Location: Lagos, Nigeria
Department: MomCare Project
Reports To: Program Director, Digital Innovations
BACKGROUND
PharmAccess is implementing the MomCare project in Lagos State in collaboration with the Lagos State Health Management Agency (LASHMA). MomCare is a maternal healthcare quality improvement programme that uses outcome-based financing, the SafeCare quality assessment framework, and digital health tools to improve antenatal, delivery, and postnatal care for women enrolled in the Ilera Eko health insurance scheme.
In the course of implementation, MomCare collects, processes, stores, and shares personal and sensitive health data relating to enrolled women and their newborns, including enrollment records, clinical data, SafeCare quality assessment data, LASHMA insurance claims data, and community-level referral records. Some data is transferred to PharmAccess headquarters in the Netherlands for programme monitoring and reporting. To ensure full compliance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and where applicable, the General Data Protection Regulation (GDPR) or any other relevant laws, PAF is seeking expert legal support with data protection expertise scoped specifically to the MomCare project.
OBJECTIVES
The main objectives of this engagement are to:
• Review MomCare’s data collection tools, consent forms, data sharing arrangements, and data processing activities for compliance with the NDPA 2023, NDPR 2019, and applicable laws;
• Review Data Protection Impact Assessment (DPIA) covering MomCare’s data processing activities, including data shared with LASHMA and international transfers to PharmAccess headquarters in the Netherlands;
• Review data processing agreements (DPAs) for the collaboration with LASHMA and digital health platform providers; and
• Offer clear legal and compliance advice on required modifications, risk mitigation measures, and documentation to ensure MomCare operates in full regulatory compliance.
SCOPE OF WORK
The consultant will:
Conduct a legal review and compliance audit of:
• Data handling procedures for collection, storage, processing, and retention of MomCare data;
• Data sharing arrangements with LASHMA, Mom Care partners, and;
• International data transfer arrangements between PharmAccess Nigeria and the headquarters in the Netherlands.
Conduct full DPIA covering:
• Mapping of all MomCare personal data flows from community enrollment through clinical care, LASHMA claims processing, and international reporting;
• Assessment of the lawful basis for each category of data processing, including sensitive health data;
• Review of data collected, its use, and retention period to ensure it is necessary and appropriate;
• Identification of high-risk processing activities and evaluation of existing technical and organizational safeguards; and
• Development of risk mitigation strategies, documented in a DPIA report suitable for NDPC submission if required.
Develop and strengthen MomCare data protection documentation, including:
• Reviewing data processing agreements (DPAs) with LASHMA and digital health platform providers, clearly delineating controller and processor roles, obligations, security requirements, sub-processing conditions, and breach notification responsibilities;
• Updating or drafting MomCare-specific privacy notices, data subject rights procedures, and breach notification procedures; and
• Revising consent forms to ensure informed, specific, and unambiguous consent for all categories of health data processing.
Build internal capacity by conducting a training workshop for MomCare programme staff on NDPA 2023 obligations, sensitive health data handling, data subject rights, and breach notification.
Provide ongoing advisory support throughout the assignment period, including regulatory monitoring, ad hoc legal advice, and incident response assistance.
DELIVERABLES
• Inception Report: Assessment approach and initial data flow observations;
• Compliance Assessment Report: Gap analysis, prioritized risks, and recommendations;
• MomCare DPIA Report: Risk register and mitigation plan;
• Data processing agreements (DPAs) with LASHMA and digital platform providers;
• Updated data protection documentation: Consent forms, privacy notices, data subject rights procedure, and breach notification procedure;
• Training Workshop Report: Session materials, attendance records, and post-training evaluation; and
• Final Consultancy Report: Findings, completed actions, residual risks, and recommendations for sustained compliance.
CONFIDENTIALITY
All MomCare documents, data, and information shared under this engagement are strictly confidential and will not be disclosed or reused without written permission from PharmAccess Foundation. The consultant will sign a confidentiality and data protection agreement prior to commencing work.
REQUIRED QUALIFICATIONS
The ideal consultant or firm will have:
• A minimum of five (5) years of experience in data protection law or compliance, with demonstrated expertise in the Nigerian regulatory framework, and must be a registered Data Protection Compliance Organization (DPCO) with an in-house legal professional;
• In-depth knowledge of the NDPA 2023, NDPR 2019, and the NDPC regulatory framework;
• Proven experience conducting DPIAs, drafting data processing agreements, and performing compliance audits for organizations handling sensitive health data; and
• Familiarity with health data governance, digital health regulation, and cross-border data transfer requirements between Nigeria and the EU is an added advantage.
BUDGET & PAYMENT SCHEDULE
Payment will be made in three tranches:
• 30% mobilization fee upon signing of contract;
• 40% upon submission and acceptance of the DPIA Report, DPAs, and updated data protection documentation; and
• 30% upon delivery and acceptance of the Final Consultancy Report.
All payments will be made upon receipt of valid invoices and approval of deliverables by PharmAccess.
APPLICATION PROCESS
Interested individuals or firms should submit the following by close of business on Friday, May 15, 2026:
• A technical proposal (maximum 8 pages) describing the proposed approach and methodology;
• A financial proposal detailing consultancy fees in Nigerian Naira;
• CV(s) of the lead consultant and any proposed team members; and
• Examples of two or more similar engagements and at least two professional references.