Liability (Incorporating Personal Information) Policy in Regard to Pro-Active Health Solutions Proprietary Limited, Registration Number 1999/024038/07, Operating as INUA ("INUA")
The services of or offered by INUA are conducted and/or offered in accordance with the requirements of the Health Professions Act 56 of 1974. The services are subject to the authority of the Health Professions Council of South Africa ("HPCSA"). The healthcare practitioners practising at INUA are registered with the HPCSA. Social Workers are registered at the South African Council For Social Service Professions (SACSSP). All the healthcare practitioners provide healthcare services within the scope and ambit of their registration, competence and training. The practitioners are bound by the Ethical Rules of the HPCSA and the SACSSP Rules, which include the duty to preserve patient confidentiality.
For the purposes of this policy, personal information means personal information as defined in the Protection of Personal Information Act No. 4 of 2013 ("POPIA"), and "process" or "processing" shall mean process or processing as defined in POPIA.
INUA collects and processes various information and/or personal information pertaining to its members, clients and patients. The information collected is based on need and it will be processed for that need/purpose only. Whenever possible, INUA will inform the relevant party of the information required (mandatory) and which information is deemed optional.
INUA will process personal information in a manner that is lawful and reasonable (i.e. will not infringe upon the rights of the individual or member).
Where consent is required for the processing of personal information, such consent will be obtained. Information will be processed in the manner provided by the applicable laws and/or under the following circumstances:
- When carrying out actions for the conclusion or performance of a contract
- When complying with an obligation imposed by law on INUA
- For the protection of a legitimate interest of the data subject (as defined in POPIA)
- Where necessary, for pursuing the legitimate interests of INUA or of an authorised third party to whom the personal information is supplied;
- For the purpose of medical care and consultations with patients.
Examples of the information INUA collects include, but are not limited to:
- Information relating to the race, gender, sex, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of a client or patient.
- Information relating to the education or the medical, financial, criminal or employment history (this includes disciplinary action) of an employee or patient.
- Banking and account information.
- Contact information.
- Any identifying number, symbol, email address, telephone number, location information, online identifier or other particular assignment to the employee, member, client or patient.
INUA shall not process special personal information (as defined in POPIA), without complying with the specific provisions of POPIA. Special personal information includes information concerning:
- the religious or philosophical beliefs, race or ethnic origin, trade union, health, sex life or biometric information of a data subject; or
- the criminal behaviour of a data subject, where such information relates to the alleged commission by a data subject of any offence committed or the disposal of such proceedings.
2. Safeguarding of Personal Information and Consent
INUA shall review its security controls and processes on a regular basis to ensure that personal information is secure. It will take appropriate, reasonable technical and organisational measures to prevent loss or damage or unauthorised destruction of personal information, and unlawful access to or processing of personal information. This will be achieved by –
- Identifying internal and external risks;
- Establishing and maintaining appropriate safeguards;
- Regularly verifying these safeguards and their implementation;
- Updating the safeguards;
- Implementing generally accepted information security platforms and procedures;
- Patient contracts/signed forms and thereto, containing relevant consent clauses for the use and storage of patient information, or any other action so required, in terms of POPI are signed by every patient;
- On an ongoing basis, all suppliers, insurers and other third-party service providers are required to sign a service level agreement guaranteeing their commitment to the protection of personal information;
- Consent to process patient information is obtained from patients (or a person who has been given authorisation from the patient/client to provide the patient's personal information) and suppliers at sign on/appointment/contracting.
3. Transfer of Information Outside of South Africa
INUA will not transfer personal information about a data subject to a third party who is in a foreign country unless one or more of the following apply:
- the third party is subject to a law, binding corporate rules or a binding agreement which provides an adequate level of protection of personal information and effectively upholds principles for reasonable processing of the personal information;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and INUA;
- the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to that transfer and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
4. Limitation of Liability
To the extent permitted by law (including POPIA), INUA shall not be liable for any loss, damage, or harm arising from a data breach where:
4.1. Reasonable security safeguards were implemented, and
4.2. The breach resulted from circumstances beyond its reasonable control, including but not limited to cyber-attacks, system failures, or third-party service provider failures.
5. User Responsibilities
Users of the services of INUA ("the user/s"), including those using the services via electronic means, are responsible for:
- Keeping their access or login credentials confidential;
- Immediately notifying INUA of any suspected unauthorised access to their account.
INUA will not be liable for breaches resulting from a user's failure to safeguard their access or login credentials.
6. Third-Party Processors
Where personal information is processed by third-party service providers, INUA requires such parties to implement appropriate data protection measures consistent with POPIA. However, INUA cannot guarantee the absolute security of third-party systems.
7. No Guarantee of Absolute Security
While INUA uses commercially reasonable security measures, no system is completely secure. Users acknowledge and accept the inherent risks associated with transmitting information electronically.
8. Retention of Records
INUA is obligated to retain certain information, as prescribed by law and the HPCSA. As per the HPCSA guidelines, patient health records should ideally be stored indefinitely, particularly if this can be done using an electronic format. If this is not practical, a patient health record should be stored for a minimum of 6 (six) years as from the date that a patient health record has become dormant (dormancy commences at the time when a patient was last treated by a healthcare practitioner). The exceptions to the aforesaid include the following: for patients who were under the age of 18 years when they were cared for (including obstetric care), the patient health records should be kept at least until the patient's 21st birthday; for mentally incapacitated patients, the patient's health records should be kept for the duration of the patient's lifetime.
