Objectives
The objective of the data privacy policy is to establish clear guidelines and responsibilities for BOH Center and its staff in safeguarding Personally Identifiable Information (PII) and Protected Health Information (PHI). The aim of this policy is to ensure the confidentiality and integrity of patient data and to protect it against unauthorized access, disclosure, or misuse.
Scope
This policy applies to all users and all operating facilities, and to all Information Technology (IT) resources, including IT teams, computer equipment, network, voice or data communications equipment, computer programs, procedures and support software, and data storage devices and media used to store, process, transfer and manage PII and PHI.
Responsibilities
- The Information Security Manager is responsible for the development, maintenance, enforcement, and endorsement of the policy.
- The Information Security Manager is responsible for assisting the relevant business unit/section in implementing the defined controls and for ensuring compliance with this policy.
- All Users are responsible for reading, understanding and adhering to this policy in their day-to-day activities.
- The Information Security Manager is responsible for conducting awareness sessions on this policy for Users.
- Business Process Owners are responsible for ensuring compliance with this policy within their area(s) of concern.
- The Director, or the job title assigned the responsibilities of the Entity's higher management at BOH Centers, shall endorse this policy for its effective implementation.
Policy Statement
Protected Health Information Privacy and Protection
- BOH Centers is committed to protecting the security and confidentiality of the personal information it processes from Data Subjects, including, but not limited to, employees, patients, customers, business partners, vendors, third parties, service providers, suppliers, former employees, and job applicants.
- BOH Centers is aware of the importance of effectively safeguarding and responsibly managing PII and PHI.
- BOH Centers adheres to the following privacy principles to ensure that the Data Subject's data is processed in an appropriate and safe manner.
- BOH Centers respects the privacy of all Data Subjects, including but not limited to employees, patients/customers, business partners, vendors, third parties, service providers, suppliers, former workers, and job applicants, and is aware of the importance of protecting and managing Protected Health Information appropriately.
Consent Collection
- Choice and Consent: BOH Centers shall obtain explicit consent from the Data Subject before collecting their PII and PHI. The consent shall include the right of the Data Subject to withdraw it.
- The Entity shall keep records of the consent obtained from the Data Subject to demonstrate compliance.
Fair, Legitimate and Transparent Processing
- BOH Centers will process the PII and PHI of the Data Subject in a fair and lawful manner.
- BOH Centers will provide the Data Subject with a clear description of the purpose for which their PII and PHI has been collected; a detailed version of this information will be made available to the Data Subject through the consent form and the BOH Centers Privacy Policy. BOH Centers will adopt a general policy of transparency about developments, practices, and policies with respect to PII and PHI.
Collection Limitation
- BOH Centers will collect PII and PHI of the Data Subject only for the purposes identified in the consent. Furthermore, any such information shall be obtained by lawful and fair means and, where appropriate, with the consent of the patient/customer or associate concerned.
- Additionally, BOH Centers will follow the principle of data minimization and will collect only PII and PHI that is limited to and relevant for the purpose for which it is processed.
Use Limitation
PII and PHI of a Data Subject will not be made available or otherwise used for any purpose other than what was agreed with that individual at the time of data collection.
Access
- The Data Subject will be given access to his/her PII and PHI that the entity has gathered or stored in its systems, and will be provided with an opportunity to correct his/her PII and PHI, thereby ensuring that their PII and PHI is accurate. BOH Centers will erase, rectify, complete, or amend the PII and PHI upon a justified request.
- The Data Subject may request BOH Centers to review, correct, update, suppress, or otherwise modify any of their PII and PHI. The Data Subject may object to the processing of their PII and PHI and to decisions made by automated processing.
- All such requests will be routed through the Data Protection Officer or equivalent.
- The Information Security Manager, who holds responsibility for managing Data Privacy, shall, in consultation with the respective Section/Department, support the closure of the request and ensure the data is provided in a machine-readable format. However, the Data Subject will be informed as a priority if any of the following applies:
- The request is not relevant to their own PII and PHI, or is excessively repetitive.
- The request is inconsistent with the judicial procedures or investigations conducted by the competent authorities.
- The request may negatively affect the efforts of the controller to protect information security.
- The request violates the privacy and confidentiality of others’ personal data.
Security
- BOH Centers will protect the PII and PHI that it handles with appropriate technical and organizational safeguards against internal and external security threats, such as loss of confidentiality or integrity, unauthorized destruction or use, and other misuse. To protect against the risk that PII and PHI may be compromised by internal and external security threats, the entity relies on the following information protection controls:
- System controls: User access measures, Network security, Data security etc.
- Process controls: data classification policies, data backup and retention policy, compliance audits etc.
- People controls: Signing of NDAs and/or DPAs, training, awareness, employee background checks, and/or any other project specific requirements.
- BOH Centers will ensure that PII and PHI, or any backup of it in any form, is not stored, processed or transferred outside the UAE, except where a valid exemption issued by DOH is in place.
Disclosure to Third Party/Data Processors
The organization will disclose the PII and PHI of a Data Subject to a third party only with the explicit consent of the Data Subject. For every new engagement with a third party, or renewal of an existing engagement, where PII and PHI is disclosed to the third party, the following must be ensured:
- The risk exposure of the third party is evaluated.
- Initial due diligence is conducted.
- Privacy and data protection provisions are included in the Contract/Service Level Agreement.
Accuracy
- BOH Centers will keep PII and PHI accurate, complete, and up to date.
Retention and Disposal
- BOH Centers will retain PII and PHI only for the duration required to fulfil the stated purpose. BOH Centers may need to keep PII and PHI for a longer period to comply with legal obligations, resolve complaints, and enforce agreements. However, where PII and PHI is no longer needed, BOH Centers will anonymize the data using an identity concealment mechanism.
Cross Border Data Transfer
- When conducting business, working on BOH Centers projects, or implementing new processes or systems, BOH Centers may need to transfer PII and PHI to other BOH Centers entities or to third parties located outside the BOH Centers country of business. BOH Centers may transfer and share PII and PHI only in adherence to federal and local mandates on data transfer, processing and storage.
Privacy Data Breach Management
- Privacy breach management establishes the requirements for monitoring and responding to potential privacy breaches involving PII and PHI.
- BOH Centers establishes requirements for monitoring and responding to potential privacy incidents involving PII and PHI in accordance with policy requirements. Privacy incident management shall ensure that:
- All privacy incidents are reported to the Information Security Manager/Data Protection Officer or the assigned function through the designated mail ID (Mode to be decided and developed by the Entity).
- All privacy incidents are recorded and tracked.
- DOH – Abu Dhabi Health SOC is notified about the breach at the entity and/or the relevant third party/data processor within the defined timeline.
- The affected Data Subject is informed about the breach, including the level of impact/damage and the measures undertaken for correction and prevention.
Data Processing Inventory
- BOH Centers will prepare a Data Processing Inventory to visualize, track, and analyze how PII and PHI is created, collected, used, shared, and disposed of across the entity.
- The Data Processing Inventory will support the entity's Information Security and Privacy risk management strategy by streamlining the data collection process and making it transparent.
- The inventory will include fields including, but not limited to:
- Description of the categories of PII and PHI.
- Details about the data subject.
- Individuals authorized to access personal healthcare information.
- Period, purpose, limitation, and scope.
- Details about data exchange/transfer.
- Mechanism of transfer, deletion, modification or processing.
- Data related to the cross-border movement if any.
- Technical and organizational measures related to information security and processing operations.
- Data Flow Diagrams.
Website Privacy Notice
BOH Centers is committed to protecting the privacy and confidentiality of personal data collected through its website in accordance with Abu Dhabi Department of Health (DOH) requirements, ADHICS v2, and the UAE Federal Personal Data Protection Law (PDPL).
This section explains how personal data is collected, processed, stored, and protected when users access or interact with the BOH Centers website.
Information We Collect
BOH Centers may collect and process the following categories of personal data through its website:
a) Personal Information
- Name, email address, phone number, and other contact details submitted via online forms, appointment bookings, or inquiries.
b) Technical Information
- Internet Protocol (IP) address.
- Browser type and version.
- Device type and operating system.
- Date and time of access.
c) Usage Data
- Pages visited, navigation paths, session duration.
- Interaction with website features and services.
d) Sensitive Information (if applicable)
- Health-related data submitted voluntarily through secure forms (handled in compliance with PHI requirements).
Cookie Policy
BOH Centers uses cookies and similar tracking technologies to enhance the user experience, ensure website functionality, and analyze website performance, in compliance with DOH, ADHICS, and the UAE PDPL.
Cookie Consent
- Users are presented with a cookie consent banner upon first visit.
- Users can accept or reject non-essential cookies.
- Consent is recorded and can be withdrawn at any time.
Communication and Training
- BOH Centers will ensure adequate awareness of data privacy, its importance, and its implications through a targeted and relevant training program.
Policy Compliance
- Any violation or breach of this policy may be subject to the Information Security Violation Management Process and/or the HR disciplinary procedure.
- Users should seek clarification from the Information Security Department if uncertain.
- The Information Security function reserves the right to check compliance periodically.
- Exceptions require approval from the Information Security Manager/Data Protection Officer.