THE SPECIALIST CLINIC DATA PROTECTION POLICY (PDPA)
SECTION 1 – INTRODUCTION
This is the personal data protection policy of Singapore Sports and Orthopaedic Clinic. In this Policy, the terms “SSOC”, “we”, “us” and “our” refer to Singapore Sports and Orthopaedic Clinic.
We, SSOC, value the privacy of every individual and are committed to protect the personal data we collect in accordance with the principles set out in this Policy.
In accordance with The Personal Data Protection Act 2012 (“PDPA”), this Personal Data Protection Policy (“Policy”) describes how we may collect, use, disclose and manage your personal data. For general information on Personal Data Protection, please visit the Personal Data Protection Commission (“PDPC”) website (https://www.pdpc.gov.sg).
Should there be other regulatory or statutory requirements, such as Human Organ Transplant Act, Infectious Diseases Act etc which we may have obligations or mandated to comply or under which we are licensed under, we would need to comply with them as well and in the event of inconsistencies between those written laws and PDPA, the provisions of those other written laws may take precedence over PDPA.
Any terms used in this document, such as “individuals”, “personal data” or “reasonable”, which are also defined in the PDPA, should be understood to take on the definition or interpretation as provided by the PDPA or PDPC’s Advisory Guidelines documents.
We may update this Policy from time to time to ensure that our standards and practices remain relevant and comply with the applicable laws and guidelines. The latest version of this Policy supersedes earlier versions and will apply to personal data provided to us previously. We encourage you to review this page periodically to keep up to date with any changes to this Policy.
SECTION 2 – PERSONAL DATA
Personal data is defined as “data, whether true or not, about an individual who can be identified (i) from that data, or (ii) from that data and other information to which the organization has or is likely to have access.” This may include your full name, identification number, passport, name, nationality, date of birth, sex, contact details (address, email address, telephone numbers), NRIC, FIN or passport number, your image on our close-circuit television (CCTV) and in photographs, your medical history, patient history, allergy information, any other medical and health records, as well as name and residential address of any individual which you have provided us. Where required and medically necessary for diagnostic, treatment and record purposes, we may also take photographs of your wound(s).
The PDPA does not apply to:
business contact information, defined as an individual’s name, position name or title, business telephone number, business address, business electronic mail address, business fax number and any other similar information about the individual, not provided solely for the individual’s personal purposes;
personal data that is anonymized, i.e. identifying information is removed such that the remaining data does not identify any particular individual. The PDPC will consider the data anonymized only if the possibility of re- identification is trivial;
personal data of a deceased individual who has been dead for more than 10 years; and
personal data that is falsified with the intent to commit fraudulent.
The PDPA recognizes that a balance needs to be struck between the needs to protect personal data and the need of organizations to collect, use or disclose personal data. Hence, in meeting those obligations, PDPA considers what a reasonable person would consider appropriate in the circumstances when they undertake any action that is subject to data protection.
SECTION 3 – CONSENT, PURPOSES FOR COLLECTION, USE OR DISCLOSURE OF YOUR PERSONAL DATA
By applying this Policy, you consent to our collection, use and disclosure of your personal data for the purposes that a reasonable person would consider appropriate in the circumstances.
Consent for the collection, use or disclosure of your personal data can be provided either in the form of expressed consent or deemed consent. Your provision of personal data to us is voluntary and you are deemed to consent to our collection, use or disclosure of your personal data under which it was collected. If you have consented to our disclosure of your personal data to another organization for a particular purpose, they will use your personal data only for the purposes you have consented to.
If you provide the personal data belonging to others (such as your family members or next-of-kin), you warrant that you have informed the individuals of the purposes for which we are collecting their personal data and that they have consented to your disclosure of their personal data to us for those purposes.
We collect, use and disclose personal data for the following purposes:
Healthcare and other services
providing inpatient and outpatient medical treatment and services, healthcare and allied healthcare services;
management and coordination of your care including follow-ups, step-down care and other continuity of care issues; and/or
providing all other services on request or as needed, including customer service, patient liaison services, travel and accommodation arrangements, concierge services, porter, butler and housekeeping services, laundry services, ambulance services, arrival/departure transport services, security and guarding services and other products and services made available by us other Group entities and our respective partners.
appointments, bookings, admissions, transfers and discharge;
processing and collecting payment for products, treatments and services;
reimbursement of healthcare providers for services provided to you;
creation, storage, hosting, backup (whether for disaster recovery or other purposes) of medical records and financial and other business records;
verifying identity and conducting screenings, due diligence checks and credit checks;
responding to queries or feedback;
addressing or investigating complaints, claims or disputes;
compliance with internal policies, procedures and directives;
enforcing obligations owed to us; and/or
complying with our legal obligations and requirements.
guarding and securing our premises;
monitoring and assessing the provision of products and services;
financial reporting, regulatory reporting, management reporting, risk management (including monitoring credit exposures), audit and record keeping purposes;
business research, planning, statistical analysis and policy development; and/or
enhancing and improving our services, including reviewing standards of care.
Health information sharing
Sharing medical records with other health care providers for medical treatment and health care purposes, where required or permitted by law or pursuant to our referrals to other health care providers, including by way of the National Electronic Health Record (NEHR) system, which enables health information to be shared throughout the Singapore healthcare ecosystem.
Providing education and training for doctors and other medical, nursing or health professionals and students. You are entitled to say no at any time to such persons viewing or being granted access to your treatment and related information. Please inform your doctor before treatment if you do not want such persons to view or have access to your treatment and related information.
Conducting research into new treatments, procedures and practices for the improvement of healthcare, subject always to applicable laws and codes of conduct, including those relating to the protection of research subjects’ safety and confidentiality.
Marketing and promotion
With your consent, conducting marketing and promotion in relation to us, other Group entities and/or our respective partners.
We will not send telemarketing messages to your Singapore telephone number via text messages, telephone calls or facsimile transmission if we do not have your clear and unambiguous consent in writing or other recorded form to do so or if you have made the appropriate registration of your number with the Do Not Call Registry.
Public health purposes
Safeguarding public health and safety and preventing or lessening the threat to your health and safety or the health and safety of others.
Photography and CCTV (closed-circuit television)
We may take photographs and make videos and/or sound recordings in and around our premises from time to time, including our meeting and function rooms. You may be captured in such photographs and recordings.
We may use such photographs and/or recordings in our publications, websites and other communication channels, as well as in third party media, or display them in and around our premises and/or the premises of our Group.
CCTV may be in operation in and around our premises as necessary in the interests of security.
Any other purposes relating to or arising out of the above.
We may disclose the personal data to third parties, whether located in Singapore or elsewhere, in order to achieve the purposes stated in this policy. Such third parties include:
the doctors and other healthcare professionals who treat or have treated you, and their respective staff;
the Central Provident Fund Board of Singapore and/or your health insurance provider, for payment processing purposes;
other Group entities and our respective partners for the provision of products and services at your request or the conduct of marketing and promotions with your consent;
our service providers, contractors and agents;
third parties that you have used to obtain or request our products and services, including referral agencies, business introducers, travel agencies or similar service providers;
other Group entities for group-wide business purposes or where such disclosure is required or permitted by law;
healthcare providers, agencies or facilities for the purposes of information sharing and exchange via the NEHR system or other health information exchange systems, where such disclosure is required or permitted by law;
regulatory authorities, any statutory bodies or public agencies for the purposes of complying with their respective requirements, policies and directives or where such disclosure is required or permitted by law, including the Ministry of Health, Health Sciences Authority, the coroner and the police and other law enforcement agencies.
funeral homes and crematoria, where such disclosure is required or permitted by law;
organizations that handle organ donation, procurement and transplants, where such disclosure is required or permitted by law;
national registers and databases for various medical conditions, diseases and transplants, where such disclosure is required or permitted by law;
accreditation or representative bodies for health care providers, agencies, facilities or healthcare professionals, where such disclosure is required or permitted by law; and/or
anyone involved in your care or payment for your care (including a family member, friend or your caregiver or caregiving organisation) and anyone you have authorized us to contact or communicate with.
We may also collect, use and disclose personal data where required or permitted by law for any purpose. Your consent may not be necessary or required in some circumstances as provided in the “Second Schedule – Collection of Personal Data without Consent”, “Third Schedule – Use of Personal Data without Consent” and “Fourth Schedule – Disclosure of Personal Data without Consent” of the PDPA, or there may be other legislation such as Infectious Disease Act which renders this necessary. Where the disclosure is restricted by such legislation, the obligation under such other laws will prevail.
When using your personal data to contact you for the purposes under which you have consented, we may contact you via postal mail, electronic mail, SMS, telephone, fax or any other means.
If consents are not procured or if you fail to provide us with complete or accurate information, we may, in some situations, be prevented from providing a patient with medical treatment (or may be impaired in doing so, resulting in risks to that patient) or cause harm to a data subject.
We will take the approach that best safeguards us, you and others from risks, and we may well have no choice but to decline to proceed with the treatment in question to avoid causing harm or exposing us, you or others at risk.
SECTION 4 – PROTECTION OF YOUR PERSONAL DATA
We will practice strong data protection as part of our IT Policies and Procedures and in fulfilment of the obligations under various legislation requirements such as Private Hospitals and Medical Clinics Act (PHMCA), Infectious Disease Act (IDA) etc.
While we take reasonable efforts to protect your personal data held by us, we cannot be held responsible for unauthorized and unintended access that is beyond our control.
SECTION 5 – RETENTION OF YOUR PERSONAL DATA
We will review your personal data held by us on a regular basis to determine if such personal data is still needed. Your personal data will not be retained longer than needed for the purpose under which it was collected, unless there are business, industry and/or legal requirements for the retention of such. Your personal data will also not be kept for “just in case” it may be needed for other purposes that you have not been notified.
We may anonymize your personal data on record as an organization is considered to have ceased retention of personal data when it no longer has the means to associate the personal data with particular individuals. The anonymizing of data could be found under the section on Anonymization in the Advisory Guidelines on Selected Topics in the PDPC website.
We will retain employee personal data for a reasonable period for up to 7 years in accordance with its legal and business purposes, even after the person ceases to be employed by the Group. With regard to medical data, we will retain medical records in accordance to the duration stipulated by Ministry of Health.
SECTION 6 – TRANSFER OF YOUR PERSONAL DATA OUT OF SINGAPORE
If we transfer your personal data to a country outside of Singapore, we will ensure that such personal data is protected to a standard comparable to the protection accorded to personal data under PDPA. In summary, this means:
the collection, use and/or disclosure of your personal data would be for the purpose(s) for which you have given consent;
steps would be taken to ensure accuracy and completeness of your personal data when your personal data is used or disclosed to third parties;
security arrangements would be made to protect your personal data;
your personal data would be retained only if necessary for legal and business purposes; and/or
anyone who receives your personal data from us is either in a jurisdiction which has comparable data protection laws or is otherwise bound to protect your personal data.
SECTION 7 – WITHDRAWAL OF CONSENT, ACCESS AND CORRECTION OF YOUR PERSONAL DATA
It is the obligation of the individual to ensure that all personal data submitted to us is true, accurate and complete.
You may access your personal data currently in our possession by contacting our Data Protection Officer. We will process your request in accordance with the access requirements of the PDPA and will provide you with the relevant personal data within a reasonable time after the request has been made. A fee may be charged for processing an access request.
You may request to correct your personal data by contacting our Data Protection Officer. We will correct your personal data as soon as practicable after the request has been made unless we have reasonable grounds not to do so.
You may withdraw your consent for the collection, use and disclosure of your personal data in our possession by giving reasonable notice to us. Kindly note that we are obliged to evaluate and process your request. If you choose to proceed with your withdrawal, do note that it will affect the medical care and services you would receive from us or other healthcare institutions.
We will not be able to provide access to data which are opinion data kept solely for evaluation purpose such as opinion of suitability, eligibility, qualification of individuals for employment, promotion or continuance in employment. Once your consent is withdrawn, it is our obligation to cease, and cause our data intermediaries and agents to cease, such collection, use and disclosure within reasonable notice period. As a result, we may not be able to proceed with some transactions that you have requested.
SECTION 8 – CONTACTING US
If you wish to withdraw any consent you have given us at any time, or if you wish to obtain access or make corrections to your personal data held by us, or if you do not accept any amendment to this Policy, please contact:
. The Data Protection Officer Singapore Sports and Orthopaedic Clinic
6 Napier Road
#02-10/11/12 Gleneagles Medical Centre
SECTION 9 – AMENDMENTS AND UPDATES
We may amend this policy from time to time and will make available the updated policy on our website at www.orthopaedicclinic.com.sg. Each time we collect, use or disclose personal data, the latest version of this policy in force at the time will apply.