Welcome to the last article of the OTL Law & Nexa Advisory Knowledge Management Series on Data Protection and Privacy in Nigeria and Africa. We have journeyed through the concept of personal data, data protection, the roles, responsibilities, and principles of data processing, data subject rights, and building a privacy programme.
In this final article, we will spotlight the fintech and healthtech sectors, discussing their peculiar data processing needs, specific challenges, emerging norms and practical steps for DPOs to ensure continued compliance. These sectors are important because of the nature of the data they process and the risks involved in their processing activities.
1. Understanding the Fintech Context
Fintech companies rely on data for almost every part of their operations. They collect and process Know Your Customer (KYC) records, transaction histories, credit information, device fingerprints, behavioural analytics and, in several cases, biometric identifiers. Both the nature of this data and the laws regulating financial services make processing in this sector particularly sensitive.
2. Why Fintech Data Processing Requires Careful Governance
a. Biometric Information for KYC: Financial institutions often process biometric information (e.g. fingerprints and facial recognition) for Multi-Factor Authentication (MFA) to strengthen the security of users’ data. This biometric information is regarded as sensitive data and, as such, requires a higher level of protection.
b. Long-term retention obligations: Financial regulations often require fintech organisations to store transactional records, accounting information, and KYC documents for about seven years. Long retention increases exposure to security incidents and therefore requires strong governance.
c. Revealing nature of financial data: Unauthorised access to financial data can expose spending habits, financial strength, loan history, and behavioural patterns. In some African countries, such as Ghana, financial data is classified as sensitive data.
d. Additional industry security standards: Fintech organisations that process cardholder data must comply with PCI DSS in addition to NDPA and GAID 2025 requirements.
e. Frequent cross-border processing: Fintech platforms often rely on global service providers for cloud hosting, transaction processing, analytics or communication. Part 8 of the NDPA and schedule 5 of the GAID 2025 apply to these transfers.
3. Practical Steps for Continued Compliance in Fintech
a. Identity Verification and KYC Processing
- Document the lawful basis for each category of KYC data.
- Provide layered privacy notices that explain the use of biometrics or automated verification.
- Conduct DPIAs for all biometric and fraud detection tools.
- Align retention periods with regulatory requirements and delete KYC data promptly once retention lapses.
- Implement strict access controls and audit trails for identity data.
b. Transaction Records and Long-term Storage
- Map every database or platform storing transaction history.
- Separate active data from archived records.
- Encrypt all records in transit and at rest.
- Implement deletion workflows for data older than the seven-year retention period.
- Review retention obligations annually, especially when regulations change.
c. Fraud Monitoring and Automated Processing
- Provide clear information to users about profiling and automated decisions.
- Maintain human oversight for automated transaction blocking.
- Conduct accuracy reviews and fairness assessments of fraud detection systems.
- Document automated decision processes in line with GAID 2025 requirements.
- Include all fraud systems in annual DPIA reviews.
d. Third Party and Vendor Management
- Record all processors and sub-processors in the vendor register.
- Use regulator-compliant Data Protection Agreements (or Addendums).
- Verify security safeguards and cross-border transfer mechanisms.
- Conduct vendor risk assessments at least annually.
- Maintain up-to-date evidence of compliance reports from high-risk vendors.
4. High Security Obligations in Fintech
Fintech organisations operate in one of the most attacked digital environments. Their security measures must therefore exceed the standard baseline. Key expectations include:
a. Robust access control systems: Fintech systems should implement role-based access control, multi-factor authentication and session timeouts. Administrative access should be monitored with privileged access management tools.
b. Encryption across all environments: Encryption must be applied in transit and at rest. Sensitive fields such as card numbers, bank details and unique identifiers should be tokenised.
c. Pseudonymisation and data minimisation: For analytics or fraud modelling, fintech organisations should use pseudonymisation techniques that separate identity from behavioural data. Only the minimum data required for each use case should be processed.
d. Cloud security: Fintech platforms using cloud hosting should:
- Implement network segmentation.
- Enable continuous monitoring.
- Deploy intrusion detection and prevention systems.
- Maintain incident logging and real-time alerts.
e. Use of Privacy Enhancing Technologies: Techniques such as differential privacy, secure multiparty computation, encrypted analytics and tokenisation strengthen compliance when processing high volumes of financial data.
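As an added illustration of points b and c above (tokenising sensitive fields and separating identity from behavioural data for fraud modelling), the following Python example is not part of the original article. It assumes a hypothetical IdentityVault that holds the pseudonym key and the card-token map under stricter access control than the analytics environment, and uses constructed sample records.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real customer data): direct identifiers sit
# alongside the behavioural fields a fraud model actually needs.
RAW_TRANSACTIONS = [
    {"customer_id": "CUST-001", "name": "Ada O.", "pan": "4111111111111111", "amount": 1200.0, "merchant": "grocery", "device": "dev-a1"},
    {"customer_id": "CUST-002", "name": "Bala K.", "pan": "5555555555554444", "amount": 89.5, "merchant": "fuel", "device": "dev-b7"},
    {"customer_id": "CUST-001", "name": "Ada O.", "pan": "4111111111111111", "amount": 45000.0, "merchant": "electronics", "device": "dev-z9"},
]
DIRECT_IDENTIFIERS = {"customer_id", "name", "pan"}


class IdentityVault:
    # Hypothetical key/token store; lives apart from the analytics environment.
    def __init__(self, key: bytes):
        self._key = key
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def pseudonym(self, customer_id: str) -> str:
        # Keyed HMAC, not a bare hash: without the key, known customer_ids cannot
        # simply be hashed and matched against the analytics dataset.
        return hmac.new(self._key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

    def tokenise(self, pan: str) -> str:
        # Random token with no mathematical link to the PAN; reused per PAN so
        # repeat use of one card stays linkable for fraud modelling.
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenise(self, token: str) -> str:
        return self._token_to_pan[token]  # only callable where the vault lives


def pseudonymise(records: list[dict], vault: IdentityVault) -> list[dict]:
    """Analytics copy: behavioural fields kept, identity replaced by vault references."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject"] = vault.pseudonym(r["customer_id"])
        row["card"] = vault.tokenise(r["pan"])
        out.append(row)
    return out


def leaks_identifiers(records: list[dict]) -> bool:
    """Release gate: True if any direct identifier field survived."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)
```

The analytics copy stays linkable per customer and per card, which the fraud model needs, while re-identification requires the key and token map that remain in the vault.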
5. Understanding the Healthtech Context
Healthtech organisations process special category data such as diagnoses, treatment history, genetic information, reproductive health data, mental health records and biometric measurements. These are sensitive data as defined in section 65 of the NDPA.
6. Why Healthtech Data Processing Requires Stronger Safeguards
a. Intrinsically sensitive nature of health data: Misuse of medical records can result in discrimination, stigma, financial disadvantage and long-term harm.
b. Vulnerability of data subjects: Some patients are considered vulnerable (e.g. children and mentally challenged patients) under schedule 6 of the GAID 2025, and therefore require enhanced transparency and care.
c. Complex retention obligations: Medical records must often be retained for long periods for continuity of care.
d. Cross-border flows in telemedicine: Cloud-based health platforms regularly transmit data across borders. The NDPA and schedule 5 of the GAID 2025 apply to these flows.
7. Practical Steps for Continued Compliance in Healthtech
a. Consent and Transparency
- Obtain explicit consent for processing special category data.
- Use clear and accessible notices tailored to patient literacy levels.
- Separate consent for research or secondary uses.
- Maintain a detailed consent register.
- Provide clear instructions for withdrawal of consent.
b. Access Control and Clinical Systems
- Use strict role-based access rules for medical records.
- Maintain audit logs that record every access.
- Enforce multifactor authentication.
- Review access permissions regularly.
- Segregate clinical, administrative and analytics systems.
c. Data Security and Storage
- Encrypt health data in transit and at rest.
- Use pseudonymisation or anonymisation for research.
- Maintain secure backup and disaster recovery plans.
- Implement device-level security for clinicians who use mobile tools.
- Conduct DPIAs for new clinical technologies.
d. Telemedicine and Cross-Border Storage
- Map all telemedicine processing activities and the locations of hosted data.
- Review cross-border transfers in line with part 8 of the NDPA, including ensuring that international partners meet adequacy or CBDTI requirements.
- Use secure video and messaging platforms.
- Inform patients where international hosting is used.
8. High Security Obligations in Healthtech
Health information requires some of the strongest protections in data governance. Controllers must focus on:
a. Explicit consent management
Explicit consent is the default for processing health data. Consent must be freely given, specific, informed, recorded, and easily withdrawn.
Healthtech DPOs should consider implementing digital consent dashboards and paper-based alternatives for in-clinic patients.
b. Enhanced security controls
Health organisations should use:
- Advanced encryption.
- Strong authentication protocols.
- Secure endpoint devices.
- Regular penetration testing.
- Automated threat detection on clinical systems.
c. Additional controls for special category data
Records relating to genetics, mental health, reproductive health or HIV status should be stored with heightened safeguards and strict access control rules.
Conclusion
Fintech and healthtech organisations operate in data-intensive environments that involve high-risk processing, long retention periods and sensitive categories of information. Their compliance responsibilities are therefore more demanding. A strong privacy programme, clear governance structures, regular DPIAs and robust security measures are essential to ensure safe processing and build user trust.
This article concludes the OTL Law & Nexa Advisory Data Protection and Privacy Knowledge Management Series for players in the Nigerian and African tech ecosystem. We hope the series has provided clarity, structure and practical guidance for every organisation that seeks to build compliant and responsible data processing practices. A compiled version of this series will be made available in a few weeks. If you still have more questions about data protection and compliant processing, please reach out to us at info@nexaadvisory.co or info@otllaw.com.