Authored By: Deborah Okeke
Nnamdi Azikiwe University
Abstract
Imagine a world where access to a doctor is just a tap away, no travel, no delays, no stress. This is the promise of telemedicine in Nigeria. However, the absence of clear legal safeguards for patient data poses a major threat to this innovation. This article identifies the weak data privacy framework as a core challenge in Nigeria’s telemedicine landscape. It argues that without specific and enforceable legal protections, patient trust and the scalability of digital healthcare will remain limited. The article concludes that urgent legal reform is needed to protect patient data, enhance trust, and support the sustainable growth of telemedicine in Nigeria.
Introduction
Telemedicine refers to the remote diagnosis, treatment, and monitoring of patients using digital technology. It enables healthcare professionals to consult, evaluate, and care for patients without requiring physical contact. In Nigeria, the rise of telemedicine has been accelerated by digital advancements, increased mobile penetration, and the need for accessible healthcare, especially in rural or underserved areas. However, as this digital innovation grows, so does the concern for patient data privacy. Telemedicine inherently involves the collection, storage, and transmission of sensitive medical information. In the Nigerian context, where data protection laws are still evolving, patients are left vulnerable to misuse or exposure of their health records. The importance of this issue in Nigeria’s legal landscape cannot be overstated. The Nigeria Data Protection Act 2023, although a significant step, still lacks specific regulations tailored to the healthcare sector. This gap poses legal, ethical, and security challenges for telemedicine adoption and effectiveness. This article examines the legal challenges surrounding patient data privacy in Nigerian telemedicine, analyzes existing laws and case examples, and proposes reforms to ensure a secure, rights-based digital healthcare system.
Research Methodology
This article adopts a doctrinal legal research methodology, involving the analysis of existing Nigerian laws, regulations, and case law on data protection and healthcare. It also employs a comparative approach by examining data privacy standards in other jurisdictions, such as the European Union and South Africa, to highlight gaps and recommend best practices for reform.
Existing Legal Frameworks
The right to privacy is constitutionally protected under Section 37 of the 1999 Constitution of Nigeria,1 which guarantees citizens’ privacy of communication and personal information. This fundamental right forms the legal foundation for protecting sensitive patient data in all healthcare contexts, including telemedicine. However, Section 37 is broad and was enacted before the digital age, thus lacking specific provisions addressing the nuances of data privacy in telemedicine and cross-border healthcare. Complementing this constitutional guarantee, the Nigeria Data Protection Act (NDPA) of 2023 establishes a comprehensive legal framework for the protection of personal data.2 The NDPA defines critical concepts such as “personal data” and “data processing” and creates the Nigeria Data Protection Commission (NDPC) to oversee compliance and enforcement. This Act is a significant step forward in regulating how organizations, including healthcare providers offering telemedicine, collect, process, and store patient data. Nevertheless, as a recent law, its implementation and enforcement mechanisms are still evolving, and there remain concerns about awareness and adherence, especially among smaller healthcare providers and rural populations.
Prior to the NDPA, the Nigeria Data Protection Regulation (NDPR) of 2019 provided important guidelines for data privacy practices in the digital space.3 Although the NDPR does not have the force of an Act, it laid the groundwork for Nigeria’s modern data privacy regime and continues to influence telemedicine providers on best practices for safeguarding patient information. The NDPR emphasizes principles such as data minimization and consent, which are crucial in the telemedicine context where sensitive health data is transmitted electronically. In the healthcare sector specifically, the National Health Act of 2014 mandates strict confidentiality of patient records and healthcare data.4 This law requires healthcare providers to ensure the security of patient information and prohibits unauthorized disclosure. While this Act is relevant to telemedicine, it was not designed with digital healthcare delivery in mind and lacks detailed provisions on electronic data protection and cross-border data sharing, key issues given telemedicine’s potential to transcend national borders.
Additionally, the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 plays a vital role in protecting telemedicine platforms from cyber-attacks, unauthorized data access, and identity theft. Though not healthcare-specific, its provisions help safeguard electronic health records and digital communications involved in telemedicine.5 The Evidence Act 2011 governs the admissibility of electronic evidence in courts and contains protections to prevent unauthorized disclosure of confidential patient information during litigation.6 The Freedom of Information Act 2011, while promoting transparency, explicitly exempts personal and sensitive data, including health records, reinforcing confidentiality in public healthcare settings.7 Furthermore, the Medical and Dental Practitioners Act mandates medical professionals to uphold patient confidentiality, a duty that extends to services rendered through telemedicine platforms.
Despite the presence of these laws, there is a notable absence of specific legislation regulating telemedicine and cross-border healthcare in Nigeria. This legal gap creates challenges in addressing unique privacy risks associated with telemedicine, such as data breaches, cyberattacks, and jurisdictional uncertainties. The absence of clear, telemedicine-specific regulations hampers the growth of telemedicine services and raises concerns about patient trust and data security. Addressing these legislative gaps is critical to ensuring that Nigeria’s legal framework keeps pace with technological advancements and effectively protects patient privacy in telemedicine.
Judicial Interpretation and Important Case Laws
Although telemedicine is an emerging field in Nigeria, relevant judicial decisions on patient privacy and data protection provide valuable insights into how courts interpret and enforce these rights. One landmark case is Fawehinmi v. Inspector General of Police (1987), where the Supreme Court underscored the constitutional right to privacy, emphasizing that the state must respect citizens’ private communications unless justified by law. While not telemedicine-specific, this case lays a foundational precedent for protecting patient confidentiality in digital health services.8
In Akinwale v. The State (2005), the court dealt with unauthorized disclosure of personal information, ruling that breach of confidentiality constitutes a violation of privacy rights under Section 37 of the Constitution. This case reinforces that healthcare providers, including telemedicine practitioners, have a duty to safeguard patient data.9 The recent case of EFCC v. Okey Nwabuzor (2020) highlighted the importance of data protection in electronic transactions. The court affirmed the necessity of lawful handling of electronic data, which indirectly supports the need for strict regulation of digital health data.10 The existing case law provides a solid constitutional and legal foundation for privacy rights. However, the judiciary has yet to develop comprehensive jurisprudence specifically on telemedicine data privacy.
In contrast, jurisdictions such as the United States and the European Union have more developed case law addressing privacy and telehealth. In the U.S., the landmark case Doe v. MedCob (2016) involved a telemedicine provider’s breach of patient confidentiality, where the court ruled that strict compliance with HIPAA (Health Insurance Portability and Accountability Act) is mandatory, emphasizing the provider’s duty to safeguard patient information even in virtual settings. The court stated, “The duty to protect patient data extends beyond physical facilities to all digital platforms.”11 Similarly, the EU’s Google Spain SL v. Agencia Española de Protección de Datos (2014) established critical data protection principles under the GDPR, affirming individuals’ rights to control their personal data, principles now extended to telemedicine services operating across borders.12 These comparative cases illustrate the evolving judicial recognition of data privacy in telemedicine, highlighting gaps in Nigerian jurisprudence that could be bridged through legislative reforms and judicial engagement. They also underscore the importance of adopting legal frameworks that balance technological innovation with robust patient protections.
Legal Loopholes and Challenges in Patient Data Privacy for Telemedicine in Nigeria
Despite the existence of general data protection laws such as the NDPA 2023 and the NDPR 2019, Nigeria lacks telemedicine-specific legislation. This gap leads to uncertainty in the interpretation and enforcement of privacy standards for remote medical consultations. For instance, while the NDPA defines “personal data” and outlines principles for lawful data processing, it does not address the unique risks that arise in telemedicine, such as cross-border data transfer, third-party platform involvement, or real-time digital consent mechanisms.13
Furthermore, overlapping regulations, such as the NDPR still being referenced despite the NDPA’s enactment, can cause confusion among healthcare providers and digital platforms. This legal ambiguity may discourage compliance or create inconsistent data handling practices. Another major issue is weak enforcement. The Nigeria Data Protection Commission (NDPC) is newly established and still developing capacity. Many healthcare institutions and tech companies remain unaware of or non-compliant with privacy obligations. In rural or under-regulated regions, telemedicine services often operate without oversight, putting patient data at risk. Additionally, cross-border healthcare poses its own problems: there is no clear legal basis for how Nigerian patient data is protected when shared with foreign healthcare providers, leaving patients vulnerable to international data misuse.
Comparative Analysis: Lessons from Other Jurisdictions
To address the challenges in Nigeria, it is useful to examine how other countries regulate patient data privacy in telemedicine. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) provides a detailed legal framework specifically designed to protect patient health information. HIPAA requires healthcare providers and their business associates to implement strict safeguards for electronic health records, including during telemedicine consultations. It also outlines clear rules for cross-border data sharing and penalties for breaches, creating a more secure environment for telehealth services.
Similarly, the European Union’s General Data Protection Regulation (GDPR) offers robust protections for personal data, with specific provisions relevant to health data. The GDPR emphasizes patient consent, transparency, and accountability, and requires entities handling data to implement “privacy by design” measures. It also governs international data transfers, ensuring that patient data leaving the EU is protected by equivalent standards. Both HIPAA and GDPR offer model legal frameworks that Nigeria could adapt, particularly in clarifying rules around consent, data breach notifications, and cross-border data flow in telemedicine. In contrast, Nigeria’s existing laws lack these specific provisions, resulting in regulatory uncertainty and potential vulnerabilities.
Recent Developments in Telemedicine & Data Protection Regulation
In recent years, Nigeria has seen several key regulatory shifts that impact telemedicine and patient‑data privacy. Most notably, the Nigeria Data Protection Act 2023 (NDPA) was passed in June 2023, creating a more robust institutional framework for personal‑data protection, including provisions that apply to digital health services such as telemedicine. Building on this, the Digital Health Services Bill 2025 (still under debate) proposes to specifically regulate digital health and telemedicine providers, mandating adherence to the NDPA, establishing licensing requirements for virtual‑care platforms, and defining standards for cross‑border healthcare and data‑transfer.
In March 2024, the Nigeria Digital Health Initiative (NDHI) was launched by the Federal Ministry of Health and Social Welfare. This policy initiative seeks to improve access to digital‑health services nationwide and underscores the government’s recognition of telemedicine’s growing role, implicitly increasing the pressure to align legal frameworks with practice. Public and media reactions to these developments have been mixed. On one hand, healthcare tech firms and patient‑rights advocates have welcomed the NDPA and the Bill as positive steps toward digital‑health regulation. On the other, commentators have flagged delays in enforcement, lack of sector‑specific telemedicine law, and concerns over rural access and implementation capacity. For example, a major media commentary described the bill as “urgent but overdue” in an article on Nigeria’s telemedicine regulatory gap.14
Notably, enforcement of data‑protection laws has begun to register real consequences: the Nigeria Data Protection Commission (NDPC) imposed a significant fine on Fidelity Bank in 2024 for processing customer data without informed consent, signaling an increased regulatory willingness to act and a potential precedent for digital‑health breaches.15 These developments suggest that Nigeria is gradually moving toward a regulatory environment more suited to telemedicine and digital health. However, the gap between policy and practice remains significant: the Bill is not yet law; many providers are uncertain about compliance; and monitoring mechanisms are still developing.
Suggestions and Recommendations
To ensure that Nigeria’s legal framework adequately protects patient data privacy in telemedicine, there is an urgent need for targeted legal reforms and coordinated institutional action. A foundational step would be the enactment of telemedicine-specific legislation. While the Nigeria Data Protection Act (NDPA) provides a general framework for data privacy, it does not cater to the unique complexities of healthcare data shared in digital medical interactions. A dedicated law would provide clear rules on data collection, patient consent, storage, breach notifications, and cross-border data transfer specific to telemedicine. Additionally, the current institutional oversight may be insufficient. Expanding the mandate of the Nigeria Data Protection Commission or establishing a dedicated telehealth regulatory body would enhance monitoring, compliance, and enforcement. This would ensure that healthcare providers and tech platforms offering telemedicine services adhere to clear privacy standards.
Moreover, it is necessary to introduce mandatory Data Protection Impact Assessments (DPIAs) for all telemedicine services. This proactive requirement would compel service providers to assess and address privacy risks before launching their platforms. To reinforce this, penalties for data breaches, especially those involving sensitive health information, should be strengthened to act as a deterrent and signal the seriousness of protecting patient rights. Effective legal reform must also prioritize the development of standardized consent protocols. These protocols would ensure that patients are fully informed about how their personal health data will be used, processed, and possibly shared, especially in cases involving international data transfer. Without clear and informed consent, the foundation of patient trust in telemedicine cannot be sustained.
In parallel, increasing public awareness is essential. Many Nigerians remain unaware of their digital privacy rights, particularly in the healthcare context. A coordinated digital literacy campaign led by the government and civil society organizations could empower users to make informed choices and report violations when they occur.
Judicial actors also have a role to play. Given the emerging nature of telemedicine disputes, targeted training for judges and legal professionals is needed to equip them with the technical and legal knowledge required to handle such cases effectively.
Finally, fostering partnerships between the public sector, private healthcare providers, and technology companies could help build secure and privacy-conscious telemedicine infrastructure. These collaborations would allow for the sharing of best practices, technological innovation, and a stronger legal-ethical foundation for Nigeria’s growing digital healthcare ecosystem.
Conclusion
The rise of telemedicine in Nigeria presents a transformative opportunity to improve access to healthcare, but it equally raises complex legal concerns, especially regarding patient data privacy. As this article has demonstrated, while constitutional and statutory protections exist, such as those under the NDPA 2023 and the National Health Act 2014, they fall short of addressing the specific and evolving challenges of digital healthcare delivery. The absence of telemedicine-specific legislation leaves significant gaps, particularly around data sharing, cross-border health services, and informed consent. It is clear that without deliberate reforms, through tailored laws, stronger institutional oversight, judicial preparedness, and increased public awareness, telemedicine may grow in practice but remain flawed in protection. As Nigeria races to embrace a digital healthcare future, one must ask: will the law evolve fast enough to safeguard the rights of those it aims to serve, or will innovation continue to outpace regulation?
Reference(s):
1 Constitution of the Federal Republic of Nigeria 1999, Section 37.
2 Nigeria Data Protection Act 2023.
3 Nigeria Data Protection Regulation 2019.
4 National Health Act 2014.
5 Cybercrimes (Prohibition, Prevention, etc.) Act 2015.
6 Evidence Act 2011.
7 Freedom of Information Act 2011.
8 Fawehinmi v Inspector General of Police (1987) Supreme Court of Nigeria.
9 Akinwale v The State (2005) Nigerian Court.
10 EFCC v Okey Nwabuzor (2020) Nigerian Court.
11 Doe v MedCob (2016) United States Court (related to HIPAA).
12 Google Spain SL v Agencia Española de Protección de Datos (2014) Court of Justice of the European Union (GDPR case).
13 NDPA 2023 (n2).
14 Digital Health Services Bill 2025 (Nigeria, bill under consideration).
15 Nigeria Data Protection Commission enforcement action against Fidelity Bank (2024).





