1.1 ROSE Foundation (“ROSE”) understands the importance of protecting the privacy and confidentiality of all your personal and health information. We are committed to safeguarding your privacy and ensuring that your personal data is protected. We therefore take steps to make sure that our policies and practices in relation to personal data comply with the requirements of the Personal Data Protection Act 2010 (the “Act”) and the relevant laws.
2. How do We Collect Personal Information?
2.1 ROSE collects a range of personal and health information about individuals (“you”, “your”). ROSE may collect this information from you, or from another person dealing with you, such as your healthcare service provider, healthcare professional, or employer, or from third-party technology platforms.
3. Types of Personally Identifiable Information Collected
3.1 It is necessary for you to provide us with your Personal Data, when you require us to provide you with a Service. If your Personal Data is incomplete or incorrect, we will not be able to provide or continue to provide the Services to you.
3.2 If you use our Services and Site, your personally identifiable information (“Personal Data”) collected includes, but is not limited to:
a) your name, gender, age, telephone number, home address, email address, credit card information, bank account number;
b) the results of all pathology and screening tests performed by ROSE for individuals undergoing those tests;
c) other medical and health related information, including clinical information which may be provided by you or a healthcare service provider or a healthcare professional ordering a pathology or screening test. This may include a description of current or previous symptoms, health status, family history, health conditions, treatments and other test results; and
d) other information relating to screening and immunisation which is specific to our projects and services at the time we offer the services.
3.3 The type of information that ROSE collects and the way in which it may use and disclose that information varies according to the Services, activities and programmes ROSE provides or undertakes in relation to you, as an individual. Some of the purposes for which your Personal Data may be used are set out in sections below, including the use of Personal Data for direct marketing.
4. Purpose and Use of Personal Data
4.1 You agree that all the Personal Data provided by you to us may be used and retained by us for the following purposes and for other purposes as may be agreed between you and us or required by law from time to time (collectively, “Purposes”):
a) to perform and provide our Services (including ancillary Services) to you, particularly to perform and to assist in reporting a pathology test that has been ordered, and making recommendations for the management of test results (follow up) to healthcare service providers, healthcare professionals and employers;
b) as well as to perform our other activities and programmes;
c) to process any payment instructions, direct debit facilities and/or credit facilities requested by you or to liaise with a third-party payer;
d) for research, to improve our knowledge, particularly of how to better prevent cancer of the cervix in women. However, no research publication will ever identify an individual without prior written consent from that person. Where small numbers of patient data are used for research purposes, data suppression is routinely applied to prevent inadvertent identification of an individual;
e) if required, to share your Personal Data with statutory bodies, regulators, advisors, auditors, technology/service providers, or our donors, benefactors, business partners and counterparties in connection with our business and discharge/performance of any services related thereto, or by law for purposes of enforcing a judgement/court order, assisting or preventing or detecting crime, and/or to meet our other contractual and regulatory obligations;
f) to communicate and to manage our relationship with you, your healthcare service providers, healthcare professionals, clients, employers, employees, employment applicants, service providers, advisors as well as regulators;
g) to provide you with communications with regard to health information, details of services and its benefits and to support projects and initiatives and fulfil contractual obligations;
h) to conduct activities related to quality assurance and improvement processes, accreditation and audits and managing legal and other claims;
i) to help investigations into complaints, to respond to complaints and suspected suspicious transactions as well as wrongful disclosure of Personal Data;
j) the normal management, operation and maintenance of the performance of the services including marketing and research (like aggregated behavioural analysis) for service improvements and designing new, or improving existing, services provided by us, and/or our subsidiaries to you; and
k) all other permissible purposes required to operate, maintain and better manage our business and your relationship with us, which we notify you of at the time of obtaining your consent; and you agree and consent to us using and processing your Personal Data for the Purposes in the manner as identified in this policy. If you do not consent to us processing your Personal Data for one or more of the Purposes, please notify us at the contact details below.
4.2 We would also like to use your Personal Data for direct marketing/cross-selling to you (whether by post, email, phone, text messages, social media, telecommunication channels or the like) in relation to:
a) our offerings and promotions;
b) services, products, discounts and promotions offered by our counterparties healthcare service providers and/or healthcare professionals; and
c) other offerings and promotions from the third-party merchants that we cooperate with to provide benefits to our customers.
Please note that we cannot use your Personal Data for the aforesaid unless we have received your consent.
5. Security and Retention
5.1 All personal data provided to us is secured by us or our third-party service provider with restricted access by authorised personnel only. We maintain appropriate administrative, technical and physical safeguards to protect the personal data provided to us against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure, or use and other unlawful forms of processing.
5.2 Our Site may contain hyperlinks to other websites provided by third parties. We do not control these third-party websites or any of the content contained on those websites. Once you have left our website, we cannot be responsible for the protection and privacy of any information which you provide. You should exercise caution and look at the privacy statement for the website you visit.
6. When is Your Personal Data Disclosed?
6.1 ROSE may disclose your Personal Data for the purposes set out in the previous section. It may also disclose your personal and health information in the following circumstances:
a) to anyone that you have authorised or requested the disclosure to be made including your employer, your insurance broker or insurer, your healthcare service provider, or healthcare professional who ordered the pathology test;
b) at your request, or at your healthcare service provider’s or healthcare professional’s request, to another healthcare professional;
c) at your healthcare service provider’s or healthcare professional’s request, to another laboratory when a further opinion is being sought on a pathology specimen or for a pathology test that has been ordered but which is not performed at ROSE;
d) to your representative (e.g., a sibling, a spouse, a relative, any next of kin, an authorised representative or lawyer);
e) to our legal advisors and insurers;
f) to the extent required by law or pursuant to any court order. This may include information provided to a Coroner or a Court under a subpoena;
h) to any party nominated or appointed by us, either solely or jointly with other service providers, for purpose of establishing and maintaining our database and/or providing us with data centres and/or servers located within or outside Malaysia for our business purposes or otherwise;
You hereby acknowledge that such disclosure and transfer may occur and permit us to disclose and transfer your Personal Data to such third party and its advisors/representatives and/or any other person reasonably requiring the same in order for us to operate and maintain our business or carry out the activities set out in the Purposes.
6.2 ROSE may also disclose your information in other circumstances and to other persons if you have given your express or implied consent, or if we are permitted or required to do so by law (including under the Act, the Private Health Care Facilities and Services Act 1998 and Prevention and Control of Infectious Diseases Act 1988).
6.3 We may disclose and transfer (whether in Malaysia or abroad) to our counterparts, agents or service providers (under a duty of confidentiality or at the very least, have similar privacy laws like Malaysia) who provide screening technology, patented process, administrative, data processing, research and marketing, distribution, telecommunications, professional or other similar services to us and to any of our actual or proposed assignees or transferees of our rights with respect to you, to use, hold, process or retain such Personal Data for the purposes referred above on our behalf.
7. Your Rights to Your Personal Data
7.1 You have the right to:
a) check whether we hold any of your Personal Data;
b) access your Personal Data held by us;
c) ask us to correct or update any Personal Data which is inaccurate;
d) ascertain our policies and practices (from time to time) in relation to Personal Data;
e) opt out from receiving direct marketing materials from us at any time; and
f) subject to this paragraph 4, limit our processing of your Personal Data.
Any requests or enquiries in relation to the above shall be in writing and addressed to:
Data Protection Officer
1-7, Kompleks Inkubator dan Inovasi (UMX)
Universiti Malaya, Lingkungan Budi
50603 Kuala Lumpur, Malaysia.
In accordance with the Personal Data Protection Act 2010, we have the right to charge you a reasonable fee for the processing of any Personal Data access request.
7.2 If you have any concerns or complaints about your privacy or the manner in which ROSE has handled your Personal Data, please contact our Data Protection Officer at the contact details above. We will endeavour to resolve your complaint promptly and will provide a written response to you.
If you believe your Personal Data may have been processed in breach of any provision of the Act, and ROSE is unable to resolve your complaint satisfactorily, you may wish to direct your complaint to the Personal Data Protection Commissioner. You may write to:
Department of Protection of Personal Data
Level 6, Kompleks Kementerian Komunikasi & Multimedia
Lot 4G9, Persiaran Perdana
Precinct 4, Pusat Pentadbiran Kerajaan Persekutuan
Dated: 14 June 2021