POPI Section 18 – Privacy Notiﬁcation for collecting information from Patients
Effective Date: 1 July 2021
The new Protection of Personal Information Act, 2014 (POPI) came into effect on 1 July 2020. It builds on existing healthcare data privacy rules, strengthening in many key areas and non-compliance potentially results in severe financial penalties.
Cheryl Fisher Occupational Therapists is highly committed to maintaining high standards of information security, privacy and transparency, whether as a Responsible Party or as an Operator in terms of POPI.
We take our responsibilities in relation to the protection and security of our data and that of our employees, patients, vendors and partners incredibly seriously and the changes being introduced to ensure POPI compliance are part of a continuous, ongoing process that has always been central to what we do.
|Application of this Privacy Notification?|
This POPI Privacy Notification explains how Cheryl Fisher Occupational Therapists, (referred to as “the Practice,” “we,” “our,” or “us”) handles your Personal Information and can include Personal Information about others where you share their Personal Information with us. It details how we collect your Personal Information, why we collect it, and to whom we may share it. This Privacy Notification also discloses your Personal Information rights. It applies to all your Personal Information, including Personal Information stored electronically or in hard copy and Special Personal Information, which includes Personal Information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic information, biometric information for the purpose of uniquely identifying a natural person, information concerning health or information concerning a natural person’s sex life or sexual orientation, and information relating to criminal behaviour.
|What Personal Data may we collect about you? [Section 18(1)(a)]|
The Practice collects and processes your Personal Information, which can come directly from you or from third parties with whom we contract or provide services or for compliance reasons. Personal Information includes all information that identifies you or can be used to identify you.
The information we process about you may include the following categories of Personal Information:
- Name & Surname
- Age and date of birth
- Demographic data
- Personal contact information (address, telephone, email address)
- Medical Scheme Information
- Communication and other personal preferences
- Payment related information
- Health and other Special Personal Information
- Data collected from Cookies (on our website)
- Data collected from website/mobile device usage and analytics (on our website)
|We may process your Personal Information for the following purposes [Section 18(1)(c)]|
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare.
Our health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which the Practice hold about you may include the following information;
- Details about you, such as your address, referring doctor, emergency contact details
- Any contact the Practice has had with you, such as appointments, practice visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as formal and informal assessment, x-rays etc
- Relevant information from other health professionals, relatives or those who care for you.
Other purposes for retaining records may include [see paragraph 3.1 of the HPCA’s Booklet 9: Guidelines on the Keeping of Health Records):
- Further the diagnosis or ongoing clinical management of the patient;
- Conduct clinical audits;
- Promote teaching and research;
- Be used for administrative or other purposes;
- Be kept as direct evidence in litigation or for occupational disease or injury compensation purposes;
- Be used as research data;
- Be kept for historical purposes;
- Promote good clinical and laboratory practices;
- Make case reviews possible;
- Serve as the basis for accreditation
|Is the supply of the information voluntary or mandatory? [Section 18(1)(d)]|
Supplying of certain types of information is mandatory. Section 13 of the National Health Act, 2003, provides that the person in charge of our practice must ensure that a health record containing such information as may be prescribed is created and maintained for every user of health services. Paragraph 4.1 of the Health Professions Council of South Africa’s Booklet 9: Guidelines on Keeping of Patient Records provides that we must enter and maintain at least the following information for each patient consulted:
- Personal (identifying) particulars of the patient.
- The bio-psychosocial history of the patient, including allergies and idiosyncrasies.
- The time, date and place of every consultation.
- The assessment of the patient’s condition.
- The proposed clinical management of the patient.
- The medication and dosage prescribed.
- Details of referrals to specialists, if any.
- The patient’s reaction to treatment or medication, including adverse effects.
- Test results.
- Imaging investigation results.
- Information on the times that the patient was booked off from work and the relevant reasons.
- Written proof of informed consent, where applicable
|Consequences of failure to provide the information [Section 18(1)(e)]|
- refuse to provide your personal information which we request;
- do not consent to us handling your personal information in accordance with this Privacy Notification; or
- revoke any consent regarding the handling of your personal information by us which you have previously given,
then such refusal or revocation of previously given consent might prevent us from performing our services, and this might in turn, depending on your circumstances, adversely affect you.
|Any particular law authorising or requiring the collection of the information [Section 18(1)(f)]|
- National Health Act, 2003 – Section 13
- Booklet 9: Guidelines on Keeping of Patient Records of the Health Professions Council of South Africa’s – Paragraph 4.1
- Medical Schemes Act, 1998 – section 59(1)
- Health Professions Act, 1974 – Section 53(2)
|Transfer the information to a third country [Section 18(1)(g)]|
We may transfer your information to a Cloud database outside your country of domicile, potentially including countries which may not require an adequate level of protection for your Personal Information compared with that provided in your country.
|Recipient or category of recipients of the information [Section 18(1)(h)(i)]|
In order to deliver the best possible service, the Practice will share information (where required) with –
- other healthcare providers such as other OT practices, GP’s and hospitals.
- carefully selected third party service providers. When we use a third party service provider to process personal information on our behalf then we will always have an appropriate agreement in place to ensure that they keep the information secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
- Medical Schemes.
- Accounting Bureaux’s and / or bookkeepers.
- Disclosures authorized by law. There are limited situations where we are legally required to disclose your personal information without your consent. These situations include (but are not limited to) reporting infectious diseases and fitness to drive, or by court order.
|How can you access, rectify or object to the personal information that you have given to us? [Section 18(1)(h)()]|
Even if we already hold your personal information, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object: If we are using your information because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
Right to withdraw consent: Where we have obtained your consent to process your personal information for certain activities (for example for a research project, or professional training), or consent to market to you, you may withdraw your consent at any time.
Right to erasure: In certain situations (for example, where we have processed your information unlawfully), you have the right to request us to “erase” your personal information. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will Delete your information but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your information are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
Right of data portability: If you wish, you have the right to transfer your information from us to another service provider. We will help with this.
|Objections / Complaints:|
Should you have any concerns about how your information is managed at our Practice, please contact the Information Officer as below. If you are still unhappy following a review by the Practice, you have a right to lodge a complaint with the Information Regulator as below.
|Chief Executive Officer||Mr Marks Thibela|
|Address||33 Hoofd Street Forum III, 3rd Floor Braampark P.O Box 31533 Braamfontein, Johannesburg, 2017|
|Tel No||+27 (0) 10 023 5200|
If you are happy for your data to be used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Information Officer.
If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Information Officer as below.
|Information Officer||Cheryl Fisher|
|Address||100 Algernon Road, Norwood, 2192|
|Tel No||083 559 3023|
It is important to point out that we may amend this Privacy Notice from time to time. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice Data Protection Officer.