1.     Introduction 

Leadway Health Limited (Leadway) is committed to protecting the privacy and personal information of its customers (data subjects).

Leadway ensures it adheres to strict controls to ensure that the personal data of the data subjects are obtained and used in line with the company’s privacy principles. The organization collects, processes and stores customers’ personal data in compliance with the Nigerian Data Protection Act 2023, Nigerian Data Protection Regulation 2019, extant Nigerian laws and other applicable international laws on data protection.

By providing the data subject’s personal information or the personal information of a beneficiary from the data subject’s policy, the data subject acknowledges that Leadway may only use the information in the manner specified in this Privacy Policy.

1.1       GENERAL PRINCIPLES

Leadway respects the privacy rights of its customers, clients, business partners and other individuals whose personal data are in its custody. It is guided by the following principles:

  1. Respect for Privacy: Leadway upholds the privacy rights of its customers, clients, business partners, and other data subjects, ensuring that the processing of personal data complies with the principles of lawfulness, fairness, and transparency;
  2. Data Security: Leadway safeguards personal data by implementing appropriate technical, security, and organizational measures to ensure confidentiality, integrity, and availability during data processing;
  3. Fair and Legitimate Data Use: Leadway collects personal data lawfully and fairly, processing it strictly for specified, explicit, and legitimate purposes that align with its business objectives and the requirements of the NDPA 2023.
  4. Accountability and Compliance: Leadway takes full accountability for demonstrating compliance with the NDPA 2023 and other applicable legal and regulatory frameworks. It ensures all employees and stakeholders understand their roles and responsibilities in protecting personal data.

2. Role definitions:

The following roles are defined for the purpose of this policy:

Data Subject: is an identifiable person; one who can be identified directly or indirectly, particularly by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity and includes Leadway’s clients, customers, business partners and employees.

Data Administrator: means a person or organization that processes data. For the purpose of this policy, Leadway Health Limited is the Data Administrator.

Data Processors: means a person or organization who processes personal data on behalf of or at the direction of the data controller or another data processor. For the purpose of this policy, Leadway Health Limited is the Data Processor.

Data Controller: means a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed. For this policy’s purpose, the Managing Director is the Data Controller or whoever he delegates.

Data Protection Officer (DPO) is appointed by the data controller to ensure that the strategy and implementation of data protection requirements comply with the data protection policy and the relevant extant laws. Leadway has a duly appointed a DPO, and their contact details are made available in this document.

3.     Types of Information Processed by Leadway

The precise nature of the personal data Leadway processes depends on the data subject’s relationship with Leadway. However, in many cases, if the Company is handling the data subject’s personal data as part of its role as an HMO, the Company may process the following:

  1. Personal information about the data subject – Examples are name, age, gender, date of birth, marital status, and nationality.
  2. Means of identification – Date of birth, National Identity Card Number (NIN), International Passport details, Drivers’ License, Voter’s card details, etc.
  3. Contact information – in some cases, for example, the Company may receive the data subject’s email address, residential address and phone number.
  4. Online information – for example cookies and IP address (your computer’s internet address), if you are logged into Leadway’s website.
  5. Financial information – the Company may process information related to payments the data subject makes or receives in the context of any HMO package. This includes information such as Bank account, Bank Verification Number (BVN) and other information obtained from credit reference agencies.
  6. Contractual information – for example, details about the policies a data subject holds and with whom the data subject holds them.
  7. Health information such as smoker status or medical-related issues relevant to a policy the data subject holds or a claim the data subject has made.
  8. Other sensitive personal data (health background/information, criminal history record, biometric details, academic records).

4.     Lawful basis of processing personal data

Leadway shall process personal data of its data subjects only when one or more of the following legal bases for processing apply:

  • The data subject has provided consent for the processing of their personal data, and such consent has not been withdrawn.
  • The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
  • The processing is required to comply with a legal obligation to which Leadway is subject.
  • The processing is necessary to protect the vital interests of the data subject or a third party.
  • The processing is carried out in the performance of a task in the public interest.
  • The processing is necessary for the purposes of legitimate interests pursued by Leadway or its third-party processors, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5.     Requirement for Consent

  • Where the processing is based on consent, Leadway shall inform the data subject of the purpose for obtaining their consent prior to collecting their personal data and shall rely on the data subject’s unequivocal consent to process the data.
  • Where a data subject provides personal information about third parties, Leadway will require confirmation that the third party has authorized the data subject to act on their behalf. Additionally, the data subject may provide a copy of the third party’s consent to Leadway.
  • Consent will be obtained through the same medium used to obtain personal information or any other acceptable means to Leadway. Reference will be made to this Policy. The data subject will be required to indicate understanding and acceptance of the terms contained in the policy/agreement. This can be done via signature for physical documents, oral consent, or a ticked checkbox for electronic platforms.
  • Where Leadway has an appropriate, legitimate business need to use client personal information to maintain business records, including developing and improving products and services, Leadway will take extra care to ensure that the data subject’s rights to security and confidentiality are not infringed.
  • Leadway shall not deny the data subject their right to withdraw, at any time, consent to the processing of their personal data. However, this shall not affect the lawfulness of data processing that occurred before the withdrawal of such consent.
  • For Minors or persons lacking the capacity to give consent, Leadway shall obtain the consent of their parents or legal guardians. However, this may not apply where:
    1. The processing is necessary to protect the vital interest of the child or person lacking capacity to consent.
    2. For purposes of education, medical, or social care, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality.
    3. Necessary for court proceedings.

6.     Reasons for use and process of data by Leadway

  1. Pursuant to the aforementioned requirements, such personal data obtained with the consent of the data subject shall not be used in any manner other than the stated purpose for which the data was obtained, except with further consent of the data subject whether at the instance of the data subject or upon Leadway’s engagement with the data subject.
  2. Leadway may use or process the data subject’s personal data for a number of reasons:
    • Underwriting our business with our clients
    • Managing claims and claims assessment purposes.
    • Assessing, improving and developing our services.
    • Enhancing our knowledge of risk and insurance markets in general.
    • Fulfilling legal or regulatory obligations and protecting ourselves and our clients against fraud. Such regulators include the National Health Insurance Authority such other regulatory agencies that is created from time to time.
    • For the protection of public interest such as investigation of fraudulent claims and anti-money laundering checks.
    • For archiving purposes in the public interest, scientific or historical research or statistical purposes.
    • For the purpose of assessment of the proposed data subject’s employability, background checks and other employee benefits-related purposes.
  3. Leadway applies information protection technologies including perimeter security, malware management, data loss prevention and backup & Leadway’s data centers are also protected against environmental threats. Leadway’s information security policies and practices apply to all personal information in the company’s custody.
  4. Leadway will only transfer personal information to a third party where the company has ensured that such information is protected, the required third-party agreement has been signed, and the data subject’s consent is relied upon, except where the transfer is necessary for the fulfillment of a legal or contractual purpose.
  5. Leadway shall verify the data protection compliance of the Third Party to guarantee the safeguard and protection of the personal data of the data subject in the custody of the Third party.

7.     Methods of collecting private information

In most cases, Leadway may obtain personal information directly from data subject or from third parties such as its corporate clients. The following comprise the method of collection of personal information:

  1. Direct collection:
    • Know Your Customer (KYC) forms
    • Claim forms
    • Forums and feedback forms
    • Enquiry and Quote forms
    • Recorded telephone conversations
    • Digital touchpoints
    • Electronics means (emails and apps)
    • Employee engagement personal data forms (inclusive of medical report).
  2. Third-party data collection source
    • Individuals or employers with policies with Leadway under which a data subject is insured e.g. a named individual within a group policy
    • Family members in the event of incapacitation or death of the client for the purpose of claims payment
    • Health care providers such as Hospitals, Pharmacies, etc.

Provided that in the case of data obtained from a third-party source, consent will be obtained from the data subject where required.

8.     Leadway’s Use of Cookies

Leadway’s websites use cookies to track the browsing history of visitors to improve their experience. All Leadway websites provide visitors with an option to accept the use of cookies during the browsing session. Consent must be received before any form of data processing can be performed. Every consent given by a data subject will be kept secure as evidence that consent was received.

The data subject will provide consent by responding to a dialogue box corresponding to a dialogue box corresponding to declarations indicating whether consent is given or declined. Such declaration shall be in clear and plain language.

9.     Social Media Platforms

The data subject may wish to subscribe in various blogs, forums, and other social media platforms hosted by Leadway (“Social Media Platforms”) which are made available to the data subject. The main aim of these Social Media Platforms is to facilitate and allow the data subject to share contents. However, Leadway cannot be held responsible if the data subject shares personal information on Social Media Platforms that is subsequently used, misused or otherwise appropriated by another user. The data subject is required to consult the Privacy Statements of such services before using them.

10. Third-Party Access and Purpose of Access

 10.1 Disclosures to Employees

Leadway’s Employees have access to personal data and process personal data based on a “need to know” in order to do their job on behalf of the Company. Leadway regularly checks who has access to its systems and data.

10.2 Disclosure to Third Parties

Leadway may disclose data subjects’ personal information to the following categories of third parties:

  1. Leadway service providers and agents e.g. IT companies that support Leadway’s technology, marketing agencies, research specialists, document management providers and tax advisers.
  2. Leadway professional advisers: external auditors; reinsurers; medical agencies and legal practitioners.
  3. Clients who provide Leadway with data subjects’ personal data.
  4. Medical facilities
  5. Industry Regulators.
  6. Intermediaries who provide Leadway with data subjects’ personal data.
  7. Persons/entities legally authorized to act on behalf of Leadway e.g. Lawyers, Brokers
  8. Individuals nominated and authorized by the data subject to engage Leadway on their behalf.
  9. Credit referencing organization to obtain information which may be used by Leadway to determine its risk selection, pricing and underwriting.
  10. Independent Customer satisfaction survey providers.
  11. Financial organizations
  12. Government and its Agencies.
  13. Emergency assistance
  14. Debt collection agencies
  15. Selected third parties in connection with the sale, transfer or disposal of the business or in connection with employee assessment, academic records verification and employee well-being survey.

The above disclosures to the third party shall be made only to the extent necessary for the specific purpose for which the data is provided and the third party shall be informed of the confidential nature of such information and shall be directed to keep the data subject’s information strictly confidential.

11. Foreign Transfer of Personal Data

Leadway may be required to transfer client personal information to a third party in a foreign country. This is carried out in line with the provision of the NDPA as follows:

  • The transfer of the client’s personal information would be to a third party in a foreign country that has adequate data protection laws.
  • Leadway has the right to be informed of the transfer of their personal information and the appropriate safeguards for data protection in the foreign country.
  • The data subject’s personal information may be transferred to a third party in a foreign country in the following circumstances:
    • Where the data subject has consented to the proposed transfer after having been informed of the possible risks of such transfers.
    • The transfer is for the performance of a contract between the data subject and Leadway.
    • The transfer is for the performance of a contract concluded in the interest of the data subject between Leadway and another natural or legal person.
    • The transfer is for the public interest.
    • The transfer is for the establishment exercise or defence of a legal claim.
    • The transfer is to protect the vital interest of the data subject or other persons, where the data subject is physically or legally incapable of giving consent.

12. Length of time for keeping client personal information

Leadway has documented and approved a retention policy that guides the retention of the different categories of information it processes. The length of time for storing data subject’s personal information shall be in line with Leadway’s Retention policy. This includes keeping the data subject’s information for a reasonable period as stated in the Retention policy after the data subject’s relationship with Leadway or its client has ended particularly for statistical analysis, pricing and risk modelling and reference purposes.

In certain instances, Leadway will minimize personal data; or de-identify data for use in statistical or analytical activities. This is undertaken in accordance with the data protection laws.

13. Data Subject’s Rights

In accordance with the provisions of the Nigerian Data Protection Act, the following includes the rights of the data subject regarding their personal data.

  • Leadway shall disclose the specific purpose for which the information is required before obtaining the information from the data subject and shall inform the data subject of his/her right and method of withdrawal of consent.
  • The data subject has the right to request that Leadway perform certain activities on his/her personal information, such as a request for a copy of their personal information, correction of errors on the personal information, a change in the use of their personal information, or delete their personal information. Leadway is obligated to either carry out the data subject’s instructions or explain why it may not be possible – usually because of a legal or regulatory issue.
  • Data subjects have the following rights in respect of Leadway’s use of their personal information:
  • Right to access: The data subject has a right to a copy of their personal information as maintained by Leadway.
  • Right to rectify: Leadway takes due care to ensure that the personal information we maintain about data subjects are accurate and complete. However, if a data subject believes the information is inaccurate or incomplete, such data subject has the right to request an amendment.
  • Right to erase: Under certain circumstances, a data subject may ask that Leadway erase their personal information. For instance, where the personal information collected is no longer necessary for the original purpose or where consent is withdrawn. However, this will need to be balanced against other factors, such as the type of personal information obtained, the original reason for collection, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and Leadway continuous assessment of risk relating to the data There may be some legal and regulatory obligations which prevents Leadway from complying immediately.
  • Right to restriction of processing: under certain circumstances, but subject to regulatory requirements, a data subject may be entitled to instruct Leadway to stop using his/her personal This is applicable where:
    1. A data subject contests the accuracy of personal information held by the data controller
    2. Processing of personal data of the data subject is unlawful
    3. The data controller no longer requires the personal data but the data is required by the data subject for the establishment, exercise or defense of legal claims
    4. The data subject has objected to processing, pending the verification whether the legal grounds for the data controller override those of the data
  • Right to data portability: Under certain circumstances, data subjects have the right to ask that Leadway transfers any personal information that they have provided to Leadway to another third party. Once transferred, the other party will be responsible for safeguarding such personal information.
  • Right to object to marketing: Data Subject can object to the processing of his/her personal data for the purposes of marketing.
  • Right to lodge a complaint: Leadway’s data subject has the right to lodge complaints, in the event that there is an objection to the manner in which personal information is being used by Leadway. Such complaints can be communicated using the contact details provided in this policy. However, there are cases, Leadway may be unable to comply with the data subject’s requests for reasons such as the Company’s obligations to comply with other legal or regulatory requirements.

Notwithstanding, Leadway will always respond to complaints and where compliance is not feasible, an explanation will be provided accordingly.

  • The Data Controller shall communicate any rectification or erasure of personal data or restriction to each recipient to whom the data personal data has been disclosed unless this proves impossible or involves disproportionate effort.
  • In some circumstances, exercising some of these rights will mean Leadway is unable to continue providing cover under the data subject’s insurance policy and may therefore result in cancellation of the data subject’s policy and the data subject will therefore lose the right to bring any claim or receive any benefit under the policy, including in relation to any event that occurred before the right was exercised, if Leadway’s ability to handle the claim has been prejudiced. Each data subject’s policy terms and conditions set out what will occur in the event of a policy cancellation.
  • Automated decision making: Some of Leadway’s assessments of risks are made automatically by inputting the data subject’s personal information into a system, the criteria of which is determined by Leadway’s underwriting team and the decision is then calculated using certain automatic processes rather than manual process via discussions. We make automated decisions in the following situations:
  • Premium computation: we use the data subject’s personal information to determine premium and eligibility.
  • Fraud and money laundering prevention: Leadway uses automated anti-fraud and money laundering filters that check against global databases individuals known to have undertaken fraudulent and/or money laundering transactions and will reject those applicants based on outcomes of the automated checks.
  • Application assessment: Leadway may use scoring methods to assess applications, perform identity verification and determine premiums. Examples of information used by Leadway systems to do this include age, address, lifestyle (e.g. smoking, drinking, exercise routines) and medical history. If a data subject does not consent to process sensitive information in this manner, Leadway may be unable to assess the application or provide a quote. Alternatively, Leadway may only be able to offer to the data subject, policies that do not require Leadway to have that information from the onset. The automated decision-making performed by Leadway systems during the application is proprietary to Leadway, and the results thereof are not shared with third parties.
  • Right not to be subject to automated decision-making: A data subject reserves the right not to be subject to a decision based solely on automated processing of personal data, including profiling. Where the data subject chooses to opt out of automatic decision-making, formal communication to that effect will suffice. However, this shall not apply where:
    1. It is necessary for entering into or performance of contract between Leadway and the data subject.
    2. Authorized by law which provides safeguards for the fundamental rights and freedoms, and the interest of the data subject.
  • Authorized by the consent of the data subject.
  • The Data subjects can enforce the above rights by sending an email to . The Data Controller is obligated to act on the request of the data subject without delay. In the event that the Data Controller does not take action on the request of the Data Subject, the Data Controller shall within one month of receipt of the request, inform the Data Subject of the reasons why the request has not been actioned.
  • The exercise of the rights listed above shall be in conformity with constitutionally guaranteed principles of the Nigerian Data Protection Act for the general protection and enforcement of fundamental rights.

14. Marketing

  • The data subject reserves the right to the use of their personal information for marketing and Leadway shall obtain the consent of the client prior to using such information for marketing purposes in specific cases not covered under this policy.
  • Leadway is committed to only providing insurance marketing materials and communication to its customers that are relevant to their requirements and usage patterns. Where the data subject chooses to unsubscribe from our mailing lists, such can be achieved at any time by following the unsubscribe instructions that appear in all marketing emails or contacting Leadway via the details set out in this policy
  • Periodically, Leadway may run specific marketing campaigns through social media and digital advertising that the data subject may see which are based on general demographics and interests. Individual personal information is not used for these campaigns. Should a data subject not want to see such campaigns, the data subject shall be responsible for adjusting preference settings within the specific social media platform including cookie and browser settings
  • Leadway may retain any data provided on its website and mobile apps for a reasonable period, subject to the data subject’s prior consent, even if the contract is not consummated and such information may be used to make an enquiry on why the contract is not consummated.

15. Review of the policy:

The Company’s Data Protection Officer (DPO) is responsible for ensuring this policy is updated within three (3) years subject to changes in the Nigerian Protection Regulation and Laws.

16. Audit and Enforcement of the Data Protection Policy

The Internal Audit Department of the Company shall, periodically, conduct the audit of the privacy and data protection practice, in accordance with the extant Data protection regulation and the Data Protection Officer shall be responsible for monitoring compliance with the regulation.

17. Remedies for Violation of Data Protection Policy

In the event of a violation of this policy, the data controller shall redress the violation within 15 days. Where the violation pertains to the disclosure of the data subject’s information without his/her consent, such information shall be retracted immediately and confirmation of the retraction sent to the data subject within 48 hours of the redress. Where the violation is caused by any representative of the data controller, such representative shall be subject to appropriate sanction.

18. Contact details of the Data Controller and Data Protection Officer

Leadway’s Data Controller and Data Protection Officer can be contacted via the following details:

Office Address 

Leadway Health Limited

121/123, Funsho Williams Avenue, Iponri, Surulere, Lagos. Email Address