MEDIX MEDICAL SERVICES EUROPE LTD ("Medix") DATA PROTECTION POLICY FOR PATIENTS
1. POLICY STATEMENT
Medix provides personal case management services ("Medix Services") to individuals (individuals who seek or obtain Medix Services being "Patients"). As a result Medix acquires personal data about Patients including information about their physical and mental health and condition. Medix recognises the importance and sensitivity of such personal data and is committed to dealing with it in line with Patients' expectations and in accordance with Medix's legal obligations under the Data Protection Act 1998 (the "Act").
The purpose of this document is to set out, for Patients, Medix's policies and procedures in relation to their personal data and for complying with the Act.
Medix's Data Protection Compliance Manager is responsible for ensuring compliance within Medix with the Act and with this policy. Any questions or concerns about the operation of or compliance with this policy, or more generally with the Act, should in the first instance be referred to the Data Protection Compliance Manager.
2. DEFINITIONS USED IN THIS POLICY
"Personal data" is data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession, or likely to come into the possession, of Medix, and includes expressions of opinion about the individual and any indication of the intentions of Medix or any other person in respect of the individual.
"Medical information" forms part of personal data and comprises information about an individual's physical or mental health or condition, including without limitation:
The reasons for seeing a health professional;
Tests and procedures undertaken, the results of such tests and procedures, clinical findings and diagnoses;
The options for care and treatment suggested by one or more health professionals; decisions made about care and treatment; and
Details of action health professionals have taken and their outcomes.
"Processing" information means obtaining it, holding it, organising it, using it, disclosing it, manipulating it or destroying it.
3. THE PRINCIPAL PROVISIONS OF THE ACT
Under the Act, Medix complies with the following data protection principles in relation to all personal data which it processes in respect of a Patient.
The data protection principles are:
that personal data should be processed fairly and lawfully;
that personal data should be obtained only for one or more specified and lawful purposes and should not be used for other purposes;
that personal data should not be excessive in relation to the purpose for which it is processed;
that personal data should be accurate and where necessary kept up to date;
that personal data should not be kept longer than is necessary for the purpose for which it is processed;
that personal data should be processed in accordance with the rights of data subjects under the Act;
that appropriate technical and organisational measures should be taken against unauthorised processing and accidental loss or destruction; and
that personal data should not be transferred outside of the EU except where specific criteria are met.
Medix is fully committed to complying with those principles in processing all personal data relating to Patients. By setting out its policies and procedures for such processing in this and in other related documents so that they are transparent to Patients, and by following these policies and procedures, Medix aims to achieve that commitment.
4. PERSONAL DATA HELD BY MEDIX
During the course of providing (or considering whether to provide) Medix Services, Medix will acquire personal data, including medical information, regarding Patients. Only such information as is necessary for the purposes of providing (or considering whether to provide) Medix Services to a Patient shall be requested and held.
5. PURPOSES FOR WHICH PERSONAL DATA MAY BE ACQUIRED AND HELD
Medix will obtain and hold personal data about Patients only for the purposes of providing (or considering whether to provide) Medix Services to those Patients.
6. DISCLOSURE OF PERSONAL DATA
Medix is committed to maintaining the confidentiality of all Patients' personal data and medical information and shall not disclose any personal and medical information relating to a Patient to third parties except as follows:
To doctors and other members of the Medix team providing the Medix Services (provided that such disclosure is only for the purpose of enabling them to provide the Medix Services and the recipients are bound by an obligation of confidentiality);
To specialist doctors, who may be situated in any part of the world, to assist in providing the Medix Services, provided that such disclosure is only for the purpose of enabling them to provide the Medix Services;
To third-party health care providers if Medix wishes to retrieve medical information from them which is necessary for the provision of the Medix Services;
To the insurance company with whom the Patient (or family member) has the policy of insurance under which the Medix Service is provided (provided that such disclosure is only for the purpose of updating member medical history and quality control);
Where disclosure is expressly requested or permitted by the Patient; or
Where disclosure is required by law or regulations, by any court or any relevant regulatory
Medix seeks to ensure that the personal data held by it is accurate and kept up to date. Accordingly, Patients are advised to inform Medix if they become aware that any personal data held by Medix is out of date or inaccurate.
8. STORAGE OF DATA
All personal data of Patients held by Medix shall be stored securely and access shall be restricted only to those who are authorised to use it for the purpose of medical case management.
9. SUBJECT ACCESS REQUESTS
Patients have a right at any time to request in writing access to a copy of any personal data which Medix holds about them, provided that adequate proof of identity is supplied. If after accessing such information a Patient believes any of the personal data which Medix holds is incorrect, the Patient can ask to have the inaccurate data amended.
All access requests are forwarded to the Data Protection Compliance Manager.
10. RETENTION/DESTRUCTION OF PERSONAL DATA
Medix aims to retain personal data only for as long as is necessary for the purposes for which it was obtained and therefore to return, destroy or erase from Medix's systems personal data when it is no longer required.
All personal data relating to a Patient held by Medix shall be returned to the Patient or destroyed after a minimum period of 10 years from the date on which Medix stops providing the Medix Services to that Patient.
Destruction of data shall be carried out securely and in an appropriate manner.
11. NOTIFICATION TO THE INFORMATION COMMISSIONER'S OFFICE
Medix has given notification to the Information Commissioner ("IC") and has registered with the IC.
12. MONITORING AND REVIEW OF THE POLICY
This policy is reviewed on an annual basis by Medix's board of directors. Recommendations for any amendments are reported to the President, the Global Medical Director, and the Data Protection Compliance Manager. All amendments are reviewed and audited by Medix's legal counsellors.
Medix will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.