SAFE PATIENT
PRIVACY POLICY
PATIENT
1. Introduction
1.1. Thank you for your interest in the Safe Patient Chatbot and the Safe Patient related website, collectively referred to as the “Services”. The Services are provided to you by Safe Patient (Safe Patient), with its principal offices in The Campus Roland Garros Building, Ground Floor 57 Sloan Street, Bryanston, Gauteng, 2196, South Africa. Please read the following terms and conditions carefully.
1.2. By clicking “I Accept” on the Safe Patient Chatbot you acknowledge that you have read, understood, and agreed to be bound by the terms and conditions (available at https://safepatient.co.za/terms) and this Privacy Policy. If you are not eligible or do not agree to any of the Terms or the Privacy Policy, then you may not use the Service.
1.3. This privacy policy is aligned with the Protection of Personal Information Act 4 of 2013 (“the Act”). This Privacy Policy will inform you how we process your personal information as well as inform you about your privacy rights and how the law protects you (as data subject).
1.4. It is important that you read this, and any later version, of this Privacy Policy with any other services, or where processing is necessary for a legitimate interest of Safe Patient (such as invoicing) or when we are acting as an operator by Processing Personal Information about you, so that you are fully aware of how Safe Patient processes personal information.
1.5. Safe Patient may share information among its subsidiaries or websites that it owns or controls, as is permitted by section 72 of the Act and only for the purposes you have agreed to in.
Definitions
- “Safe Patient” means an education platform to support the patient consent process and manage risk posed to healthcare practitioners/health practices. Safe Patient is used primarily by healthcare practitioners and/or medical practice administrators, medical aid schemes and patients;
- “Chatbot” means a computer program designed to simulate conversation with human users, especially over the internet;
- “Services” means the provision of access to, and engagement with, the Safe Patient Chatbot and the activities related thereto, and the Services made available by us via any other Safe Patient platform by means of which you are able to, amongst other things, register and receive information pertaining to your medical/surgical operation as recommended by your respective healthcare practitioner;
- “data subject” means the person to whom personal information relates;
- “health care practitioner” means any person, including a student, registered with the Health Professions Council of South Africa or any other recognised foreign healthcare authority outside of the Republic of South Africa whose profession is registrable in terms of the Health Professions Act 56 of 1974;
- “medical practice” means the medical practice of your respective health care practitioner;
- “medical scheme” means any medical scheme registered under section 24 (1) of the Medical Schemes Act 131 of 1998;
- “information officer” of, or with reference to:
- “Regulator” means the Information Regulator established in terms of section 39 of the Act;
- “Minister” means the Cabinet member responsible for the administration of justice;
- “personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
  - information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  - information relating to the education or the medical, financial, criminal or employment history of the person;
  - any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  - the biometric information of the person;
  - the personal opinions, views or preferences of the person;
  - correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  - the views or opinions of another individual about the person; and
  - the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
- “processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
  - the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  - dissemination by means of transmission, distribution or making available in any other form; or
  - merging, linking, as well as restriction, degradation, erasure or destruction of information.
- “operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
- “responsible party” means a public or private body or any other person who, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Personal Information
- It is important to know that Personal Information, as prescribed in the Act:
  - must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject;
  - may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive;
  - may only be processed if:
    - the data subject, or a competent person where the data subject is a child, consents to the processing;
    - processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    - processing complies with an obligation imposed by law on the responsible party;
    - processing protects a legitimate interest of the data subject;
    - processing is necessary for the proper performance of a public law duty by a public body; or
    - processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied;
  - must be collected directly from you, except if:
    - the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    - the data subject, or a competent person where the data subject is a child, has consented to the collection of the information from another source;
    - collection of the information from another source would not prejudice a legitimate interest of the data subject;
    - collection of the information from another source is necessary:
      - to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      - to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      - for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      - in the interests of national security; or
      - to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
    - compliance would prejudice a lawful purpose of the collection; or
    - compliance is not reasonably practicable in the circumstances of the particular case; and
  - must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
Personal information collected
- We will collect the following personal information:
  - your full names and surname;
  - next of kin;
  - identity number;
  - your physical and postal address;
  - contact numbers and email address;
  - medical scheme details;
  - information relating to your age, gender, medical conditions and medical procedure, as per the consent you gave your medical practitioner.
- The personal information collected will be restricted to that which we need to fulfil our agreed mandate with a medical practice and/or healthcare practitioner which is, but not limited to:
  - step-by-step support pre and post your medical procedure as recommended and consented to by your healthcare practitioner;
  - confirm your medical condition and medical/surgical procedure to be performed;
  - confirm the date of your medical/surgical procedure to be performed;
  - provide you with disease, procedure, anaesthetic and post-procedure information;
  - provide you with information relating to:
    - the advantages of your medical/surgical procedure;
    - your eligibility for the medical/surgical procedure;
    - complications of your medical/surgical procedure;
    - the recovery following your medical procedure;
    - when you may return to work, if applicable;
    - what is deemed to be a success of the recommended medical/surgical procedure and the risks associated with it;
    - living a healthier lifestyle following the medical/surgical procedure; and
    - recommended precautions you should take following the medical/surgical procedure.
  - establish whether you:
    - know the difference between a medical and surgical procedure;
    - know you have the right to refuse the medical/surgical procedure consented to and recommended by your healthcare practitioner; and
    - understand the risks, implications and costs associated with the medical/surgical procedure.
- In the event that your answer is “no” to any question, during your interaction with the Safe Patient Chatbot, Safe Patient has an automated clinical messaging system that recognises your response and responds accordingly. If the answers do not address your questions, please do not hesitate to contact your healthcare professional directly.
- You will be required to complete a patient accountability form once you have completed your engagement with the Safe Patient Chatbot.
- If at any stage during the interaction with Safe Patient, you indicate that you are uncertain, unclear or do not understand a question posed to you, you will be referred back to your healthcare practitioner or his/her medical practice who would then contact you within 48 hours.
- Should your healthcare practitioner or his/her medical practice fail to contact you within 48 hours, it is your responsibility to contact your healthcare practitioner or his/her medical practice.
Further Processing
- Any further processing of personal information will be done in accordance or compatible with the purpose for which it was collected.
Storage and retention of records
- Your personal information is stored securely on Amazon Web Services, Google Cloud Hosting and MongoDB, in compliance with POPI international standards.
- Records of personal information will not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless, as prescribed in the Act:
  - retention of the record is required or authorised by law;
  - the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
  - retention of the record is required by a contract between the parties thereto; or
  - the data subject, or a competent person where the data subject is a child, has consented to the retention of the record.
- Records of personal information may be retained for periods in excess of those contemplated above for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
- Safe Patient, as the responsible party who has used a record of your personal information, will:
  - retain the record for such period as may be required or prescribed by law or a code of conduct; or
  - if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
- Safe Patient will destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after we are no longer authorised to retain the record.
- Safe Patient will destroy or delete a record containing your personal information in a manner that prevents its reconstruction in an intelligible form.
- Safe Patient will restrict processing of personal information if:
  - its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information;
  - the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
  - the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
  - the data subject requests the personal data to be transmitted into another automated processing system.
- Personal information may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
Correction of personal information
- You may request Safe Patient to:
  - correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
  - destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.
Data/information breach
- Where there are reasonable grounds to believe your personal information has been accessed or acquired by any unauthorised person, Safe Patient must notify:
  - the Regulator; and
  - yourself, unless the identity of such data subject cannot be established.
Correction of personal information
- You, having provided adequate proof of identity, have the right to:
  - request Safe Patient to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
  - request your record or a description of the personal information about yourself held by Safe Patient, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information:
    - within a reasonable time;
    - at a prescribed fee, if any;
    - in a reasonable manner and format; and
    - in a form that is generally understandable.
- We will delay notifying you of the unauthorised access or acquisition of your personal information if a public body responsible for detection, prevention or investigation of offences or the Information Regulator informs us that notifying you will impede a criminal investigation. When we notify you of the compromise to the security of your personal information we will provide you with sufficient information to allow you to take protective measures against the potential consequences of the compromise.
Responsible party
- When you use our Chatbot and/or register as a user of any of our Services, Safe Patient is the Responsible Party and responsible for your Personal
- Safe Patient will ensure that all the necessary measures in the Act are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.
- Safe Patient as the Responsible party:
  - will take all reasonably practicable steps to ensure that your personal information is complete, accurate, not misleading and updated where necessary;
  - must maintain the documentation of all processing operations under its responsibility;
  - must take all reasonably practicable steps to ensure that the data subject is aware of:
    - the information being collected and where the information is not collected from the data subject, the source from which it is collected;
    - the name and address of the responsible party;
    - the purpose for which the information is being collected;
    - whether or not the supply of the information by that data subject is voluntary or mandatory;
    - the consequences of failure to provide the information;
    - any particular law authorizing or requiring the collection of the information; and
    - the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organization.
Operator
- Where Safe Patient processes a data subject’s (i.e. a patient’s) personal information on instructions from the respective medical practice (Safe Patient client), Safe Patient will act as an Operator and the medical practice will act as Responsible Party.
- As Responsible Party the medical practice has the sole responsibility for the legality, reliability, integrity, accuracy and quality of the personal information he/she/it or someone on their behalf makes available to Safe Patient.
Information Officer
- We have appointed an information officer (“IO”) and Deputy Information Officer for Safe Patient who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests, or wish to submit a complaint then please contact the IO, Mr Anil Govind at legal@safepatient.co.za. You have the right to lay a complaint with the Information Regulator (“IR”), who is the authority for data protection in the Republic of South Africa (https://inforegulator.org.za). Safe Patient would, however, appreciate and recommend that all data protection concerns and queries be addressed with it first before you approach the IR, hence please contact us or your healthcare practitioner/healthcare practice through whom Safe Patient’s services were initiated, in the first instance.
12. Changes to the Privacy Policy and your duty to inform us of changes
12.1. We keep our Privacy Policy under regular review. Archived versions (if available) can be obtained by contacting us. Any changes made to our Privacy Policy in future will be posted on our website or made available during your engagement with Safe Patient (including access to Services). The new version will apply the moment it is published on our website or incorporated by reference in any of our Terms and Conditions or other communication published on our website.
12.2. If you supply us with personal information as part of your contact details required for our Services, you guarantee that it is accurate and correct. In the event that your details change, it is your responsibility to notify us of such changes as soon as possible.