Should Vula Medical share any information with a Third Party outside the scope of obtaining advice from, or referring a patient to a Specialist or Health Practitioner, they undertake to do so only on the following conditions:

• Any information that can identify a person will be removed to protect the person’s privacy. This includes the name, surname, identity number, and facial images.

• Any information that can be used to communicate with a person will be removed to prevent unauthorised communications being sent. This includes phone numbers and email addresses.

• The information shared will only be used for research purposes.

• Where necessary to protect our legal rights and interest, or the interests of others, we may also use patient Information in relation to legal claims, compliance, audit, risk management and regulatory functions.

• We may, from time to time, share Information contained in reports with the Departments of Health for research purposes. However, we will only share Personal Information in these reports insofar as it is necessary for the governmental institution to fulfil its functions in advancing public health or other public interests.

• We may disclose Personal Information to our third parties, as defined in POPIA, for legitimate business purposes, in accordance with applicable law and subject to applicable professional and regulatory requirements regarding confidentiality. In addition, we may disclose Personal Information in order to provide support services to our data subjects. We may also share patient information with:

  • any person that works for us and is in the employ of Vula Medical, either as a permanent employee, consultant or contractor;

  • companies and organisations that provide services to us, including in relation to technical infrastructure, and web and app development and support;

  • our professional advisers, consultants and other similar services;

  • legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;

  • any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights;

  • any relevant party for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including, but not limited to, safeguarding against and the prevention of threats to public security.

• We will otherwise treat all patient Information as private and confidential and will not share it with other parties except:

  • where permission has been given;

  • where we believe it is reasonably necessary to comply with any law, regulation, legal process or governmental request, to enforce our Terms and Conditions of use or other agreements, or to protect the rights, property, or safety of us, our customers or others;

  • where we may transfer rights and obligations pursuant to an agreement with the Health Practitioner, Specialist or Patient.

5.4             Transborder flows of personal information

As set out in the Information Security section above, patient Personal Information and Special Personal Information collected through the Vula Platform may be transferred to, stored in, or otherwise processed in jurisdictions outside of the Republic of South Africa, where such transfer is necessary to enable healthcare practitioners to access and utilise the Vula Platform and its related services. 

In accordance with section 72 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), such transborder transfers of Personal Information will only occur where the recipient third party, whether a natural or juristic person, located outside the Republic of South Africa is subject to: 

5.4.1.         applicable law; or

5.4.2.         binding agreement

which provides an adequate level of protection for the Personal Information that is substantially similar to the protections afforded under POPIA, and in accordance with the terms of this Privacy Notice.

The transfer of Personal Information across borders will be limited to what is strictly necessary for the provision of the requested services. 

5.5.         General description of Information Security Measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information

Vula Medical places great importance on ensuring the security of all patient information and is obliged to prevent the loss of, damage to, or unauthorised destruction of Personal Information and Special Personal Information as well as the unlawful access to or processing of this information. The patient Information collected is securely stored within the Vula Platform using regularly reviewed, up to date, and appropriate and reasonable technical and organisational measures as required by applicable law to protect the Information from loss, misuse, unauthorised access, unauthorised disclosure, alteration or destruction.

The Vula Platform, including both the Mobile App and the Web Portal, are developed using secure technologies with Security by Design and Privacy by Default principles at the forefront of its architecture, and can only be accessed using strong access control protocols, and only by Vula approved and validated end-users. 

The Vula Platform is a cloud based solution hosted by Heroku (a Salesforce Company) in a HIPAA certified Amazon Web Services (AWS) Data Centre in Europe. All patient Information collected, processed and stored is, thus, done so in this location. The AWS Data Centre is ISO 27001 certified which provides assurance with regards to the physical, logical and environmental security of the hosted solution and the patient Information therein, as well as the business continuity and availability of the services we offer.

Vula, in collaboration with the AWS Data Centre, has further taken reasonable measures to:

• identify all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;

• establish and maintain appropriate safeguards against the risks identified;

• regularly verify that the safeguards are effectively implemented; and

• ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

5.6.     Data Breaches      

In the event of any privacy or security breaches of the Vula Platform, or at our Third Party Hosted Data Centre, that are likely to result in any risk to a patient’s Personal Information and/or Special Personal Information, or to the patient’s rights and freedoms, we will notify Health Practitioners, Specialists, and the relevant Regulatory Authority as soon as we become aware of such.

End-users of the Vula Platform have also been advised to notify Vula Medical immediately where they have reasonable grounds to believe that their accounts or patient data have been accessed or acquired by any unauthorised person.

6.     INFORMATION REQUEST PROCEDURE

• The requester must use the prescribed form to make the request for access to a record. A request form is available from our offices.

• The request must be made to the Chief Information Officer named in section 3 above. This request must be made to the address, fax number or electronic mail address of the business.

• The requester must provide sufficient detail on the request form to enable the Chief Information Officer to identify the record and the requester.

• The requester should also indicate which form of access is required. The requester should also indicate if any other manner should be used to inform the requester. If this is the case, please furnish the necessary particulars to be so informed.

• The requester must identify the right that is sought to be exercised or to be protected and must provide an explanation of why the requested record is required for the exercise or protection of that right.

• If a request is made on behalf of another person, the requester must submit proof of the capacity in which the requester is making the request to the satisfaction of the Chief Information Officer aforesaid.

• The prescribed fee must be attached.

• We will respond to your request within 30 days of receiving the request by indicating whether your request for access has been granted or denied.

• Please note that the successful completion and submission of a request for access form does not automatically allow the requestor access to the requested record.

• Access will be granted to a record only if the following criteria are fulfilled:

  • The record is required for the exercise or protection of any right; and

  • The requestor complies with the procedural requirements set out in the Act relating to a request; and

  • Access to the record is not refused in terms of any ground for refusal as contemplated in Chapter 4 of Part 3 of the Act.

7.     DENIAL OF ACCESS

 Access to any record may be refused under certain limited circumstances. These include:

• The protection of personal information held concerning any natural person;

• The protection of commercial information held concerning any third party (for example trade secrets);

• The protection of financial, commercial, scientific or technical information that may harm the commercial or financial interest of any third party;

• Disclosures that would result in a breach of a duty of confidence owed to a third party;

• Disclosures that would jeopardize the safety of life of an individual;

• Disclosures that would prejudice or impair the security of property or means of transport;

• Disclosures that would prejudice or impair the protection of a person in accordance with a witness protection scheme;

• Disclosures that would prejudice or impair the protection of safety of the public;

• Disclosures that are privileged from production in legal proceedings unless the privilege has been waived;

• Disclosures of details of any computer programme;

• Disclosures that will put Vula Medical at a disadvantage in contractual or other negotiations or prejudice it in commercial competition;

• Disclosures of any record containing any trade secrets, financial, commercial, scientific, or technical information that would harm the commercial or financial interest of Vula Medical;

• Disclosures of any record containing information about research and development being carried out or about to be carried out by Vula Medical;

• If access to a record or any other relevant information is denied, our response will include:

  • Adequate reasons for the refusal; and

  • Notice that you may lodge an application with the court against the refusal and the procedure including details of the period for lodging the application. 

8.     AVAILABILITY OF THE MANUAL

8.1.        A copy of the Manual is available-

8.1.1.     on www.vulamedical.com;

8.1.2.     head office of Vula Medical for public inspection during normal   business hours;

8.1.3.     to any person upon request and upon the payment of a reasonable prescribed fee; and

8.1.4.    to the Information Regulator upon request.

8.2.         A fee for a copy of the Manual, as contemplated in annexure B of the Regulations, shall be payable per each A4-size photocopy made.

9.     UPDATING OF THE MANUAL 

The head of Vula Medical will on a regular basis update this manual.

Issued by

Dr William Mapham CEO and Information Officer