Privacy Notice

1. Introduction

Siyanaka Acute Care Hospital t/a Women and Children Hospital ("we," "us," "our," or "the Hospital") is committed to protecting the privacy and confidentiality of your personal information. This Privacy Notice explains how we collect, use, disclose, and safeguard your information when you interact with us, whether as a patient, employee, website visitor, supplier, or in any other capacity. We comply with the Eswatini Data Protection Act, 2022 (EDPA).

Our Details:

     Name: Siyanaka Acute Care Hospital t/a Women and Children Hospital

     Physical Address: Portion 1 of Plot 1 Kelly St, Manzini, Eswatini

     Postal Address: PO Box 1329, Manzini, Eswatini

     Website: www.womenandchildren.net

     Registration Number: DC-CC111-02102024 (Registered on October 2, 2024)

2. Data Protection Officer (DPO)

We have appointed a Data Protection Officer who is responsible for overseeing our data protection strategy and implementation to ensure compliance with the EDPA.

     Email: dpo@womenandchildren.net

     Phone: +268 2505 5511

3. Whose Personal Information Do We Collect?

This notice applies to the personal information of:

     Patients (including adults and children)

     Employees (including job applicants and contractors)

     Website visitors

     Third-party suppliers, vendors, and contractors

     Consultants

     Visitors to our premises

     Research participants (where applicable)

4. What Personal Information Do We Collect?

We collect various types of personal information depending on your relationship with us:

I. For Patients:

Basic Identifying Information:

* Name (first name, last name, title)

* Age / Date of birth

* Gender

* Marital status

* National or ethnic origin

* Religion

* Address (physical and postal)

* Contact numbers (telephone, mobile)

* Email address

* Unique identifying number (e.g., patient ID number)

Sensitive Personal Information (Health & Medical Data):

* Medical history (including family medical history)

* Information on physical and mental health (current conditions, past illnesses, disabilities)

* Diagnosis and treatment plans

* Medication details and prescriptions

* Test results (e.g., laboratory results, imaging scans, pathology reports)

* Genetic data

* Blood type

* Data concerning health or sex life (including sexual orientation if relevant and justified for medical care)

* Information related to children's health (collected with appropriate consent)

* Information on communicable or non-communicable diseases

* Immunization records

Financial Information:

* Information relating to financial transactions (for billing)

* Medical aid or insurance details

* Banking details (for payments or refunds)

Other Information:

* Next of kin or emergency contact details

* Occupation (if relevant for health assessments)

* Correspondence of a private or confidential nature

* Views or opinions of others about the individual (e.g., referral letters)

* CCTV footage (for security in public areas)

* Feedback and survey responses

II. For Employees (including job applicants and contractors):

* Basic Identifying and Contact Information: Name, address, contact numbers, date of birth, national ID number, gender, marital status.

* Employment-Related Information: Employment history, education, qualifications, banking details, tax information, criminal history (if relevant and legally permissible), emergency contacts, performance reviews, disciplinary records, leave records, race or ethnic origin, photographs.

* Health Information (as relevant to employment): Sick leave certificates.

III. For Visitors, Suppliers, and Other Third Parties:

* Basic Identifying and Contact Information: Name, contact details, company/organization details, job title.

* Security and Access Information: CCTV footage.

* Financial Information (for suppliers/contractors): Banking details, transaction history.

IV. For Website Visitors (www.womenandchildren.net):

* Technical Data: Information collected via cookies (e.g., browsing actions, preferences, IP address, location data if enabled). See Section 15 (Cookies and Website Data) below.

5. How We Collect Your Personal Information

We collect personal information:

     Directly from you: When you provide it to us (e.g., during admission, application, or when using our website forms).

     From third parties:

          Referring doctors, hospitals, or other healthcare providers.

          Family members or guardians (especially for children or incapacitated patients).

          Medical aid schemes.

          Publicly available sources (in limited circumstances).

     Automatically:

          Through CCTV cameras on our premises for security and surveillance purposes.

          Through cookies and similar technologies when you visit our website.

Special Note on Children's Data: We obtain explicit consent from a parent or legal guardian for the collection and processing of a child's personal information, especially sensitive health data, in line with the EDPA.

6. How We Use Your Personal Information (Purposes of Processing)

We use your personal information for the following purposes:

     For Patients:

     Providing medical diagnosis, treatment, and ongoing care.

     Hospital administration and management of our services.

     Billing, payment processing, and managing financial accounts.

     Communicating with other healthcare providers involved in your care.

     Appointment scheduling and sending reminders.

     Managing and maintaining patient records accurately.

     Medical research (only with your explicit consent or where anonymized).

     Public health reporting (as required by law, e.g., for notifiable diseases).

     Quality assurance and improvement of our services.

     Responding to your inquiries, concerns, and complaints.

     Complying with legal and regulatory obligations.

     Security purposes (e.g., CCTV footage) and for business analysis and quality improvement.

     For Employees:

     Payroll and benefits administration.

     Human Resources management (recruitment, performance, discipline, etc.).

     Legal and contractual compliance.

     Security purposes (e.g., CCTV footage), business analysis, and internal staff photography for identification or team-building purposes (with consent).

     For Website Visitors, Suppliers, and Other Third Parties:

     To provide website functionality and improve user experience.

     To manage supplier and contractor relationships, including payments.

     To ensure the security of our premises and IT systems.

     To respond to inquiries.

7. Legal Basis for Processing Your Personal Information

We process your personal information based on the following legal grounds under the EDPA:

     Consent: Where you have given explicit consent for us to process your personal information for a specific purpose (especially for sensitive health data).

     Contract: Where processing is necessary for the performance of a contract with you (e.g., providing medical services, employment contract).

     Legal Obligation: Where processing is necessary to comply with a legal obligation (e.g., mandatory disease reporting to the Ministry of Health, tax obligations).

     Vital Interests: Where processing is necessary to protect your vital interests or those of another person (e.g., in a medical emergency where you are unable to consent).

     Public Interest/Official Authority: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

     Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided these interests are not overridden by your rights and interests (this basis is used carefully, especially for sensitive data, and only after a balancing test).

Consent Details:

     We obtain consent through signed forms, verbal consent (documented), or digital consent mechanisms (e.g., website cookie banners).

     When seeking consent, we inform you about the purpose of processing, the types of data involved, and your rights.

     Consent records are maintained in individual files (e.g., patient files) and updated as needed, often renewed per visit. A log of digital consent is kept and stored on our server.

     You have the right to revoke your consent at any time. You can do this by contacting our DPO or using the method through which consent was initially given (e.g., cookie settings on our website). Please note that revoking consent may result in our inability to provide certain services if consent is the sole legal basis for that processing.

8. Data Sharing and Disclosure

Internal Access:

Access to your personal information within the Hospital is restricted on a need-to-know basis according to job roles and responsibilities. This includes:

     Doctors, Nurses, and other clinical staff involved in your care.

     Administrative and Billing staff for operational and financial purposes.

     Pharmacy staff for medication dispensing.

Sharing with Third Parties:

We may share your personal information with the following third parties under specific circumstances and with appropriate safeguards:

     Other Healthcare Providers: Referring doctors, specialists, other hospitals, laboratories, and pharmacies to ensure continuity and quality of care.

     Medical Aid Schemes/Insurance Companies: For processing claims and payments.

     Government Authorities: Such as the Ministry of Health (for notifiable diseases) or the Eswatini Data Protection Authority (EDPA) as required by law.

     Law Enforcement: Only when legally required and through proper legal channels (e.g., court order).

     Debt Collection Agencies: For outstanding payments, under strict contractual terms.

     IT Service Providers: Who help us manage our IT systems, electronic health records, and website. This includes cloud storage providers.

     Legal Advisors and Auditors: For professional advice and compliance checks.

9. International Data Transfers

     South African IT Service Providers: We share data with IT service providers based in South Africa. This includes a system provider that processes claims to funders, which involves clinical data and Personal Health Information (PHI).

     System Provider: Our system provider, based in South Africa, may have remote access to data stored on our premises for troubleshooting, system maintenance, and administrative processes.

     Email Service Provider/Cloud Platforms: We may use email service providers or cloud platforms for communication and data storage, which might involve servers located outside Eswatini.

Purpose of Transfers: These transfers are typically for specialized IT support, system maintenance, claims processing, data storage, or use of international software solutions.

Safeguards for International Transfers:

     Both our South African System Providers operate under contractual agreements that include data protection obligations, and they are subject to the South African Protection of Personal Information Act (POPIA), which provides a similar level of data protection.

     We use secure data transfer methods, including encryption, to protect data during transit.

     Where applicable, we will rely on adequacy decisions by the EDPA, your explicit consent, or appropriate contractual clauses for transfers to countries outside Eswatini and the SADC region, and to SADC member states to which relaxed transfer conditions do not apply.

10. Data Security

We are committed to protecting the security of your personal information. We conduct annual security risk assessments to review emerging and current threats. Based on these, we implement and maintain appropriate technical and organizational measures, including:

     Data Management & Security Policies

     Access & Infrastructure Security Policies

     Operational & Third-Party Security Policies

     Human Factors & Training Policies

These measures are designed to prevent unauthorized access, disclosure, alteration, or destruction of your personal information.

11. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including for satisfying any legal, accounting, or reporting requirements.

Employee Data

| Category of Personal Information | Specific Data Types | Purpose of Collection | Proposed Retention Period (Semi-Active) | Proposed Destruction/Disposal Period |
|---|---|---|---|---|
| Basic Identifying & Contact Information | Name, Address, Contact Numbers, DOB, National ID, Gender, Marital Status | HR administration, payroll, communication, legal compliance | 5 years | 7 years |
| Employment-Related Information | Employment History, Education, Qualifications, Banking Details, Tax Info, Emergency Contacts, Performance Reviews, Disciplinary Records, Leave Records, Race/Ethnic Origin | Payroll, performance management, career development, legal compliance, internal record-keeping | 5 years | 7 years |
| Health Information (relevant to employment) | Sick Leave Certificates | Absence management, compliance with health and safety regulations | 10 years | 10 years |

Financial & Patient Data

| Category of Personal Information | Specific Data Types | Purpose of Collection | Proposed Retention Period (Semi-Active) | Proposed Destruction/Disposal Period |
|---|---|---|---|---|
| Patient Billing Information | Invoices, payment records | Refunds, financial record-keeping | 10 years | 10 years |
| Supplier Invoices & Payment Records | Invoices, payment records | Financial recording, payment processes, budget management, compliance, auditing, inventory | 10 years | 10 years |
| Payroll Data | Salaries, benefits, tax deductions | Record-keeping, statutory compliance, salary payments, budgeting, forecasting | 10 years | 10 years |
| General Ledger Entries | Ledger entries | Financial tracking, statements, audit, compliance | 10 years | 10 years |
| Budgeting & Forecasting Data | Budget and forecast data | Financial planning and control, operational efficiency | 10 years | 10 years |

Special Cases (Medical Records)

| Category of Personal Information | Specific Data Types | Purpose of Collection | Proposed Retention Period (Semi-Active) | Proposed Destruction/Disposal Period |
|---|---|---|---|---|
| Motor Vehicle Accident (MVA) | Medical records | For legal and insurance purposes, tracking treatment, and potential litigation. | 10 years after last consultation/access | 10 years after last consultation/access |
| Maternity | Medical records | Documenting pre-natal, delivery, and post-natal care for the mother and child. Essential for future medical history. | 10 years after death/last access | 10 years after death/last access |
| ART | Medical records | Monitoring treatment efficacy, drug compliance, and disease progression for patients on antiretroviral therapy. | 2 years after death/last access | 3 years after death/last access |
| X-ray Films | X-ray films | Diagnostic and treatment planning for skeletal and organ conditions. Used for comparison with future imaging. | 5 years after production/last access | 5 years after production/last access |
| Deceased (other than special cases) | Medical records | Administrative closure, assisting family with death certificates, and providing medical history for the coroner's office or legal matters. | 5 years after death | 5 years after death/last access |
| Police Case | Medical records | Providing evidence for legal proceedings, documenting injuries, and assisting law enforcement in criminal investigations. | 10 years after death/last access | 10 years after death/last access |

12. Your Data Subject Rights

Under the Eswatini Data Protection Act, 2022, you have the following rights regarding your personal information:

     Right to be Informed: You have the right to be informed about the collection and use of your personal information. This Privacy Notice serves this purpose.

     Right of Access: You have the right to request access to the personal information we hold about you and to receive a copy of it.

     Right to Rectification: You can request the correction of inaccurate or incomplete personal information we hold about you.

     Right to Erasure (Right to be Forgotten): You can request the deletion of your personal information under certain circumstances, such as:

     The data is no longer necessary for the purpose it was collected.

     You withdraw consent (and there's no other legal ground for processing).

     You object to the processing and there are no overriding legitimate grounds.

     The data has been unlawfully processed.

     We may be unable to comply with an erasure request if processing is necessary for compliance with a legal obligation (e.g., a legal obligation to retain medical records) or for the establishment, exercise, or defence of legal claims.

     Right to Restrict Processing: You can request the restriction of processing of your personal information under certain circumstances, such as:

     You contest the accuracy of the data.

     The processing is unlawful, but you oppose erasure.

     We no longer need the data, but you require it for legal claims.

     You have objected to processing, pending verification of legitimate grounds.

     Right to Data Portability: Where processing is based on your consent or a contract, and carried out by automated means, you can request to receive your personal information in a structured, commonly used, and machine-readable format, or request its transfer to another controller where technically feasible.

     Right to Object: You can object to the processing of your personal information if it is based on our legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or for legal claims.

     Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless certain conditions apply (e.g., necessary for a contract, authorized by law, or based on your explicit consent).

     Currently, the Hospital does not engage in automated decision-making or profiling that has legal or similarly significant effects on individuals without human intervention. If this changes, we will update this notice and inform you about the logic involved and your rights to human intervention, to express your point of view, and to contest the decision.

13. How to Exercise Your Rights

     Submitting a Request: To exercise any of your rights, please submit a written request to our Data Protection Officer (DPO) via email or post using the contact details provided in Section 2 and Section 18 of this notice. You may also inquire through our social media platforms, which will then be directed to the DPO.

     Verification: We will need to verify your identity before processing your request (e.g., by asking for a copy of your ID document or other identifying information). This is to ensure your personal information is not disclosed to unauthorized individuals. A log of these requests is kept.

     Fees: Requests to exercise your rights will generally be processed free of charge.

     Response Time: We will respond to your request within a reasonable timeframe, as stipulated by the EDPA (typically within one month, extendable in complex cases).

14. Data Breach Notification

The Hospital has an Incident Response Plan in place to manage data breaches effectively. In the event of a personal data breach:

1.    Recognition and Isolation: We will promptly identify and contain the breach.

2.    Investigation: We will investigate the nature and scope of the breach.

3.    Recovery: We will take steps to recover any lost data and remediate vulnerabilities.

4.    Notification:

     We will notify the Eswatini Data Protection Authority (EDPA) at the Eswatini Communications Commission (ESCCOM), the designated authority for breach notifications, within 72 hours of becoming aware of a breach, where feasible and where the breach meets the threshold for notification.

     We will also inform affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms, in accordance with regulatory advice. Documentation is kept throughout each stage of the incident response process.

15. Cookies and Website Data

Our website www.womenandchildren.net uses cookies. Cookies are small text files placed on your device to collect standard internet log information and visitor behaviour information.

     Essential Cookies: These are necessary for the website to function correctly. They are used for:

          Ensuring website security and authenticating users.

          Saving user preferences critical to site operation (e.g., language settings).

          Managing network traffic and load balancing.

     Analytical Cookies: These help us understand how visitors interact with our website. They are used for:

          Tracking the number of visitors and page views.

          Measuring time spent on pages.

          Identifying referral sources.

     We use Google Analytics for this purpose. Analytical cookies are generally considered non-essential and require your consent, which can be managed through our website's cookie banner or settings.

You can set your browser not to accept cookies, and the website www.aboutcookies.org tells you how to remove cookies from your browser. However, some of our website features may not function as a result.

16. Updates to This Privacy Notice

This Privacy Notice is reviewed at least annually or as needed when there are significant changes to our data processing activities, new policies, laws, or regulatory guidance.

When changes are made, we will update the adoption date shown at the end of this notice. We will notify you of material changes via:

     Our social media platforms (Facebook, Instagram, TikTok).

     Information provided during your visit to the Hospital.

     Internal portals for employees.

We encourage you to review this notice periodically.

17. How to Lodge a Complaint

If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the Eswatini Data Protection Authority (EDPA). We would, however, appreciate the chance to deal with your concerns before you approach the EDPA, so please contact our DPO in the first instance.

Eswatini Data Protection Authority (EDPA) Contact Details:

     EDPA Address: Sibekelo Building Fourth Floor North Wing, Mbabane, Eswatini

     EDPA Email: dataprotection@esccom.org.sz

     EDPA Phone Number: +268 2406 7000

     You can also contact the EDPA through its official website at https://www.edpa.org.sz/contact.

18. Contact Us

For any questions about this Privacy Notice, to exercise your rights, or for any data protection concerns, please contact our Data Protection Officer:

     Email: dpo@womenandchildren.net

     Phone: +268 76983687 (Hospital line, ask for DPO)

     Postal Address: PO Box 6452, Manzini, Eswatini

You can also reach out via our official communication platforms (Facebook, WhatsApp), and your query will be directed to the DPO.

Adopted 19th May 2025