User Data Processing Notice

Your workplace uses CompuGroup Medical South Africa (Pty) Ltd (“CGM”) software solutions to help you to manage the medical practice, and to offer integrated digital healthcare to patients. CGM’s solutions have been designed to comply with or be adaptable to international and local privacy legislation – including Europe’s GDPR and South Africa’s Protection of Personal Information Act (“POPIA”), Promotion of Access to Information Act (“PAIA”) and the Electronic Communications and Transactions Act (“ECTA”).

CGM takes the protection of Personal Information very seriously. For this reason we are constantly enhancing our hosted and on-premises systems to meet new legal requirements and perceived threats.

As a regular user of a CGM software solution it is important that you understand how Personal Information is processed in the course of your using a CGM solution. Also, it is important to understand what obligations current privacy legislation places on you, your practice, and CGM in relation to the processing of Personal Information.

For what purpose does CGM process Practice and Patient Personal Information?

CGM processes Personal Information of the Practice and Patients only on instruction from the Practice. The Practice, as a Responsible Party, authorises CGM, as an Operator, to process Personal Information specifically for the purpose of providing the CGM products and services laid out in your Practice’s contract with CGM.

Services to the Practice may include the switching of claims to medical schemes, transmission of pathology results, organisation and storage of patient records, billing systems, video consultations, electronic scripting, online appointment booking, and other applications. CGM also provides support and maintenance of your CGM solutions via our helpdesk. Reasons for processing Practice Personal Information include:

  • Contracting with the Practice
  • Installing CGM products
  • Training Practice staff on use of the products and services
  • Providing telephonic and online support
  • Transmitting data between your Practice and third parties, such as medical schemes, insurers, administrators, pathology laboratories, pharmacies or other medical facilities
  • Provision of cloud hosting and backup services
  • Billing for products and services
  • Marketing CGM products and services to the Practice
  • Debt collection
  • Updating records
  • Deleting records

CGM may further process Practice Personal Information for the following purposes:

  • Confirming and verifying the Practice and practitioners’ identities
  • Auditing and recordkeeping
  • Conducting market research
  • Legal proceedings
  • Compliance with legal or regulatory requirements

CGM only processes Patient information for the purpose of helping your Practice provide an integrated digital healthcare offering to your Patients. Due to the nature of medical practice, such processing includes not only Personal Information, but also Special Personal Information. Reasons for CGM’s processing Patient Personal Information include:

  • Providing telephonic and online support
  • Transmitting data between your Practice and third parties, such as medical schemes, insurers, administrators, pathology laboratories, pharmacies or other medical facilities
  • Provision of cloud hosting services

What Personal Information is processed by CGM?

CGM processes the Practice’s name, practitioner names, practitioner ID numbers, address, contact numbers, e-mail addresses, practice number, and banking details.

CGM processes a Patient’s name, medical aid name and number, dependant names, genders, and ages, ID number, gender, age, diagnosis, treatment information, and general health records.

CGM’s obligations

  • Safeguarding Personal Information in its custody – CGM takes all necessary technical and organizational security measures to protect Personal Information from loss or abuse. Personal Information is stored in a secure operating environment inaccessible to the public. In certain cases, Personal Information is encrypted by state-of-the-art technology during transmission. This means that communication between your computer and the CGM servers takes place by way of an established encryption technique if supported by your browser.
  • Providing POPIA-aligned secure cloud storage for the Practice database – if your Practice has subscribed to this CGM service.
  • Ensuring all CGM staff and business partners have signed data security agreements – CGM staff also receive ongoing training on their responsibilities in relation to the processing of Personal Information.
  • Only accessing your computer system when invited by you – CGM staff are only ever able to access your system when actively granted access by you for the specific purpose of maintenance or support. The link will time-out automatically after a certain period if not actively ended. Any copies of your database required for migration or repair purposes are stored by CGM on encrypted hard drives, and the information is only retained in a personally identifiable form for as long as required to satisfy the purpose of its sharing.
  • Not sharing Personal Information with third parties – CGM does not share your Practice or Patients’ Personal Information with any third parties apart from those necessary to provide integrated healthcare services to your Patients and Practice management services to yourself. CGM only retains Personal Information in an identifiable form for as long as may be required for the purpose at hand, for short term reference relating to past queries, or for as long as required by law.
  • Notifying the Practice and the Information Regulator of any data breach – relating to either the Practice or Patient Personal Information.
  • Providing access to a Data Subject’s Personal Information on demand from the Data Subject – the Practice or any Patient has the right to ask CGM at any time what Personal Information CGM has on record about them. Requests can also be made for the updating, correcting or deleting of Personal Information. Such requests must be made via CGM’s PAIA Information Request form available on CGM’s website.

Because CGM is part of an international group with its headquarters in Germany, Practice Personal Information is stored securely on the group’s secure central servers in Germany. However, no Patient Personal Information is transmitted beyond the borders of South Africa by CGM.

The Practice’s obligations

  • Ensure the Practice’s systems are secure – make sure adequate firewalls, anti-virus and anti-malware software are installed on your Practice’s system by your Practice’s IT provider.
  • Ensure that the Practice makes at least 2 regular backups of the Practice database – one of which must be stored off-site. Check periodically that the backups are working.
  • Ensure that staff members only have access to Personal Information required for fulfilling their particular job functions – so only treating healthcare professionals should have access to Patients’ health records, for example.
  • Ensure that the Practice has Data Processing agreements in place with all 3rd parties that process Personal Information on behalf of the Practice – for example, with CGM.

Your obligations

  • Password protect – You must choose strong passwords to protect your computer and electronic devices which allow access to your CGM products and services, and do not share your passwords with anybody else.
  • Store Personal Information securely – This applies to both paper documents and electronic ones. Don’t make unnecessary print-outs of documents, or leave printed documents lying around outside a locked cabinet.
  • Avoid sharing Personal Information if possible – If you call the CGM helpdesk for support, rather block out Patient Personal Information on any screenshots before you share images with CGM staff.
  • Transfer or share Personal Information securely – If you do need to share or transfer Personal Information, encrypt it and password protect it wherever possible. Please note that ordinary e-mails, attachments, and WhatsApps are not sufficiently secure for the transmission of Personal Information.
  • Inform your principal, IT provider, and CGM of any data breaches as soon as possible.

