SECTION 1: INTRODUCTION
1. This Personal Data Policy (“Policy”) sets out how Ninkatec Pte Ltd (including its associated companies and affiliates, as well as service providers and third parties appointed by Ninkatec on your behalf) (collectively “we”, “us”, or “our”) may collect, use, disclose or otherwise processes your personal data in accordance with the Singapore Personal Data Protection Act (No. 26 of 2012) (“PDPA”).
2. The purpose of this Policy is to inform you of how Ninkatec collects, uses, discloses, processes or otherwise handles your personal data, and to let you know how you can exercise your rights in respect of your personal data. This includes organisations which we have engaged to collect, use, disclose or process personal data for our purposes.
3. We may from time to time update this Policy. Updates will be posted on our website at https://www.ninkatec.com/data-protection-policy. By continuing to interact with us, subject to applicable laws, you agree to be bound by the prevailing terms of the Policy as so updated from time to time.
4. This Policy supplements but does not supersede nor replace any other consents you may have previously or specifically provided to Ninkatec in respect of your personal data, and your consents here are in addition to any consents by you or rights given at law to Ninkatec to collect, use or disclose your personal data.
SECTION 2: PERSONAL DATA
1. In this Policy, “personal data” refers to any data, whether true or not, about an individual who can be identified
(a) from that data; or
(b) from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time.
2. Depending on the nature of your interaction, transaction or agreement with us, some examples of personal data which we may collect from you include your name and identification information such as your NRIC number, contact information such as your address, email address or telephone number, nationality, gender, date of birth, marital status, photographs and other audio-visual information, employment information, financial information such as credit card numbers, debit card numbers or bank account information and medical history.
SECTION 3: CONSENT/ WITHHOLDING/ WITHDRAWAL OF CONSENT
1. By interacting with us, using our website, submitting information to us, or engaging our services, you agree and consent to us collecting, using and disclosing your personal data in the manner set forth in this Policy.
2. If you are providing personal data which belongs to others, you warrant that you have informed the individuals of the purposes for which we are collecting their personal data and that they have consented to your disclosure of their personal data to us for those purposes.
Withholding/Withdrawal of consent
1. The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing. You are entitled under applicable law to withhold/withdraw consent to the collection, use or disclosure of personal data, and Ninkatec will respect your choices in this regard. You may withdraw consent and request us to stop using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below (Section 9: Contact Us).
2. Upon receipt of your written request to withdraw your consent, we may require a reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us.
3. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing or via email to our Data Protection Officer at the contact details provided below (Section 9: Contact Us).
4. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.
5. If consents are not procured or if you fail to provide us with complete and accurate information, we may, in some situations, be prevented from providing a patient with medical treatment, or may be impaired in doing so, resulting in risks to that patient.
6. If you withhold information, this can have the same effect as when you withdraw consent, we may well have no choice but to decline to proceed with the transaction, agreement or interaction in question to avoid causing harm or exposing us, you or others to risk.
SECTION 4: COLLECTION OF PERSONAL DATA
1. Generally, we may collect your personal data in various ways including but not limited to:
i. when you submit any forms, including but not limited to Data Enrolment Form and hospital reference letters;
ii. in the course of your engaging our services, or your providing documentation or information to us;
iii. when you request for a patient assessment or when you interact with our care coordinators and service providers via telephone calls (which may be recorded), email, face-to-face meetings, our website, our electronic services, letters;
iv. when we seek information from third parties about you in connection with your relationship with us, including from next-of-kin and caregivers;
v. when, as a patient, you are examined by our staff or medical equipment, or when you are subject to or participate in a medical examination;
vi. when you are contacted by, and respond to, our care coordinators, nurses, doctors and other service providers;
vii. when you subscribe to any of our online services or communication platforms (including electronic updates and alerts);
viii. CCTV recordings while you are within our premises; ix. when you request that you be included in an email or other mailing list;
x. when you make payment or provide details to facilitate payment, or secure or administer the application of grants/ benefits/ subsidies;
xi. when you submit an employment application or provide documents or information such as your resume, from recruitment agencies and employment references;
xii. when you submit your personal data to us for any other reasons.
2. We may also collect personal data about you from third parties such as:
i. your representatives/ intermediaries/ agents or your next-of-kin who may either be providing information on your behalf, or in connection with their own transactions, agreements or interactions with us (in which event we will endeavour to collect only such personal data as may be relevant);
ii. your employers; and
iii. your service providers (e.g. your bank, your insurance office etc.)
3. If you provide us with any personal data relating to a third party, by submitting such personal data to us, you also represent to us and must ensure that you have notified the third party of the terms of this Policy and obtained his / her consent thereto.
4. We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete, true and accurate, please update us if there are changes to your personal data by informing us in writing or via email to our Data Protection Officer at the contact details provided below (Section 9: Contact Us).
SECTION 5: PURPOSE OF HANDLING AND DISCLOSURE OF PERSONAL DATA
1. Generally, Ninkatec handles your personal data for the purposes set out in this section. Any one or more of the listed purposes may apply to your personal data, depending on the actual circumstance. The following does not purport to be an exhaustive listing, although an effort is made to set out as many salient purposes as may be applicable.
2. The purposes which we collect, use and disclose personal data include but is not limited to:
For patients or prospective patients
i. if you are a patient, to provide medical and other allied health treatments, such as physiotherapy and speech treatment and therapy. In each case the disclosure of sharing such personal data is solely to such persons or entities which are involved in the care of the patient;
ii. onboarding of information necessary to establish patient records and to commence treatment and care of the patient;
iii. managing your relationship with us, and providing medical treatment, services and advice, including and without limitation to the management of your appointments, registration, communicating patient care issues, securing instructions on treatment instructions.
iv. communicating next-of-kin/authorised representatives for purposes of providing patient location (e.g. during home visits), medical updates, and seeking consent from them in emergency/ incapacity situations;
v. contact number and email address for purposes of contacting you and/or your representatives to remind you of appointments with Ninkatec;
vi. prescribing and dispensing appropriate medication whether through Ninkatec or other channels;
vii. ensuring proper and complete diagnosis and appropriate treatment including and without limitation to identifying health/ treatment risks (e.g. communicating potential adverse reactions) and monitoring appropriateness of medication usage and recording patient infection data;
viii. ensuring appropriate delivery of care patient care services including delivering results of investigations, other medical updates and facilitating rental/purchase of healthcare services equipment;
ix. verifying patient identity and documenting accurate information e.g. certification of reportable diseases, certification of death;
x. coordinating healthcare services provided by other healthcare providers;
xi. referring/ collaboration with/ transferring patients to other institutions, healthcare professionals, caregivers, additional support on treatment, specialist assistance, the procurement or provision of follow up care or as part of seamless/ integrated/ holistic care arrangements;
xii. working with funeral directors, casket companies, or other relevant personnel as may be necessary to discharge duties with respect to a deceased individual; and
xiii. all other purposes reasonably related to the aforesaid.
For healthcare operations
In relation to planning, execution, administration and implementation of relevant healthcare operations matters:
i. responding to, processing and handling your queries, feedback and suggestions;
ii. requesting feedback or participation in surveys;
iii. verifying your identity, processing payments as well as managing our administrative and business operations (including the processing, storage, monitoring and backup of data);
iv. managing the security of our premises, facilities and technology infrastructure;
v. providing updates and other communications on developments relating our services;
vi. sending administrative email notifications e.g. security, support and/or maintenance notices;
vii. to improve our services and communications to you as well as the quality of your interaction with our website;
viii. conduct reviews, reporting and examining case studies, incidents, issues encountered so as to understand, minimise and avoid risks, service failures or hazards;
ix. to meet organisational auditing, accreditation and compliance requirements concerning service standards;
x. to ensure that staff, volunteers, trainees are properly trained to provide medical services or execute their functions in the context of healthcare operations generally;
xi. to ensure that staff, volunteers, trainees are properly trained to provide medical services or execute their functions in the context of healthcare operations generally;
xii. complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority; and
xiii. any other incidental business purposes related to or in connection with the above.
For next-of-kin, family member, caregiver, representative or legal guardian of our patients
We recognise that the care of a patient may involve other individuals; these may include caregiver, next-of-kin, representative (including executor or administrator to a deceased patient) to a patient (including a deceased patient) or where the individual is a legal guardian or parent of a minor/ disabled patient (collectively a “Patient’s Representative”). The purposes of handling of your personal data include:
i. processing your application for our services on behalf of the patient;
ii. contacting relevant authorities in coroner’s cases;
iii. arrangement of home visits, providing medical updates, and seeking consent in emergency/ incapacity situations;
iv. arrangements for caregiver placements;
v. facilitating vendor liaisons for delivery and maintenance of medical equipment;
vi. managing and treating patients, including registering for consultations; and
vii. all other purposes reasonably related to the aforesaid. purpose relating to any of the above.
For external service providers
i. assessing your suitability as external service provider;
ii. administrative and support processes relating to your provision of services to Ninkatec;
iii. facilitating communication between you and the patient and patient’s next-of-kin/ caregivers/ representatives/ legal guardians;
iv. managing our relationship with you and ensuring medical records are kept up-todate;
v. processing and payment of vendor invoices and bills; and viii. all other purposes related to the aforesaid.
For incoming employees
In addition, if you are seeking employment or any other appointment with us, the purposes for which we collect, use and disclose personal data include:
i. processing and assessing your application;
ii. performing background checks, verifying your credentials and qualifications as well as obtaining employment references; and
iii. any other purpose relating to any of the above.
Disclosures of Personal Data
3. We take reasonable steps to protect your personal data against unauthorised disclosure. Subject to the provisions of any applicable law, your personal data may be disclose, for the purpose listed above (where applicable), to the following entities or parties, whether they are located in Singapore or overseas.
i. to our third-party service providers and agents (including those located outside Singapore) engaged by us for the purpose of rendering medical care, evaluation and quality assurance, audit and review;
ii. to relevant governmental ministries, regulators and professional regulatory bodies, registries, statutory boards or authorities or law enforcement agencies including the Singapore Ministry of Health (“MOH”) and the National Electronic Health Records (“NEHR”) to comply with any laws, rules, guidelines and regulations or schemes imposed by any governmental authority;
iii. insurance offices or organisations, reinsurers or investigators for claims, reinsurance and compliance/audit purposes;
iv. to agents, contractors or third party service providers who provide technology solutions, support, operational or administrative services, such as for our online services, courier services, telecommunications, information technology, payment, payroll processing, training, market research, storage, archival, client support services; and
v. any other party to whom you authorise us to disclose your personal data.
Compliance with applicable law and regulations
4. As healthcare providers, Ninkatec and its staff are subject to and regulated by various statutes and regulations such as Medical Registration Act, Singapore Medical Council Guidelines etc. Additionally, special legislation may apply to certain healthcare scenarios e.g. National Registry of Disease Act, Infectious Disease Act, etc. Such legislation (collectively, “Medical Laws”) may override/ apply in place of the provisions/ standards set by the PDPA in respect of the subject matter of such legislation. We may owe duties under such Medical Laws to handle your personal data in certain ways, including making disclosures to appropriate government agencies, ministries, statutory bodies, or third parties in each case in accordance with and within scope of our legal duties.
5. For these purposes, disclosures are made as follows:
i. reporting relevant suspected adverse drug reactions experienced by patients to Health Sciences Authority (HSA);
ii. complying with court orders, directives, or applicable requests from appropriate authorities;
iii. notifying and registering with various registries including registration and notification of death;
iv. providing necessary reports where required to assist in investigations or proceedings (e.g. suspect cases of abuse);
v. facilitating contact tracing if patient is exposed to a certain infectious disease e.g. COVID-19 or identifying and reporting an outbreak or cluster of infection e.g. dengue fever;
vi. releasing personal data to coroner or medical examiner to identify a deceased person, determine cause of death/ investigations/ verdicts; and
vii. all other purposes reasonably related to the aforesaid.
6. The purposes listed in the above clauses may continue to apply even in situations where your relationship with us has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you).
7. You further understand, acknowledge and agree that we may be required to transfer your personal data records to jurisdictions outside Singapore in the provision of our services to you. Personal data may therefore be exported to, processed and accessed in countries whose laws provide a different level of protection, which may not necessarily be comparable to that provided in Singapore.
SECTION 6: ACCESS TO AND CORRECTION OF PERSONAL DATA
1. We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer in writing or via email at the contact details provided below (Section 9: Contact Us).
If you wish to make
a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or
b) a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.
Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.
2. We will respond to your request as soon as reasonably possible. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA). We may also request for more information from you for verification purposes.
SECTION 7: SECURITY AND RETENTION MATTERS
1. To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of personal data by us, and disclosing personal data both internally and to our authorised third-party service providers and agents only on a need-to-know basis.
2. You should be aware, however, that no method of transmission over the internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.
3. We will retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws. For employee personal data, we will retain for up to 7 years in accordance with its legal and business purposes, even after the person ceases to be employed by Ninkatec. With regard to medical data, we will retain medical records in accordance to the duration stipulated by MOH.
4. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.
5. Ninkatec will acknowledge notification duty executed from court or competent legal authority as to the identification of any individual appointment under applicable law, regulation or court order as a Patient’s Representative and Ninkatec will accord any such person access to the personal data of the patient
6. We recognise that the care of a patient may involve other individuals; these may include caregiver, next-of-kin, representative (including executor or administrator to a deceased patient) to a patient (including a deceased patient) or where the individual is a legal guardian or parent of a minor/ disabled patient (collectively a “Patient’s Representative”).
7. The purposes of Handling of your personal data include:
i. contacting relevant authorities in coroner’s cases;
ii. arrangement of home visits, providing medical updates, and seeking consent in emergency/ incapacity situations;
iii. arrangements for caregiver placements;
iv. facilitating vendor liaisons for delivery and maintenance of medical equipment;
v. managing and treating patients, including registering for consultations;
vi. all other purposes reasonably related to the aforesaid.
vi. Ninkatec will acknowledge notification duly executed from court or competent legal authority as to the identification of any individual appointment under applicable law, regulation or court order as a Patient’s Representative and Ninkatec will accord any such person access to the personal data of the patient where required by such law, regulation or court order.
vii. Patients of majority age (i.e. 18 years and above) and with full legal capacity, are entitled to exercise their legal rights to identify any persons who are to act as a Patient’s Representative. If not otherwise specified by the patient, or alerted with due proof of contrary authorisation/order, reasonable assumption will be made to contact any nextof-kin (i.e. parents, spouse, siblings and children) in the event of emergency situations where such contact is necessary to safeguard the health, well-being and safety of the patient.
viii. We will endure to abide to (subject to approved verifications to ensure validity of such instructions) any instruction given to us by any patient of legal age of majority to limit access to his/her personal information or to allow only certain proposed individuals in the management/handling of any personal data or issues concerning the patient’s healthcare.
ix. Notice is given to all individuals that even if they identify themselves as a Patient’s Representative, the identification may not match our latest records/ instructions from the patient, or such records/ instructions may limit access to the patient’s personal data. In such cases, Ninkatec reserves the right to decline access, pursuant to our obligations under the PDPA.
SECTION 8: TRANSFER OF PERSONAL DATA OUTSIDE OF SINGAPORE
1. We generally do not transfer personal data to countries outside of Singapore.
SECTION 9: CONTACTING US
1. You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:
Ninkatec Pte Ltd (Data Protection Officer)
380 Jalan Besar, #05-12 ARC 380 Singapore 209000
Contact: 6247 9247
2. This Policy and your use of this website shall be governed in all respects by the laws of Singapore.
SECTION 10: EFFECT AND CHANGES TO POLICY
1. This Policy applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
2. We may revise this Policy from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Policy was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
Updated 12 January 2021