Personal Information Protection notice, issued in accordance with the UAE Federal Law 45 of 2021 on the Protection of personal data, UAE Federal Law 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields and with Standards issued by Health Authorities
1. AIM AND PURPOSE OF THIS NOTICE
Mediclinic values your privacy, and with this Privacy Notice, we inform you about the personal information that we collect and process when interacting with you. By being transparent and informing you, we are also fulfilling our legal notification obligation as we are committed to processing your personal data according to the applicable privacy and data protection laws.
This notice applies to all patients, current and former (referred to as “patients”) of Mediclinic Middle East, its subsidiaries, and affiliates (“the Group”).
You should read and retain this notice, with any other privacy notice we may provide you on specific occasions when we are collecting or processing personal information about you, to be aware of how and why we are using your information and what your rights are under data protection laws.
Unless otherwise stated, all personal information we request from you is necessary for the purpose of providing you with healthcare services and for the purpose set out in this notice.
2. DEFINITION OF TYPES OF PERSONAL INFORMATION
Depending on our relationship with you, we might hold different categories of personal information, as per the table set out below:
The term “personal information” in this notice refers to information that can identify you as an individual, that is, as a natural person.
Personal information is information that enables us to identify you as a natural person such as your full names, address, identification number, date of birth, gender, memberships to societies, etc.
Sensitive personal information
Sensitive personal information refers to information that directly or indirectly reveals a natural person’s family, racial or ethnic origin, political opinions, religious or philosophical beliefs, health, genetic or biometric data, physical or mental health.
3. HOW WE COLLECT YOUR PERSONAL INFORMATION
The personal information that we process is information we have obtained from you, or that you have consented to us collecting from a third party, when becoming a patient at one of our facilities. We also process personal information that is inferred about you, based on information which you provide to us during our interactions, or which we receive from a third party.
Sensitive personal information about you, as defined above, may be collected and processed to the extent necessary to provide healthcare services and treatment, or to do the necessary administration of Mediclinic and its facilities, as it relates to the law or your consent. During your stay as inpatient or outpatient in our facilities, we also create new personal information about you, especially when documenting the medical treatment (such as diagnosis, recommendation of treatments, medication etc.). The documentation of information is inherent to the treatment process and required by law. The information forms part of your medical record and is sensitive personal information as defined above.
As required by law, our premises are monitored using closed-circuit television cameras in public areas, which record you while at a facility.
4. PURPOSE OF PERSONAL DATA PROCESSING
We will use your personal information based on the following lawful reasons to process:
Lawful reason to process
Data Elements (not an exhaustive list)
Based on contract between you and Mediclinic for healthcare services.
Manage all aspects of your treatment including admission process, treatment facilitation, maintenance of the patient medical record, case management, clinical diagnostic and procedure coding, billing, claim submission, general administration and human resource-related processes related to your treatment.
Name, gender, home address and telephone number, date of birth, biometric information, emergency contact details
Copy of passport or national identification document
Medical insurance, guarantor, sponsor and other benefits information
Employer details and contact information
Date of admission, tracking of bed status and theatre usage and date of discharge
Height, weight and other detailed health information such as allergies, preferences and special need requirements as well as diagnoses and treatment
Physical and mental healthcare records (including results and opinions from third party providers, such as X-rays, scans and blood tests; referrals and second opinions, such as written statements, medical photographs and diagrams and surgical videos)
Radiology results such as scans (e.g. MRI, CAT etc). Medicine prescriptions and medication information.
We need to comply with legal and regulatory obligations.
Comply with applicable federal and local laws and regulations.
Protect the safety and security of Mediclinic employees, patients and visitors and their property (including controlling and facilitating access to and monitoring activity in secured premises and activity using Mediclinic computers, communications and other resources)
Information required to comply with laws, the requests and directions of law enforcement authorities such as reporting to government, ministries and health authorities e.g. communicable disease reporting or occupational injury or disease reporting etc.
Video footage of our premises using closed-circuit television cameras which record you while in public spaces in our facilities.
We may also use your personal information where we need to protect your interests (or someone else’s interests) or it is needed in public interest.
Maintain emergency contact and beneficiary details (which involves Mediclinic holding information on those you nominate in this respect).
Anti-microbial stewardship initiative to reduce antibiotic resistance development
Names, email address, physical address, telephone number of next-of-kin or emergency contact
Referring doctor details such as name, email address, physical address, telephone number
Antibiotic usage and laboratory results
It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or as otherwise permitted by applicable laws.
Investigate and respond to claims against Mediclinic, its employees, patients and visitors.
Investigate incidents where patients were involved
Audio recordings used for quality control, training purposes and, if applicable, transcription of reports
Video footage using closed-circuit television cameras which records your on-premises public space behaviour
Physical and mental healthcare records (including results and opinions from third party providers, such as x-rays, scans and blood tests; referrals and second opinions, such as written statements, medical photographs and diagrams and surgical videos)
Collect relevant patient related information to initiate improvement in processes to prevent future harm to patients
Recording of telephonic discussions where applicable
Based on specific consent you have provided us
Conduct anonymous patient satisfaction surveys.
Marketing information
Research in the field of health
Share e-mail, mobile phone number or other contact details in encrypted format with company conducting independent survey on our behalf
Promote new services, facilities and offerings.
Anonymised health data for research purposes, according to health authority regulations and policies.
5. CHANGE OF PURPOSE
We will only use your personal information for the purposes for which we collected it, as specified above or when reasonably compatible with the original purpose for which the information was collected.
If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
We may process your personal information without your knowledge or consent, in compliance with the law, where this is required or permitted by applicable laws.
6. DISCLOSURE AND SHARING OF INFORMATION
For the purposes specified in this notice, your personal information may be shared with third parties and other appropriate persons within the Group. We require all such persons to respect the security of your personal information and to treat it in accordance with our Policy and applicable law.
Portals of Regulators and Funders
All patient data is uploaded into the Government Health Systems, as required by law. In the Emirate of Abu Dhabi, patient data is uploaded into Malaffi; in the Emirate of Dubai, patient data is uploaded into NABIDH; and for other Emirates, patient data is uploaded to the MoHAP portal.
Patient data is also uploaded to portals of insurances and various Government and health authorities such as DOH, DHA, MoHAP, FANR, DOH Finance sector for mandatory reporting.
Agents, service providers and suppliers
From time to time, we outsource the processing of certain functions and/or information to third parties. When we do outsource the processing of your personal information to third parties or provide your personal information to third-party service providers, we oblige those third parties to protect your personal information with appropriate security measures in accordance with our Privacy and Data Protection Policy and to at least the same level that we do.
As we continue to develop our business, we may buy or sell healthcare facilities and other assets. In such transactions, patient information is generally one of the transferred business’ assets and we may include your personal information as an asset in any such transfer. Also, in the event that we (the company or part thereof), or substantially all of our assets, are acquired, patient information may be one of the transferred assets to the entity that acquires us.
We will disclose any personal information we have concerning you if we are compelled to do so by a court of law, requested to do so by a governmental entity, or if we determine it is necessary to comply with the law or to protect or defend our rights or property in accordance with applicable laws. We also reserve the right to retain personal information that we collected and to process such personal information to comply with accounting, tax rules, health and other regulations, and any specific record retention laws, even if you are no longer being treated by the Group.
Like most international businesses, we have centralised certain aspects of our data processing and clinical resources administration in accordance with applicable laws in order to allow us to better manage our business. That centralisation may result in the transfer of de-identified and anonymised personal information from one country to another. You can expect a similar degree of protection in respect of your personal information in the destination country as can be expected in the country of treatment.
7. DO WE NEED YOUR CONSENT?
Generally, the company is not required to obtain your consent to collect and use your personal information for the purposes specified in the document, unless specifically required by applicable laws, in which case we will not process your personal information without your consent.
8. USE OF YOUR PERSONAL INFORMATION IN AUTOMATED DECISION MAKING
Mediclinic does not make use of automated decision making that would affect you as the data subject in any significant way, or have any legal consequences attached to it.
9. DATA SECURITY
Your personal information shall be treated as confidential and collected, processed, and stored by Mediclinic and our service providers in a manner that ensures appropriate security thereof, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, which include:
- identity and access management;
- infrastructure and operations security;
- vulnerability management;
- business continuity planning;
- disaster recovery planning; and
- security awareness.
Further details of these measures are available upon request.
We have put in place procedures to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
10. DATA RETENTION
We will retain your personal information for no longer than is necessary or permitted by applicable law. Once you are no longer a patient of the Group, we will retain and, once required, securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
11. YOUR RIGHTS OF ACCESS, CORRECTION, ERASURE AND RESTRICTION
Personal information we hold about you should be accurate and current. Please update your personal information should it change during your relationship with us.
You may request to access, correct, erase, or restrict our processing of your personal information. We will need specific information from you to help us confirm your identity and ensure your right can be exercised.
Information can be requested by calling the MCME toll free number 8001999 (Emirate of Dubai) or 8002000 (Emirate of Abu Dhabi), or by downloading the release of information form from the Mediclinic website and sending it to the Medical Records Department’s email address mentioned in the form.
Once a request is received and verified, the Medical Records Department shall release the information to you or provide feedback to you as governed by law and internal processes.
You will not have to pay a fee to confirm whether Mediclinic holds personal information about you. Investigation reports, discharge summaries and copy of medical records are given free of cost as per the regulatory policies. We may however charge a fee should you request a copy of your comprehensive medical reports. We may refuse to disclose any information should your request for access clearly be unfounded, repetitive or excessive.
Where you provided consent to the collection, processing, and transfer, you have the right to withdraw your consent for that specific processing at any time, as far as it complies with laws and regulations. To withdraw your consent, please contact the relevant locality where you gave consent or send an e-mail with appropriate information to email@example.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
12. CHANGES TO THIS PRIVACY NOTICE
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, our lawful reason to process or how we handle your personal information, please contact the Mediclinic Middle East Data Protection Officer at firstname.lastname@example.org.
Should you believe that the processing of your personal information is in contravention of the applicable data protection laws, we would appreciate it if you discussed the situation with your physician, the management of your Mediclinic facility or our Data Protection Officer. However, you can also lodge a complaint with the Authorities.
UAE Data Office: not yet established; for news please consult https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws
Dubai Health Authority: Contact toll free number 800DHA or email to MC_HRS@dha.gov.ae
Abu Dhabi Department of Health: Contact DOH customer service department on 800555 or using TAMM portal or registering at DOH portal