At Sorsix, our mission is solving human health, and our products and services are delivered to further this mission for our users. Nothing is more important to us than the health of our patients – it is our purpose. Sharing of information between healthcare providers is an essential part of effective delivery of healthcare, and for this reason we are often the conduit of information being shared between different service providers in the healthcare system. Therefore, the nature of our products and services involves the collection and distribution of sensitive information such as health data, as well as other personal data.
I. OUR PURPOSES OF PERSONAL DATA PROCESSING
Personal data collected through the use of our products and services is used to deliver health services to our users or to facilitate the delivery of health services by our users to their patients.
With that general purpose in mind, we may use the collected personal data for the following particular purposes:
· Communication about upcoming healthcare appointments;
· Collecting and sharing of health information between clinicians who are treating a patient;
· Sharing of health information between a patient and their clinician;
· Providing information to third parties upon the request and consent of the personal data subject (e.g. payment channel providers in instances where we take payment through our products and services);
· Providing the functionality of our services, evaluating the functioning of our platforms, eliminating errors of our platforms and improving the usefulness of our services;
· Enabling healthcare providers to store personal data, especially in cases where such storage is stipulated with the applicable regulation;
· Reporting or researching, whereby in such cases the personal data we use is aggregated and de-identified (e.g. to enable clinicians to view a report on their activity with our products and services);
· Other purposes for which you have given explicit consent or an order.
II. TYPES OF PERSONAL DATA WHICH WE PROCESS
· Person identification data–name, surname, date of birth, telephone number, e-mail, address, data on government-issued identification documents and similar;
· Authentication information and tokens–passwords, usernames, data on electronic signatures and similar;
· Health data–medical history, consumed healthcare services, applied therapies, applied vaccines, healthcare appointments, test results and similar;
· Responses to questionnaires–answers to forms you may have completed in the process of delivering or using healthcare services, which may include health data;
· Financial information–payment and obligations details, which are used to collect payment for used healthcare services or for reimbursing paid amounts when applicable;
· Information on healthcare preferences–preferred gender of doctors, spoken languages and similar;
· Usage information–IP address data, data on URL paths, and data on location when making bookings or when using our services in another manner, as well as types of devices through which you access our services and similar;
· Other data–recordings of you used as part of submissions to forms or as part of our telehealth service.
III. MANNER IN WHICH WE COLLECT PERSONAL DATA
In the course of providing our services, we collect the personal data in the following manner:
· The data subject discloses the personal data–Sorsix collects personal data that you directly disclose to Sorsix by using its platforms or communicating with its authorised employees;
· Another user discloses the personal data–Sorsix collects personal data of a user that is disclosed by another user, such as when a clinician enters personal data on their patient into our platforms;
· Automatic collection of personal data–Sorsix may collect personal information automatically through cookies and identifiers, such as when a user uses our platforms, websites or other services.
Our products and services may employ cookies: small pieces of data stored by your device’s web browser. These are used for site administration and analysis and to deliver tailored content. We may also use third-party services, such as Google Maps. The use of third-party services is governed by the privacy policies of these third-party organisations.
IV. OUR STANDARDS ON PERSONAL DATA PROTECTION
All of the platforms and services operated by Sorsix have been created to meet the principles of data protection by design and default.
While taking into account state of the art, and the nature, scope and purposes of the processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, Sorsix implements a high level of technical and organisational measures of data protection.
Details about Sorsix security practices are available in our Security Policy.
V. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
Sorsix does not disclose any of your data, except to provide the services for which the personal data has been collected or if the disclosure is demanded by a competent government authority.
Sorsix may disclose your data to third parties only in the following cases and under the following conditions:
· Usage of the services Sorsix provides–for Sorsix to provide its services to a patient, it must disclose the patient’s data to a competent clinician or enable clinicians to exchange information on your health and treatments. This disclosure is done solely based on the consent of the user.
· Order of a competent government authority–government authorities may order Sorsix to disclose specific data it holds about its users. In such cases, the disclosure is made under the following conditions: i) only upon a sign-off release obtained from the Sorsix Privacy Officer, who is obliged to examine the authorisation of the requestor to seek the disclosure; ii) by limiting the disclosure strictly to the demanded data; iii) by performing the disclosure without disclosing any personal data, if possible; iv) by informing the requestor that the disclosed information contains personal data, which is protected by the applicable regulations; and v) on meeting the intended purpose, the Sorsix Privacy Officer must take reasonable steps to ensure the third party no longer has access to the personal information, including requesting that the third party destroy any copies of it and disabling electronic access to the information.
We do not share your information for marketing purposes with anyone.
VI. PERIOD OF PERSONAL DATA RETENTION
Sorsix will generally retain data for as long as required to provide services, or comply with Sorsix legal obligations, resolve disputes, or enforce legal agreements.
Data deleted from Sorsix servers may remain as residual copies on offsite backup media for approximately 12 months afterwards.
Personal information that is no longer being used but cannot be disposed of under the Public Records Act will be archived in a manner that ensures confidentiality and security. All archiving and disposal must also be in accordance with the relevant Sorsix records policies.
VII. YOUR RIGHTS OVER YOUR PERSONAL DATA
When using our products and services, the ultimate owner of personal health information is the person whose health is in question.
Therefore, you have the right to request Sorsix to:
· Delete, correct or update your personal data processed by Sorsix; and
· Provide you with your personal data processed by Sorsix, in a commonly used and machine-readable format.
Please contact Sorsix with any request you might have regarding the data we process about you at our e-mail address firstname.lastname@example.org.
Based on the submitted request, these rights will be provided to you as soon as possible, unless this is prevented by legal or contractual restrictions or practical circumstances.
VIII. YOUR RIGHTS TO LIMIT DATA COLLECTION AND PROCESSING
Sorsix collects and processes your data based on your consent as a user of our platforms and services.
You may withdraw this consent by informing Sorsix of the withdrawal at our e-mail address email@example.com.
IX. LEGAL COMPLIANCE
Sorsix and its employees comply with the legal framework on personal data protection and privacy in the jurisdictions in which they operate, as follows:
· European Union–General Data Protection Regulation (GDPR);
· Commonwealth of Australia–the Privacy Act of 1993 and the 'Australian Privacy Principles';
· New Zealand–the Privacy Act of 2020;
· The Republic of North Macedonia–Personal Data Protection Law of 2020; and
· The Republic of Serbia–Protection of Personal Data Law of 2018.
In addition, specific rules in relation to health information are set out in the Health Information Privacy Codes (HIPC). These Codes are codes of practice under the Privacy Acts that apply specifically to health information. They set out specific rules for agencies in the health sector and cover information collected, used, held, and disclosed by health agencies.
X. SUPERVISORY BODY
If you believe that Sorsix has violated any of your rights by collecting or processing your data, you can submit a grievance directly to Sorsix at our e-mail address firstname.lastname@example.org, or you can submit a request for protection of your rights to the competent supervisory bodies as follows:
· Office of the Australian Information Commissioner, for data subjects from the Commonwealth of Australia;
· Office of the New Zealand Privacy Commissioner, for data subjects from New Zealand;
· Personal Data Protection Agency, for data subjects from The Republic of North Macedonia; and
· National Data Protection Authority, for data subjects from The Republic of Serbia.
XI. YOUR RIGHT TO BE INFORMED
Upon your request, Sorsix will provide you with additional information on (i) our processing objectives; (ii) the categories of personal data being processed; (iii) the users or categories of users to whom personal data have been or will be disclosed; (iv) the estimated period for which the personal data will be kept and, if this is not possible, the criteria used to determine that period; (v) how to exercise your right to correct or delete personal data or to restrict the processing of personal data, or the right to object to any processing; (vi) how to exercise your right to submit a request for the protection of your rights to the competent supervisory authorities; and (vii) the existence of any automated decision-making process, including profiling.
Please contact Sorsix with a request for the above-cited information at our e-mail address email@example.com.
XII. FINAL REMARKS