Data Protection Impact Assessment

Document Control

Item	Detail
Document Title	Data Protection Impact Assessment — MediSeen HMS
Version	1.0
Date	2 March 2026
Classification	Confidential
Prepared By	Kalu Ifeanyi Mba, Data Protection Officer / CTO
Approved By	Pending DPO Sign-Off
Review Schedule	Annually, or upon material change to processing activities
Legal Framework	Nigeria Data Protection Act 2023 (NDP Act); NDPC Regulations

Introduction & Scope
Description of Processing Activities
Lawful Basis for Processing
Necessity & Proportionality Assessment
Risk Assessment
Risk Mitigation Measures
Data Retention Policy
Data Subject Rights Implementation
Cross-Border Transfer Assessment
Third-Party Processor Assessment
Consultation & DPO Sign-Off
Review Schedule & Version History

1. Introduction & Scope

1.1 Purpose

This Data Protection Impact Assessment (DPIA) evaluates the data protection risks arising from the processing of personal data through MediSeen HMS, a cloud-based hospital management system operated by MediSeen Health Systems Limited. This assessment is conducted pursuant to Section 29 of the Nigeria Data Protection Act 2023 (NDP Act) and the guidelines issued by the Nigeria Data Protection Commission (NDPC).

1.2 Scope

This DPIA covers all processing activities performed by MediSeen HMS, including:

Collection, storage, and use of patient personal and health data
Processing of patient financial and billing data
Processing of hospital staff personal and payroll data
Optional processing of student data via Klas integration
Cross-border transfer of data to DigitalOcean servers (London, UK)
Third-party payment processing via Paystack and Flutterwave

1.3 Why a DPIA Is Required

Under Section 29 of the NDP Act, a DPIA is mandatory where processing is likely to result in high risk to the rights and freedoms of data subjects. MediSeen HMS processes sensitive personal data (health records) at scale, involves cross-border transfers, and uses automated systems — all of which trigger the DPIA requirement.

1.4 System Overview

Component	Detail
Frontend	React SPA — app.mediseenhms.com
Backend API	Node.js / Express — api.mediseenhms.com
Database	PostgreSQL (managed, DigitalOcean)
Hosting	DigitalOcean App Platform — LON1 region (London, UK)
Payment Processors	Paystack, Flutterwave
Deployment	CI/CD via GitHub → DigitalOcean on push to main

2. Description of Processing Activities

2.1 Data Categories & Processing Purposes

Data Category	Specific Data Elements	Purpose	Who Accesses
Patient Personal Data	Full name, date of birth, gender, phone number, email, residential address, next-of-kin details	Patient registration, identification, emergency contact	Doctors, nurses, front-desk staff, hospital admin
Patient Health Records	Diagnoses, prescriptions, lab results, consultation notes, vitals (BP, temp, weight, etc.)	Clinical care delivery, treatment history, medical decision-making	Doctors, nurses, lab technicians (role-restricted)
Patient Financial Data	Billing records, payment history, insurance policy details, HMO information	Billing, invoicing, insurance claims, revenue management	Billing officers, hospital admin, finance team
Staff Personal Data	Full name, contact details, salary information, bank account details, National Identification Number (NIN)	Employment management, payroll processing, regulatory compliance	HR admin, hospital owner/management
Student Data (Klas integration)	Student name, class, grades, parent/guardian contact information	Academic records management (for medical school / teaching hospital integrations)	Academic admin, authorized teaching staff

2.2 Data Flow

Collection: Data is entered by authorized hospital staff via the web application (app.mediseenhms.com) over HTTPS.
Transmission: All data is transmitted via TLS-encrypted connections to the backend API (api.mediseenhms.com).
Storage: Data is persisted in a managed PostgreSQL database hosted on DigitalOcean's LON1 (London) data centre.
Processing: The backend processes data for clinical workflows, billing, reporting, and user management.
Payment Processing: When patients make payments, tokenized payment data is transmitted to Paystack or Flutterwave; MediSeen does not store card numbers.
Access: Authorized users access data through role-based access controls (RBAC) enforced at the application layer.

3. Lawful Basis for Processing

Under Section 25 of the NDP Act 2023, personal data shall only be processed where a lawful basis exists. For sensitive personal data (health data), Section 26 imposes additional conditions.

Processing Activity	Lawful Basis (Section 25)	Additional Basis for Sensitive Data (Section 26)	Justification
Patient registration & identification	Consent (s.25(a)); Legitimate interest (s.25(f))	Explicit consent obtained at registration	Patients provide data voluntarily during hospital registration with informed consent
Clinical care & health records	Vital interest (s.25(d)); Legitimate interest (s.25(f))	Necessary for medical diagnosis/treatment (s.26(h)); Vital interest (s.26(c))	Processing is essential for healthcare delivery; refusal would endanger patient welfare
Billing & payment processing	Contract performance (s.25(b))	N/A — financial data is not sensitive under NDP Act	Necessary to fulfil the service contract between hospital and patient
Staff payroll & HR	Contract performance (s.25(b)); Legal obligation (s.25(c))	N/A (NIN processed under legal obligation)	Required for employment contracts and statutory compliance (tax, pensions)
Insurance / HMO claims	Contract performance (s.25(b)); Consent (s.25(a))	Explicit consent for sharing health data with insurers	Patient consents to share specific health data with named HMO provider
Student records (Klas)	Consent (s.25(a)); Legitimate interest (s.25(f))	Parental consent for minors	Academic administration with informed parental/guardian consent
Cross-border transfer (to UK servers)	Section 43 — Adequate protection	UK recognised as having adequate data protection (UK GDPR)	DigitalOcean LON1 operates under UK data protection law; contractual safeguards in place

4. Necessity & Proportionality Assessment

4.1 Necessity

Question	Assessment
Is the processing necessary to achieve the stated purpose?	Yes. A hospital cannot deliver clinical care without collecting patient identification, medical history, and treatment data. Billing data is essential for hospital revenue operations.
Could the purpose be achieved with less data?	Partially. MediSeen collects only data fields required for clinical workflows. Optional fields (email, secondary phone) are clearly marked. Data minimisation principle is applied.
Could the purpose be achieved without personal data?	No. Healthcare delivery inherently requires identification of the individual patient and their medical history.
Is the processing proportionate to the aim?	Yes. Data collected maps directly to clinical, administrative, and financial needs. No profiling, scoring, or marketing use.

4.2 Data Minimisation Measures

Only mandatory fields are required at registration; optional fields are clearly indicated
Health records are structured per consultation — no bulk data collection
Payment card details are never stored; tokenized via Paystack/Flutterwave
Staff NIN is collected solely for statutory compliance and stored encrypted
Role-based access ensures users see only data relevant to their function

5. Risk Assessment

5.1 Risk Assessment Matrix

Risks are assessed using a Likelihood × Impact matrix on a 3-point scale:

	Impact →
Likelihood ↓	Low (1)	Medium (2)	High (3)
High (3)	Medium (3)	High (6)	Critical (9)
Medium (2)	Low (2)	Medium (4)	High (6)
Low (1)	Low (1)	Low (2)	Medium (3)

Scoring: Low = 1–2 | Medium = 3–4 | High = 6–9

5.2 Identified Risks

#	Risk Category	Description	L	I	Score	Rating
R1	Unauthorized Access	External attacker gains access to patient health records via API vulnerability or credential compromise	2	3	6	HIGH
R2	Data Breach	Mass exfiltration of patient or staff PII due to database compromise or misconfiguration	2	3	6	HIGH
R3	Cross-Border Transfer	Personal data of Nigerian citizens stored on UK servers without adequate safeguards or NDPC approval	2	2	4	MEDIUM
R4	Excessive Collection	Collecting more personal data than necessary for stated purposes, violating data minimisation principle	1	2	2	LOW
R5	Inadequate Consent	Processing sensitive health data without valid, informed, and explicit consent from data subjects	2	3	6	HIGH
R6	Insider Threats	Hospital staff accessing patient records beyond their role, or extracting data for unauthorized purposes	2	2	4	MEDIUM
R7	Third-Party Risks	Data processors (DigitalOcean, Paystack, Flutterwave) suffer a breach or process data beyond agreed terms	1	3	3	MEDIUM
R8	Data Loss / Unavailability	Database failure, corruption, or ransomware results in loss of patient records	1	3	3	MEDIUM
R9	Non-Compliance Penalties	Failure to comply with NDP Act obligations resulting in NDPC enforcement action or fines	1	3	3	MEDIUM

6. Risk Mitigation Measures

#	Risk	Technical Measures	Organizational Measures	Residual Risk
R1	Unauthorized Access	HTTPS/TLS encryption for all data in transit JWT-based authentication with token expiry Role-based access control (RBAC) Rate limiting and input validation on API Regular dependency audits (npm audit)	Security awareness training for all staff Strong password policy enforcement Quarterly access reviews Incident response procedure	MEDIUM
R2	Data Breach	Database encryption at rest (DigitalOcean managed DB) Automated daily backups with point-in-time recovery Network isolation — DB not publicly accessible Audit logging of all data access	Data breach notification procedure (72-hour NDPC notification) Annual penetration testing Data breach simulation exercises	MEDIUM
R3	Cross-Border Transfer	Data hosted in UK (adequate protection jurisdiction) Encryption at rest and in transit DigitalOcean DPA in place	Data Processing Agreement with DigitalOcean NDPC notification of cross-border transfer Regular review of UK adequacy status Migration plan to Nigerian hosting if required	LOW
R4	Excessive Collection	Mandatory vs. optional fields clearly distinguished in UI Schema validation — reject unexpected fields	Privacy-by-design review for new features Annual data mapping exercise	LOW
R5	Inadequate Consent	Consent capture at registration (timestamped, purpose-specific) Consent withdrawal mechanism in system Separate consent for sensitive data sharing (e.g., HMO)	Clear privacy notice at point of collection Consent forms reviewed by legal counsel Staff trained on obtaining valid consent	LOW
R6	Insider Threats	RBAC — minimum privilege per role Audit trail on all record access and modifications Session timeout and auto-logout	Confidentiality agreements for all staff Disciplinary policy for unauthorized access Periodic audit log reviews	LOW
R7	Third-Party Risks	Payment tokenization — no card data stored API-only integration with processors TLS for all third-party communications	Data Processing Agreements with all processors Annual third-party security review Vendor compliance verification (PCI-DSS for payment)	LOW
R8	Data Loss	Automated daily backups (DigitalOcean managed) Point-in-time recovery capability Multi-node database replication	Backup verification and restoration testing quarterly Business continuity plan documented	LOW
R9	Non-Compliance	Privacy notice implemented in application Data subject rights endpoints in API	DPO appointed and contactable Annual DPIA review cycle NDPC registration completed Staff data protection training	LOW

7. Data Retention Policy

Data Category	Retention Period	Justification	Disposal Method
Patient personal data	Duration of care + 6 years	Medical records retention best practice; statute of limitations for medical negligence claims in Nigeria	Secure deletion from database; anonymisation for statistical use
Patient health records	Duration of care + 6 years	Clinical continuity; legal requirements for medical records	Secure deletion; de-identified data may be retained for research
Patient financial data	7 years from transaction date	Tax and financial regulatory requirements (FIRS)	Secure deletion from database
Staff personal data	Duration of employment + 6 years	Employment law obligations; pension and tax records	Secure deletion from database
Student data (Klas)	Duration of programme + 3 years	Academic record keeping requirements	Secure deletion from database
Audit logs	2 years	Security monitoring and incident investigation	Automated purge
Backups	30 days rolling	Disaster recovery	Automatic expiry/overwrite

Note: Where a data subject exercises their right to erasure, data will be deleted within 30 days unless retention is required by law. Health records required for ongoing treatment or legal obligation are exempt from erasure requests.

8. Data Subject Rights Implementation

Under Part IV of the NDP Act 2023, data subjects have the following rights. MediSeen HMS implements these as follows:

Right	NDP Act Section	Implementation	Response Time
Right of Access	Section 34	Patients can request a copy of their records via the DPO (email/phone). Hospitals can export patient records from the system.	30 days
Right to Rectification	Section 35	Patients notify the hospital of inaccurate data; front-desk or clinical staff update records in system. Audit trail maintained.	14 days
Right to Erasure	Section 36	Request submitted to DPO. Data deleted unless legal retention obligation applies. Confirmation provided to data subject.	30 days
Right to Restrict Processing	Section 37	DPO can flag a patient record as restricted, limiting access to emergency-only clinical staff.	14 days
Right to Data Portability	Section 38	Patient data can be exported in structured, machine-readable format (JSON/CSV) upon request to DPO.	30 days
Right to Object	Section 39	Data subjects may object to processing based on legitimate interest. DPO reviews and responds.	30 days
Right to Withdraw Consent	Section 25(a)	Patients may withdraw consent at any time. Processing ceases for the relevant purpose; prior processing remains lawful.	Immediate

8.1 Request Process

Data subject submits request to the DPO via email ([email protected]
3, Inyima Lane, Ebem, Abia State, Nigeria) or in person at the hospital
DPO verifies identity of the requester (government-issued ID required)
DPO logs the request and confirms receipt within 7 days
Request fulfilled within the stated timeframe, or explanation provided if extension is needed
All requests logged in a Data Subject Request Register

9. Cross-Border Transfer Assessment

9.1 Transfer Details

Item	Detail
Data Exporter	MediSeen Health Systems Limited (Nigeria)
Data Importer	DigitalOcean LLC (US company; data centre in London, UK)
Data Location	LON1 Data Centre, London, United Kingdom
Data Types Transferred	All categories listed in Section 2 — patient, staff, and financial data
Transfer Mechanism	Encrypted API calls over HTTPS; managed database hosted in LON1

9.2 Adequacy Assessment

Under Section 43 of the NDP Act 2023, cross-border transfers are permitted where the receiving country provides adequate data protection. The United Kingdom has comprehensive data protection legislation (UK GDPR and Data Protection Act 2018) and an independent supervisory authority (ICO). The UK is widely recognised as providing adequate protection for personal data.

9.3 Safeguards in Place

Data Processing Agreement (DPA): DigitalOcean's standard DPA governs the processing relationship, including security obligations, breach notification, and sub-processor management.
Technical safeguards: Encryption at rest (AES-256) and in transit (TLS 1.2+); private networking; managed database with automated backups.
Access controls: Only MediSeen's application has database credentials; no DigitalOcean personnel access to customer data in normal operations.
Contingency: MediSeen maintains a documented migration plan to transfer data to Nigerian-hosted infrastructure (e.g., MainOne, Rack Centre) should the NDPC require data localisation or should UK adequacy status change.

9.4 NDPC Notification

MediSeen will file a cross-border transfer notification with the Nigeria Data Protection Commission as required under the NDP Act, providing details of the transfer, safeguards, and adequacy basis.

10. Third-Party Processor Assessment

Processor	Service	Data Processed	Location	Safeguards	Compliance
DigitalOcean LLC	Cloud hosting, managed database, CDN	All system data (stored in PostgreSQL)	London, UK (LON1)	DPA in place; SOC 2 Type II; ISO 27001; encryption at rest & in transit	UK GDPR compliant; NDPC cross-border notification to be filed
Paystack (Stripe)	Payment processing	Patient name, email, payment amount; card data handled by Paystack (not stored by MediSeen)	Nigeria / Global (Stripe infrastructure)	PCI-DSS Level 1; tokenised payments; DPA available	CBN-licensed; NDP Act compliant; PCI-DSS certified
Flutterwave	Payment processing (alternative)	Patient name, email, payment amount; card data handled by Flutterwave (not stored by MediSeen)	Nigeria / Global	PCI-DSS Level 1; tokenised payments; DPA available	CBN-licensed; NDP Act compliant; PCI-DSS certified
GitHub	Source code hosting & CI/CD	Application source code only (no personal data in codebase)	USA	SOC 2 Type II; encrypted repositories; access via SSH keys	No personal data processed; DPA not required

10.1 Processor Management

Data Processing Agreements (DPAs) are executed with all processors handling personal data
Processor security posture reviewed annually
Processor breach notification obligations included in DPAs (within 48 hours)
MediSeen retains the right to audit processors upon reasonable notice
Sub-processor changes by any processor require notification to MediSeen

11. Consultation & DPO Sign-Off

11.1 Stakeholders Consulted

Stakeholder	Role	Date	Input
Kalu Ifeanyi Mba	CTO / Data Protection Officer	2 March 2026	System architecture review; risk assessment; mitigation measures approval
Hospital Client Representatives	End users (hospitals)	Ongoing	Feedback on data collection requirements, consent processes, and access needs

11.2 DPO Recommendation

Based on this assessment, the residual risks associated with MediSeen HMS data processing activities are acceptable given the mitigation measures in place. The following actions are recommended to further strengthen compliance:

Complete NDPC registration and file audit return within 6 months
Execute formal DPAs with DigitalOcean, Paystack, and Flutterwave
File cross-border transfer notification with NDPC
Implement automated consent management in the application
Conduct first annual penetration test within 6 months
Develop and publish a public-facing privacy policy for mediseenhms.com
Conduct data protection training for all hospital staff users

11.3 DPO Sign-Off

I confirm that this DPIA has been conducted in accordance with the Nigeria Data Protection Act 2023 and that the processing described herein may proceed subject to the recommended actions above.

Name: Kalu Ifeanyi Mba

Title: Chief Technology Officer / Data Protection Officer

Organisation: MediSeen Health Systems Limited

Date: ____________________

Name: ____________________

Title: Managing Director / CEO