Please read this Privacy Policy carefully to understand how your personal information will be handled by the Intercare Group. Every term of this Policy is material.

1. What is the purpose of this document?

This Privacy Policy stipulates how the Intercare Group of Companies processes your personal information. This includes why we collect information about you, the types of information we collect, how we collect it, with whom we share it, the security measures we use to protect the information, and how you may obtain access to and correct your information. You should read this Privacy Policy carefully. Every provision is essential and material. If something is unclear to you, please ask that it be explained.

1. About the Intercare Group of Companies

The Intercare Group of Companies offers healthcare services, including digital health services, through various platforms and at multiple facilities, such as primary care and wellness centres, dedicated units for acute and sub-acute care, rehabilitation and ambulatory day surgery centres. Various Intercare Group Companies provide support services to primary healthcare practitioners who practise their professions at Intercare facilities.

1. Companies Covered by this Privacy Policy

This Privacy Policy applies to all the Intercare Group Companies listed in the Annexure to this Policy.

2. Information and Deputy Information Officers

The details of the Information and Deputy Information Officers of all the Intercare Group Companies are listed in the Annexure to this Policy.

1. Explanation of Terms Used

   1. “Data subject” refers to the person or entity to whom the personal information relates.
   2. “Intercare” refers to the entities listed above as the context requires.
   3. "Mediclinic” means Mediclinic Southern Africa, which operates, amongst others, a range of multi disciplinary acute care private hospitals in South Africa and Namibia.
   4. “Personal information” has the meaning assigned to it in POPIA and refers to information relating to human beings and certain juristic persons. It includes information such as race, gender, pregnancy, age, health status and medical information, date of birth, identity number, contact details and confidential correspondence.
   5. “Processing” has the meaning assigned to it in POPIA and refers to any operation or activity concerning personal information, such as the collection, receipt, recording, storage, updating, alteration, use, distribution, erasure or destruction of the information.
   6. “POPIA” means the Protection of Personal Information Act (Act 4 of 2013) and its Regulations.
   7. “We” / “us” refers to Intercare or any of the entities listed in the Annexure, as required in the context.
   8. “Website” means the internet websites with the addresses https://www.intercare.co.za/ and https://healthhub.intercare.co.za/ and any website with a valid URL registered to Intercare.
   9. “You” / “your” refers to the data subject (i.e., the person or entity) whose personal information is processed by Intercare.

1. Our Commitment

We understand that your personal information is important to you. Your privacy, including the security of your information, is just as important to us. We want to ensure that you understand how your information will be processed. We are committed to conducting our business in accordance with the law. We will, therefore, only process your personal information, which includes collecting, using, storing, or disclosing it, as permitted by law or with your consent. We will always strive to keep your information confidential. We take our commitment to protecting your personal information seriously. We have implemented several processes to ensure that your personal information is used correctly.

1. When You Provide Information about Another Individual or Entity

You must ensure that if you provide us with personal information about any individual or entity, you are lawfully permitted to do so (e.g., with their consent). We will accept that you are acting lawfully. You should ensure that the persons (or entities) whose information you share understand how we will use and disclose their information. This is also set out in this Privacy Policy.

1. Purposes of Processing of Your Personal Information

Intercare generally processes your personal information for the following purpose

• to conduct, manage and administer the group companies in accordance with the law, including the administration of the company and claiming and collecting payment for services rendered from clients and patients,
• for treatment and care of patients, including their referral to other healthcare practitioners and facilities and disease management,
• for the maintenance of patients’ medical and dental records,
• for the provision of client services and the management of relationships,
• for conclusion and performance of contracts,
• for the maintenance of company and staff records,
• for employment and related matters of staff,
• for communication purposes,
• for reporting to persons (e.g. healthcare practitioners to whom referrals are made) and bodies, as required and authorised in terms of the law or by the data subjects,
• for clinical trials/research studies,
• for procurement,
• for the security of the company premises, in the interest of staff, patients and other relevant persons,
• for historical, statistical and research purposes,
• for enforcement of the companies’ rights, including legal defence purposes and/or • for any other lawful purpose related to the activities of a company.

1. Collection of Your Personal Information

General

We collect personal information about you if necessary.

We obtain personal information directly from you when -

• you become a group company director, shareholder, employee or contractor.
• you become a client of a group company.
• you become a patient of any Intercare healthcare practice or facility.
• you provide information or services to us.
• you contact us electronically or supply personal information on our website.
• you refer patients to us.
• you use our facilities.
• we procure products or services from you as a supplier, service provider or vendor.

We may collect publicly available personal information about you. We may also collect personal information from other sources when it is not possible to obtain the information directly from you, when it is necessary to protect your legitimate interests, such as ensuring your safety or when it is necessary to protect our legitimate interests, such as for legal defence purposes.

Applicants for Employment

We may collect information about job applicants from personnel agencies and vetting agencies.

Patients, their Next-of-Kin and Employers

We may collect information about patients from referring and treating healthcare practitioners, as well as hospitals where they are admitted. If a patient accesses an Intercare product or service through a third-party provider (such as a Health App), we may collect as much information about the patient from that third party as is required to access and use the service. We collect information about patients' next of kin, other individuals who may act on their behalf, and their employers as necessary to enable a patient to receive treatment at one of our healthcare practices or facilities.

Dependants and Next-of-Kin of Employees

We collect information about the dependants of employees when our employee benefits will also benefit them.
We also collect information about employees' next of kin in case we need to contact them in an emergency.

1. Processing of Your Personal Information

Various laws permit the processing of patients' personal information, including the National Health Act, the Health Professions Act, the Protection of Personal Information Act (POPIA), and the Medical Schemes Act. Employment and labour laws permit the processing of employees’ information.

CCTV cameras are installed at the entrances and in common areas of all Intercare facilities and premises, recording the movement of all persons for security purposes. Except for these recordings, filming or photographing any person, event, or matter occurring in or at any of our facilities or premises is strictly prohibited, except where prior written consent has been obtained from Intercare’s Brand Standards and Process Auditor to perform such a recording.

Directors and Shareholders

We generally process the following personal information about directors and shareholders, as may be necessary, and retain it as part of our records:

• Names and surnames, titles, identity numbers, contact details, physical and postal addresses, telephone numbers, nationalities, gender, race, qualifications, registered professions, registration numbers, CVs and photos,
• Financial and payment information, including bank details, and
• Correspondence.

Employees and Job Applicants, including Treating Healthcare Practitioners at Intercare group companies

We generally process the following personal information about employees and job applicants, as may be necessary, and retain it as part of our records:

• Names, titles, contact details, addresses, telephone numbers, identity numbers, dates of birth, age, race, gender, nationality, language, marital status, qualifications, profession, HPCSA or other statutory council number, bank details, references and CVs,
• Position or role at the company, job descriptions, relevant health and disability information, vetting reports (qualifications and criminal records), employment-related information, including all information supplied on the employment contract and in supporting documentation, disciplinary-related information, leave records, absenteeism information, remuneration and employment benefits, tax numbers and related tax information, next-of-kin details and information on dependants, health and safety-related incidents,
• Membership of professional societies, professional indemnity cover, records created in the performance of their duties, signatures of official signatories of a company and their FICA documentation, and
• Correspondence.

Patients

We generally process the following personal information about patients, if necessary, and retain it as part of our records:

• Contact or other identifying information, such as name, address, telephone number, date of birth, identity number, age, gender, nationality and correspondence,
• Health information, including health status and medical history and other information received from referring and other treating healthcare practitioners, reports of special investigations,
• Contact details and other relevant information about next-of-kin, the persons who may consent on behalf of patients and those responsible for the payment of accounts, including details of the patient’s medical scheme, health insurer or other funder,
• Accounts and payment details,
• Employment details (e.g. employer and its contact details),
• Correspondence, and
• Any other information recorded on patient documentation, such as consent forms.

Other Healthcare Practitioners

We generally process the following personal information about other healthcare practitioners who treat the patients, if necessary, and retain it as part of our records:

• Names and contact details, title, qualifications, specialisation, practice code numbers, interests and other information included on referral notes and
• Correspondence.

Clients, Suppliers, Vendors and Other Third Parties

We generally process the following personal information about suppliers, vendors and other third parties (including medical schemes, hospitals, healthcare facilities, and regulators), if necessary, and retain it as part of our records:

• Person or entity’s name and contact details,
• Names, titles and contact details of relevant persons or office bearers,
• Agreements and related information,
• Practice code numbers,
• Invoices,
• Official documentation, including newsletters and statements,
• Market information, and
• Correspondence.

Other personal information of data subjects, not stated above, may be collected and processed if required under the circumstances, subject to the provisions of the law.

Depending on the circumstances, we process personal information using automated and non-automated means, i.e., with and without human intervention.

1. Consent

MIf you must consent to the processing of your personal information, you may withdraw your consent at any time. This does not affect the processing of personal information that has already occurred. If you withdraw your consent, your personal information will be processed in accordance with the law. This may impact the services that you require from us. This will be discussed with you at the time if necessary.

1. Objection to Processing

When we process your personal information to protect your legitimate interests or those of Intercare or a third party to whom we supply the information, you may object to our processing if it is reasonable to do so. This must be completed on the form prescribed by POPIA, which is available at the reception of the relevant entity and from the Information Officer. This does not affect your personal information, which we have already processed. If you object and we agree with your objection, your personal information will be processed only as permitted by law.

1. Sharing and Disclosure of Your Personal Information

We maintain records of your personal information for as long as it is necessary for lawful purposes related to the conducting of our business, including to provide treatment and care to patients, comply with legal obligations, resolve complaints, attend to litigation (if applicable), enforce agreements and  for historical, statistical and research purposes subject to the provisions of the law.

We will share the personal information of data subjects in general with the following persons and entities if it is necessary and lawful in the circumstances:

• Law enforcement and government agencies or other related third parties: From time to time, we may be required to provide personal information to a third party to comply with a subpoena, court order, government investigation, reporting obligation, or another legal (including complaint) process. If we disclose your personal information in this manner, we will reasonably attempt to provide you with advance notice, unless we are prohibited from doing so or if it is inappropriate in the circumstances
• Corporate transactions: If we become insolvent or are involved in a merger, acquisition, reorganisation, or sale of all or a portion of our business or assets, we may share or transfer your personal information as part of such corporate transaction.
• Our staff, as required for their roles and functions, and to provide you with clinical services.
• Service providers (such as our IT support team) who assist us in providing support services to our companies, only, if necessary, subject to confidentiality undertakings and legislation that protects the privacy of your personal information.
• Our accountants and/or auditors.
• Our professional advisers (including legal advisers).
• Our insurers (including medical indemnity cover providers), if required in the unlikely event of a claim.

Specific sharing of relevant personal information will occur subject to the provisions of the law and, where necessary, with the data subject's consent. Specific sharing of relevant personal information of the data subjects below may include –

Concerning Patients

• Treating practitioners and practitioners to whom referrals are made. All medical and dental practitioners at Intercare medical and dental practices have access to Intercare patients' personal information (such as contact details, identification numbers, and medical scheme information, but excluding medical information). Patients must consent to share their medical information with the treating practitioner, where necessary.
• Mediclinic has access to the personal information of patients who were previously admitted to an Intercare hospital and are subsequently admitted to their facilities. Intercare Group Hospital Holdings (Pty) Ltd is a subsidiary of Mediclinic. Intercare hospitals and Mediclinic share a common IT platform.
• Persons who may lawfully act on patients’ behalf and those responsible for paying their accounts.
• Persons with parental responsibilities and rights in respect of children may obtain access to the children’s personal information, subject to providing sufficient evidence of their rights and responsibilities, and provided that it is in the best interest of the children.
• Paramedics and ambulances.
• Hospitals (in-patients).
• Next-of-kin.
• Parents, guardians and caregivers of patients.
• Executors of estates.
• Funders such as the patient’s medical scheme, the Road Accident Fund, the Compensation Commissioner or the employer (injuries on duty).
• Their employers concerning occupational diseases and injuries.
• Insurers (insurance medical reports and related matters).
• Debt collectors or attorneys, if necessary, to collect outstanding accounts

Concerning Treating Practitioners, Clinical and Other Staff (including Job Applicants) of a Group Company

• Entities performing peer review (healthcare practitioners).
• Next-of-kin in emergencies.
• Funders.
• Patients
• Vetting and employment agencies (if applicable).
• Banks.
• Professional societies.
• Peer review bodies
• Hospitals.
• The public (information on the company’s website).
• Relevant public and private bodies (such as the South African Health Products Authority and the Board of Healthcare Funders of Southern Africa [BHF]).

In respect of Suppliers, Vendors and Other Third Parties

• Banks.
• Funders.
• Patients.

1. Record-Keeping

We maintain records of your personal information for as long as it is necessary for lawful purposes related to the conducting of our business, including providing treatment and care to patients, complying with legal obligations, resolving complaints, attending to litigation (if applicable), enforcing agreements and for historical, statistical and research purposes subject to the provisions of the law.

1. Information Sent Across the Borders of the Republic of South Africa

We process and store your information in records within the Republic of South Africa. If we must disclose your personal information to a third party in another country, we will obtain your prior consent, unless such disclosure is permitted by law.

1. Security of Your Personal Information

We are committed to ensuring the security of your personal information to protect it from unauthorised processing and access, as well as loss, damage, or unauthorised destruction. There are inherent risks associated with the electronic transfer (e.g., via email) and storage of personal information. We will take all reasonable steps to protect your information. We have implemented information protection measures to ensure the security, integrity, and confidentiality of your information, in accordance with industry best practices. These measures are continually reviewed and updated. The measures include the physical securing of offices where information is stored, multi-factor authentication for accessing electronic records, encryption of information and devices, and off-site data backups. In addition, only those employees and service providers that require access to your information to discharge their functions and to render services to us are granted access to your information and only if they have concluded agreements with or provided undertakings regarding the implementation of appropriate security measures, maintaining confidentiality, and processing the information only for the agreed purposes. We will inform you and the Information Regulator if any person has unlawfully obtained access to your personal information, subject to applicable laws.

1. Social Networking Platforms

We may use social networking platforms, such as LinkedIn, X (formerly Twitter), and Facebook, to communicate with the public about our services. When you communicate with us through these services, the relevant social networking service may collect your personal information for its own purposes. These platforms have their own privacy policies. You should consult their privacy policies and documents for information about their privacy practices.

1. Right to Access Your Personal Information

You have the right to request access to your personal information in our possession or under our control, as well as information of third parties to whom we have supplied that information, and details of third parties to whom we have provided that information, subject to any restrictions imposed by legislation. If you wish to exercise this right, please complete the prescribed form, which is available at the reception of the relevant company and from its Information Officer and submit it to the receptionist or the Information Officer. Costs may apply to such requests, which can be obtained from the reception desk or the Information Officer. Please refer to our PAIA Manual (available at https://www.intercare.co.za/) for additional information.

1. Accuracy of Your Personal Information

We must always maintain accurate information about you on record, as it may impact communication and your health. Please notify us immediately if your information changes. Patients can update their information in person when visiting one of our healthcare practices or facilities, or electronically via the Intercare Healthcare Portal, which is accessible on the Intercare website.

You may also request that we correct or delete any information. Such a request must be made in writing on the prescribed form, which is available at the reception of the relevant entity and from its Information Officer and submitted to the receptionist or Information Officer. You must provide sufficient detail to identify the information, and the correction or deletion required. Information will only be corrected or deleted if we agree that it is incorrect or should be removed. Deleting all the information may be impossible if we may lawfully retain it. Please get in touch with reception or the Information Officer to discuss how we can assist you with your request. If we need to correct any information and the corrected information may impact any decision made about you, we will notify the individuals or entities to whom the information has been disclosed in the past, if they should be aware of the updated information.

1. Changes to this Privacy Policy

In our sole and absolute discretion, we reserve the right to revise or supplement this Privacy Policy from time to time to reflect, amongst others, any changes in our personal information practices or the law. We will publish the updated Privacy Policy on our website. It will also be available at the reception of all the Intercare Group Companies. Any revised version of the Policy will be effective as of the date of posting on the website, so you should always refer to the website for the latest version of the Policy. You are responsible for ensuring you are satisfied with any changes before continuing to use our services. If you have any questions concerning this Policy, please contact the Information Officer.

1. Enquiries and Concerns

All enquiries, requests or concerns regarding this Policy or the processing of your personal information should be addressed to the Information Officer at [email protected]. You may also complain to the Information Regulator at [email protected] (violation of personal information) or [email protected] (access to record requests). We would appreciate it if you would allow us to consider your complaint before you approach the Information Regulator.

1. Laws Applicable to this Privacy Policy

This Privacy Policy is governed by the laws of the Republic of South Africa and is subject to the jurisdiction of the South African courts.

Intercare Group of Companies
Information Officers and Deputy Information Officers