Aaroogya's Privacy & Policy
What personal data we collect and why we collect it
Aaroogya foundation endeavours to meet leading standards for data protection and privacy. While our reasons are founded in ethical and corporate responsibility, our privacy practices as outlined in this policy enable the following:
● Dignity for patients: Our work bringing primary healthcare to underserved communities in developing countries and humanitarian conflict zones means we must be mindful of upholding a standard of ethical caring, including patient privacy.
● Competitive Advantage: Our emphasis on protecting the privacy of customers, vendors, and employees distinguishes us from competitors.
● Business Enablement: Since Aaroogya foundation uses significant volumes of personal information, privacy notices are a prerequisite to building enduring business relationships.
This Policy defines requirements to ensure compliance with laws and regulations applicable to Aaroogya foundation’s collection, use, and transmission of Personal Data.
This policy is applicable to all Aaroogya foundation employees, joint venture employees, contractors, vendors, interns, customers, end users and business partners who, as part of valid business operations, may receive personal information from Aaroogya foundation, have access to personal information collected or processed by Aaroogya foundation, or who provide information to Aaroogya foundation.
This policy covers the treatment of personal information gathered and used by Aaroogya foundation for lawful business purposes. This policy also covers the personal information we share with authorized Third Parties or that Third Parties share with us.
“Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Sensitive personal information refers to personal information:
● About an individual’s race, ethnic origin, colour, caste or tribal affiliation, marital status, age, and religious, philosophical or political affiliations;
● About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings.
● Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, aadhar numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns
Special categories of personal data, where Aaroogya foundation operations are within the scope of European Union regulations or equivalent protections, are:
● Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
● Genetic data, biometric data for the purpose of uniquely identifying a natural person
● Data concerning health or data concerning a natural person’s sex life or sexual orientation.
This policy does not apply to the privacy practices of third parties whose operations we do not own or control, including but not limited to any third-party services facilitated by Aaroogya foundation, or to any individuals we do not manage or employ, unless otherwise contractually agreed upon between the third party and Aaroogya foundation.
● To ensure that all of the personal data or personal information in Aaroogya foundation’s custody is adequately protected against threats to maintain its security.
● To ensure that Aaroogya foundation’s employees & contractors are fully aware of the contractual, statutory or regulatory implications of any privacy breaches.
● To limit the use of personal data or personal information to identified business purposes for which it is collected.
● To create an awareness of privacy requirements to be an integral part of the day to day operation of every employee & contractor and ensure that all employees & contractors understand the importance of privacy practices and their responsibilities for maintaining privacy.
● To make all the employees & contractors aware about the processes that need to be followed for collection, lawful usage, disclosure/ transfer and disposal of personal data or personal information.
● To ensure that all third parties storing and processing personal information on behalf of Aaroogya foundation provide adequate data protection.
● To ensure that all applicable regulations and contracts regarding the maintenance of privacy and protection of personal data or personal information are adhered to.
- Changes or updates to the Enterprise Privacy shall be communicated to Aaroogya foundation’s internal personnel when the changes become effective.
- A Privacy Request procedure shall be defined to process complaints and requests for information related to Aaroogya foundation’s privacy practices Refer to Annexure E.
- Appropriate notice shall be provided at the time an individual is asked to give consent to the collection or processing of personal information and whenever personal information is collected.
- The Privacy Notice shall provide the following information:
- Purposes for which personal information is collected, used and disclosed;
- Choices available to the individual regarding collection, use and disclosure of personal information;
- That personal information shall only be collected for the identified purposes;
- Methods employed for the collection of personal information, including ‘cookies’ and other tracking techniques, and third- party agencies;
- That an individual’s personal information shall be disclosed to third Parties only for identified lawful business purposes and with the consent of the individual;
- That an individual’s personal information may be transferred within Aaroogya foundation’s entities for business purposes
- Consequences of withholding or withdrawing consent to the collection, use and disclosure of personal information for identified purposes;
- Individuals are responsible for providing Aaroogya foundation with accurate and complete personal information, and for contacting the entity if correction of such information is required.
- Process for an individual to access and update their personal information records;
- Process for an individual to register a complaint or grievance regarding privacy practices at Aaroogya foundation.
- Process for an individual to withdraw consent for the collection, use and disclosure of their personal information for identified purposes; and
- That implicit or explicit consent is required to collect, use and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
- Individuals shall be provided a Privacy Notice in case any new purpose is identified for using or disclosing personal information before such information is used for purposes not previously identified.
- The Notice shall be in language that is simple and easy to understand, especially for marginalized communities.
3. Choice and Consent
- Implicit or explicit consent shall be obtained from individuals at the time of collection of personal information or as soon as practicable thereafter.
- Explicit consent shall be obtained from individuals for the collection, use and disclosure of sensitive personal information, unless a law or regulation specifically requires or allows otherwise. A record is maintained of explicit consent obtained from individuals.
- Implicit consent shall be considered adequate for the collection, use and disclosure of personal information which does not qualify as sensitive personal information.
- Implicit consent shall be considered adequate to share sensitive information between health providers for treatment purposes. This allows doctors, nurses, hospitals, laboratory technicians, and other health care providers to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a patient, or to refer the patient.
- Consent shall be obtained from individuals before their personal information is used for purposes not previously identified.
- Appropriate consent shall be obtained from individuals before their personal information is transferred to or from information processing systems not owned or controlled by Aaroogya foundation except in the cases mentioned above.
4. Collection of Personal Information
- The collection of personal information shall be limited to the minimum requirement for lawful business purposes
- Methods of collecting personal information shall be reviewed by management to ensure that personal information is obtained:
- Fairly, without intimidation or deception, and
- Lawfully, adhering to laws and regulations relating to the collection of personal information.
- Individuals shall be notified if additional information is developed or acquired about them.
5. Limiting Use, Disclosure, Retention and Disposal
- Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as permitted by law.
- An information inventory shall be maintained of all personal information collected, its mode of storage, period of retention and method of disposal, which is reviewed at least annually.
- Personal information retention shall be only for the duration necessary to fulfil the identified lawful business purposes or as prescribed by law.
- Personal information and health records shall be retained for a minimum of 6 years from the date of creation or the date the record was last in effect, unless otherwise prescribed by legislative agencies that require records to be retained for greater periods of time.
- Information may be stored in hard copy or electronic copy. The mode of storage will be determined based on the purpose for which data is collected and will be reviewed annually.
- Hard copy: physical representations of data, such as paper printouts. This includes, among other things, notes, memos, messages, correspondence, transaction records and reports.
- Electronic copy: information stored on electronic media, such as computer hard drives, copier and printer hard drives, cloud storage, removable solid drives including memory, disks and USB flash drives, mobile phones and magnetic tapes.
- Upon the expiration of identified lawful business purposes, Aaroogya foundation shall either securely erase or anonymize the individuals’ personal information.
- When disposing of personal information by completely destroying the hard or electronic copy, including all back- ups in such a way as to ensure that the information stored on it can never be recovered.
- Anonymization shall be carried out in such a way that the information cannot be used to identify an individual using the “Expert Determination” method. Aaroogya foundation may determine that health information is not individually identifiable health information only if:
- A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
- Applying such principles and methods determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
- Documents the methods and results of the analysis that justify such determination;
6. Access for Review and Update
- Processes shall be established for individuals to:
- Request access to their personal data or information;
- Correct or update their personal data or information; and
- Withdraw consent for the collection, use and disclosure of their personal information.
- The identity of individuals requesting access their personal information shall be reasonably verified before providing access to such information.
- A response shall be given individuals requesting access to their personal information in an accessible form, within a defined period from receipt of complaint/ request.
- Individuals shall be notified, in writing, the reason for any denial of requests for access to personal information. This notice will provide the source of Aaroogya foundation’s legal right to deny access and the individual’s right to challenge such access as allowed or required by law.
7. Disclosure to Third Parties and Outward Transfers
- The disclosure of personal information to third parties shall be only for identified lawful business purposes and with appropriate consent from the individuals unless a law or regulation specifically allows or requires otherwise.
- Management shall ensure that third parties storing or processing personal information on behalf of Aaroogya foundation have:
- Signed non-disclosure agreements or confidentiality agreements; and
- Established procedures to meet the terms of their agreement with Aaroogya foundation to protect personal information
- Personal information may be transferred outside the jurisdiction in which they were created or stored, for storage or processing where any of the following apply:
- The individual has given consent to the transfer of information
- The transfer is necessary for the performance of a contract between the individual and Aaroogya foundation, or the implementation of pre-contractual measures taken in response to the individual’s request.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between Aaroogya foundation and a third party.
- The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defense of legal claims.
- The transfer is required by law 6. The transfer is necessary in order to protect the vital interests of the individual.
- Remedial action shall be taken in response to misuse or unauthorized disclosure of personal information by a third party storing or processing personal information on behalf of Aaroogya foundation.
8. Security Practices for Privacy
- Aaroogya foundation’s information security policy and procedures shall be documented and implemented to ensure reasonable security for personal information collected, stored, used, transferred, and disposed by Aaroogya foundation, as required by law.
- Information asset labelling and handling guidelines shall include controls specific to the storage, retention and transfer of personal information.
- Management shall establish procedures that maintain the logical and physical security of personal information.
9. Quality of Personal Information
- Aaroogya foundation shall make best efforts to ensure that personal information collected is accurate and complete for the business purposes for which it is to be used.
- Aaroogya foundation shall make best efforts to ensure that personal information collected is relevant to the business purposes for which it is to be used.
10.Privacy Monitoring and Enforcement
- Individuals can file a complaint/ grievance about Aaroogya foundation’s privacy practices by submitting a filled Privacy Complaint Form (Annexure E) and sending it via mail (physical or electronic) to the Data Privacy Officer.
- All complaints/ grievances registered by individuals shall be recorded and responded to in a timely manner.
- The DPO shall conduct an investigation into the complaint and initiate corrective action to resolve it.
- Each complaint regarding privacy practices registered by individuals shall be validated, responses documented and communicated to the individual.
- Annual privacy compliance reviews shall be performed for identified business processes and their supporting applications.
- A record shall be maintained of non-compliances identified in the annual privacy reviews. Corrective and disciplinary measures shall be initiated and tracked to closure, guided by Aaroogya foundation’s management.
- Procedures shall be established to monitor the effectiveness of controls for personal information and for ensuring corrective actions, as required.
- Privacy Impact Assessments shall be conducted annually, or when there are significant changes to the process or system environment. Refer: Privacy Impact Assessment Template.
- Any conflicts or disagreements relating to the requirements under this policy or associated privacy practices shall be referred to the Data Privacy Officer for resolution.