1.1. Protection of Personal Information Act 4 of 2013 (‘the Act’ or ‘POPIA’).
1.2. Drs Van Schoor, Roos and Malherbe (‘the Practice’).
1.3. The Practice is committed to safeguarding the privacy of all our patients.
1.4. This policy applies where we are acting as a responsible party / information officer as defined in the Act. Please note that, as provided in Section 32 of POPIA, the prohibition on processing of personal information concerning a data subject’s health does not apply to processing by medical professionals, healthcare institutions or facilities, or social services, for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned.
1.5. In this notice, "we", "us" and "our" refer to Dr Van Schoor, Dr Roos and Dr Malherbe individually. Dr Van Schoor, Dr Roos and Dr Malherbe are each registered as an Information Officer in respect of their individual patients.
1.6. “Clinical Team” refers to Dr Van Schoor, Dr Roos, Dr Malherbe, and any other professional needed for an effective and holistic approach to the psychiatric treatment of a patient.
2.1. We may process data enabling us to get in touch with you and claim from your medical aid ("contact and account data" / “level 1 data”) – The contact and account data may include your name, email address, telephone number, postal address and/or social media account identifiers, medical aid account identifier, business name, account creation and modification dates, information contained in or relating to any communication that you send to us or that we send to you.
2.2. We may process data to enable us to provide you with necessary referral psychiatric treatment from the Clinical Team ("referral data" / “level 2 data”) – The referral data may include the data specified under contact and account data, your medication, past and future scripts, referral note/form, data necessary to enable other medical professionals to provide the patient with the necessary medical treatment.
2.3. We may process data to enable us to provide you with necessary psychiatric health treatment ("health data" / “level 3 data”) – The health data may include the data specified under contact and account data and referral data, any other data as disclosed by you during consultation with Dr Van Schoor, Dr Roos or Dr Malherbe (whichever is the patient’s primary physician) which may include general and special personal information (as specified in the Act).
As provided in Section 32 of POPIA, the prohibition on processing of personal information concerning a data subject’s health does not apply to processing by medical professionals, healthcare institutions or facilities, or social services, for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned.
3.1. Administration of the professional practice – We may process contact and account data for processing medical aid claims, providing our services, generating invoices, bills, and other payment related documents, and for the proper administration of the Practice. The legal basis for this processing is premised upon our legitimate interests and the relationship between patient and treating physician.
3.2. Effective and holistic psychiatric treatment of a patient – We may process referral data for the purpose of providing a patient with effective and holistic psychiatric treatment from the Clinical Team. The legal basis for this processing is premised upon our legitimate interests and the relationship between patient and treating physician.
3.3. Psychiatric treatment and care of a patient – We may process health data for the purpose of providing a patient with psychiatric treatment and care. The legal basis for this processing is premised upon our legitimate interests and the relationship between patient and treating physician.
4.1. All the Personal Data that we collect will be stored on the servers of our hosting service provider and practice management solutions providers.
4.1.1. For administrative purposes and email communication, the practice uses Google Workspace solutions. Google provides product capabilities and contractual commitments to facilitate customer compliance with POPIA. Practice data is stored, processed, and governed by a data processing agreement with Google.
4.1.2. For processing and storing patient information, the practice uses Cliniko practice management solutions, which meet or exceed industry-standard security measures. Data is encrypted using HTTPS (end-to-end encryption) with 2048-bit SSL certification for encryption in transit. Data is also encrypted at rest and backed up daily, using the industry-standard AES-256 encryption algorithm. Backups are redundantly stored in multiple physical locations. Data is also constantly streamed to replica databases for up-to-the-second redundancy.
4.2. For the above reason, personal data is transmitted across borders and internationally.
4.3. We may disclose your level 1 data to medical aids and our payment service providers, insofar as reasonably necessary for lodging claims from our patients’ medical aids.
4.4. We may disclose your level 2 data to the Clinical Team, insofar as reasonably necessary to provide a patient with effective and holistic psychiatric treatment from the Clinical Team.
4.5. The Patient’s level 3 data is kept with utmost confidentiality, as it relates to a patient’s Personal Data as disclosed between patient and primary physician.
4.6. In addition to the specific disclosures of personal data set out herein, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
5.1. All the Personal Data that we collect will be stored on the servers of our hosting service provider and practice management solutions providers as set out in paragraph 4.1 above.
5.2. We may transfer your Personal Data from South Africa across borders with your prior written consent – as is granted upon the patient signing the Practice’s “POPIA Consent Form”.
5.3. We will make an adequacy determination with respect to the data protection laws of each of these countries. Transfers of data to international locations will be protected by appropriate safeguards, as stipulated in the user agreements between the practice and the service provider.
6.1. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6.2. We will retain your personal data as follows:
6.2.1. Level 1 data will be retained for a minimum period of 6 years following the date of the most recent contact between you and us, and for a maximum period of 10 years following that date.
6.2.2. Level 2 data will be retained for a minimum period of 6 years following the date of closure of the relevant account, and for a maximum period of 15 years following that date.
6.2.3. Level 3 data will be retained for a minimum period of 6 years following the date of closure of the relevant account, and for a maximum period of 15 years following that date.
6.3. Notwithstanding the above,
6.3.1. we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.
6.3.2. we may retain your personal data as set out by the guidelines of the HPCSA.
7.1. Your principal rights under data protection law are:
7.1.1. the right to access – you can ask for copies of your Level 1 and 2 data.
7.1.2. the right to rectification – you can ask us to rectify inaccurate Level 1 and 2 data and to complete incomplete Level 1 and 2 data.
7.1.3. the right to erasure – you can ask us to erase your Personal Data.
7.1.4. the right to object to processing – you can object to the processing of your personal data.
7.1.5. the right to complain to a supervisory authority – you can complain about our processing of your personal data, and
7.1.6. the right to withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.
7.2. These rights are subject to certain limitations and exceptions.
7.3 You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out
8.1 We may update this notice from time to time by publishing a new version, which will be made available upon request.
8.2 We may notify you of changes to this Policy by email.
You can contact us:
by post, to Drs Van Schoor, Roos and Malherbe, Zwavelstream Clinic, Plot 112, Achilles Rd. Ext., Zwavelpoort, 0081.
by telephone, on 0104750189, or
by email to the Information Officer: Dr PJ Malherbe info@drpjmalherbe.com
Copyright reserved 2024