
8817 National Highway Batong Malake,

Los Baños, Laguna, Philippines 4030

Privacy Policy

HLBMC shall respect and value the data subjects’ data privacy rights, and make sure that all personal data collected from our clients and customers are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. This policy shall provide information on data protection and security measures, and may serve as a guide in exercising the rights under the DPA.


Collection of Personal Data

  1. Purpose and Necessity: Personal data must be collected for clear, specified, and legitimate purposes that align with the law, morals, and public policy. These purposes should be declared before or as soon as possible after data collection.
  2. Consent: Prior consent is required before collecting and processing personal data, with certain legal exemptions. This consent must be time-bound to the specified purpose and documented either in writing or electronically. Verbal consent should be noted in the patient’s records.
  3. Awareness: Data subjects must be informed of the identity of the Personal Information Controller (Healthserv), the purpose of data processing, and any third parties who might receive their data (e.g., Mt. Grace Hospital Inc., Philhealth, Health Insurance).
  4. Specific Information: Data subjects must be given detailed information about the processing purpose and extent, including automated processing for profiling, direct marketing, or data sharing if applicable.

Processing of Personal Data

  1. Processing of personal data shall be transparent and allow the data subject sufficient information to know the nature and extent of the processing of his or her personal data.
  2. Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. All refusals, withdrawal of consent or objections shall be properly documented in the patient chart or record.
  3. Any information and communication provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.
  4. Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  5. Personal data processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards.
  6. Personal data should be accurate and, where necessary for the declared, specified, and legitimate purpose, kept up to date. Inaccurate or incomplete data must be rectified, supplemented, or destroyed, or their further processing restricted.

Retention of Personal Data

  1. Personal data shall be retained only for as long as necessary:
    1.1 For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
    1.2 For the establishment, exercise or defense of legal claims; and
    1.3 For legitimate business purposes which must be consistent with standards followed by the pharmaceutical or healthcare industry and approved by the appropriate government agency.
  2. Personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.
  3. Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
  4. Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.

Organizational Security Measures

  1. HLBMC shall ensure that appropriate organizational information security measures are in place to promote a culture of security and awareness within the organization.
  2. The IT Department shall secure the data in the hospital information system (Bizbox) through continuous execution of twice-a-day data saving, with two onsite backups and one offsite backup.
  3. Medical charts of out-patient consultations and in-patient admissions are scanned.

Rights of the Data Subject

Every data subject is entitled to the following rights:

  1. Right to be informed – To be informed whether personal data pertaining to him are being, or have been processed, and the fair processing of personal information.
  2. Right to object – To object to the processing of his personal data. This includes the right to withhold consent to the processing in case of changes or amendment to the information supplied.
  3. Right to access – To reasonable access, upon demand, to the contents of his processed personal data, the sources from which these were obtained, the recipients and reasons for disclosure to these recipients, the manner of processing, and the date when his personal data was last accessed or modified.
  4. Right to rectify – To dispute the inaccuracy or error in his personal data.
  5. Right to erase or block – To suspend, withdraw or order the blocking of his personal data from the PIC’s filing system.
  6. Right to damages – Compensation or indemnity for any damages sustained due to inaccurate, incomplete, outdated, false, unlawful or unauthorized use of personal information.
  7. Right to data portability – To obtain from the PIC a copy of his personal data processed by electronic means.

All personnel of HLBMC, regardless of the type of employment, or any entity involved in the collection, processing, storing, transferring, purging and/or disclosing of all types of personal data of its customers, employees, retirees, suppliers, distributors, service providers, business partners or other stakeholders through all methods of contact, including in person, written, via the Internet, direct mail, telephone, or facsimile, must comply with the terms set out in this manual. The processing of personal data within HLBMC shall adhere to the following general data privacy principles, both at the time of the determination of the means for processing and at the time of processing itself:

  1. Transparency – the customer (data subject) must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the PIC, his or her rights as a data subject and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
  2. Legitimate Purpose – the processing of data shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
  3. Proportionality – the processing of data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
  4. Data subject – refers to an individual whose personal, sensitive personal or privileged information is processed within Healthserv including but not limited to its existing, future and former employees, customers, suppliers, contractual partners, interested persons, clinical trial subjects and patients.
  5. Personal Data – refers to all types of personal information, including privileged information.
  6. Personal Information Controller (PIC) – the Head or duly designated representative of any Department or Business Unit who controls the collection, holding, processing or use of personal data or instructs another to collect, hold, process, use, transfer or disclose personal data on its behalf. (Healthserv)