Introduction

This notice explains how the practice processes your personal information in accordance with the Protection of Personal Information (POPI) Act (no 4 of 2013).

 It will help you to understand how we collect and use your information and under which circumstances the practice may, or is legally obligated, to share your information. In addition to the POPI Act, the confidentiality and privacy policies and procedures of the practice are informed by and in accordance with the following acts, rules, regulations and ethical guidelines: Consumer Protection Act (no 68 of 2008), Debt Collectors Act (no 114 of 1998), Health Professions Act (no 56 of 1974), Medical Scheme Act (no 131 of 1998), Mental Health Care Act (no 17 of 2002), National Health Act (no 61 of 2003), Promotion of Access to Information Act (no 2 of 2000), Protection of Personal Information Act (no 4 of 2013) as well as the Ethical Rules of Conduct as set out by the Health Professions Council of South Africa (HPCSA).

The practice is committed to protecting your privacy and ensuring that your personal information is collected and used lawfully. The practice is committed to taking the appropriate, reasonable, technical and organisational measures to prevent the unlawful access to or loss of / damage to your personal information.

Scope:

This policy applies to all employees of Ask Dr Jane and anyone who may process Personal Information for and on behalf of Ask Dr Jane. This policy applies to all situations and business processes where Personal Information is processed, more importantly where such information may be made accessible to third parties.

Wherever the term ‘The Practice’ is used, it is referring to ‘Ask Dr Jane’.

The Protection of Personal Information (POPI) Act (no 4 of 2013)

The Purpose of the POPI Act:

The purpose of the POPI Act is to give effect to your constitutional right to privacy. It provides conditions to safeguard and secure the integrity and confidentiality of personal information that is processed by another party.

What is Personal Information?

Personal information is defined by the POPI-Act as information relating, but not limited, to:

• Your race, gender, sex, marital status and age.
• Your educational, medical, financial, criminal or employment history.
• Any identifier assigned to you such as your email address, physical address, telephone or identity number.
• Your biometric information such as DNA, body measurements or fingerprints.
• Your personal opinions, views and preferences.
• Correspondence sent by you that is of an implicit or explicit private nature.
• The views and opinions of other individuals about you.
• Your name if it appears with other personal information relating to you or if the name itself will reveal information about you.

What is Processing of Personal Information?

The processing of personal information is defined by the POPI-Act as any activity relating to the:

• Collection, receipt, recording, organising, storing, updating, retrieval or use of personal information.
• Dissemination by means of transmission, distribution or making available in any form of personal information.
• Merging, linking, restriction, degradation, erasure or destruction of personal information.

 What personal information does the practice collect?

The practice only collects lawfully permitted information. This includes, but is not limited to, the following:

• Your name, contact details and other information as required for administration purposes, including relevant billing information.
• Appointment dates and times as well as information relating to any other contact you have with the practice such as telephone calls and emails.
• Consultation notes which include diagnostic information and information about you given to the practice with your consent.
• Account related information such as dates of payments owed and received.

 How does the practice collect your personal information?

• The practice is committed to the informed, consensual and limited collection of essential and relevant personal information.
• Information is collected directly from you through the forms you complete, information shared during consultations and other information intentionally shared by you or someone you nominate. With your explicit permission and/or as permitted by law, information can also be collected from other sources such as referring medical practitioners. The practice will inform you, if appropriate, if any information about you is given to us in an unsolicited manner.

Why and how does the practice use your personal information?

• To provide you with care: The processing of personal information is integral to the process of medical consultation and proper patient treatment. The success of our working together greatly depends on your intentional sharing of confidential personal information such as your age, physical and mental health, sexual orientation, opinions, and beliefs etc.
• For administrative purposes: The practical running of the practice, such as billing procedures, requires that some of your personal information is processed.
• Secondary or indirect use: Your limited and completely de-identified / anonymous data may be used by the practice to participate in research, to participate in practice surveys / audits and to seek supervision from or give supervision to another registered medical practitioner. Should any other activity, in which the practice is legally obligated to participate, require your personal information to be used it will only be done when all appropriate, reasonable technical and organisational measures have been taken to protect your rights.

The disclosure of your personal information to 3rd parties

Under certain clearly defined circumstances the practice is legally obligated, or has the legal right, to share your personal information, without your consent. The practice will endeavour to notify you should this ever be applicable to you.

• Disclosure as obligated by Law: The practice is legally obligated to share your personal information if I have reasonable cause to believe that you present a danger to yourself or others, that a child or a vulnerable adult is in need of protection or if a court orders the disclosure of your records.
• Disclosure to Medical Schemes: It is mandatory to include an ICD-10 (International Statistical Classification of Diseases and Related Health Problems – 10th Revision) diagnostic code on all invoices that are submitted to a medical aid.
• Disclosure for Debt Collection: Should you default on payment, credit-related information concerning you may be disclosed to a credit bureau or attorney. In addition, the practice may be required to release reasonable information for the purpose of protecting a medical scheme against fraud.
• Disclosure to protect the practice: The practice will release reasonable information for the purpose of protecting its own legitimate interests, rights and property.
• Other 3rd party access or potential access to your personal information: If the practice has a contract with a third party, whose services require the processing of, or potential access to, your personal information; such as auditors and IT support, the practice will ensure that your personal information is protected. The practice gives preference to providers that have their own established privacy practices.

Keeping your personal information secure

Storage and Disposal of your Personal Information:

• The practice will store your information as long as required to do so by law. Currently the Health Professions Council of South Africa requires that the records of an adult be stored for 6 years after the last date of treatment.
• To ensure the protection of stored information the practice uses password protected electronic devices, up-to-date security software, password protected and encrypted storage and transmission of all client records. The practice regularly reviews and improves the measures taken to protect your personal information from unauthorised access, accidental loss, disclosure or destruction.
• All disposable documents containing personal information are securely destroyed.

Unauthorised access to your personal information:

• In spite of the security measures that are in place to protect your personal information, you acknowledge that the risk exists that your information may be accessed by an unauthorised 3rd party, for example, as a result of illegal activity. Should the practice reasonably suspect that your information has been accessed without the required authorisation; the practice will notify you and the appropriate authorities as well as take the necessary steps to reduce further risk.
• The Practice will not be held liable for any loss or negative consequence arising as a result of your information accessed through your own negligence. An example of this is, but not limited to, unauthorised access to your profile log in details as a result of your own negligence

Your rights regarding the processing of your personal information

You have the right to:

• Be notified if and for which reason/s your personal information is being collected.
• Be notified if your personal information has been accessed by an unauthorised person.
• Request to correct, destroy or delete your personal information (unless subject to another legal limitation).
• Reasonably object to the processing of your personal information.
• Submit an enquiry or complaint to the Information Regulator if you suspect that your personal information is not being lawfully processed.

The right of access to your personal information:

• Requests for access to your treatment records must be made in writing and be signed by you or your representative. All requests should be submitted with sufficient notice (a minimum of ten working days). In some cases there may be a charge for time spent preparing information requests.
• The policy of the practice is to, upon request, provide a treatment summary in easily understandable language so as to minimise any confusion or frustrations. We would typically advise that you review this summary in the presence of the Medical practitioner that treated you so that the practitioner may assist you with its interpretation, answer questions or address any concerns. Should you opt not to review your records with the Practice, the Practice reserves the right to deny you access to your records but may make them available to another mutually agreed upon healthcare provider who can assist you with the interpretation thereof.
• Information may also be withheld if another person is identified in these records and they do not want their information disclosed to you. Should the practice deny you access, you will be provided with a written explanation.

Questions & Complaints

Questions: If you have any queries about this notice; you need further information about the privacy practices; you wish to withdraw consent; exercise preferences or access or correct your personal information, please contact the Practice directly. Depending on the nature of your request, the Practice may ask you to address the practice in writing.

Complaints: Should you believe that the practice has utilized your personal information contrary to the applicable law, we request that you first attempt to resolve any concerns with us directly. If you are not satisfied with this process or you feel that we have not given your concerns the appropriate and respectful consideration, you have the right to lodge a complaint with the Information Regulator (www. justice.gov.za/inforeg/). Alternatively you have the right to address your complaint with the Health Professions Council of South Africa. Their website (www.hpcsa.co.za) gives detailed information on how to lodge a complaint.

Notification of changes to the Practice Privacy Notice

The practice reserves the right to update, modify or amend this policy in order to, but not limited to:

Adapt to changing data protection practices and technology, increase the functionality of the practice or to incorporate changes in law, regulations as well as good practice guidelines. If such changes have a potential limiting effect of your rights, we will inform you in writing of any such changes.