Form 1 - Objection to the Processing of Personal Information
05.09.2024 | PDF | 61.05 KB
“Client” A natural or juristic person who receives services from Mediclinic.
“Data subject” The natural or juristic person to whom personal information relates
“DIO” Deputy Information Officer;
“IO“ Information Officer;
“Manual” means the manual, together with all the annexures thereto as amended and made available at the offices of Mediclinic from time to time
“Mediclinic” means Mediclinic Pty Ltd (registration number -1969/009218/07)
“PAIA” Promotion of Access to Information Act No. 2 of 2000 (as Amended;
“POPIA” Protection of Personal Information Act No.4 of 2013;
“Processing” means any operation or activity or any set of operations whether or not by automatic means concerning personal information, including –
a) The collection, receipt, recording organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
b) Dissemination by means of transmission, distribution or making available in other form; or
c) Merging, linking, as well as restriction, degradation, erasure or destruction of information.
“Regulator” Information Regulator; and
“Requester” means any person or entity (including any data subject) requesting access to a record that is under the control of Mediclinic.
“Third-party” means any independent contractor, agent, consultant, sub-contractor or other representative of Mediclinic.
2. PREAMBLE
Manual of the Mediclinic Group of Companies (as per the individual companies and entities on the attached list, herein represented by Mediclinic (Pty) Ltd) prepared in terms of section 51 of the Promotion of Access to Information Act, No 2 of 2000.
3. ABOUT MEDICLINIC
Mediclinic is a diversified international private healthcare services group, established in South Africa in 1983, with divisions in Switzerland, Southern Africa (South Africa and Namibia) and the Middle East.
Mediclinic is focused on providing specialist-orientated, multi-disciplinary services across the continuum of care in such a way that the Group will be regarded as the most respected and trusted provider of healthcare services by clients, medical practitioners, funders and regulators of healthcare in each of its markets.
Mediclinic takes a sustainable, long-term approach to business, putting clients at the heart of its operations and consistently delivering high-quality healthcare services. In order to deliver on these priorities, the Group upholds the highest standards of clinical governance and ethical behaviour across its divisions; invests significant time and resources in recruiting and retaining skilled employees; makes considerable investment into its facilities and equipment; and respects the communities and environment in the areas in which it operates.
4. PURPOSE OF PAIA MANUAL
This PAIA Manual is useful for the public to-
4.1 check the categories of records held by a body which are available without a person having to submit a formal PAIA request;
4.2 have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject;
4.3 know the description of the records of the body which are available in accordance with any other legislation;
4.4 access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access;
4.5 know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it;
4.6 know if the body will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto;
4.7 know the description of the categories of data subjects and of the information or categories of information relating thereto;
4.8 know the recipients or categories of recipients to whom the personal information may be supplied;
4.9 know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied; and
4.10 know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.
5 CONTACT DETAILS
Name of company | Mediclinic (Pty) Ltd Registration number: 1969/009218/07 |
CEO Postal Address Street Address Telephone number E-mail address | Mr. Greg van Wyk P O Box 456, STELLENBOSCH, 7599 Mediclinic Corporate Office, 25 Du Toit Street, Stellenbosch +27 21 809 6500 |
Information Officer Postal Address Street Address Telephone number E-mail address
| Mr Clinton Lottering P O Box 456, STELLENBOSCH, 7599 Mediclinic Corporate Office, 25 Du Toit Street, Stellenbosch +27 21 809 6725 |
Deputy Information Officer Postal Address Street Address Telephone number E-mail address | Ms Varuschka Narotam P O Box 456, STELLENBOSCH, 7599 Mediclinic Corporate Office, 25 Du Toit Street, Stellenbosch +27 21 809 6500 Varuschka.Narotam@Mediclinic.com |
National or Head Office Postal Address Street Address Telephone number E-mail address | P.O. BOX 456. Stellenbosch, 7599 Mediclinic Corporate Office, 25 Du Toit Street, Stellenbosch 021 809 6500 www.mediclinic.co.za |
6. INFORMATION REGULATORS GUIDE
An official PAIA Guide has been compiled which contains information to assist a person
wishing to exercise a right of access to information in terms of PAIA and POPIA. Copies of the PAIA Guides are available, in two official languages, English and Afrikaans for public inspection at our registered head office during normal business hours (08h30 – 16h30). The PAIA Guide is also available on the Regulator’s website https://inforegulator.org.za/paia-guidelines/, in all eleven (11) official languages and copies thereof, including braille, are available at the Office of the Information Regulator, for inspection, during normal office hours. The Information Regulator can be reached at:
The Information Regulator Postal Address Telephone number E-mail address |
P O Box 31533, Braamfontein, Johannesburg, 2017 +27 (0) 101 023 5200 |
Information Officer Telephone number E-mail address | Mr. Mosalanyane Mosala +27 (0) 10 023 5251 |
Deputy Information Officer Telephone number E-mail address | Mr. Jaco Jansen +27 (0) 10 023 5237 |
7. ENTRY POINT FOR REQUESTS
PAIA provides that a person may only make a request for information, if the information is required for the exercise or protection of a legitimate right. Information will therefore not be furnished unless a person provides sufficient particulars to enable Mediclinic to identify the right that the requester is seeking to protect as well as an explanation as to why the requested information is required for the exercise or protection of that right. The exercise of an individual’s rights is subject to justifiable limitations, including the reasonable protection of privacy, commercial confidentiality and effective, efficient and good governance. PAIA and the request procedure contained in this Manual may not be used for access to a record for criminal or civil proceedings, nor should information be requested after the commencement of such proceedings.
The IO has been delegated with the task of receiving and coordinating all requests for access to records in terms of PAIA, in order to ensure proper compliance with PAIA and POPIA.
The IO will facilitate the liaison with the internal legal team on all of these requests. All requests in terms of PAIA and this Manual must be addressed to the IO using the details in paragraph 3 above.
8. CATEGORIES OF RECORDS OF MEDICLINIC WHICH ARE AVAILABLE WITHOUT A PERSON HAVING TO REQUEST ACCESS
There is currently no description of categories of records which are automatically available in terms of section 52(2) of the Act. Information that is obtainable via the Mediclinic website about Mediclinic is automatically available and need not to be formally requested in terms of this Manual. The following categories of records are automatically available:
8. DESCRIPTION OF THE RECORDS OF MEDICLINIC WHICH ARE AVAILABLE IN ACCORDANCE WITH ANY OTHER LEGISLATION
All records that are legally required to be kept by the company in terms of the following legislation are available:
Although Mediclinic has used its best endeavours to supply the Requester with a complete list of applicable legislation, it is possible that the above list may be incomplete. Wherever it comes to Mediclinic’s attention that existing or new legislation allows a Requester access on a basis other than that set out in the Act, Mediclinic shall promptly update the list. If a Requester believes that a right to access to a Record exists in terms of the legislation listed above, or any other legislation, the Requester is required to indicate what legislative right the request is based on, to allow the Information Officer the opportunity of considering the request in light thereof.
9. DESCRIPTION OF THE SUBJECTS ON WHICH THE BODY HOLDS RECORDS AND CATEGORIES OF RECORDS HELD ON EACH SUBJECT BY MEDICLINIC
Subjects on which the body holds records |
Categories of records |
Company secretarial records | Minutes of meetings, company registration certificates, share registers and other statutory registers. |
Finance | Reports and returns, banking details and back account records, financial statements and budgets. |
Funder Relations and Contracting | Healthcare provider database, Care Expert agreements, patient accounts, funder cost per event reports, product development reports, clinical performance reports. |
Hospital related records | Patient admission documentation, patient records information, patient billing information, minutes of meetings of all constituted committees. |
Human Resources | List of employees, employment contracts, employee records of each employee of Mediclinic, Employment Equity Plans, Retirement fund records, medical aid records, employee tax information, employee training records, payroll records, internal policies and procedures. |
Information Technology | Records regarding computer systems, programmes and databases held by Mediclinic. |
Legal Services | Restricted to legally confidential documentation. |
Marketing | List of models for photoshoots, details of Mediclinic Baby members, details of Mediclinic Prime members, Sponsor database, newsletters and magazines, medial list, supplier and service providers, internal and external guest lists, doctors contact details database, medical entrants database and stakeholder relationship management database. |
Nursing Services | WCA forms, Bed register or lists, vaccination registers, file request registers, pharmacy order, theatre management system, theatre lists, telephone lists for doctors, laboratory results, serious adverse events, schedule 5 & 6 medication registers, research and trial registers, reporting of notifiable medical condition register, patient stickers, and staff allocation books. |
Property | Title deeds, lease agreements, hire agreements / rental agreements. |
Operations | Policies, procedures, guidelines, reports and supporting documentation. |
Training and Development | Work place skills plans and annual training reports, student / learner records, learnership applications and placement information, apprenticeship documentation, information shared with the HWSETA, third party agreements, learner contracts and academic transcripts. |
10. PROCESSING OF PERSONAL INFORMATION
10.1 PRPOSE OF MEDICLINIC PROCESSING OF PERSONAL INFORMATION
10.1.1 Mediclinic will only process data subject’s personal information for a specific, lawful and clear purpose and will ensure that it notifies the data subject, unless we consider that we need to use it for another reason and that reasons is compatible with the original purpose for which the information was collected.
10.1.2 It will ensure there is a legal basis for the processing of any personal information.
10.1.3 Mediclinic will retain personal information only for no longer that is necessary or permitted by applicable law. Once information is no longer required in accordance with our retention policies, it will be securely destroyed. In some circumstances, we may anonymize personal information so that it can longer be associated with data subjects, in which case may use such information without further notice.
10.1.4 Mediclinic may share your personal information with third parties and other appropriate persons within the Group. We require all such persons to respect the security of data subjects’ personal information and to treat it in accordance with the applicable laws.
10.2 DESCRIPTION OF THE CATEGORIES OF DATA SUBJECT AND OF THE INFORMATION CATEGORIES OF INFORMATION RELALTING THERETO:
Categories of Data Subjects | Personal Information that may be processed |
Patients | Name, gender, home address and telephone number, date of birth, biometric information, emergency contact details Copy of passport and national identification document Medical scheme, insurance and other benefits information Employer details and contact information Date of admission, tracking of bed status and theatre usage and date of discharge Height, weight and other detailed health information such as allergies, preferences and special need requirements as well as diagnoses and treatment Physical and mental healthcare records (including results and opinions from third party providers, such as X-rays, scans and blood tests; referrals and second opinions, such as written statements, medical photographs and diagrams and surgical videos), banking details, video footage, and referring doctors details such as name, surname, email address, telephone number. |
Doctors and Allied Health Professionals | Name, Surname, Government Issued Identification, HPCSA Registration Number, Practice Number, practice contact details, specialty, qualifications, fields of interest, cell phone number, personal email address, race, gender, account numbers, CPE reports, Indemnity insurance, and patient experience survey results. |
Employees | Name, gender, telephone number, date of birth, photograph, biometric information, marital status, emergency contact details, ethnicity, residency and work permit status, nationality and passport information (including copies thereof), professional certifications and registrations, confirmation of qualifications, disability status and details where applicable and special needs, salary expectations, Covid-19 vaccination status may be monitored. Where permitted by law proportionate in view of the function to be carried out by an employee or prospective employee, the results of credit and criminal backgrounds and driving history. Tax number, social security number (country specific), banking details, sick pay, pensions, insurance and other benefit information, information about any spouse, minor children, or other eligible dependents and beneficiaries. Date of appointment, dates of promotion, work history, technical skills and educational background. Date of learning activities, duration, scores and learning completions. Height, weight and clothing sizes where required i.e for uniforms. Date of resignation or termination, reason for resignation or termination, information relating to administering termination of employment Records of work absences, vacation entitlement and requests, salary history, performance appraisals, letters of appreciation and commendation, disciplinary and grievance procedures and psychometric assessment records. Where permitted by law and proportionate in view of the function to be carried out by an employee or prospective employee, the results of credit and criminal background checks, the results of drug and alcohol testing (country specific), screening, health certifications, drivers licence number, vehicle registration and driving history. Information required to comply with laws, the requests and directions of law enforcement authorities or court orders, Tax number social security number, audit requirements (country specific). |
* All the details regarding the processing activities per data subject category listed above can be obtained from the company’s website, the employee privacy notice is available to employees on the Connect employees system.
10.3 THE RECIPIENTS OR CATEGORIES OF RECIPIENTS TO WHOM THE PERSONAL INFORMATION MAY BE SUPPLIED
We use different methods to collect personal information from and about you, including through:
· The Mediclinic Group is an international healthcare services group, with the Company’s registered office in the United Kingdom and its management offices based in South Africa. The Mediclinic Group has operating divisions, all of which are based outside the EU, in Switzerland (Hirslanden), South Africa and Namibia (Mediclinic Southern Africa) and the United Arab Emirates (Mediclinic Middle East). As such our information systems or those of service providers may be in different countries. This may result in the transfer of your personal information might end up in one of those information systems to another country, and that country may have a different level of data protection regulation than yours. By giving us personal information, you consent to this kind of transfer of your personal information. No matter what country your personal information is in, you can expect a similar degree of protection in respect of your personal information which will be processed in accordance with our privacy and data protection policy and applicable laws.
· As explain above, we outsource the processing of certain functions and/or information to third parties. When we do outsource the processing of your personal information to third parties or provide your personal information to third-party service providers, we oblige those third parties to protect your personal information with appropriate security measures in accordance with our standards and applicable law.
10.3.3 Business transfers
· Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this privacy notice.
· We reserve the right to disclose any personal information we have concerning you if we are compelled to do so by a court of law, requested to do so by a governmental entity, or if we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property in accordance with applicable laws. We also reserve the right to retain personal information collected and to process such personal information to comply with accounting, tax rules, regulations and any specific record retention laws.
· We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
10.4 TRANS BORDER FLOW OF PERSONAL INFORMATION
10.5 Data Security Measures |
Mediclinic and our service providers takes appropriate technical and organisational measures designed to ensure that personal information remains confidential and secure against unauthorised or unlawful processing against accidental loss, destruction or damage. Technical and organisational measures include:
· Encryption of data in transit and at rest;
· Identity and access management;
· Infrastructure and operations security;
· Vulnerability management;
· Business continuity planning;
· Disaster recovery planning; and
· Security awareness.
Further details of these measures are available upon request. We have put in place procedures to deal with any suspected data security breaches, and will notify data subjects and the Regulator of a suspected breach where we are legally required to do so.
11 REQUEST PROCEDURE
11.1 Completion of prescribed forms
Any request for access to a record in terms of PAIA must correspond with the PAIA Form 2: Request for Access to Record and should be specific in terms of the record requested. (See PAIA Form 2 Regulation 7 hereto.). A request for access to information which does not comply with the formalities as prescribed by PAIA will be returned to you. POPIA provides that a data subject may, upon proof of identity, request Mediclinic to confirm, free of charge, all the information it holds about the data subject and may request access to such information, including information about the identity of third parties who have or have had access to such information.
POPIA also provides that where the data subject is required to pay a fee for services provided to him/her, Mediclinic must provide the data subject with a written estimate of the payable amount before providing the service and may require that the data subject pays a deposit for all or part of the fee.
Grounds for refusal of the data subject’s request are set out in PAIA and are discussed below. POPIA provides that a data subject may object, at any time, to the processing of personal information by Mediclinic, on reasonable grounds relating to his/her particular situation, unless legislation provides for such processing. The data subject must complete the prescribed form attached hereto as POPIA Form 1: Objection to the Processing of Personal Information and submit it to the IO at the postal or physical address or electronic mail address set out above.
A data subject may also request Mediclinic to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that Mediclinic is no longer authorised to retain records in terms of POPIA’s retention and restriction of records provisions.
A data subject that wishes to request a correction or deletion of personal information or the destruction or deletion of a record of personal information must submit a request to the IO at the postal or physical address or electronic mail address set out above on the form attached hereto as POPIA Form 2: Request for Correction or Deletion of Personal Information .
11.2 Proof of Identity
Proof of identity is required to authenticate your identity and the request. You will, in addition to this prescribed POPIA Form 2, be required to submit acceptable proof of identity such as a certified copy of your identity document or other legal forms of identity.
11.3 Payment of the prescribed fees
| There are two categories of fees which are payable: |
|
|
Section 54 of PAIA entitles Mediclinic to levy a charge or to request a fee to enable it to recover the cost of processing a request and providing access to records. The fees that may be charged are set out in the PAIA Regulations. Where a decision to grant a request has been taken, the record will not be disclosed until thenecessary fees have been paid in full.
|
11.4 Timelines for consideration of a request for access
Request will be processed within 30 (thirty) days, unless the request contains considerations that are of such a nature that an extension of the time limit is needed. The Information Officer will inform the requester of the decision, and the fees payable (if applicable).
11.5 Grounds for refusal of access and protection of information:
There are various grounds upon which a request for access to a record may be refused. These grounds include: |
· the protection of personal information of a third person (who is a natural person) from unreasonable disclosure; · the protection of commercial information of a third party (for example: trade secrets; financial, commercial, scientific or technical information that may harm the commercial or financial interests of a third party); · if disclosure would result in the breach of a duty of confidence owed to a third party; · if disclosure would jeopardise the safety of an individual or prejudice or impair certain property rights of a third person; · if the record was produced during legal proceedings, unless that legal privilege has been waived; · if the record contains trade secrets, financial or sensitive information or any information that would put Mediclinic (at a disadvantage in negotiations or prejudice it in commercial competition); and/or · if the record contains information about research being carried out or about to be carried out on behalf of a third party or by Mediclinic. |
Section 70 of PAIA contains an overriding provision. Disclosure of a record is compulsory if it would reveal (i) a substantial contravention of, or failure to comply with the law; or (ii) there is an imminent and serious public safety or environmental risk; and (iii) the public interest in the disclosure of the record in question clearly outweighs the harm contemplated by its disclosure. If the request for access to information affects a third party, then such third party must first be informed within 21 (twenty one) days of receipt of the request. The third party would then have a further 21 (twenty-one) days to make representations and/or submissions regarding the granting of access to the record. |
12. REMEDIES AVAILABLE TO A REQUESTER ON REFUSAL OF ACCESS
If the IO decides to grant you access to the particular record, such access must be granted with thirty (30) days of being informed of the decision. There is no internal appeal procedure that may be followed after a request to access to information has been refused. The decision made by the IO is final. In the event that you are not satisfied with the outcome of the request, you are entitled to lodge an internal appeal, a compliant to the Regulator by using PAIA Form 5: Complaint Form , or apply to a court of competent jurisdiction.
13. AVAILABILITY OF THIS MANUAL
Copies of this manual are available from the IO for inspection, free of charge at the offices of Mediclinic at 25 Du Toit Street, Stellenbosch, 7600.
* Please note this list is not exhaustive and may be updated from time to time as required.
13. UPDATING OF THE MANUAL
The Information Officer of Mediclinic will on a regular basis update this manual as required.
Issued by
Clinton Lottering
Information Officer