Privacy Policy

Privacy Policy & Informed Consent

Entity: My Virtual Doctor

Jurisdiction: Republic of South Africa

Compliance: POPIA (Act 4 of 2013); National Health Act (Act 61 of 2003)

1. Introduction

My Virtual Doctor (“we,” “us,” or “the Practice”) recognizes the importance of privacy and the sensitive nature of medical data. This policy describes our protocols for the collection, storage, and processing of “Personal Information” (as defined by POPIA) and “Special Personal Information” (medical records).

2. Information We Collect

We utilize a dual-silo data architecture to minimize risk:

  • Website Administrative Data: Limited to Name, Email, and Mobile Number. This is used solely for authentication and communication.
  • Special Personal Information (EMR): Stored on a secure VPS, separate environment. This includes:
    • Official Identity Numbers (UID).
    • Physical Address (for prescriptions/diagnostics).
    • Medical history, biometric data, and clinical photographs/video recordings from consultations.

3. Purpose of Processing

Information is collected for the following legal bases under POPIA:

  • Provision of Care: To provide accurate diagnosis and treatment.
  • Legal Obligation: Maintaining medical records for the period mandated by the HPCSA (typically 6–40 years depending on the case).
  • Legitimate Interest: To facilitate secure telemedicine communication.

4. Advanced Security Measures

To protect the Practice from liability, we implement industry-standard technical and organizational measures:

  • Access Control: The EMR Virtual Private Server (VPS) is accessible only via Public Key Infrastructure (PKI). Password-based logins are disabled to prevent brute-force attacks.
  • Network Security: The VPS is protected by a multi-layered firewall, allowing only specific white-listed traffic.
  • Encryption: Data is encrypted using AES-256 standards while at rest.

5. Sharing of Information (Operators vs. Third Parties)

  • No Commercial Sharing: We do not sell or share data with third parties for marketing.
  • Mandatory Disclosure: We may disclose information if required by a court order or if there is a “serious and imminent threat to public health or safety.”
  • Medical Referrals: With your verbal or written consent, clinical data may be shared with laboratories, pharmacies, or specialists.

6. Data Retention and Destruction

  • Retention: Medical records are kept as per the National Health Act requirements.
  • Destruction: Once the retention period expires, data is deleted using “secure wipe” protocols that ensure the information cannot be reconstructed. Data is only destroyed in specific circumstances under POPIA act.
  • All changes to data or additions/deletions are audited for accountability. A register of destroyed records is required.

7. Data Breach Notification

In the event of a suspected or actual data breach (unauthorized access), we are legally bound by Section 22 of POPIA to:

  1. Notify the Information Regulator.
  2. Notify the affected Data Subjects (patients) as soon as reasonably possible, unless identity disclosure would impede a criminal investigation.

8. Your Rights (The Data Subject)

Under POPIA, patients have the right to:

  • Withdraw Consent: You may withdraw consent for us to hold your data (subject to legal retention requirements).
  • Access & Correction: You may request a copy of your file or request that we update incorrect contact information.
  • Complaints: You have the right to lodge a complaint with the South African Information Regulator at complaints.IR@justice.gov.za.

9. The Information Officer

The Practice has yet to appoint an Information Officer responsible for overseeing POPIA compliance.

contact the below email in the interim:

Contact: info@myvirtualdoctor.co.za