Privacy Policy

Petcharavej Hospital Privacy Notice

 

Petcharavej Hospital recognizes the importance of protecting personal data and has thus established a privacy policy for personal data owners. This policy aligns with the Personal Data Protection Act B.E. 2562 (2019). The policy explains how the hospital handles personal data of its service users, such as collection, storage, use, disclosure, deletion, or destruction, along with the rights of the personal data owner, as follows:

 

1. Definitions

 

  • “Personal Data” refers to information about an individual which can be used to identify that individual, either directly or indirectly, excluding specifically information about deceased persons. 

 

  • “Sensitive Personal Data” means personal data relating to race, religion, ethnic origin, political opinions, beliefs in a sect, religion or philosophy, sexual behavior, criminal history, health data, disabilities, trade union data, genetic data, biometric data, or any other information which affects the personal data owner in a similar manner as prescribed by the Personal Data Protection Act. 

 

  •  “Service Users” refers to patients, hospital staff, hospital service users, whether individuals or legal entities, whether they have a contract with the hospital or not, and the general public who are owners of personal data. This includes legal guardians acting on behalf of minors, caregivers acting on behalf of incapacitated persons, or protectors acting on behalf of quasi-incapacitated persons. 

 

  •  “Processing of Personal Data” refers to any operation or set of operations performed on personal data, whether automatically or otherwise, which involves collecting, using, or disclosing personal data as ordered by the personal data controller only, such as collection, recording, organizing, structuring, storing, adapting, modifying, retrieving, consulting, using, disclosing by transmission, disseminating, or making available, aligning or combining, restricting, deleting, and destroying. These operations on personal data can only be carried out as long as they do not conflict with the Personal Data Protection Act B.E. 2562 (2019) (including its amendments) and are within the scope allowed by the Personal Data Protection Law. 

 

2. Collection of Personal Data

 

     The hospital will collect personal data with clear objectives, scope, and methods that comply with the law and are fair. Data will be collected only to the extent necessary for the hospital’s operations and only for the hospital’s stated purposes. Furthermore, the hospital will ensure that data owners are aware and will obtain explicit consent before the data collection.

 

3. Purpose of Data Collection or Use

 

    The hospital will collect or use personal data of data owners for the benefit of its operations, such as medical care, financial transactions, procurement, marketing, public relations, contract execution, the hospital’s activities, coordination with others, or to enhance the efficiency of its operations, such as database creation, analysis, and development of the hospital’s processes, and for any other purposes not prohibited by law and/or to comply with relevant laws or regulations related to the hospital’s operations. Data will be stored and used only for the duration necessary for the notified purposes or as prescribed by law.

 

          The hospital will not take any action different from the specified purposes of data collection unless

 

  • (1) It has notified the data owner of the new purpose and obtained consent. 

 

  • (2) It’s in compliance with the Personal Data Protection Act B.E. 2562 or other related laws. 

 

4. Disclosure of Personal Data

 

   The hospital will not disclose the personal data of data owners to any third party without consent and will disclose according to the objectives that have been informed unless

 

     4.1 The hospital may disclose the personal data of the data owners under legal provisions, such as disclosure to government agencies, state agencies, or supervisory bodies. 

 

     4.2 This includes cases where there's a request for data disclosure by legal authority, for instance, data requests for legal proceedings or litigations. 

 

     4.3 Requests from private entities or other external individuals related to legal processes. 

 

     4.4 The hospital may disclose the personal data of the service users to individuals, other entities, or legal entities (which may be called "data recipients") who need to use, disclose, or exchange such data as follows

 

  • In case of disclosure to medical professionals in other hospitals when there's a referral for further treatment or disclosure to specialists from different institutions for consultation, which can happen in both emergency and non-emergency situations. 
  • In cases of disclosing certain health information to other involved parties in taking care of the service users, such as family members, relatives, friends, social workers, officials of elderly care homes, centers for the protection of homeless persons, for the benefit of the service users. 
  • In the event that a service user brings a relative or another person to accompany them or to take care of the service user while they are receiving services within the hospital or medical center, it will be implicitly understood that you consent to allowing those individuals to be aware of the service user’s medical information. 
  • In the case of disclosing information to agencies responsible for health insurance, such as social welfare agencies, social security offices, central accounting departments, insurance companies, or any government agency involved, it’s to provide the rights and benefits of treatment and payment for medical care to service users. 
  • In the case of disclosing, exchanging information with partners, individuals, legal entities, or other government agencies to forward information in compliance with contracts and laws, it’s to ensure that service users receive comprehensive and complete service and treatment. 

 

In any case where the hospital uses or discloses such information to other related individuals or agencies, the hospital will operate within the framework of personal data protection laws. Furthermore, there will be an agreement with the data recipients to prevent unauthorized use or disclosure of the information and to ensure it is used only for the intended purpose. 

 

5. Guidelines for Personal Data Protection 

 

    The hospital will implement various measures, including measures to maintain the security of personal data that complies with laws, regulations, standards, and best practices for personal data protection. These measures are provided to the hospital’s staff and other relevant individuals. Additionally, the hospital supports and promotes awareness among its personnel regarding their duties and responsibilities in collecting, storing, using, and disclosing personal data. The hospital’s staff must adhere to policies and practices set by the hospital to ensure the proper and effective adherence to data protection laws and policies. 

 

6. Retention and Destruction of Personal Data 

 

    The hospital will retain the personal data of service users for as long as necessary to achieve the hospital’s objectives, as has been communicated, or for the period as mandated by law, or as long as the service user provides their consent. When there’s no longer a need to retain the data, or if a service user withdraws their consent, or if they don’t request the hospital to keep their personal data, the hospital will proceed to delete or destroy the personal data, or anonymize the data so that it can’t be used to identify the individual any longer.

 

7. Rights of Personal Data Owners 

 

    Personal data owners have the following rights

 

 (1) The right to revoke consent for the processing of personal data that has been previously given. Revoking consent does not impact the collection, use, or disclosure of personal data that consent was already given for. 

 

(2) The right to access personal data and request copies, as well as the right to disclose how the data was obtained without their consent. 

 

(3) The right to correct any inaccurate personal data. 

 

(4) The right to delete personal data. 

 

(5) The right to suspend the use of personal data. 

 

(6) The right to transfer personal data. 

 

(7) The right to oppose the processing of personal data. 

 

(8) The right to lodge a complaint regarding personal data protection. 

 

- Data owners can exercise the above rights by submitting a written request to the hospital. The hospital will inform the data owner of the outcome of their request within 30 days from the receipt of said request.

 

- However, the hospital may refuse some or all of the data owner’s rights if dictated by law. For example, if acting upon your request would affect the rights and freedoms of others, contradict the law, or if the request is unreasonable. The hospital will provide an explanation if there are any limitations in addressing your rights request. 

 

8.  Review and Modification of the Personal Data Owner’s Privacy Announcement Policy 

 

     The hospital may periodically revise or amend this policy to align with legal requirements, changes in the hospital’s operations, as well as suggestions and feedback from various entities. The hospital will announce any changes clearly before implementing them. 

 

9. Hospital Contact Information 

 

Data Protection Officer (DPO) Details

 

Petcharavej Hospital, 2469/13, New Phetchaburi Road, Bang Kapi Subdistrict, Huai Khwang District, Bangkok 10310. Tel. 0-2318-0080, 1390, 229 (DPO). 

 

Email: dpo@petcharavejhospital.com 

 

 

This policy is effective from June 1, 2022 onwards.