Privacy Policy

Margaret Lawrence University Teaching Hospital ("MLUTH", "we", "us", or "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, store, share, and protect information when you visit our website, use our online services, book appointments, submit feedback, apply for careers, or interact with our digital assistant.

This policy applies to information collected through our website and related online services. It should be read alongside any notices we provide at the point of care or during in-person registration at the hospital.

Depending on how you use our website, we may collect the following categories of information:

2.1 Information you provide directly

• Appointment requests: name, phone number, email address, date of birth, preferred appointment date and time, service requested, patient type, and reason for visit.
• Pre-registration details: gender, marital status, occupation, religion, nationality, state of origin, home address, and next-of-kin information (name, relationship, phone number, and address).
• Contact enquiries: name, email address, subject, and message content.
• Patient feedback: name, email address, phone number (optional), feedback category, rating, and message.
• Career applications: personal details, employment history, qualifications, references, and documents you upload (such as CVs and certificates).
• Chatbot conversations: messages you send to our website assistant, Bisi.

2.2 Information collected automatically

• Session identifier: a randomly generated session cookie used to link your appointment request to your browser session.
• Technical data: browser type, device information, IP address, and general usage data that may be recorded in server or application logs.
• Authentication data: for authorised staff accessing our admin portal, login credentials and session tokens managed through our authentication system.

2.3 Sensitive and health-related information

Some information you submit through our website may relate to your health, such as symptoms described in appointment requests, feedback, or chatbot messages. We treat this information with heightened care and only process it where necessary to provide care, respond to your request, or meet our legal obligations.

We use personal information for the following purposes:

• Processing and managing appointment requests and pre-registration.
• Communicating with you about appointments, enquiries, feedback, or job applications.
• Improving our website, services, and patient experience.
• Responding to feedback and resolving concerns.
• Reviewing and evaluating career applications.
• Operating and improving our website chatbot to answer common questions and guide visitors.
• Protecting the security and integrity of our website and admin systems.
• Complying with applicable laws, regulations, and professional healthcare obligations.

We process personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and related guidance from the Nigeria Data Protection Commission (NDPC). Depending on the context, our legal bases may include:

• Consent: where you voluntarily submit forms, use the chatbot, or provide optional information.
• Contract or pre-contractual steps: where processing is necessary to arrange appointments or respond to your requests.
• Legitimate interests: such as website security, service improvement, and internal administration, balanced against your rights.
• Legal obligation: where we must retain or disclose information to comply with healthcare, employment, or regulatory requirements.
• Vital interests: in rare cases where processing may be necessary to protect life or health.

Our website uses cookies and similar technologies as follows:

• Session cookie (mluth_session_id): an essential cookie that assigns a unique session identifier to your browser. It helps us associate your appointment request with your visit, is stored for up to one year, and is marked as httpOnly for security. This cookie is necessary for our online appointment workflow to function correctly.
• Authentication cookies: for authorised admin users, session cookies are used to maintain secure login state.

You can control cookies through your browser settings. Please note that disabling essential cookies may affect your ability to book appointments online.

We may share information with trusted third parties only where necessary, including:

• Hosting and database providers: to store website submissions and application data securely.
• Email service providers: to deliver notifications and respond to enquiries.
• Google Gemini (AI chatbot): messages you send to Bisi may be transmitted to Google's generative AI service to generate responses. Do not share sensitive health information in the chatbot that you would not want processed by a third-party AI provider. The chatbot is for general information only and is not a substitute for professional medical advice or emergency care.
• Map services: when you use location links on our website, you may be directed to third-party mapping platforms governed by their own privacy policies.

We do not sell your personal information. We may also disclose information where required by law, court order, or regulatory authority, or where necessary to protect the rights, safety, or security of patients, staff, or the public.

We retain personal information only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law. Retention periods may vary depending on the type of data:

• Appointment and pre-registration records are kept for as long as needed to manage your care and meet healthcare record-keeping obligations.
• Contact and feedback submissions are retained for a reasonable period to respond, investigate, and improve services.
• Career application materials are retained for the duration of the recruitment process and for a limited period thereafter, unless you request earlier deletion where legally permitted.
• Server logs and security records are retained for a limited period for troubleshooting and protection purposes.

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse, alteration, or disclosure. These measures include secure connections (HTTPS), access controls for admin systems, httpOnly session cookies, and restricted access to stored data on a need-to-know basis.

While we take reasonable steps to safeguard your information, no method of transmission over the internet or electronic storage is completely secure. Please use strong passwords for any accounts we provide and contact us promptly if you suspect unauthorised access.

Under the NDPA, you may have the right to:

• Request access to the personal data we hold about you.
• Request correction of inaccurate or incomplete information.
• Request deletion of your data, subject to legal and healthcare record-keeping requirements.
• Object to or restrict certain processing activities.
• Withdraw consent where processing is based on consent, without affecting prior lawful processing.
• Lodge a complaint with the Nigeria Data Protection Commission if you believe your rights have been violated.

To exercise your rights, please contact us using the details in Section 12. We may need to verify your identity before responding to certain requests.

Our website is not directed at children under the age of 18 to submit information independently. If a parent or guardian books an appointment or provides information on behalf of a minor, they are responsible for ensuring that information is provided lawfully and accurately.

If you believe we have collected personal information from a child without appropriate authority, please contact us so we can take appropriate action.

Some of our service providers, including our AI chatbot provider, may process data on servers located outside Nigeria. Where this occurs, we take steps to ensure appropriate safeguards are in place in line with applicable data protection requirements.

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or need to report a privacy concern, please contact us:

• Margaret Lawrence University Teaching Hospital
• River Park Estate, Lugbe, Abuja, Nigeria
• Email: info@mluth.com
• Phone: +234 (81) 2345 6789

For urgent medical matters, please call our emergency line or visit the hospital directly. Do not rely on email or website forms for emergency care.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will post the updated policy on this page and revise the "Last updated" date below.

We encourage you to review this page periodically to stay informed about how we protect your information.