Data Protection Policy
This policy sets out how we collect, use, disclose, store, and protect your personal data in compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore.
Introduction
Angsana Medical Pte. Ltd. (“us”, “we”, the “Clinic”) is committed to safeguarding the personal data entrusted to us by our patients, employees, service providers, vendors, and website visitors (“you”). This policy sets out how the Clinic collects, uses, discloses, stores, and protects personal data in compliance with the Personal Data Protection Act 2012 of Singapore (PDPA).
Scope
- All patients, employees, contractors, locums, clinic assistants, and third party service providers, of the Clinic.
- All visitors of the Clinic's website(s) such as www.angsanamedical.sg and related pages thereunder (the “Website”).
- All personal data in the Clinic's possession, whether in electronic or physical form.
Personal Data Collected
The Clinic may collect and process the following categories of personal data:
Patient information
Name, NRIC/FIN, passport information, contact details (including without limitation address, phone number, and e-mail address), medical history, treatment records, next-of-kin information, transaction information, payment details, likeness and voice (e.g. during teleconsultation).
Employee or contractor information
Name, NRIC/FIN, contact details (including without limitation address, phone number, and e-mail address), employment history, next-of-kin information, payroll and benefits details, likeness.
Third party service provider and vendor information
Information as reasonably required.
Website visitor information
Internet protocol (IP) address used to connect your computer or device to the internet, connection information such as browser type and version, your operating system and platform, the full URL clickstream to, through and from the Website (including date and time), cookie number and/or your activity on our Website, including the pages you visited, the searches you made.
Purpose of Collection, Use, and Disclosure
Personal data may be used and disclosed for the following purposes:
Patient
- Providing medical consultation, treatment, and follow-up care.
- Processing your queries, requests, and feedback.
- Processing payments and insurance claims.
- Administrative and operational purposes (e.g. scheduling, reminders, clinic management).
- Compliance with legal and regulatory obligations and guidelines/notices issued by legal and regulatory bodies.
- Internal training, quality assurance, service improvement, and complaints resolution.
- Maintaining security of the Clinic's premises (including CCTV surveillance).
- (If you have interacted with any of the Clinic's marketing efforts) responding to your activity on the Clinic's advertisements and other marketing efforts.
- Any other purpose for which consent has been obtained.
Existing or prospective employees / contractors
- Conducting interviews and processing applications (including obtaining employee references for background screening, pre-recruitment checks, and evaluating candidate's suitability for the position).
- Processing employment pass applications, visa applications and applying for dependent or long term social visit passes.
- Applying for insurance policy (if any) for employees and their dependents.
- Managing payroll, child care and/or family leave entitlement.
- Maintaining security of the Clinic's premises (including CCTV surveillance).
- (If you provide patient care) Publicity and listing of your service on the Clinic's Website.
- Compliance with legal and regulatory obligations.
- Any other purpose for which consent has been obtained.
Service providers / vendors
- (If you provide patient care) Publicity and listing of your service on the Clinic's Website.
- Managing and evaluating project tenders.
- Processing and payment of vendor invoices.
- Compliance with legal and regulatory obligations.
- Any purposes which are reasonably related to the foregoing.
Website visitor
- Analysis on how users use the Website (e.g. using cookies and via Google Analytics or other trusted analytics services).
Disclosure
Subject to the provisions of applicable law, your personal data may be disclosed by the Clinic for the purposes listed above to the following entities or parties (whether located overseas or in Singapore):
- Laboratories, diagnostic centres, and specialist clinics involved in the patient's care.
- Insurance companies, third-party administrators, and panel operators for claims processing. In such cases, we may disclose your medical diagnosis or information to such parties for claims processing, if required by such parties.
- Regulatory authorities, government agencies, statutory boards or authorities or law enforcement agencies.
- Vendors, contractors, third party service providers, IT service providers, and data hosting providers, in each case which support clinic systems and operations, who are bound by contractual or professional obligations to keep personal information confidential and use it only for the purposes for which the Clinic discloses the information to them.
- External auditors, consultants, or professional advisors engaged by the Clinic.
- Banks, credit card companies and payment service providers, and each of their respective service providers.
The Clinic will take reasonable steps to protect your personal data against unauthorised disclosure.
Consent
The Clinic will obtain consent before collecting, using, or disclosing personal data for purposes not mentioned in this policy, except where permitted or required by law.
You may withdraw consent by submitting a written request to the Data Protection Officer (details below). The Clinic will inform you of the potential consequences of withdrawal (e.g. inability to provide certain services).
If you provide the Clinic with any personal data relating to a third party (e.g. information on your family members), by submitting such information to the Clinic, you represent to the Clinic that you have obtained the consent of that third party to you providing the Clinic with their personal data for the purposes mentioned above.
Accuracy and Updating of Data
The Clinic relies on personal data provided by you or your authorised representatives. You are responsible for providing true, accurate and complete personal data. Failure on your part may result in the Clinic's ability to fulfil your requests and/or applications.
The Clinic will take reasonable steps to ensure data is accurate and up to date. If there are any changes to your personal data, please inform the Data Protection Officer in writing.
Protection of Personal Data
The Clinic adopts reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks, including:
- Role-based access controls and password protection for IT systems.
- Encryption of medical records stored electronically.
- Regular system updates and antivirus software.
- Staff training on confidentiality and data protection.
Retention
Personal data will be retained only as long as necessary to fulfil the purposes for which it was collected, or as required by law (e.g. medical records retention under MOH guidelines).
Data Breach Management
In the event of a suspected or confirmed data breach, the Clinic will:
- Take immediate steps to contain the breach.
- Assess the extent and impact of the breach.
- Notify affected individuals and the Personal Data Protection Commission (PDPC) where required.
- Implement corrective actions to prevent recurrence.
Access and Correction Rights
Individuals may request access to their personal data held by the Clinic, or request corrections if the data is inaccurate or incomplete. Requests should be submitted in writing to the Data Protection Officer.
Data Protection Officer (DPO)
The Clinic has appointed a Data Protection Officer (DPO) to oversee compliance with the PDPA. Contact details:
Review of Policy
This policy will be reviewed regularly and updated as necessary to reflect changes in laws, regulations, and operational practices.