Eyecare Deluxe uses closed-circuit television (CCTV) images to protect the clinic’s property and to provide a safe and secure environment for employees and patients inside the premises of Eyecare Deluxe. This policy sets out the details of how Eyecare Deluxe will collect, use, and store CCTV videos. For more information on your privacy rights associated with the processing of your personal data collected through CCTV video, please refer to the Eyecare Deluxe Privacy Notice.
The CCTV of Eyecare Deluxe is only capable of video recording, except inside the examination room, where there is an audio recording in place.
Purposes of CCTV
The data collected from the system will assist in:
· Prevention or detection of crime
· Identification and prosecution of offenders.
· Monitoring of the security of the premises within Eyecare Deluxe
· Ensuring that health and safety rules and procedures are being complied with.
· Identification of unauthorized actions or unsafe practices.
· Promoting productivity and efficiency.
Location of Cameras
Cameras are located at strategic points throughout the premises of Eyecare Deluxe principally at the hallways, cashier, and examination room. No camera focuses, or will focus, on toilets, shower facilities, and changing rooms.
All cameras (with the exception of any that may be temporarily set up for covert recording) are also clearly visible.
Appropriate signs are prominently displayed so that employees, clients, customers, and other visitors are aware they are entering an area covered by CCTV.
Recording and Retention of Images
Images produced by the CCTV equipment are intended to be as clear as possible so that they are effective for the purposes set out above. Maintenance checks of the equipment are undertaken on a regular basis to ensure it is working properly and that the media is producing high-quality images.
Videos are recorded in constant real-time (24 hours a day throughout the year).
As the recording system records digital videos, any CCTV videos that are held on the hard drive of a PC or server are deleted and overwritten on a recycling basis and, in any event, once the hard drive has reached the end of its use, it will be erased prior to disposal.
Videos that are stored on, or transferred onto, removable media such as CDs or which are stored digitally are erased or destroyed once the purpose of the recording is no longer relevant. In normal circumstances, this will be a period of 3 months. However, where a law enforcement agency is investigating a crime, images may need to be retained for a longer period.
Access to and Disclosure of Images
Access to, and disclosure of, images recorded on CCTV is restricted. This ensures that the rights of individuals are retained. Images can only be disclosed in accordance with the purposes for which they were originally collected. The images that are filmed are recorded centrally and held in a secure location. Access to recorded images is restricted to the operators of the CCTV system and to managers who are authorized to view them in accordance with the purposes of the system. Viewing of recorded images will take place in a restricted area to which other employees will not have access when viewing is occurring. If media on which images are recorded are removed for viewing purposes, this will be documented.
Disclosure of images to other third parties will only be made in accordance with the purposes for which the system is used and will be limited to:
· Law enforcement agencies where the images recorded could assist in the prevention or detection of a crime or the identification and prosecution of an offender or the identification of a victim or witness.
· Relevant legal representatives.
· Admin officers and managers involved with performance management processes.
The Data Privacy Officer or another senior director only shall be permitted to authorize disclosure of images to external third parties such as law enforcement agencies.
All requests for disclosure and access to images will be documented, including the date of the disclosure, to whom the images have been provided, and the reasons why they are required. If disclosure is denied, the reason will be recorded.
Individuals’ Access Rights
Individuals have the right to request a copy of the personal data that Eyecare Deluxe holds about them, including CCTV images if they are recognizable from the image.
Necessary fees for processing the CCTV file shall be paid for by the individual.
If you wish to access any CCTV images relating to you, you must make a written request to the Data Protection Officer of Eyecare Deluxe. This can be done by using this email address email@example.com. Your request must include the date and approximate time when the images were recorded and the location of the particular CCTV camera so that the images can be easily located and your identity can be established as the person in the images.
Eyecare Deluxe will usually respond promptly and in any case within one month of receiving a request. However, where a request is complex or numerous, Eyecare Deluxe may extend the one month to respond by a further two months. Eyecare Deluxe will always check the identity of the individual making the request before processing it.
The Data Protection Officer of Eyecare Deluxe will always determine whether disclosure of your images will reveal third-party information, as you have no right to access CCTV images relating to other people. In this case, the images of third parties may need to be obscured if it would otherwise involve an unfair intrusion into their privacy.
If Eyecare Deluxe is unable to comply with your request because access could prejudice the prevention or detection of crime or the apprehension or prosecution of offenders, you will be advised accordingly.
Eyecare Deluxe is aware that covert recording can only be done in exceptional circumstances, for example where Eyecare Deluxe suspects criminal activity taking place.
If Eyecare Deluxe considers there is a proportionate risk of criminal activity, or equivalent malpractice taking place or about to take place, and if informing the individuals concerned that the recording is taking place would seriously prejudice its prevention or detection, Eyecare Deluxe will covertly record the suspected individual(s).
In doing this, Eyecare Deluxe will rely on the protection of its own legitimate interests as the lawful and justifiable legal basis for carrying out the covert recording.
Covert monitoring may include both video and audio recording.
Covert monitoring will only take place for a limited and reasonable amount of time consistent with the objective of assisting in the prevention and detection of particular suspected criminal activity or equivalent malpractice. Once the specific investigation has been completed, covert monitoring will cease.
Information obtained through covert monitoring will only be used for the prevention or detection of criminal activity or equivalent malpractice. All other information collected in the course of covert monitoring will be deleted or destroyed unless it reveals information which Eyecare Deluxe cannot reasonably be expected.
Eyecare Deluxe will ensure that all employees handling CCTV images or recordings are trained in the operation and administration of the CCTV system and on the impact of the laws regulating data protection and privacy with regard to that system.
The Data Protection Officer of Eyecare Deluxe is responsible for the implementation of and compliance with this policy and the operation of the CCTV system and they will conduct a regular review of the use and processing of CCTV images and ensure that at all times it remains compliant with the laws regulating data protection and privacy. Any complaints or enquiries about the operation of the CCTV system of Eyecare Deluxe should be addressed to the Data Protection Officer.
Eyecare Deluxe will process the personal data collected in connection with the operation of the CCTV policy in accordance with its data protection policy and any internal privacy notices in force at the relevant time. Inappropriate access or disclosure of this data will constitute a data breach and should be reported immediately to the Data Protection Officer.
In most cases, Eyecare Deluxe processes personal data in order to carry out its functions as an eye clinic, comply with legal obligations, lawful issuances or orders of other public authorities, as well as contractual obligations to its patients and to pursue its legitimate interests.
Personal data refers to personal and sensitive personal information as defined under the DPA.
II. SOURCES AND CATEGORIES OF PERSONAL DATA
Personal data, prescriptions, referral letters, medical results, and other documents provided by patients, their representatives, their attending doctors, and attending clinic associates.
Eyecare Deluxe operates closed circuit television (CCTV) systems for the safety and security of members of Eyecare Deluxe personnel, patients, and doctors, as well as its premises and assets. In the course of operating such CCTV systems, Eyecare Deluxe may capture your images and videos.
The categories of personal information that Eyecare Deluxe processes, usually through print or electronic means, include:
• Personal Details: Name, work and home addresses, contact details, birthdate, birthplace, age, gender, civil status, signature and such other information
• Medical and Ocular Details: medical and ocular history, prescriptions, medical records, referral letters, etc
• Government-Issued Identification: GSIS Number (Common Reference Number), taxpayer identification number (TIN), PhilHealth Number, Pag-IBIG Fund (HDMF) Number, etc.
• Legal Guardians and Emergency Contacts: Names, addresses, and other contact details
• Diagnostic Photographs and Images as well as other information as discussed above.
III. PURPOSES FOR THE PROCESSING OF PERSONAL DATA
Eyecare Deluxe processes personal data for the following purposes:
1) To process submitted forms and documents bearing personal information
2) To facilitate the conduct of comprehensive eye examinations, consultations, and follow-ups
3) To comply with internal processes and legal requirements in the administration of care and management
4) To verify the patient’s identity and prevent identity fraud
5) To communicate updates regarding matters related to the patient’s appointments, eye exams, management plan, and other legitimate concerns;
6) To perform actions such as the issuance of medical certificates, referral letters, order forms, statements of accounts, receipts, etc
8) To process donations and grants and facilitate eye and other welfare-related services, when available, to qualified indigent patients
9) To comply with the requirements of applicable laws and issuances of public authorities, such as the filing and remittance of taxes
10) To investigate and resolve patient concerns.
11) To investigate a security threat;
12) To provide a safe workplace, and secure Eyecare Deluxe premises from threats, theft, robbery, fraud, legal liability, and similar incidents;
14) When so required, to process the termination of your managements and treatments
15) When so required, to settle accountabilities
16) To compile statistics and conduct research, subject to the provisions of the DPA, and applicable research ethics guidelines,
17) To comply with other applicable statutory and regulatory requirements, including directives, issuances by, or obligations of Eyecare Deluxe to any competent authority, regulator, enforcement agency, court, or quasi-judicial body;
Eyecare Deluxe has a legitimate interest in securing its premises, assets, doctors, clinic associates, and staff. Eyecare Deluxe adopts means in order to provide services for its patients in a more efficient manner. Rest assured that Eyecare Deluxe will process the above data for such periods allowed by the DPA and other applicable laws.
Examples when Eyecare Deluxe discloses information as allowed by the DPA or other applicable laws include:
a. disclosing personal information such as name, contact number, home and work address and medical and ocular details, office address, and other relevant information that are exempt from the coverage of the DPA in the relevant directories, and the like, for information purposes, or as required in order to comply to any competent authority, regulator, enforcement agency, court, or quasi-judicial body;
b. disclosing grants, donations, or any other discretionary benefit, given by Eyecare Deluxe, the Philippine government, or charitable institutions allowed by Section 4 (c) of the DPA qualified Eyecare Deluxe indigent patients
c. disclosures for the benefit or in support of the patient’s interests (such as those intended to enable patients to accept donations, grants, and awards)
d. news or feature articles (or other similar disclosures) about clinical breakthroughs regarding eye and vision management plan in Eyecare Deluxe public spaces, publications, websites or social media posts, or disclosures that Eyecare Deluxe may make in the exercise of its sound discretion in response to inquiries from the press, or press releases and other similar disclosures for journalistic purposes, as allowed by the DPA,
e. publishing, broadcasting, transmitting, uploading or streaming of Eyecare Deluxe activities or events pursuant to the legitimate interests of Eyecare Deluxe or third parties, or for journalistic purposes as allowed by the DPA;
f. information that we share with third parties who process personal data and information in order to provide products or services to the patient or to Eyecare Deluxe (e.g. Zeiss Laboratory, Paragon Laboratory, cloud service providers for data processing systems, email and software providers, and third-party health providers). Unless these personal data are provided, it will not be possible for such products or services to be provided to the patient. Where applicable, Eyecare Deluxe will take reasonable steps to require third parties who receive personal data to uphold the right to data privacy of all Eyecare Deluxe patients.
g. disclosures made pursuant to law and lawful issuances or orders of public authorities, such as law enforcement agencies, courts, and quasi-judicial bodies;
h. disclosures made in order for Eyecare Deluxe to respond to an emergency and comply with its duty to exercise due diligence to prevent harm or injury to its patients or others;
i. disclosures to establish, exercise, or defend legal claims; and
j. such other disclosures that may be made pursuant to the DPA and other applicable
IV. RETENTION OF PERSONAL DATA
Eyecare Deluxe shall retain and provide measures for the secure storage of the personal data of all its patients for as long as the above purposes for processing such data subsist, in order to establish or defend legal claims, or as otherwise allowed or required by the DPA and other applicable laws and issuances. Eyecare Deluxe will archive and provide for the secure disposal of your personal data pursuant to the requirements of, among other laws and issuances, the DPA, and National Privacy Commission issuances,
V. HOW EYECARE DELUXE PROTECTS PERSONAL DATA
Eyecare Deluxe has put in place physical, organizational, and technical measures to protect the right to privacy and is committed to reviewing and improving the same.
VI. ACCESS TO AND CORRECTION OF YOUR PERSONAL DATA AND YOUR RIGHTS UNDER THE DPA
Patients have the right to access personal data about them being processed by Eyecare Deluxe. Patients may access their personal information, for instance, where applicable, through the Data Privacy Officer, Mr. Reuel Tan. In order for Eyecare Deluxe to see to it that the personal data is disclosed only to its owner, Eyecare Deluxe will require the presentation of a valid government-issued ID (GIID) and documents that will enable Eyecare Deluxe to verify the patient’s identity. In case the request for personal information is made through a legal representative, in order to protect data privacy, we require representatives to provide a letter of authorization specifying the purpose for the request of documents or the processing of information, and valid GIIDs of the patient, as well as valid GIIDs of the representative.
In the event that the personal information needs to be corrected, please get in touch with the Data Privacy Officer.
Aside from the right to access and correct personal data, patients have the following rights subject to the conditions and limitations provided under the DPA and other applicable laws and regulations:
a. The right to be informed about the processing of your personal data through, for example, this and other applicable privacy notices.
b. The right to object to the processing of your personal data, to suspend, withdraw or order the blocking, removal, or destruction thereof from our filing system. Please note, however, that (as mentioned above) there are various instances when the processing of personal data you have provided to us is necessary for us to comply with statutory and regulatory requirements, or is processed using a lawful basis other than consent.
VII. HOW WE OBTAIN CONSENT AND HOW TO WITHDRAW CONSENT
Eyecare Deluxe obtains consent for the processing of personal data pursuant to this privacy notice by asking patients to sign the relevant form or, in some instances, to give consent through electronic means. If a patient wishes to withdraw consent, they may write or send an email to firstname.lastname@example.org with the subject DATA PRIVACY. A copy of GIID is required so that Eyecare Deluxe will be able to verify the patient’s identity. Note that consent may be withdrawn only for a processing activity for which consent is the only applicable lawful ground for such processing. Please await the Data Privacy Officer’s action regarding Data Privacy requests. Rest assured that once our Data Privacy Officer confirms the validly withdrawn consent for a processing activity the same shall be effective unless the patient thereafter sends a letter or email to the Data Privacy Officer consenting to such data processing activity.
VIII. REVISIONS TO THIS PRIVACY NOTICE AND QUERIES REGARDING DATA PRIVACY AND PRIVACY NOTICE FOR EYECARE DELUXE
Please contact the Data Protection Officer of Eyecare Deluxe through the following:
+63 995 463 2319