Updated 22 January 2021
How we collect, process, store and share your Personal Information.
By providing us with your Personal Information, you:
Vula’s Data Subjects are typically healthcare practitioners, or people employed in an administrative role and acting on behalf of a healthcare establishment, department of health or a private or public healthcare practice. We act as a responsible party and Process, as the term is defined in POPIA, Personal Information, Special Personal Information, and patient Information on behalf of our Data Subjects, and in accordance with an agreement with the aforementioned individuals, to provide Vula’s services.
- The Eight Conditions for Lawful Processing of Personal Information
- Access to Personal Information
- Personal Information Collected
- Use of Personal Information
- Sharing of Personal Information
- Data Accuracy
- Security of Personal Information
- Transborder Flow of Personal Information
- Retention of Personal Information
- Incomplete Personal Information
- Data Subject Rights
- Electronic Communications
- Declining Cookies
- Data Breaches
- Privacy Queries
- Information Officer
THE EIGHT CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
POPIA sets out eight conditions for the lawful Processing, as defined in POPIA, of Personal Information (“the Eight Conditions”). Vula is committed to complying with the Eight Conditions:
- Condition 1 – Accountability: Vula will comply with the Eight Conditions while conducting business that involves the Processing of Personal Information.
- Condition 2 – Processing Limitation: the consent of a Data Subject is required for his/her Personal Information to be Processed. Such consent must be informed and specific, i.e. the Data Subject must know the reason for which the Personal Information will be Processed and by whom it will be Processed. Personal Information may not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the Personal Information is Processed, the Data Subject must be informed of the new purpose and consent must be obtained before the required Processing occurs. Vula will collect Personal Information directly from the Data Subject unless the Personal Information is in the public domain (for example, if the information can be obtained from an external public source such as the telephone directory, a Government Department or the Internet).
- Condition 3 – Purpose Specification: Personal Information will only be collected for a specific, defined, and lawful purpose related to the function or activity of Vula.
- Condition 4 – Further Processing Limitation: Where Personal Information collected by Vula is given to another person to Process, such further Processing will be done in accordance with the conditions under which Vula initially collected such information. Vula will ensure that such further Processing is only undertaken after such other person has undertaken in writing to comply with the necessary Processing conditions to ensure compliance with the Eight Conditions for the Processing of Personal Information.
- Condition 5 – Information Quality: Vula will take reasonably practicable steps (given the purpose for which Personal Information is collected or subsequently Processed), to ensure that the Personal Information is complete, not misleading, updated and accurate.
- Condition 6 – Openness: Vula will retain the documents that contain Personal Information in accordance with Vula’s Retention and Restrictions of Records Policy. Data Subjects have a right to know what Personal Information Vula has and for what purpose.
- Condition 7 – Data Security: Vula will ensure that appropriate security measures, Processes and procedures are in place to protect against unlawful or unauthorised Processing of Personal Information; and accidental loss of, or damage to Personal Information.
- Condition 8 – Data Subject Participation: A Data Subject may request access to any Personal Information held about him/her by Vula and ask for inaccurate data to be amended or deleted.
Vula recognizes that Data Subjects have the right to have their Personal Information Processed in accordance with the Eight Conditions and will therefore protect these rights by:
- notifying a Data Subject that Personal Information about him, her or it, is being collected;
- notifying a Data Subject that his, her or its personal information has been accessed or acquired by an unauthorised person;
- allowing the Data Subject access to his, her or its Personal Information; and
- complying with the request of a Data Subject, where necessary, to correct, destroy or delete his, her or its Personal Information.
ACCESS TO PERSONAL INFORMATION
A Data Subject who has provided the Information Officer with adequate proof of identity may request Vula to confirm, free of charge, whether or not Vula holds any Personal Information about the Data Subject; and to provide a record of the Personal Information about the Data Subject held by Vula, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
Vula may provide the record referred to above within a reasonable time, in a form that is understandable to the Data Subject. The Data Subject must also be advised of his or her or its right to request that the information be corrected, if incorrect.
Vula may refuse to disclose any information requested on the basis of the grounds for refusal of access to certain records as specified in section C of the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”). If a request for access to Personal Information is made to Vula and part of the information falls within one of the aforementioned grounds, Vula must disclose every other part of the information which does not fall within the protected ground.
PERSONAL INFORMATION COLLECTED
When you register to use the Vula App or Dashboard, we open and operate an account for you, provide you with our products and services, provide you with electronic communications relating to your account, our products and our services. To this end, we need to collect the following Personal Information from you:
- Name and Surname
- Healthcare Professional Registration Number
- Mobile number
- Email Address
- The Name and Location of your Practice, Department and/or Facility
- Profile photo (optional)
We also collect mobile device information during the course of your use of the Vula Mobile App in order to troubleshoot any issues that you, as a data subject, may have encountered, and to assist you in ensuring that you are on the latest version of the Mobile App and have all the latest functionality. We also use this information to make informed decisions on ways to improve the Vula Mobile App and to deliver an improved service as well as services and functionality that are relevant and accurate to our users.
Device information collected is limited to the following:
- Device ID
- Vula App Version
- Device Platform
- Device Token
- Device Manufacturer
- Device Model
- Device OS Version
- Device Time Zone
- Device Country Code
Vula may also collect Personal Information from you in other ways, including:
- when you communicate with us by email, chat, telephone or any other means, we collect the communication and any data provided in it;
- when you use the Vula platform we collect information in your referrals and chats with other healthcare practitioners;
- when we obtain information from third parties such as identity verification services from the Health Professions Council of South Africa, or similar professional registration councils, to confirm you are a registered healthcare practitioner;
- where the information is contained in a public record or has deliberately been made public by you;
- where you have consented to the collection of the information from another source, including our social media platforms;
- where collection of the information from another source would not prejudice a legitimate interest you may have;
- where collection of the information from another source is necessary –
  - to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
  - to enforce a law imposing a pecuniary penalty;
  - to enforce legislation concerning the collection of revenue as defined in relevant local legislation;
  - for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
  - in the legitimate interests of national security.
USE OF PERSONAL INFORMATION
We use your Personal Information for one or more of the following purposes:
- to verify your identity as a healthcare practitioner or healthcare service provider;
- to manage and maintain your account with us;
- to prevent fraudulent or unauthorised use of our products and services;
- to better manage our business and your relationship with us;
- to improve our products and services, and to develop new products and services;
- to notify you about benefits and changes to the features of our products and services;
- to provide you with personalised advertising and marketing;
- to respond to your enquiries and to resolve disputes.
Where necessary Vula may disclose your Personal Information in the public interest, which public interest includes:
(a) the interests of national security;
(b) the prevention, detection and prosecution of offences;
(c) important economic and financial interests of a public body;
(d) fostering compliance with legal provisions established in the interests referred to under points (b) and (c);
(e) historical, statistical or research activity; or
(f) the special importance of the interest in freedom of expression.
SHARING OF PERSONAL INFORMATION
We may disclose your Personal Information to our third parties, as defined in POPIA, for legitimate business purposes, in accordance with applicable law and subject to applicable professional and regulatory requirements regarding confidentiality. In addition, we may disclose your Personal Information to:
- any person that works for us and is in the employ of Vula, either as a permanent employee or contractor;
- companies and organisations that provide services to us, including in relation to technical infrastructure, marketing and analytics, and web and app development and support;
- companies and organisations that assist us with identity verification, background screening, due diligence and Processing or otherwise fulfilling transactions that you have requested;
- our professional advisers, consultants and other similar services;
- legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
- any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights;
- any relevant party for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including, but not limited to, safeguarding against and the prevention of threats to public security.
We may, from time to time, share Personal Information contained in the reports with Departments of Health for research purposes. However, we will only share Personal Information in these reports insofar as it is necessary for the governmental institution to fulfil its functions in advancing public health or other public interests.
We may also share de-identified information, as defined in POPIA, with healthcare providers and/or researchers, who may publish this de-identified information for research purposes. This de-identified information is health information that has been anonymized, does not contain personally identifiable information, and can therefore not be linked to a specific person.
If you are referring a patient in the Platform you will be required to share Personal Information relating to yourself and the patient as part of the service provided by Vula. This Personal Information will only be shared with specialist medical healthcare providers who are also users of the Vula Platform.
Vula may, in permitted instances, provide universities, healthcare establishments or health practitioners with de-identified Personal Information for ethical research purposes. The recipients of the aforementioned de-identified Personal Information are bound by, inter alia, professional confidentiality and, as a result, may not share or re-identify the Personal Information.
We will otherwise treat your Personal Information as private and confidential and will not share it with other parties except:
- where you have given permission;
- where we believe it is reasonably necessary to comply with any law, regulation, legal Process or governmental request, to enforce our Terms and Conditions of use or other agreements, or to protect the rights, property, or safety of us, our customers or others;
- where we may transfer rights and obligations pursuant to our agreement with you.
If we engage a third party to Process any of your Personal Information, the third party will be subject to binding contractual obligations to only Process such Personal Information in accordance with our prior written instructions; and use measures to protect the confidentiality and security of such Personal Information.
DATA ACCURACY
The Personal Information provided to Vula should be accurate, complete and up-to-date. Should Personal Information change, the onus is on the provider of such data to notify Vula of the change and provide Vula with the accurate data.
SECURITY OF PERSONAL INFORMATION
Vula places great importance on ensuring the security of your Personal Information. We regularly review and implement up-to-date technical and organisational security measures when Processing your Personal Information. Vula employees and contractors are trained to handle Personal Information securely and with the utmost respect, failing which they may be subject to disciplinary action.
Vula takes seriously the technical and organisational security measures we have in place to protect your Vula Account. In addition, the law requires that Data Subjects also have due regard to generally accepted information security practices and procedures in order to assist in securing the Vula Platform, their own user accounts, own Personal Information, and the patient Personal Information and Special Personal Information therein.
Our Vula Platform, including both the Mobile App and the Dashboard, is developed using secure technologies with Security by Design and Privacy by Default principles at the forefront of its architecture. The Platform can only be accessed using strong access control protocols, and only by Vula approved and validated data subjects.
As Vula is obliged to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or Processing of personal information, Vula utilizes a cloud-based solution hosted by Heroku (a Salesforce company) in an Amazon Web Services Data Centre (“the AWS Data Centre”) in Europe. The AWS Data Centre is ISO 27001 certified, which provides assurance with regard to the physical, logistical and environmental security of the Personal Information in the AWS Data Centre, as well as the business continuity and availability of the services offered by the AWS Data Centre.
Vula, in collaboration with Heroku and AWS, has further taken reasonable measures to:
- identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
In addition, Vula’s Data Subjects are responsible for:
- maintaining adequate security and control over your Vula Account sign-in details, including the use of strong passwords, ensuring that passwords are not written down or saved anywhere unencrypted, and not sharing your Vula Account sign-in details with other individuals;
- enabling any additional security features available to you on your Mobile device including Mobile device access pin codes, access patterns or facial recognition features;
- keeping your contact details up to date so that you can receive any notices or alerts we may send to you in relation to security (see Electronic Communications);
- maintaining security and control over the email mailbox and phone number associated with your Vula Account;
- notifying us in a timely manner as to the theft or other unauthorised use of your mobile device or Vula Account via our support email (firstname.lastname@example.org) so we can reset your Vula Account password.
In order to increase the security of your Vula Account and protect it from interruption caused to it by phishing, spoofing or other attack, computer viruses, spyware, scareware, Trojan horses, worms or other malware that may affect your computer or other devices, Vula recommends that you regularly use reputable virus screening and prevention software and remain alert to the fact that SMS, email services and search engines are vulnerable to spoofing and phishing attacks.
We encourage our Data Subjects to take all the above measures, and all other security measures available to you. Failure to adhere to these measures may result in unauthorised access to your Vula Account and the loss or theft of any of your Personal Information as well as, potentially, any patient Personal Information and Special Personal Information that you have utilised the Vula Platform to Process. Vula shall have no liability to you or your patient for any unauthorised access to your Vula Account, where such unauthorised access was due to no fault of Vula, and/or any failure by you to act upon any notice or alert that we send to you.
Further information on Heroku, Salesforce, and their hosting services can be found at the following links:
Security Policy: https://www.heroku.com/policy/security
TRANSBORDER FLOW OF PERSONAL INFORMATION
We may transfer your Personal Information to recipients outside of the Republic of South Africa.
You may withdraw your consent to us Processing your information across borders, however this may mean that we are no longer able to offer the Service to you.
RETENTION OF PERSONAL INFORMATION
Vula will retain your Personal Information –
- for achieving the purpose for which the information was collected;
- when retention of the record is required or authorised by law;
- when the record is required for lawful purposes related to Vula's functions or activities;
- when retention of the record is required by a contract between the parties thereto;
- when the Data Subject, or a competent person where the Data Subject is a child, as defined in POPIA, has consented to the retention of the record;
- for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
We may, however, notwithstanding the above-mentioned criteria, retain your Information in a de-identified manner for a period you deem necessary.
INCOMPLETE PERSONAL INFORMATION
Where indicated (for example in account registration forms), it is obligatory for you to provide accurate Personal Information to enable us to open and operate your Vula Account so you may be able to use our products or services. Should you decline/refuse or neglect to provide such Personal Information, or provide inaccurate or incomplete Personal Information, we may not be able to Process your account registration or provide you with our products or services.
DATA SUBJECT RIGHTS
We support the right of Data Subjects to have access to their data and their patient related data. The Personal Information Vula collects, Processes, stores and shares is necessary for us to provide and improve the services we offer, or to comply with our regulatory and compliance obligations. We are the responsible party of our Data Subject’s Personal Information, and Processors of the patient’s Personal Information and Special Personal Information and Process the patient’s information on your behalf.
You have certain rights under data protection law, including the right to object to the Processing of your Personal Information or to request that we:
- provide you with a copy of your Personal Information (including in a format that can be shared with a new provider); or
- correct, delete, or restrict the Processing of your Personal Information.
These rights are limited in some situations, such as where we are legally required to Process or store your data, and may limit your ability to use our products and services. If you would like to exercise any of the above rights, please send an email to email@example.com with your request.
ELECTRONIC COMMUNICATIONS
In order for Vula to provide you with the agreed services, you accept and agree that:
- any communications, agreements, notices and/or any other documents (together “Communications”) relating to your Vula Account or your use of Vula’s products and services will be provided to you electronically by posting them on the Vula Website, emailing them to the email address you have provided to us, or through any other form of electronic communication. You consent to receiving all Communications electronically;
- you will at all times have available to you the necessary hardware and software to receive, access and retain Communications sent to you electronically, including a device with an internet connection and a valid and accessible email address;
- you assume full responsibility for providing Vula with a valid and accessible email address to which any Communications may be sent, and for ensuring that the email address and any other contact information is kept up to date. Any Communication sent to the email address you have provided to us will be deemed to have been received by you. You can amend your contact information by signing-in to your Vula Account and accessing the Profile & Settings page.
You may at any time withdraw your consent to receiving Communications electronically by contacting firstname.lastname@example.org. You acknowledge that failure to give, or withdrawing, consent to receiving Communications electronically may put the security of your Vula Account at risk (see Security of Personal Information) should you, as a result, not receive communications pertaining to your account security.
Care should always be taken in reviewing messages purporting to originate from Vula and, should you have any uncertainty regarding the authenticity of any communication, please contact us via email@example.com immediately to verify the authenticity of such communication.
DECLINING COOKIES
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
DATA BREACHES
We protect all information with what Vula considers to be the highest degree of security and protection. In the event of any privacy or security breaches of the Vula Platform, or at our Third Party Hosted Data Centre, that are likely to result in any risk to your Personal Information or to your rights and freedoms, we will notify you and the relevant regulatory authority as soon as we become aware of such.
We expect our users to notify us immediately where they have reasonable grounds to believe that their accounts or patient data have been accessed or acquired by any unauthorised person. To notify us in this regard, please email firstname.lastname@example.org.
INFORMATION OFFICER
Vula’s current Information Officer is:
Name: Kim-Lisa Gad
Department: Legal and Compliance
Telephone Number: 082 974 3860
Email Address: email@example.com