- SOCIAL SERVICE LEAGUE-MP SHAH HOSPITAL
- Our contact details
- Name: SOCIAL SERVICE LEAGUE-MP SHAH HOSPITAL
- Address: P.O. BOX 14497-00800 WESTLANDS, NAIROBI.
- General phone number: 0111000600
- General inquiries email address: info@mpshahhospital.org
- Website: www.mpshahospital.org
PRIVACY NOTICE
ACKNOWLEDGING that we respect your privacy, we are committed to processing personal data in compliance with the Data Protection Act, 2019, the Data Protection (General) Regulations, 2021, the Data Protection (Complaint Handling Procedure & Enforcement) Regulations, 2021 and the Data Protection (Civil Registration) Regulations, 2020. This privacy notice explains what to expect us to do with your personal information when you contact us or use our services.
PLEASE NOTE, this Privacy Notice explains how we collect, use, share, and store (Process) personal data of third-party service providers (in the case of corporate entities, this refers to their representatives) and, generally, members of the public (referred to as “you” or “your” in this Privacy Notice).
“You” or “Your” means:
i) A patient/client: any individual receiving medical care, treatment, or consultation services at our Hospital, including individuals undergoing diagnostic procedures, receiving outpatient care, or participating in wellness programs; subscribing to, using, or purchasing any of our medical products and services; or accessing our websites. Personal health information and related data are collected and processed in line with the highest standard of medical care, in compliance with legal and regulatory requirements, and to facilitate communication and follow-up services.
ii) Any agent, dealer, or merchant who has a valid agreement with us and is defined as a merchant or agent by any applicable laws or Regulations.
iii) Any visitor (including contractors/subcontractors or any third parties) who gains access to any MPSH premises.
iv) Any supplier contracted by MPSH that has executed a Supplier contract.
v) Members of the public.
You must read this Privacy Notice and any other related privacy documents (Other Privacy Documents) we may provide from time to time regarding the Processing of personal data about you (or personal data you provide), so that you are fully aware of how and why we are using such data. This Privacy Notice adds to the Other Privacy Documents and does not intend to override them.
Please note that this Privacy Notice applies to our patients, their families, and other individuals who may use our healthcare services. If you need a copy, please contact us.
MP Shah Hospital is referred to as “we” in this Notice.
We will regularly review this Privacy Notice. This version was created on 30th August 2024.
WHO WE ARE
The hospital is a “DATA CONTROLLER” for the processing activities described below. We determine the purpose and means of Processing personal data (or personal data you provide).
The Hospital is registered as a “DATA CONTROLLER” and as a “DATA PROCESSOR” with the Office of the Data Protection Commissioner in line with section 18 of the Data Protection Act, 2019.
Our DPO is responsible for our data protection function. You can find the contact details for our DPO at info@mpshahhospital.org.
THE TYPES OF “PERSONAL DATA” THAT WE COLLECT AND PROCESS
“Personal data” means any information that is used to identify an individual natural person. Please note that there are “special categories” of personal data that are more sensitive and require a higher level of protection. The personal data we collect will be determined by the circumstances surrounding our relationship.
We will collect, use, store, share, or otherwise process personal data about you (or persons connected to you), including:
Details about our third-party service providers:
a) Personal details: such as name, date of birth, I.D., title, and job description; contact details such as business email address, physical address and telephone number, and other information required for Know Your Customer (KYC), Anti-Money Laundering (AML) and/or sanctions checking purposes (e.g., copies of your passport or a specimen of your signature).
b) Contractual details, such as a service contract, including:
i) information contained in your bids and/or your responses to our tenders or invitations,
ii) your written agreements/ contracts/ local purchase orders with us,
iii) signature authorizations issued by our corporate service providers,
iv) records relating to your performance in providing us with goods and services,
v) details of all invoices received from you (and associated purchase orders) as well as expenses claimed by you,
vi) details of payments to you, including records of associated taxes, details of your requests, queries, or complaints and
vii) bank account details insofar as our service provider is a natural person.
3.2.3 Details about members of the public:
a) Personal details: such as your name, title, gender, nationality, marital status, date of birth, place of birth, age, occupation, national identification/passport number, addresses, telephone numbers, personal email addresses, and social media accounts.
b) With your consent, we collect necessary and relevant Personal Identifiable Information (PII) such as name, address, date of birth, gender, next of kin, bank details, and contact details, as well as Personal Health Information (PHI), including the past, present, and future health status of patients, students/trainees, and staff to provide you with healthcare, training, and research or employee services.
c) Hospital-related details: such as the purpose of contacting the Hospital including when inquiring about the Hospital’s services or reporting a complaint, your responses to the Hospital’s surveys or questionnaires, and any health conditions when participating in any Hospital activities.
d) Donation/Fundraising-related details: such as the purpose of your donation, the amount of your donation, where applicable, the related organization donating, and bank account details or any other payment method relating to your donation.
e) Your personal information as a patient, employee, student/trainee, or third party may be processed, stored, or transmitted electronically or manually, for quality patient-centered care, employee or training services, upon the lawful order of any competent authority, or by virtue of the mandate of the Hospital as an employer and as a medical institution. Such information shall only be disclosed and shared with relevant private or public persons, offices, or entities with your consent or as required by law.
3.2.4 Details on our communication, marketing, and monitoring activities:
a) Communications details: such as information contained in voice, messaging, letter, email, and other communications we have with you. We may also keep records of our meetings and conversations, whether with you or with other third parties, about you or the goods or services that you provide. Please note that as required and/or permitted by law, we may also monitor and record telephone, email, instant messaging, and other online communications with us regarding our hospital operations.
b) Monitoring information such as:
i) information about use of our information and communications systems, including website and system interaction (cookies, internet protocol (I.P.) address, your login data, browser type and version, time zone setting and location, browser plug-in types and similar technologies),
ii) information about use of the Hospital’s facilities,
iii) information about interactions with us on social media,
iv) information received in response to any surveys or complaint claims and
v) information gathered through CCTV and building access information.
c) Marketing data: such as preferences for receiving marketing from us and our third parties and communication preferences.
3.3 Please note that by providing us with any personal data about a third party, you will be confirming:
a) that you have obtained the necessary consent from those third parties to the use of their data, and
b) that the third parties are aware of your actions.
WHAT HAPPENS IF YOU FAIL TO PROVIDE THE REQUESTED PERSONAL DATA?
If you do not provide us with the personal data requested for our operational purposes, we may not be able to appropriately provide you with the medical services you require or adequately assist you contractually. That is, without it we, as data controller/processor, may lack a lawful basis on which to assist you.
HOW DO WE COLLECT PERSONAL DATA (OR PERSONAL DATA YOU PROVIDE)?
5.1 We may collect or receive your data (or personal data you provide) in different ways:
a) Where you provide the personal data directly to us, for example:
i) communicating with us by phone, email, or social media,
ii) participating in our tendering or recruitment processes,
iii) participating in our surveys or questionnaires or research activity,
iv) signing up to receive our marketing,
v) during your relationship with us when accessing our services or when providing us with your goods or services,
vi) completing a form, a security book, or an event attendance list (to participate in events held by the Hospital), and
vii) using or registering to use our website (i.e. https://www.mpshahhospital.org/). Please see section 9 on Cookies for further information.
b) From third parties, such as your insurance provider, your employer, regulatory or professional bodies and government departments/ agencies,
c) From publicly available sources including but not limited to internet search engines, public records and registers, and social media accounts (e.g., Facebook, LinkedIn, Instagram, TikTok and Twitter),
d) Where you provide the personal data indirectly to us through monitoring devices or by other means (for example, the Hospital’s building and location access control and monitoring systems, CCTV, telephone logs and recordings, instant message logs, and email and internet access logs), if and to the extent authorized by applicable laws and our data retention policy.
5.2 Generally, you are not obligated to provide us with your personal data (or any person’s). However, if you provide us with the information we need, we may be able to provide you with medical services or assist you appropriately.
5.3 We will seek to minimize the amount of information we request, only that needed to perform the relevant function or service at the time, in compliance with the purpose limitation and data minimization principles.
HOW DO WE USE YOUR PERSONAL DATA (OR PERSONAL DATA YOU PROVIDE)?
6.1 We will process and store your data (or personal data you provide) for any of the following purposes:
a) confirming your identity and communicating with you (or, where applicable, the corporate entity you are connected to);
b) managing and improving our relationship with you (or, where applicable, the corporate entity you are connected to);
c) making decisions about procuring your (or the related corporate entity’s) goods and services including determining the terms of our contractual agreement;
d) undertaking contract, supply, and financial management, planning, and reporting within our business;
e) enabling third parties to deliver products or services on our behalf, including I.T. service providers;
f) managing, administering, and improving our business, client, and service provider engagements and relationships for corporate marketing, business development, analysis, and operational purposes;
g) evaluating recruitment applications for employment at the Hospital and undertaking pre-employment screening, including, where relevant and appropriate, identity checks, reference checks, and criminal record checks;
h) operating security (including CCTV), governance, audit, and quality assurance processes and arrangements;
i) fulfilling and monitoring our responsibilities under the various laws of Kenya;
j) enabling you to attend Hospital events, including fundraising activities;
k) communicating effectively with you by post, email, and phone; where appropriate, you will be given the opportunity to opt out of receiving some communications from us;
l) complying with our obligations to donors and sponsors (including our disclosure obligations under their terms and conditions and policies);
m) managing and maintaining your information in hard copy records, files, and systems, including technical support and maintenance of the Hospital systems and managing electronic and hard copy records in line with our retention schedules;
n) for business contingency planning and response to active incidents;
o) establishing, exercising, and/or defending legal claims or rights and protecting, exercising, and enforcing our rights, property, or safety and those of our business or any entity related to the Hospital;
p) investigating and responding to complaints or incidents related to us or our business, to maintain service quality and to train staff to deal with complaints and disputes;
q) auditing, monitoring, investigation, and compliance monitoring activities about our policies, codes of conduct, applicable law, the prevention, and detection of criminal activity and to protect our assets and premises;
r) meeting our obligations to, cooperating with, responding to requests from, and complying with lawful requests by public authorities, or where otherwise required or authorized by applicable laws, court orders, government regulations, or regulatory authorities (including, without limitation, data protection and tax authorities), whether within or outside this country;
s) conducting compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records, fraud and anti-money laundering (AML) prevention, measures relating to sanctions and anti-terrorism laws and regulations, and fighting crime;
t) recording and/or monitoring telephone conversations to maintain service quality and security, for staff training and fraud monitoring, and to deal with complaints, disputes, and potential and/or actual criminal activity. To the extent permitted by law, these recordings are our sole property;
u) for research and other statistical and trend analysis (de-identifying and aggregating or anonymizing source data with that of other clients and institutions in such a way that it is not possible to reverse-engineer and re-identify you); and
v) complying with applicable laws and regulations.
LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA (OR PERSONAL DATA YOU PROVIDE)
7.1 We will only collect, use, and share your personal data (or personal data you provide) where we are satisfied that one of the following legal grounds applies to a specific Processing activity:
a) The Processing is necessary for the performance of a contract to which you are a party or to take steps, at your request, before entering such contract.
b) The Processing is necessary for the legitimate interests pursued by us or those of a third party to whom personal data is disclosed, except where such interests are overridden by your interests or rights and freedoms requiring personal data protection. We have a legitimate interest in processing personal data for the purposes set out above and in supporting the achievement of our immediate and long-term business goals and outcomes.
c) The Processing is necessary for us to comply with a legal obligation to which we are subject, such as providing information on request to government entities or regulatory authorities and conducting compliance activities such as audit and reporting, maintenance of accounting and tax records, or anti-money laundering.
d) The Processing is based on your consent. We will rely on your consent as a lawful basis for Processing personal data, as appropriate, including the processing of personal data relating to a child, Processing sensitive personal data outside Kenya, processing your personal data for direct marketing to you, and where you have provided us with your consent.
Where you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Please note that by withdrawing your consent, the withdrawal will not render unlawful our prior processing of your personal data or the processing based on other legal bases for processing your personal data.
e) Processing is necessary to protect your interests (or someone else’s interests).
f) Processing is necessary to perform a task carried out in the public interest or for official purposes.
g) The Processing is for historical, statistical, journalistic, literary, artistic, or scientific research purposes.
7.2 Some of the above grounds for processing will overlap, and several grounds may justify our use of your personal data (or personal data you provide).
CHANGE OF PURPOSE
8.1 We will use your personal data (or personal data you provide) solely for the purposes for which it was collected unless we reasonably believe that we need to use it for another reason that is legally compatible with the original purpose.
8.2 If we need to use your personal data (or personal data you provide) for an unrelated purpose, we will notify you, explain our legal grounds for the change, and obtain your consent to process your personal data (or personal data you provide) for that unrelated purpose.
8.3 Please note that we may Process your personal data (or personal data you provide) without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
COOKIES
9.1 Please note that to improve our internet service, we will occasionally use a “cookie” (a strictly necessary cookie) and/or similar technologies that may place certain information on your computer’s hard drive when you visit our website or any of the Hospital’s affiliated websites.
9.2 A cookie is a small amount of data our web server sends to your web browser when you visit certain parts of our site.
9.3 Through cookies we may collect, inter alia:
a) information about your use of our services and about the device you use to access our services,
b) the pages you request and visit and any posts you submit,
c) information on your interaction with other pages,
d) information obtained during maintenance or support of our website,
e) information about your device such as MAC and IMEI numbers, your I.P. address, and the URLs of sites from which you arrive or leave our website, and
f) your type of browser, operating system, mobile or internet service provider, and the make and size of your device (such as for page displays and interoperability).
9.4 We use cookies to do many different jobs, like letting you navigate between pages efficiently, identifying you after you have logged in by storing a temporary reference number in the cookie, allowing you to access stored information if you register for any of our online platforms, and generally improving your online experience.
9.5 Cookies do not enable us to gather your personal data unless you give the information to our server. Most Internet browser software allows blocking all cookies or enables you to receive a warning before a cookie is stored.
WHO DO WE SHARE YOUR PERSONAL DATA (OR PERSONAL DATA YOU PROVIDE) WITH?
10.1 We will disclose your personal data (or personal data you provide) to any of the following as appropriate:
a) our partner organizations,
b) our external service providers, where we outsource certain functions, including but not limited to our I.T. and office systems, administrative services providers, and research companies. We will only disclose personal data to our external service providers when it is essential for them to provide their service, and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions,
c) funders and sponsors of the Hospital,
d) our professional service providers (e.g., legal advisors, accountants, auditors, insurers and tax advisors),
e) legal advisors, government and law enforcement authorities, and other persons involved in or contemplating legal proceedings,
f) competent regulatory, prosecuting, tax or governmental authorities, courts, or other tribunals in any jurisdiction,
g) other persons where disclosure is required by law or to enable products and services to be provided to you (or, where applicable, the corporate entity you are connected to),
h) any other relevant professional or statutory regulatory bodies,
i) persons to whom disclosure is necessary to establish, exercise, or defend our legal rights, including in connection with any ongoing or prospective legal proceedings,
j) prospective buyers as part of a sale, merger, or other disposal of any of our business or assets; and
k) Any other person you have authorized us to share your personal data with by your written consent.
10.2 In all the cases cited above, we require all parties with whom we share your personal data (or personal data you provide) to respect the security of your personal data (or personal data you provide) and treat it in accordance with the law. Please note that we do not allow our external service providers to use your personal data (or personal data you provide) for their own purposes, and only permit them to Process your personal data (or personal data you provide) for specified purposes and per our instructions.
10.3 Please note that if you request us, in writing, to share your personal data (or personal data you provide) with third parties, we will follow your request to share the relevant information. However, we do not have control over how those third parties will use your information. Before you make your request, we recommend that you (or the person acting on your behalf) consider the data protection practices of that third party by reading their privacy policies or contacting them.
CROSS-BORDER TRANSFER OF PERSONAL DATA
11.1 We may transfer your personal data (or personal data you provide) to other hospitals, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, and other entities located in countries outside Kenya after confirming their “adequacy” (adequate safeguards in their data protection laws and regulations) through a Data Transfer Impact Assessment. However, you can also give consent allowing us to send your personal data and/or health information to countries that have data protection standards different from those that apply in Kenya, if you voluntarily assume the risks that go with the data transfer.
11.2 We will not transfer your personal information to an overseas recipient unless we have your clear and unequivocal consent or are required to do so by law.
DATA SECURITY
12.1 We have put in place appropriate physical, technical, and organizational measures to safeguard your personal data (or personal data you provide) from being accidentally lost, used, or accessed in an unlawful way.
12.2 We will limit access to your personal data (or personal data you provide) to those agents, contractors, and other third parties that require it for legitimate business purposes. They will only process your personal data (or personal data you provide) on our instructions and they are subject to a duty of confidentiality and bound by a data-sharing agreement compliant with the data protection law.
12.3 We have established procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected breach as soon as reasonably practicable, as prescribed by law. The notification will set out the facts, effects, and remedial action specific to the breach.
THE RETENTION AND STORAGE OF YOUR PERSONAL DATA (OR PERSONAL DATA YOU PROVIDE)
13.1 We will retain your personal data (or personal data you provide) for as long as reasonably necessary to accomplish the purposes for which it was collected, including complying with any legal, tax, accounting, or reporting requirements in compliance with Regulation 19 of The Data Protection (General) Regulations, 2021 and the MPSH Data Retention Policy’s schedule.
To ascertain the appropriate retention period for personal data, we examine the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the need to comply with our internal policy and the applicable health, legal, regulatory, tax, accounting or other requirements.
13.2 We may retain your personal data (or personal data you provide) and health data for a longer period if the retention is:
a) required or authorized by law;
b) reasonably necessary for a lawful purpose;
c) authorized or consented by you;
d) for personal data that has been anonymized;
e) for historical, statistical, journalistic, literary, artistic, or research purposes; or
f) in case of a complaint, or if we reasonably believe that there is a prospect of litigation concerning our relationship with you.
13.3 In some circumstances, we may anonymize your personal data (or personal data you provide) so that it can no longer be associated with you, in which case we may use such information without further notice to you.
YOUR LEGAL RIGHTS
14.1 Subject to certain exceptions and limitations, you have several legal rights concerning the personal data that we hold about you (or persons connected to you). These rights include the right to:
a) be informed of the use to which your personal data (or personal data you provide) is to be put;
b) request access to your personal data (or personal data you provide) and receive a copy of the personal data we hold about you;
c) request correction and erasure of false or misleading personal data that we hold about you;
d) request the restriction of processing of your personal data (or personal data you provide). This enables you to ask us to suspend the processing of your personal data (or personal data you provide);
e) request that we transfer personal data to you or another company in a commonly used electronic format. This is known as the right to data portability;
f) object to the processing of your personal data (or personal data you provide);
g) object and opt out of our direct marketing services;
h) request not to be subject to automated decision-making. This enables you to ask us not to make a decision about you that affects your legal position (or has some other significant effect on you) based purely on the automated processing of your data;
i) request the erasure of personal data that is irrelevant, excessive, or obtained unlawfully.
14.2 To exercise any of these rights, please write to the Data Protection Officer via the contact: info@mpshahhospital.org
14.3 We will respond to your formal request without undue delay and no later than is reasonably practicable, as stipulated by the applicable Data Protection law.
14.4 Where the requester is a minor or an incapacitated person, then a guardian, administrator, or a person duly authorized by the requester shall make the formal request.
14.5 We treat all Personal Identifiable Information and Personal Health Information in line with the principles of lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation and data localization; integrity and confidentiality; and accountability.
CONTACTS AND FURTHER INFORMATION
15.1 For any questions about this Privacy Notice or how we handle your personal data (or personal data you provide), please contact info@mpshahhospital.org.
15.2 We will respond to your questions and concerns promptly and in compliance with the relevant laws.
15.3 We aim to respond to any complaints arising from any data protection breaches through our MPSH Data Breach Complaints Mechanism.
AMENDMENTS TO THIS PRIVACY NOTICE
16.1 We reserve the right to update this Privacy Notice at any time and we shall notify you of the changes through electronic mail or such other means of communication which may be available to us.
16.2 We may also notify you in other ways from time to time about the processing of your personal data (or personal data you provide).
NON-COMPLIANCE
17.1 MPSH shall have the right to terminate any agreement with you for failure to comply with the provisions of this Notice and reject any application for information contrary to this Notice.