1.1.1 This Data Protection Policy has been adopted by Prospekt Medical Caspian (PMC) to set out the obligations of PMC and our employees in respect of collection, recording, organization, storage, adaptation, alteration, retrieval, use, treatment, handling, disclosure, correction, providing access to, blocking, erasure and the destruction of personal data.
1.1.2 Prospekt Medical Caspian (PMC) and our employees shall vigilantly take all appropriate measures to ensure the accuracy, integrity, and security of personal data, and to permit appropriate access to such data in accordance with the relevant laws and regulations, the EU Binding Corporate Rules, and the standard operating policy and procedures.
1.1.3 The words “Personal Data”, when used in this Policy, mean data:
a) In electronic, paper, or other forms including oral and written; and
b) That relates to living or deceased individuals (the “data subject”) who can be identified from the data, or from other information which is in the possession of, or likely to come into the possession of, PMC or our employees.
1.1.4 Personal Data does not include data concerning a company, a partnership, or an association.
1.1.5 Personal Data need not be sensitive or secret to require protection under this Policy, and it may come from many sources and concern many different data subjects, such as employees, our customers, our customer’s employees or their families, our service providers, and our partners.
1.1.6 Personal Data includes both factual information and opinions or judgments.
1.1.7 This Policy applies to the employees of PMC and managers appointed by PMC.
1.1.8 PMC expects that our service providers will introduce principles in their respective businesses that are substantially like the principles set out in this Policy.
1.2 Purpose of the Policy
There are several important reasons why personal data must be carefully protected by PMC and our employees.
1.2.1 Prospekt Medical Caspian is the provider of medical assistance, international healthcare, and medical evacuation services. Our Mission is to deliver the highest levels of service and customer care to our clients. Our customers entrust us with sensitive personal data such as medical data. Our reputation and ability to continue serving our customers is dependent on our ability to protect their personal data. Our employees continually assess, improve, and adhere to the Data Protection principles in this Policy.
1.2.2 PMC and our employees are bound by laws and regulations to protect Personal Data in Kazakhstan, where we conduct our business. PMC adheres to the Data Protection laws of Kazakhstan. This Policy incorporates their broad principles.
1.2.3 PMC complies with the regulations for data protection which have been approved by the data protection authorities of the European Economic Area.
1.2.4 PMC and our employees are required to abide by the laws and regulations. Employees should be aware that they may be exposed to personal liability if they fail to abide by the laws and regulations.
1.2.5 Data Protection is of great importance to our customers and service providers. PMC has, therefore, entered into contracts with our customers and service providers that oblige PMC and our employees to take measures to protect their data and to disclose, and otherwise deal with data in a manner that the customers or our service providers expect. Failure by PMC or our employees to comply with the contract terms may result in the contract being cancelled and damages being awarded against PMC.
1.3 Compliance with Laws, other Policies and Contracts of Employment
1.3.1 This Policy should be read in the context of applicable laws and in conjunction with other relevant policies and standard operating processes and procedures.
1.3.2 Each employee has legal obligations under their contract of employment with PMC concerning confidentiality and trade secrets.
1.3.3 PMC expects employees to comply with applicable laws and regulations, and to be familiar with and to fully comply with this Policy and their contracts of employment.
1.3.4 All employees shall undertake the compulsory training on data protection, and managers have the responsibility of ensuring that training is completed by their employees.
1.4 Questions regarding the Policy
1.4.1 This Policy provides clear principles. However, new legal and other considerations arise from time to time, and the social, commercial, and legal environments change rapidly.
1.4.2 Employees may therefore have questions from time to time on how this Policy applies to particular situations. Employees are encouraged to seek guidance from their managers.
2 THE TEN PRINCIPLES OF DATA PROTECTION
This Policy sets out ten principles of data protection that every employee is required to understand and follow, and every manager is required to communicate to their team. Although described in this Policy separately, the principles are interrelated and must be understood as a whole. The ten principles are:
2.1 Authority and Accountability
2.1.1 The Chief Data Protection Officer is responsible for this Policy and for the protection of personal data.
2.1.2 Each employee is the owner of the data they utilize and is accountable to their manager for compliance with this Policy. Other individuals are designated as having authority and being accountable for specific aspects of the integration, implementation, audit, enforcement, and development of personal data protection at PMC.
2.1.3 The extent and scope of individual responsibilities are not set out in this Policy. This will be clearly set out in relevant standard operating processes and procedures.
2.2 Identify Purposes for Collecting Personal Data
2.2.1 No personal data shall be collected unless the purpose of collecting the data is made known to and is understood by the data subject.
2.2.2 If the purpose changes, the data subject shall be notified of the new purpose before the data is used for this purpose.
2.3 Consent of the Data Subject
2.3.1 The knowledge and consent of the data subject must be given before their personal data can be collected, used, disclosed, transferred, or destroyed. If the data is sensitive, the data subject’s written approval is required.
2.3.2 If information is gathered electronically using the worldwide web, a data subject gives consent by clicking ‘send’ as outlined on the web page. The data subject positively affirms their consent by clicking the ‘send’ button before the data is gathered.
2.3.3 The data subject must understand why the data is being collected, how it will be used, who it will be transferred to, and why. If requested by the data subject, PMC will also let the data subject know how the personal data will be stored and kept secure and how long it will be retained.
2.3.4 If the data is sensitive personal data, the data subject should be informed about alternatives to providing data, and the consequences of not providing it.
2.3.5 An individual shall be permitted to withdraw consent at any time, and PMC and our employees shall promptly honour any such withdrawal and notify the data subject when PMC has ceased gathering data.
2.3.6 If circumstances arise in which the law, regulations, or contractual commitments require that personal data be collected, used, disclosed, or transferred without the consent of the individual, employees shall raise this with their manager or Chief Data Protection Officer.
2.4 Collection Limitations and Accuracy
2.4.1 Personal Data shall be collected lawfully and fairly (without deception), and the collection shall be limited only to the purposes identified by PMC that are lawful, legitimate, and necessary for PMC to perform its business and operations. The personal data should be adequate for the purposes identified and shall not be excessive.
2.4.2 Personal data shall be as accurate, complete, and up to date as is necessary for the purpose for which it is to be used, considering the interests of the individual and what is reasonable and practical. Where practical, data should be provided or confirmed by the data subject.
2.5 Limiting Use, Disclosure, Retention and Destruction
2.5.1 Personal data shall be used and disclosed only for purposes for which it was collected.
2.5.2 Employees shall comply with the laws and regulations with regard to data retention, with the Data Retention and Destruction Policy, and with relevant standard operating processes and procedures. Subject to relevant laws and regulations, personal data shall be retained no longer than is necessary for the purposes identified.
2.5.3 Personal Data should be destroyed in a manner that prevents its recreation, and care shall be taken to ensure that there is no unauthorised access during the destruction of data.
2.6.1 PMC and our employees shall have in place the appropriate technical and organisational measures to protect data against accidental or unlawful damage, destruction, accidental loss, theft, alteration, and unauthorised disclosure, access or use, and which provide a level of security appropriate to the risk represented by the nature of the personal data being protected and the purposes for which it is being collected.
2.6.2 Employees shall comply with the Information Security Policy, Laptop Policy, and Clean Desk Policy to protect the security of personal data.
2.6.3 Security precautions shall correspond to the sensitivity of the personal data and they shall be improved in accordance with technological development.
2.6.4 Personal data shall be accessed by employees strictly on a need-to-know basis to perform their duties and only in support of legitimate business purposes.
2.6.5 Managers shall make employees aware of the importance of maintaining the confidentiality of personal data.
2.7.1 PMC and our employees shall be open about policies with respect to the management and protection of personal data.
2.7.2 This Policy should be available to our employees, customers, service providers and partners.
2.7.3 The Human Resources Department shall inform employees and seek their consent on what personal data PMC collects and retains and how it will be used, who it may be transferred to and how it can be accessed.
2.8 Individual Access and Correction
2.8.1 PMC and our employees shall give individuals confirmation of what personal data has been collected and is being stored, and access to their personal data within a reasonable time after receiving their request.
2.8.2 The individual requesting the data shall describe it with reasonable specificity before data is provided.
2.8.3 PMC and our employees shall verify the identity of the person requesting the data before granting access.
2.8.4 In certain cases, personal medical data may be disclosed directly to a medical practitioner who is treating the data subject without being disclosed at the same time to the data subject.
2.8.5 If the data subject has successfully demonstrated that data is inaccurate or incomplete and has provided alternative or additional personal data that is verifiably accurate, PMC and our employees shall promptly correct the data.
2.8.6 If the data subject has successfully demonstrated that the data is unnecessary or illegitimate for our purposes, PMC and our employees shall promptly destroy it.
2.9 Challenging Compliance
2.9.1 Designated individuals shall be given the responsibility of Data Protection Administrators, who shall ensure that data is managed, protected, and utilized in compliance with this Policy. The Data Protection Administrators shall receive, record, address and elevate complaints concerning the handling of personal data from customers, service providers and employees.
2.9.2 The Clinic Manager is responsible for ensuring compliance with this Policy and for handling complaints, enquiries or issues in respect of personal data raised by customers and service providers. The Chief Data Protection Officer (Clinic Manager) shall ensure that the Data Protection Policy is properly implemented and shall elevate any complaints to the Data Protection Administrators where appropriate.
2.9.3 The Clinic Manager shall be responsible for communicating with the data subject and shall also elevate the matter to the General Director.
2.9.4 All complaints shall be addressed expeditiously. The complainant shall be informed of the identity of the employee addressing the complaint, and of the time expected to review it, no later than five (5) business days from the day the complaint was received. Regular updates shall be given to the complainant on the progress of the review if the review is likely to take longer than seven (7) business days. The complaint and its outcome shall be recorded and made available for review by the General Director.
2.10 Transfers to a Third Party
2.10.1 PMC and our employees may transfer personal data to a third party, including a third party in another country, if it is lawful, accurate, not excessive for the purpose, legitimate and necessary for the purpose communicated to the data subject, and only if one or more of the following apply:
a) The recipient of the data is subject to a law, binding scheme, contract, or policy that upholds principles for the fair handling of personal data which are similar to the principles in this Policy; or
b) The data subject consents to the transfer.
3 EXCEPTIONS TO THE POLICY
3.1.1 If circumstances arise in which it is not in the interests of the data subject, PMC or third parties to comply with any of these principles, or if there is a good reason for standard operating processes to deviate from these principles, employees shall raise this with the Clinic Manager.
4 ENFORCEMENT, AUDITS AND REPORTING BREACHES
4.1.1 Breaches of this Policy may have serious legal and reputational repercussions and could cause material damage to PMC. Consequently, breaches can potentially lead to disciplinary action, which could include summary dismissal, and to legal sanctions, including criminal penalties.
4.1.2 All employees are expected to promptly and fully report any breaches of the Policy. Reports may be made using the following e-mail: [email protected]