You can ask us to restrict the processing of your personal information in certain circumstances. We will implement and maintain appropriate procedures to assess whether a request to restrict the processing of your data can be implemented. Where the request for restriction of processing is carried out, then we will write to you to confirm the restriction has been implemented and when the restriction is lifted.

• Right to data portability – MetroHealth processes personal data it collects because there is normally a statutory basis for the processing. Where personal data on data subjects have been collected by consent or by contract, the data subjects have a right to receive the data in electronic format to give to another data controller. 

• Right to object – You have a right to object to the processing of your data in specific circumstances. Where such an objection is received, we will assess each case on its merits. 

1. Right to complain – MetroHealth will implement and maintain a complaints process whereby you will be able to contact the Data Protection Officer. The Data Protection Officer will work with you to bring the complaint to a satisfactory conclusion for both parties. 

2.0       Your Personal Information

2.1       We collect personal data through the information you provided us or an affiliate on an application form for health plan coverage; when you use the Metrohealth Services; when you request further information about our products; when you apply for a job through our website; or when you contact us through any other means including information sent to us by your computer, mobile phone or other electronic access devices. We also collect information provided by your physician or other health care practitioner, your employer, or through all other related sources.  

2.2       By the use of our website, automatically collected information includes but is not limited to data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, standard web log data, still and moving images.

2.3       Generally, the personal data collected includes (but is not limited to) your name, address, phone number, national identity number, date of birth, age, sex, height and weight, occupation, health habits, and general medical information. It could also include accident and injury dates.

2.4       We may also collect the information you provide us including but not limited to information on a web form, survey responses account to update information, email address, phone number, the organization you represent, official position, correspondence with the Metrohealth support services, and telecommunication with Metrohealth. We may also collect information about your transactions, inquiries, and your activities on our platform or premises.

2.5       We may also use the information provided by third parties like social media sites. Information about you provided by other sites is not controlled by Metrohealth and we are, therefore, not liable for how such third parties use your information.

2.6       We may also automatically collect some technical information when you visit our website, such as IP address and information about your visit such as pages that you viewed. This information assists us to understand customer interests and aids us to improve our website.

2.7       If you have created a username, identification code, password, or any other piece of information as part of our access security measures, you must treat such information as confidential, and you must not disclose it to any third party.

2.8       We reserve the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if in our opinion you have failed to comply with any of the provisions of this privacy policy.

3.0       Consent

3.1       You accept this privacy policy when you give consent upon access to our platforms, or use our services, content, features, technologies or functions offered on our website, digital platforms or visit any of our offices for official or non-official purposes (collectively the “Metrohealth Services”)

3.2       You also acknowledge that by completing and signing our registration form for any of our health plans, you have given consent to Metro Health HMO to request or inspect medical and other records maintained by your selected hospital for case management and complaint resolution purposes.

3.2       This privacy policy governs the use of the Metrohealth Services by our users and stakeholders unless otherwise agreed through a written contract. We may amend this privacy policy at any time by posting a revised version on our website or placing such notice at conspicuous points at our office facilities. The current version of this policy was last updated [.] The revised version will be effective 7 days after publication.

4.0       Usage of Personal Data

4.1       We use your personal information to fulfill our contractual obligations with you i.e., to perform transactions and functions necessary to implement and administer the health plan benefits purchased from us. On occasion, your personal information is also used for reporting or other functions. These functions include but are not limited to:

1. processing applications and sending notices about your transactions to requisite parties;
2. verifying your identity;
3. resolving disputes, collecting fees, and troubleshooting problems with any services we offer to you;
4. managing risk, or detecting, preventing, and/or remediating fraud or other potentially prohibited or illegal activities;
5. improving Metrohealth Services by implementing aggregate customer or user preferences;
6. measuring the performance of Metrohealth Services and improving content, technology and layout;
7. tracking information breach and remediating such identified breaches;
8. contacting you at any time through your provided telephone number, email address or other contact details.  
9.  to provide further information on our products and services (mail subscriptions).

4.2       Although we will only use personal data for the purpose for which we collected it, if there is a need to use your data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.  We may anonymize your personal data so that it can no longer be associated with you in which case it is no longer personal data.

5.0       Cookies

Cookies are small files placed on your computer’s hard drive that enables the website to identify your computer as you view different pages. Cookies allow websites and applications to store your preferences in order to present contents, options or functions that are specific to you. Like most interactive websites, our website uses cookies to enable the tracking of your activity for the duration of a session. Our website uses only encrypted session cookies which are erased either after a predefined timeout period or once the user logs out of the platform and closes the browser. Session cookies do not collect information from the user’s computer. They will typically store information in the form of a session identification that does not personally identify the user.

6.0       How we protect your personal information

We store and process your personal information on MetroHealth’s database. Where we need to transfer your data to another country, such country must have an adequate data protection law. We will seek your consent where we need to send your data to a country without an adequate data protection law. We protect your information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure, and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to our data centers, and information access authorization controls. We will notify you and any applicable regulator of a breach where we are legally required to do so.

Nonetheless, we admit that no database is absolutely secure, and we only guarantee the safety of your data to the extent of our undertaking all reasonable measures to protect your data.

7.0       How We Share your information within Metrohealth and with Other Users

7.1       We respect your privacy and limit the disclosure of your personal data to third parties.  We do not sell, give or trade any personal data that we obtain from you to any third party for data mining or marketing purposes.  However, we work with third parties to perform our Services. In doing so, we may share any of the information we collect about you with third parties, namely the National Health Insurance Scheme or other Regulatory Authorities and other service providers (such as hospitals) that perform other services on our behalf, including administrative services. We may also disclose any of the information we collect about you to other parties, including vendors and governmental agencies retained to audit medical records and billings.

7.2       The type and the amount of information we share with others is limited to what is necessary to implement and administer the health plan you have with us, or as otherwise permitted or required by law.

7.3       You accept that your pictures and testimonials on all social media platforms about Metrohealth can be used for limited promotional purposes by us. This does not include your trademark or copyrighted materials.

7.4       From time to time we may send you relevant information such as news items, enforcement notices, statutorily mandated notices, and the essential information to aid the implementation of our mandate. We may also share your personal information in compliance with national or international laws, crime prevention, and risk management agencies and service providers.

8.0       Data protection principles

In line with the Nigerian Data Protection Regulation 2019 (NDPR), personal data may be processed under any of the following lawful basis: Consent of the data subject, performance of a contract with the data subject, legal obligation, vital interest of individuals and public interest.

Although we mostly collect and process your data with your consent, we may collect and process your data under any of the identified lawful basis depending on the circumstance.

Furthermore, all processing of personal data shall be conducted in accordance with the data protection principles set out in part 2 of the Nigerian Data Protection Regulations. In addition, our policies and procedures are designed to ensure compliance with the following principles:

1. Lawful – the legal basis for processing personal data is normally based on relevant legislation. We are permitted by law to process information for administrative schemes, statutory schemes and core functions.  Where there is no statutory basis, then we will request your consent at the time that the information is collected.  

• Fairly – For processing to be fair, we have to make certain information available to you. This applies whether the personal data was obtained directly from you or other sources.

• Transparently – We will provide a Data Privacy Policy upfront whenever you are sharing personal information with MetroHealth. We will ensure that the information provided is detailed and specific, and that the information is written in plain English which will be understandable and accessible.

9.0       Security and Retention of Your Personal Data

9.1       We maintain physical, electronic, and procedural safeguards to protect your personal information. We access and use your personal information to the extent necessary to administer the health plan services you are entitled to. We establish confidentiality agreements with contracted parties that receive non-public personal financial and health information about you. We restrict access to your non-public personal, financial, and health information to those employees who need to know that information to administer the product or service you purchased from us.

9.2       To prevent unauthorized access to your information, we have implemented strong controls and security safeguards at the technical and operational levels. Our website uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to ensure secure transmission of your Personal Data. You should see the padlock symbol in your URL address bar once you are successfully logged into the platform. The URL address will also start with https:// depicting a secure webpage. SSL applies encryption between two points such as your PC and the connecting. Any data transmitted during the session will be encrypted before transmission and decrypted at the receiving end. This is to ensure that data cannot be read during transmission.

9.3       Metrohealth has also taken measures to comply with global Information Security Management Systems. We have, therefore, have put in place digital and physical security measures to limit or eliminate possibilities of data privacy breach incidents.

9.4       Personal data will be retained for as long as necessary to fulfill the purpose for which it was collected and processed including the purpose of satisfying any legal, regulatory, accounting, or reporting requirements.  For the appropriate retention period, consideration will be given to the amount, nature, and sensitivity of the Data, potential risk of harm from unauthorized use or disclosure, and applicable legal requirements.

9.5       Upon expiry of the applicable retention period, we will securely destroy your Personal Data in accordance with applicable laws and regulations.

10.0     Links to Other Websites and Premises

10.1     Certain transaction processing channels may require links to websites or organizations other than ours. Please note that Metrohealth is not responsible and has no control over websites outside its domain. We do not monitor or review the content of other party’s websites that are linked from our website or media platforms.

10.2     Opinions expressed or materials appearing on such websites are not necessarily shared or endorsed by us, and Metrohealth should not be regarded as the publisher of such opinions or materials.

10.3     Please be aware that we are not responsible for the privacy practices, or content of these sites.

10.4     We encourage our users to be aware of when they leave our site and to read the privacy statements of these sites. You should evaluate the security and trustworthiness of any other site connected to this site or accessed through this site yourself, before disclosing any personal information to them.

10.5     Metrohealth will not accept any responsibility for any loss or damage in whatever manner, howsoever caused, resulting from your disclosure to third parties of personal information.

11.0     Governing Law

This privacy policy is made pursuant to the Nigeria Data Protection Regulation 2019 and other relevant Nigerian laws, regulations, or international conventions applicable to Nigeria. Where any provision of this Policy is deemed inconsistent with a law, regulation, or convention, such provision shall be subject to the overriding law, regulation, or convention.

12.0     Changes to Privacy Notice

Due to constant changes in technology and regulatory requirements, we may need to change our privacy notice or update it from time to time.  The most recent version can always be accessed on the website.

13.0     Contact

13.1     If you know or suspect that anyone other than you know your security details, you must promptly notify us at dpo@metrohealthhmo.com. 13.2     For further inquiries or complaints, you can contact our Customer Service at 01-63100038 or 01-4606790. If you are an employer representative, you can call the Call Centre + (234)1 63100038 or + (234)1 4606790.