Personal Information Protection Notice (issued in accordance with Section 5 (a) (i) and 18 of the Protection of Personal Information Act, 4 of 2013 (POPIA)
1. AIM AND PURPOSE OF THIS NOTICE
Mediclinic values your privacy, and with this Privacy Notice, we inform you about the personal information that we collect and process when interacting with you. By being transparent and informing you, we are also fulfilling our legal notification obligation as we are committed to processing your personal data according to the applicable data privacy and information protection law provisions.
This notice applies to current and new users of the Mediclinic Baby App (in this notice collectively referred to as “app users”) of Mediclinic Southern Africa, its subsidiaries, and affiliates (“the Group”). It does not form part of any contract for treatment or another contract to provide services.
It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you so that you are aware of how and why we are using such information and what your rights are under applicable data protection laws.
Unless otherwise stated, all personal information we request from you is obligatory. If you do not provide and/or allow us to process all obligatory personal information, as requested, we will not be able to accomplish the purposes set out below.
2. DEFINITION OF TYPES OF PERSONAL INFORMATION
Depending on our relationship with you, we might hold different categories of personal information, as per the table set out below:
The term “personal information” in this notice refers to information that can identify you as an individual.
Personal information is information that enables us to uniquely identify you such as your full name, identification number/passport, date of birth, e-mail address, contact number, etc.
Sensitive personal information
Expected date of birth delivery
3. HOW WE COLLECT YOUR PERSONAL INFORMATION,
The personal information that we process is information that we have obtained from you upon becoming an app user of our Mediclinic Baby App. However, in other instances, we process personal information that we are able to infer about you based on other information which you provide to us or during our interactions with you, or personal information about you that we receive from a third party using a process mentioned below.
4. PURPOSE FOR WHICH PERSONAL INFORMATION IS COLLECTED AND USED
We will use your personal information based on the following lawful reasons to process:
Lawful reason to process
Data Elements (not an exhaustive list)
Based on specific consent you have provided us
Conduct patient satisfaction surveys.
Share information through CareConnect.
Specific client alliance programmes (CAP)
Mediclinic Baby competitions
Share e-mail or other contact details with the company conducting an independent survey on our behalf
Share information regarding Mediclinic Baby
List the data elements to be used (name, surname, ID nr., email address etc.)
5. CHANGE OF PURPOSE
We will only use your personal information for the purposes for which we collected it, as specified above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose for which the information was collected. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by applicable laws.
6. DISCLOSURE OF INFORMATION
For the purposes specified in this notice, your personal information may be shared with third parties and other appropriate persons within the Group. We require all such persons to respect the security of your personal information and to treat it in accordance with our Policy and applicable law.
Agents, service providers and suppliers
Like many businesses, from time to time, we outsource the processing of certain functions and/or information to third parties. When we do outsource the processing of your personal information to third parties or provide your personal information to third-party service providers, we oblige those third parties to protect your personal information with appropriate security measures in accordance with our Privacy and Data Protection Policy and to at least the same level that we do.
As we continue to develop our business, we may buy or sell healthcare facilities and other assets. In such transactions, app user information, such as being a member of the Mediclinic Baby programme, is generally one of the transferred business assets and we may include your personal information as an asset in any such transfer. Also, in the event that we (the company or part thereof), or substantially all of our assets, are acquired, app users’ information may be one of the transferred assets to the entity that acquires us.
We will disclose any personal information we have concerning you if we are compelled to do so by a court of law, requested to do so by a governmental entity, or if we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property in accordance with applicable laws. We also reserve the right to retain personal information that we collected and to process such personal information to comply with accounting, tax rules, regulations, and any specific record retention laws, even if you are no longer being treated by the Group.
Like most international businesses, we have centralised certain aspects of our data processing and clinical resources administration in accordance with applicable laws in order to allow us to better manage our business. That centralisation may result in the transfer of personal information from one country to another. Whenever we do, you can expect a similar degree of protection in respect of your personal information which will be processed in accordance with our Privacy and Data Protection Policy and applicable laws, as you would in expect in the country of treatment.
7. DO WE NEED YOUR CONSENT?
By submitting your details, you give consent to Mediclinic, to process your personal information as provided, for the purposes of direct marketing by means of electronic communication in respect of healthcare services subscribed to under the Mediclinic Baby Programme.
Your data will be used solely for the purposes for which it was provided, you can unsubscribe at any time, should you choose to do so through the Mediclinic Baby Programme link provided to you.
8. USE OF YOUR PERSONAL INFORMATION IN AUTOMATED DECISION MAKING
Mediclinic does not make use of automated decision-making that would affect you as the data subject in any significant way, or have any legal consequences attached to it.
9. DATA SECURITY
Your personal information shall be treated as confidential and collected, processed, and stored by Mediclinic and our service providers in a manner that ensures appropriate security thereof, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, which include:
· identity and access management;
· infrastructure and operations security;
· vulnerability management;
· business continuity planning;
· disaster recovery planning; and
· security awareness.
Further details of these measures are available upon request.
We have put in place procedures to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
10. DATA RETENTION
We will retain your personal information for no longer than is necessary or permitted by applicable law. Once you are no longer an app user of Mediclinic Baby, we will retain and, once required, securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.
In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
11. YOUR RIGHTS OF ACCESS, CORRECTION, ERASURE AND RESTRICTION
It is important that the personal information we hold about you is accurate and current. Please follow the necessary steps to update your personal information should it change during your relationship with us.
Subject to certain exceptions, you may request to access, correct, erase, or restrict our processing of your personal information. We will need specific information from you to help us confirm your identity and ensure your right can be exercised. This is another appropriate security measure to ensure that personal information is not disclosed to or amended by any person who has no right to receive or amend the information.
Once a request is received, the Administration, Legal or Data Protection offices shall provide feedback to you as required by law or internal processes.
You will not have to pay a fee to confirm whether Mediclinic holds personal information about you. We may however charge a fee should you request a copy of your personal information. We may refuse to disclose any information should your request for access clearly be unfounded, repetitive, or excessive.
In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the relevant locality where you gave consent or send an e-mail with appropriate information to firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
For any other requests regarding access to information records created by us, refer to our Promotion of Access to Information Act Manual (PAIA Manual) here.
12. CHANGES TO THIS PRIVACY NOTICE
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, our lawful reason to process or how we handle your personal information, please contact the Mediclinic Southern Africa Compliance and Data Protection Officer at email@example.com or failing that, the Mediclinic Group Services Compliance and Data Protection Manager at firstname.lastname@example.org.
14. INFORMATION REGULATOR
Should you believe that the processing of your personal information is in contravention with the applicable data protection laws, you may log a complaint with the Information Regulator. The following link has their contact details: https://www.justice.gov.za/inforeg/contact.html