Align Data Protection Policy Notice
The Cayman Islands Data Protection Law, 2017 (the “DPL”) came into force on 30 September 2019. The DPL introduces legal requirements based on internationally accepted principles of data privacy and is the principal legislation regulating general data privacy in the Cayman Islands. This Data Protection Policy Notice (“Policy” or “Notice”) lets you know what happens to any personal or sensitive personal data that you give us, or any information that we may collect from you or about you from other organizations. Please read this Notice carefully, as it contains important information.
The DPL applies directly to Data Controllers, and Data Controllers are required to ensure that the Personal Data which they process (or which is processed on their behalf by any Data Processor) is processed in accordance with the data protection principles detailed below. For the most part, the DPL does not apply directly to Data Processors, but Data Controllers who wish to appoint Data Processors are required to ensure that Data Processors give certain contractual assurances with respect to the Personal Data that they process.
The DPL creates the function of an Information Commissioner also known as the Cayman Islands Ombudsman who has responsibilities/powers to oversee compliance with the regime and act as international liaison for data protection issues.
PURPOSE
The DPL affects Align because it controls or processes Personal Data in the course of its business. In the course of its business activities Align is required to receive and handle a wide range of data and information, including Personal Data and accordingly the DPL will apply to the collection, use and retention of that Personal Data. Given the nature of Align’s business, much of that Personal Data will be Sensitive Personal Data.
Align is categorized under the DPL as Data Processor in certain circumstances and Data Controller in other circumstances, which are as set out in “Scope” below. Where Align controls Personal Data, it is required to have in place a policy to ensure it meets its obligations under the DPL to ensure the rights of Data Subjects (as defined below), with regard to the way in which their Personal Data is handled.
SCOPE
This Policy applies to Align when acting as Data Controller under the DPL. Align acts as Data Controller in relation to the Personal Data of Data Subjects which are:
(i) employees of Align;
(ii) independent contractors of Align;
(iii) vendors of Align; and
(iv) clients and patients whose Personal Data has been provided in the course of their business relationship with Align.
Each of (i), (ii), (iii) and (iv) shall be referred to in this Policy as a “Relevant Person”. There is a contractual relationship between Align and each Relevant Person (in the case of (iv) the contractual relationship shall be referred to in this Policy as the “Business Relationship”). For the purposes of this Policy Relevant Persons are Data Subjects.
It should be noted that Align acts as Data Processor in respect of Personal Data of its clients and patients.
INTRODUCTION
In the usual course of Align’s business, the Relevant Person provides Align with certain personal information which constitutes Personal Data, whether by virtue of the Business Relationship with Align and Align’s associated interactions with the Relevant Person, or by virtue of the Relevant Person otherwise providing Align with personal information. This includes, but is not restricted to, data such as name, residential address, email address, telephone number, place of birth, date of birth, passport number, etc. Further, in the usual course of business Align and its agents, delegates and affiliates may from time to time use Personal Data for other activities that meet the legitimate interest grounds for processing under the DPL.
The DPL contains specific requirements concerning protection of Sensitive Personal Data.
ADDITIONAL DEFINITIONS
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
"Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
"DPL" means the Cayman Islands' Data Protection Law, 2017;
“Data Subject” means an identified living individual or a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person;
“Health Professional” means an individual registered to practice under any of the professions specified in the Health Practice Law (2013 Revision) or any other Law relating to health;
“Health record” means a record that (a) consists of information relating to the physical health, mental health or condition of a data subject; and (b) has been made by or on behalf of a health professional in connection with the care of the data subject;
"Personal Data" means any data relating to a living individual who can be identified, that is, information relating to an identified or identifiable natural person, and includes (a) data such as the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual; (b) an expression of opinion about the living individual; or (c) any indication of the intentions of the data controller or any other person in respect of the living individual;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or, access to, personal data transmitted, stored or otherwise processed;
“Processing” in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on Personal Data, including (a) organizing, adapting or altering the Personal Data; (b) retrieving, consulting or using the Personal Data; (c) disclosing the Personal Data by transmission, dissemination or otherwise making it available; or (d) aligning, combining, blocking, erasing or destroying the Personal Data.
"Relevant Personal Data" means all Personal Data provided to the Counterparty by Align or otherwise provided to the Counterparty in connection with the Counterparty’s performance of the Services pursuant to this Agreement.
“Sensitive Personal Data” means, in relation to a data subject, personal data consisting of:
a) The racial or ethnic origin of the data subject;
b) The political opinions of the data subject;
c) The data subject’s religious beliefs or other beliefs of a similar nature;
d) Whether the data subject is a member of a trade union;
e) Genetic data of the data subject;
f) The data subject’s physical or mental health or condition;
g) Medical data;
h) The data subject’s sex life;
i) The data subject’s commission, or alleged commission, of an offence; or
j) Any proceedings for any offence committed, or alleged, to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Cayman Islands or elsewhere.
TYPE OF INFORMATION ALIGN MAY COLLECT
· Name
· Address
· Telephone number
· Employment Information
· Next of Kin information
· Health Insurance Information (name of insurance company, policy owner, identification number)
· Appointments (details of appointments including notes of treatment and care and proposed plan including referrals)
· Health Information (personal and family medical history)
· Financial Information (debit and credit card information)
· Outgoing information including correspondence with other medical practitioners
· Incoming information including information received from other healthcare professionals
· Test results
LEGAL BASIS FOR COLLECTING AND PROCESSING YOUR INFORMATION
The personal data we collect will be adequate, relevant and not excessive in relation to the purpose(s) for which it is collected or processed. We require your personal and sensitive and confidential data in order to provide you with healthcare.
Legal obligation – the processing is necessary for Align to comply with the laws of the Cayman Islands.
Vital interest – the processing is necessary to protect the Data Subject’s life.
Public functions – the processing is necessary for Align to perform a public function, or a function of a public nature exercised in the public interest.
Legitimate interests – the processing is necessary for legitimate interests pursued by us as data controller or a third party.
Legal proceedings: the processing of sensitive personal data is necessary for legal proceedings, legal advice or legal rights.
Medical: the processing of sensitive personal data by a health professional or someone who owes an equivalent duty of confidentiality is necessary for medical purposes. “Medical purposes” includes the purposes of preventative medicine, medical diagnosis, the provision of care and treatment and the management of healthcare services.
Your information will not be further processed in any manner incompatible with the stated purposes.
How We Collect Information
We collect information in various ways, such as over the phone, in writing, in person at Align or over the internet if you transact with us online. This information may be collected by medical and non-medical staff. Wherever practicable we will only collect information from you personally. However, we may also need to collect information from other sources such as treating specialists, radiologists, pathologists, hospitals and other health care providers. In emergency situations we may also need to collect information from your relatives or friends.
How We Use and Disclose Your Information
We collect and hold data about you for the purpose of providing safe and effective healthcare. We will treat your personal information as strictly private and confidential. We will only use or disclose it for purposes directly related to your care and treatment, or in ways that you would reasonably expect that we may use it for your ongoing care and treatment. We may need to share information with other healthcare providers outside of Align when we order laboratory, diagnostic or preventative tests and when we make a referral. This is done to ensure you receive the care you need. Information may be provided to:
· Laboratories and imaging centers
· Other medical facilities including doctors, nurses and support staff who may receive the information
· Pharmacists
· Other persons involved with your care such as relatives, friends and caregivers if consent has been given for information to be released to them
· Insurance providers including when we submit a claim on your behalf for services rendered or request precertification of services.
You can withdraw consent to provide information to any one of the entities above, but this may result in a delay of care or in you having to pay for the services you receive at the Clinic or from its providers. We may also be required to share your information with third parties. This includes the Police, the Courts, insurers, attorneys and Government regulatory bodies. Whenever possible we will pass this information on in an anonymized format. We may disclose information about you to outside contractors to carry out activities on our behalf, such as an IT service provider, solicitor or debt collection agent. We impose security and confidentiality requirements on how they handle your personal information. Outside contractors are required not to use information about you for any purpose except for those activities we have asked them to perform.
Accuracy of Information
We will make every effort and take all reasonable steps to ensure that the data we process is accurate and up to date. However, it is your responsibility to advise Align of any change in your information, particularly your name, mailing address, telephone number, email address, insurance provider and next of kin. You have the right to request that Align rectifies, blocks, erases or destroys inaccurate data without delay. You can make a request for rectification verbally or in writing. The request does not have to be to a specific person or contact point.
ALIGN AS DATA CONTROLLER AND THE EIGHT DATA PROTECTION PRINCIPLES
In relation to the Relevant Persons and Align’s use of their Personal Data, Align is a Data Controller and is committed to complying with its obligations as such under the DPL. As Data Controller, Align complies with the following eight data protection principles in respect of Personal Data which it processes, or which is processed on its behalf:
· First Principle: Personal Data shall be processed fairly. In addition, Personal Data may be processed only if certain conditions are met, for example the Data Subject has consented to the processing, the processing is necessary for the performance of a contract to which the Data Subject is a party, or processing is required under a law or to protect the individual’s vital interests.
· Second Principle: Personal Data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
· Third Principle: Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
· Fourth Principle: Personal Data shall be accurate and, where necessary, kept up to date.
· Fifth Principle: Personal Data processed for any purpose shall not be kept for longer than is necessary for that purpose.
· Sixth Principle: Personal Data shall be processed in accordance with the rights of Data Subjects under the DPL, for example subject access.
· Seventh Principle: Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.
· Eighth Principle: Personal Data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data. The eighth principle does not apply where the Data Subject has consented to the transfer or where the transfer is necessary for the performance of an obligation imposed by law on the Data Controller in connection with the Data Subject’s employment.
PURPOSE LIMITATION
Align will only collect and process Personal Data for purposes that have been communicated to the Data Subject and are for lawful purposes. Align will process data for the following purposes:
· where this is necessary for the performance of the service being provided to the client/patient;
· where this is necessary for compliance with a legal obligation to which Align is subject; and/or
· where this is necessary for the purposes of the legitimate interests of Align or a third party (such as direct marketing and analyzing personal data for quality control, business and statistical analysis, tracking fees and costs, training and related purposes) except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.
Align will not process Personal Data in a manner that is incompatible with the purposes communicated to Data Subjects.
Align will send to all clients, patients, employees/independent contractors, and vendors this document entitled “Align Data Protection Policy Notice” which sets out disclosure required to be made under the DPL describing Align’s purposes for collection of data, its processing, disclosure, and retention activities, and the rights of data subjects. This Notice will also be placed on Align’s website. This Notice may be amended from time to time and any amended version will be made available as above.
DATA MINIMISATION
The Personal Data collected will be adequate, relevant and not excessive, meaning it will be limited to what is necessary in relation to the purposes for which it is being processed.
KEEP IT ACCURATE AND UP-TO-DATE
Align will ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. Align will take all reasonable steps to amend inaccurate or out-of-date Personal Data without delay.
STORAGE LIMITATION
Align will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Subject to compliance with local retention laws, Align will take all reasonable steps to erase all Personal Data that is no longer required. Align will be clear when informing the Data Subject about the reason why the information is being retained. Align is aware of any required statutory retention periods where an obligation exists to retain a Data Subject’s Personal Data for fixed periods, and ensures that Personal Data is retained in line with such statutory requirement(s) and that the Data Subject is aware of this retention period.
RIGHTS OF DATA SUBJECTS
RIGHT OF ACCESS
A person is entitled to be informed by Align whether the Personal Data of which the person is the Data Subject are being processed by or on behalf of Align, and, if that is the case, to be given by Align a description of –
· the Data Subject’s Personal Data;
· the purposes for which they are being or are to be processed by or on behalf of Align;
· the recipients or classes of recipients to whom the data are or may be disclosed by or on behalf of Align;
· any countries or territories outside the Cayman Islands to which Align, whether directly or indirectly, transfers, intends to transfer or wishes to transfer the data;
· general measures to be taken for the purpose of complying with the seventh data protection principle; and
· such other information as the Ombudsman may require Align to provide.
A Data Subject is entitled to communication in an intelligible form, by Align, of the Data Subject’s Personal Data, and any information available to Align as to the source of the Personal Data.
If the processing by automatic means of the Data Subject’s Personal Data for the purpose of evaluating matters relating to the Data Subject, including the Data Subject’s performance at work, creditworthiness, reliability or conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting the Data Subject, the Data Subject is entitled to be informed by Align of the reasons for that decision.
Align shall not be obliged to supply any Personal Data unless Align has received a request in writing, and any fee that Align may require, such fee being within the limits prescribed by regulations. There is a template subject access request form on the Ombudsman’s website. If Align reasonably requires further information in order to be satisfied as to the identity of the Data Subject making the request or to locate the information that the Data Subject seeks, and has informed the Data Subject in writing of the requirement, Align is not obliged to comply with the request unless supplied with that information, and until it is supplied the response period specified below shall automatically stand suspended.
Align shall comply with a request within thirty days (or such other period as may be prescribed by regulations) of the date on which Align receives both the request and fee referred to above, but where Align has requested further information, the period shall not resume until the information has been supplied.
If Align cannot comply with the request without disclosing Personal Data relating to another Data Subject who can be identified from that Personal Data, Align is not obliged to comply with the request unless –
· the other Data Subject has consented to the disclosure of the Personal Data to the person making the request; or
· it is reasonable in all the circumstances to comply with the request without the consent of the other Data Subject.
The reference (above) to Personal Data relating to another Data Subject includes a reference to Personal Data identifying that other Data Subject as the source of the Personal Data sought in the request. Align will still be expected to communicate so much of the Personal Data sought in the request as can be communicated without disclosing the identity of the other Data Subject concerned, whether by the omission of names or other identifying particulars or otherwise. In determining whether it is reasonable in all the circumstances to comply with the request without the consent of the other Data Subject concerned, Align shall have regard to, in particular –
· any duty of confidentiality owed to the other Data Subject;
· any steps taken by Align to seek the consent of the other Data Subject;
· whether the other Data Subject is capable of giving consent; and
· any express refusal of consent by the other Data Subject.
If Personal Data is being processed by or on behalf of Align and Align receives a request under this section from the Data Subject, the obligation to supply the Personal Data under this section includes an obligation to give the Data Subject a statement of the Data Subject’s rights under the DPL in such form, and to such extent, as may be prescribed by regulations.
Align shall supply the Data Subject with a copy of the Personal Data in the format requested unless the supply of such a copy is not possible or would involve disproportionate effort, or the Data Subject agrees otherwise. If any of the Personal Data is expressed in terms that are not intelligible without explanation, the copy shall be accompanied by an adequate explanation.
If Align has previously complied with a request for access by the Data Subject referred to therein, Align is not obliged to comply with a subsequent identical or similar request for access by the Data Subject unless the interval between compliance with the previous request and the making of the current request is reasonable. In determining whether the interval is reasonable, regard shall be had to the nature of the Personal Data, the purpose for which the Personal Data is processed and the frequency with which the Personal Data is altered.
Personal Data and other information supplied shall be supplied by reference to the data in question at the time when the request for the Personal Data is received, except that account may be taken of any amendment or deletion made between that time and the time when the information is supplied, the amendment or deletion being such that would have been made regardless of the receipt of the request.
RIGHT TO REQUIRE ALIGN TO CEASE PROCESSING
A Data Subject is entitled at any time, by notice in writing to Align, to require Align to cease processing, or not to begin processing, or to cease processing for a specified purpose or in a specified manner, the Data Subject’s Personal Data.
Align shall, as soon as practicable, but in any case within twenty-one days of receiving a notice, comply with that notice unless –
· the processing is necessary for the performance of a contract to which the Data Subject is a party or the taking of steps at the request of the Data Subject with a view to entering into a contract;
· the processing is necessary for compliance with any legal obligation to which Align is subject, other than an obligation imposed by contract;
· the processing is necessary in order to protect the vital interests of the Data Subject; or
· the processing is necessary in such other circumstances as may be prescribed by regulations,
and Align shall state to the Data Subject the reasons for the non-compliance with the notice.
The DPL also contains specific rights of the Data Subject to request Align to stop processing for direct marketing and in relation to automated decision-making.
RIGHT TO REQUEST ALIGN TO RECTIFY, BLOCK, ERASE OR DESTROY
If the Ombudsman is satisfied on a complaint made under section 43 of the DPL that Personal Data is inaccurate, the Ombudsman may order Align to rectify, block, erase or destroy this data and any other Personal Data in respect of which Align is Data Controller and that contain an expression of opinion that appears to the Ombudsman to be based on the inaccurate data.
This right applies whether or not the Personal Data accurately records information received or obtained by Align from the Data Subject or a third party, but, if the data accurately records such information, then the Ombudsman may instead of making an order as above –
· make an order requiring the Personal Data to be supplemented by a statement of the facts relating to the matters dealt with by the data as the Ombudsman may approve;
· make such order as the Ombudsman thinks fit to ensure the accuracy of the data, having regard to the purpose or purposes for which the data was obtained and further processed, with or without a further order requiring the data to be supplemented by a statement of the facts relating to the matters dealt with by the data as the Ombudsman may approve; or
· make an order requiring Align to ensure that the data indicates that, in the Data Subject’s view, the data is inaccurate.
If the Ombudsman makes an order as above, or is satisfied on a complaint made under section 43 that Personal Data that has been rectified, blocked, erased or destroyed was inaccurate, the Ombudsman may, if it is considered reasonably practicable, order Align to notify third parties to whom the data has been disclosed of the rectification, blocking, erasure or destruction.
RIGHT TO BE KEPT SAFE AND SECURE
Processing will be conducted in a manner that ensures appropriate security and confidentiality of the Personal Data. Align takes all commercially reasonable steps to secure the Personal Data from unauthorized or unlawful processing by third parties, alteration, disclosure, accidental loss, destruction, damage or any form of computer corruption. Align has implemented the following information security measures:
· IT servers are kept in a secure location, and access to them is restricted to a limited number of staff;
· Access to systems is password protected;
· A backup procedure is in operation;
· Manual files containing Personal Data, financial information or confidential information are kept in a secure locked location with restricted access to staff; and
· A strong emphasis is placed on the security of Personal Data when it is held on portable devices.
LIMITS ON HOW PERSONAL DATA MAY BE USED OR SHARED WITH THIRD PARTIES
Personal Data may be processed by Align itself or it may be processed by others on its behalf. The overriding principle is that where Align uses a Data Processor to undertake processing of Personal Data on its behalf it will ensure that the engagement is evidenced in a written contract which requires the Data Processor to act only on instruction given by Align and which also requires the Data Processor to comply with obligations equivalent to those imposed on Align by the seventh principle.
It may be necessary for Align to transfer Personal Data for processing, back-up or storage to an agent, delegate, subcontractor or other representative of Align appointed by Align to carry out sub-processing activities on behalf of Align (each a “Permitted Processor”) under an appropriate written agreement between the Permitted Processor and Align.
Align and/or Permitted Processors may be legally obliged to share Personal Data and other financial information with respect to a Data Subject with their local authorities including regulatory, law enforcement or other governmental authorities (including tax authorities) or courts (collectively “Government Bodies”) and the local Government Bodies, in turn, may exchange this information with foreign Government Bodies including Government Bodies located inside or outside the Cayman Islands through automatic reporting, information exchange or otherwise.
Certain Permitted Processors are located within the Cayman Islands and in that case Personal Data will be stored on servers in the Cayman Islands. Where Align entities and Permitted Processors are located outside the Cayman Islands Personal Data will be stored on servers outside the Cayman Islands.
Personal Data may be transmitted, stored and processed on systems located outside of Align’s operating jurisdiction (the Cayman Islands), which systems are or may be operated by a Permitted Processor (and therefore authorities including regulatory or governmental authorities or courts in a jurisdiction (including jurisdictions where these parties are established or hold or process Personal Data) may obtain access to Personal Data which may be held or processed in such a jurisdiction or accessed through automatic reporting, information exchange or otherwise in accordance with the laws and regulations applicable in such jurisdiction).
Subject to applicable provisions of the DPL, the Personal Data shall not be shared other than as described herein.
EXEMPTIONS
The DPL provides certain exemptions from the data protection principles and restrictions on individual rights to information. Pertinent examples include exemptions from non-disclosure provisions as required by any enactment, law or court order.
KEEPING RECORDS OF ALL PROCESSING
Align maintains records of all its processing activities. This requires that Align determine what Personal Data it holds, where it came from and with whom it shares it.
Align and its duly authorized agents/delegates will refrain from collecting any further Personal Data once the Data Subject’s relationship with Align has ceased, and Align will, if required by applicable retention laws, retain Personal Data for such period from the termination of the relationship as is specified by such applicable retention laws. After expiry of the retention period, subject to applicable retention laws, Align shall take appropriate steps to dispose of any records containing the Data Subject’s Personal Data, to the extent this is operationally feasible and proportionate.
TRAINING
All Align staff will receive regular training to ensure they are aware of:
· The provisions of the DPL;
· The approach Align takes to ensure compliance with its obligations; and
· Recent developments and guidance in the area.
CO-OPERATION WITH CAYMAN ISLANDS AUTHORITIES
Align and, where applicable, its representatives, shall cooperate, on request, with the Cayman Islands Ombudsman in the performance of its tasks.
REPORTING OF DATA BREACHES
In the case of a Personal Data Breach, Align is required to notify the Ombudsman and the relevant Data Subject of the Personal Data Breach and the mitigating steps in respect of it within five days of when Align should have been aware of the breach.
Each Data Processor is required to notify Align without undue delay after becoming aware of a Personal Data Breach.
Relevant details for notifying the Ombudsman of a Personal Data Breach are set out on the Ombudsman’s website http://ombudsman.ky/get-in-touch.
REMEDIES, ENFORCEMENT AND PENALTIES
Breach of the DPL can lead (variously) to remedial action by the Ombudsman, the imposition of penalties and criminal sanctions. If, following receipt of a complaint by a Data Subject, the Ombudsman is satisfied that Personal Data held by a Data Controller is inaccurate, the Ombudsman may order the Data Controller to rectify, block, erase, destroy or update the Personal Data.
DESIGNATION OF RESPONSIBLE PERSON FOR DATA PROTECTION QUERIES AND REGULATORY COMMUNICATIONS
As Align does not control or process Personal Data on a large scale, Align is not required to designate a data protection officer. However, a member of staff has been designated as Responsible Person for each of (i) the receipt of any queries relating to data protection or in the event a Data Subject wishes to discuss his/her data protection rights with Align (“General Queries”), and (ii) communicating with the Cayman Islands Ombudsman. As at the date of this Policy the email address for General Queries is: info@align.ky