Privacy Policy

1. Introduction

This Privacy Notice (Notice) shall apply to any and all personal information of our customers and visitors held by employees, assignees and agents of Health X. This privacy policy is to provide information to you, our patient, on how your personal information (which includes your health information) is collected and used within our practice, and the circumstances in which we may share it with third parties. It continues to apply even if your agreement for health care services or other products and services with us ends. It should also be read alongside our terms and conditions, as these include sections relating to the use and disclosure of information. In this document, wherever we have said ‘you’ or ‘your’, this shall mean you (the customer), any authorised person on your account, anyone who deals with us on your behalf (such as agents, advocates, trustees or executors, attorneys under a Power of Attorney) and other related people (including authorised signatories, partners, members). If you are an insurance customer it also means you, named insured parties or beneficiaries under your policy, dependants, claimants and other third parties involved in an insurance policy or claim (such as witnesses).

2. Why and When Consent is necessary

When you register as a patient of our practice, you provide consent for our physicians and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.

3. Why We Collect Your Data

We collect your information to enable us to provide you with health care services. Our main purpose for collecting, using, holding and sharing your personal information is to manage your health. Our staff will check your details with you to ensure they are up-to-date and correct.

4. What Data Do We Collect?

We collect Personal Data and Special Categories of Data that include but are not limited to:

  • Names, date of birth, addresses, contact details, gender, registration number, career/work details, photographs.
  • Medical information including medical history, medications, allergies, adverse events, immunizations, social history, family history, risk factors and other relevant details.
  • Healthcare identifiers and health fund details.
  • User login and subscription data, such as login credentials for phone and online site access;
    1. information about your device or the software you use, such as its IP address, technical specification, and unique identifying data;
    2. cookies and similar technologies we use to recognise you, remember your preferences and tailor the content we provide to you;
    3. records of correspondence and other communications between us, including email, live chat, instant messages, and social media communications;
    4. information from third parties where you purchase any of our products or services through such third parties;
  • Personal Data collected shall be adequate, relevant and limited to what is necessary in relation to the purpose for which the data will be processed, which mainly involves providing medical services to you.

5. When, Why and with Whom we Share Your Data

We share your personal information:

  • With a health care provider who shall handle your case subject to the obligation of professional secrecy under law.
  • With third parties who work with our practice for business purposes, such as pharmacies, laboratories or information technology providers.
  • With SMS or an Interactive Voice Phone call to obtain feedback on your experience in using our services.
  • When it is required or authorised by law.
  • When it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent.
  • When we need to do so in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;
  • When we have asked you for your permission to share it, and you have agreed.
  • When we wish to send marketing information to you or others, as long as you have given us your consent, or it’s within our legitimate interest to do so;
  • Only people who need to access your information will be able to do so.

Other than while providing medical services or as otherwise described in this policy, our practice will not share personal information with any third party without your consent. We will not share your personal information with anyone outside Kenya.

6. How Long We retain Your Data

Your Personal Data shall not be kept for longer periods than is necessary to achieve the purpose for which the data was collected and processed. Health X's data retention period is 25 years. If we don’t need to retain information for this period of time, we may destroy, delete or anonymize it more promptly.

7. Where We Hold Your Data

At all times we will endeavor to hold your Data on servers only within Kenya. Whenever your information is held by Health X or on its behalf, Health X shall take reasonable and appropriate administrative, physical and technical safeguards to keep your information safe and secure, which may include anonymization, encryption and other forms of security. Nevertheless, transmission via the internet is not completely secure and we cannot guarantee the security of information about you. Notwithstanding the above, we may use information that does not identify you for any purpose except as prohibited by law. We may however transfer the data outside Kenya only in the following instances:

  1. for the performance of a contract between you and Health X or implementation of pre-contractual measures taken at your request;
  2. for the conclusion or performance of a contract concluded in your interest between Health X and another person;
  3. for any matter of public interest;
  4. for the establishment, exercise or defense of a legal claim;
  5. in order to protect your vital interests or of other persons, where you are physically or legally incapable of giving consent; or
  6. for the purpose of compelling legitimate interests pursued by Health X which are not overridden by your interests, rights and freedoms.

8. Your Acknowledgment of this Notice and Your Rights

Under the General Data Protection Regulation and the Kenya Data Protection Act 2019, you are entitled to the following rights:

    1. Right to be informed. The General Data Protection Regulation sets out the information we must provide to you about your Data. All the information we are required to give you is contained within this Privacy Notice. If you do not understand any part of this, you should contact us immediately and we will be happy to explain it to you.
    2. Right of Access. You have the right to access and obtain a copy of the Personal Data, and any supplementary information that we hold about you to enable you to verify the legality of the processing carried out. This will be provided free of charge, unless your request is unfounded, excessive, or repetitive, and the information will be sent to you within 30 days of your request being received.
    3. Right to Rectification. You have the right to request that we correct any inaccuracies in the Personal Data we hold about you. This will be corrected within 30 days.
    4. Right to erasure. You have the right to request that we erase your Personal Data. For example, you may exercise this right in the following circumstances:
      1. your Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by us;
      2. you withdraw consent and no other legal ground permits the processing;
      3. you object to the processing and there are no overriding legitimate interests for the processing;
      4. your Personal Data was unlawfully processed; or
      5. your Personal Data must be erased for compliance with a legal obligation.
    5. Right to restrict processing
      1. You have the right to restrict our processing of your Personal Data where any of the following circumstances apply, although we will still be allowed to store it:
        1. Where you feel that your Personal Data which we hold is not accurate. Processing will be restricted until you verify the accuracy of the information.
        2. Where the processing is unlawful, and you do not want your Personal Data to be erased and request the restriction of its use instead;
        3. Where we no longer need to process your Personal Data, but the data may be required to establish, exercise or defend a legal claim;
        4. Where you have objected to our processing of your Personal Data pending the verification of whether our legitimate business interests override your interests, rights and freedoms.
      2. Where you exercise your right to restrict our processing of your Personal Data, we will only continue to process it in accordance with the requirements of this policy or our legal obligations.
    6. Right to Data Portability
      1. You have a right to receive and transfer the Personal Data that we hold about you. This applies to:
        1. personal data you have provided to us
        2. where the data was processed by you giving us your individual consent or for the performance of a contract
        3. and where processing was carried out by automated means.
      2. Where you make such a request, this will be provided in a structured, commonly used, machine readable format such as a CSV file. This will be completed within one month of us receiving your written request for the data.
    7. Right to object to processing
      1. In certain circumstances, you have a right to object to our processing of your Personal Data
        1. Where we have processed it as a legitimate interest (including profiling)
        2. Direct Marketing (including profiling)
        3. Processing for scientific / historical research and statistics
      2. We will still be able to process your Personal Data where
        1. We can demonstrate compelling legitimate grounds for us to process your Personal Data which override your interests, rights and freedoms
        2. The processing is for establishment, exercise and defense of legal claims.
    8. Right to object to automated decision-making including profiling
      1. You have a right not to be subjected to decisions being made solely by automated means without any human involvement. We will still be able to carry out this type of decision-making where:
        1. It is necessary to enter into or for the performance of a contract (such as a contract of insurance) which is the main reason we would use this type of decision-making; or
        2. You have given your explicit consent for us to do so.
      2. We will only process data in the way you would expect it to be used, and you will be entitled to have a person from our firm review the decision so that you can query it and set out your point of view and circumstances to us.
    9. Right to Withdraw Consent
      Where the legal basis of Consent has been used for collecting the data, you have the right to withdraw that consent at any time. Where you exercise your right to withdraw consent, any data processed prior to the withdrawal of consent will remain valid. Health X may use personal data, other than sensitive information, for the purpose of direct marketing. In line with the current legal framework, you shall be provided the option to opt-out of receiving any marketing messages at such time as you wish.

9. Your responsibility

You are responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible. If you provide information for another person (a beneficiary under an insurance policy or a dependent), it shall be your responsibility to direct them to this notice.

10. Updates to this Privacy Policy

We reserve the right to make updates and revisions to this Policy at our discretion and at any time. When we make changes to this Policy, we will post the updated notice on the website and applications and update the Effective Date. Any changes will be effective on the “Updated” Date. Your continued use of our website and applications following the posting of changes constitutes your acceptance of such changes. If you would like to exercise any of your rights above, please contact our DPO (