Bangkok Hospital Siriroj commits to protect your personal data as a patient who undergoes investigation, treatment and medical services including other services provided by the hospital. Your personal data is to be protected in compliance with the Personal Data Protection Act B.E. 2562. The hospital as a controller of such personal data is responsible by law for notifying you of this document for reasons and methodology hospital collects, gathers, uses or discloses your personal data, including informing you your rights as an owner of such personal data.
The hospital analyzes your personal data under a scope as defined by Personal Data Protection Act B.E. 2562 and analyzes the data only as necessary for aforementioned action. The hospital concludes the use of your personal data as below details.
|Type of Data
For a purpose of investigation and providing medical services
1.1. Providing medical services within hospital health providers
1.2. Providing medical services if necessary to link data among network health providers.
1.3 Referral between health providers
For purpose of analysis study to develop quality of treatments by unidentified personal data
The hospital may use your personal data for analysis study to develop quality of treatments by an overall report with unidentified owners of personal data and the company strictly maintains confidentiality of such data.
Disclose of the data to your insurance companies or contractors for purposes of rights to claim compensation from insurance companies or to reimburse medical claims
The hospital needs to disclose your personal data to insurance companies to comply with a contract that you or
Disclose of the data to a party referring you for investigation or a payer when you give consent for disclose of personal data
In case of agency of either government, private sector or state enterprise refers you to the company for treatments or is a payer for your medical expenses, the hospital will disclose your health data which is sensitive personal data to aforementioned agency only if you give consent to disclose your data to the agency otherwise, the hospital will directly send you a result of investigation.
For purpose of linking electronic database of medical records among health providers via mobile application
Once you give consent, the hospital will enter your personal data into computer system in a format of mobile application for your convenience to receive consultation via the application and for you to manage your data via the application. To maximize benefits, the system will link electronic database of medical records among network health providers for you to browse your existing personal data maintained in the providers via electronic devices as the hospital makes agreement with network health providers to protect your personal data in compliance with Personal Data Protection Act B.E. 2562.
For marketing purposes
The hospital may collect, gather, use and analyse personal data for analysing your health condition and contacting you for communication, providing medical information and offering promotion, products and services according to your consent
Apart from aforementioned purposes, the hospital will not use your personal data for other purposes unless the Personal Data Protection Act B.E. 2562 permits such as
- When receipt of your consent (Section. 24) or when receipt of intended consent in case of using sensitive personal data (Section. 26)
- For analysis study or statistic which establishes appropriate protection measures to protect personal data, right and liberty of an owner of personal data (Section. 24(1))
- To prevent, suppress threatening to life, body or health (Section. 24(2))
- To comply with a contract between hospital and you (Section. 24 (3))
- To perform duties accordingly to hospital mission for public interests (Section. 24 (4))
- Legitimate Interest of hospital or person or other juristic person except the aforementioned interest is less important than basic rights of personal data owner (Section. 24(5))
- For legal compliance of hospital (Section. 24 (6))
- To prevent, suppress threatening to life, body or health in case the use of sensitive personal data when the owner cannot give self-consent regardless of any causes (Section. 26 (1))
- For establishment rights for legal claims (Section. 26 (4))
- For public health interests or other social protection as the company establishes appropriate measures to protect basic rights and benefits of personal data owner (Section. 26 (5) (B))
- For needs to comply with Labor protection law, provision of medical welfare, social security (Section. 26(5) (C))
“Personal Data” includes information related to an individual that can be identifiable either directly or indirectly excluding the information of the decreased particularly
“Sensitive Personal Data” includes individual data related to race, ethnicity, political opinion, beliefs, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic data, biometric data (such as facial image data, iris simulation data, fingerprint replica) or any other information that affects the owner of personal data in a similar manner as defined by committee of personal data protection
“Health data” includes the following data
- Day, month, year of receiving medical treatment
- History of drug allergy and history of drug side effects
- History of food allergy
- Diagnostic disease, procedure name, surgery name
- Blood result, laboratory result, pathological result, radiological images, and radiological report
- List of prescribed medication
- Other information such as symptoms, physician recommendation, diagnostic details
“Process” includes collect, gather, use or disclose
“Personal Data Controller” includes an individual or juristic person who has authority in decision making about collection, gathering, use or disclose of personal data
“Personal Data Processor’ includes individual or juristic person who perform collection, gathering, use or disclose of personal data according to orders or on behalf of a personal data controller, in addition, the individual or juristic person performing actions as above must not be a personal data controller.
“Bangkok Dusit Medical Services Group” includes companies in hospital network are currently existing or will be in the future, regardless it may be registered in Thailand or overseas, including Bangkok Dusit Medical Services Company limited
“Network health provider” includes health providers in a group or network of hospital operating both in Thailand and overseas
Personal Data Hospital Collects from You
Your personal data collected by hospital can be classified as followings
|Type of Personal data
|1. Personal data
|Such as name, surname, ID card number, face image, gender, date of birth, passport number or other identifiable numbers
|2. Contact data
|Such as address, telephone number, e-mail address
|3. Financial data
|Such as billing information, credit or debit information, receipt information, invoice information
|4. Marketing data
|Such as registration information used for subscribing and marketing participation
|5. Technical data
|Such as IP address of computer, type of browser, cookies information time zone setting, operating system, platform and technology of devices used for accessing website and Online Appointment System
|6. Health data
|History of food allergy, blood result, laboratory result, pathological result, radiological images and radiological report, list of prescribed medication, necessary information for medical services, information of feedback and treatments
Sources Of Personal Data
Hospital collects and gathers your personal data from the following sources
- Personal data directly collected from you such as
- In case, you receive investigation and treatment, hospital receives your personal data from your contact hospital about services or your self-register at hospital for receiving medical services and other services from hospital, including registration via electronic media
- Personal data indirectly collected from you such as
- Person who are close to you such as relatives, spouse etc.
- Person, you give authority to act on your behalf in contacting with the hospital
- Network health providers, in case you already give consent to the network health provider for disclose of your personal data
- Person, juristic person or agency of any government, private sector, or state enterprise who refers you for investigation services to the hospital or is a payer for your service expenses
Disclose Or Share of Personal Data
The hospital will not disclose your personal data to outsiders except when laws permit for needs in operation so hospital may disclose your personal data for the following cases
- Disclose personal data to government agency, authority agency or any person when laws define or authorize, including complying with court orders
- Disclose personal data to individual or juristic person the company needs to comply with contract or for your benefits as an owner of personal data. hospital requires those individual or juristic person must maintain confidentiality and protect your personal data according to standards as defined by Personal Data Protection Act B.E. 2562, including but not limited to individual or juristic persons as listed below
- Network health providers and BDMS group as necessary as for providing investigation and medical services to you as the company will disclose personal data only as necessary and the company will maintain confidentiality of your personal data as its duties complied with relevant laws such as Medical Facilities Act B.E. 2541, National Health Act B.E. 2550 and Medical Profession Act B.E. 2525
- Insurance company or its provider managing compensation
- Health provider servicing patient’s referral
- The one referring you for investigation or services at a health provider or paying service expenses for you
Important personal data analyzer for the company’s operation such as employee, or laboratory service provider, database management, telecommunication, computer system, payment or provider of Technology Outsource
- The hospital may maintain personal data in Cloud Computing by using such services from the third party located in Thailand or overseas. hospital makes a contract with mentioned persons very thoroughly and considers safety system in maintaining personal data that Cloud Computing service provider functions in regarding personal data protection
Duration Of Personal Data Retention
- The hospital uses standards of duration for retention of medical records in accordance with Medical Facilities Act B.E. 2541 and the latest version, the hospital will maintain medical records in its system at minimum of 5 years once hospital creates the records. For medical benefits, the records will be maintained at the period you have not contacted with hospital longer than 10 years from the latest medical visit. Once completion of that 10-year duration, all original medical records, copies and electronic medical records will be disposed.
- In case the hospital must comply with laws, regulations of other professional councils, court order or establish rights for legal claims to enter dispute resolution processes, the hospital may maintain such personal data for the duration according to the legal statute or until the dispute is final whichever the case may be.
Measures Of Personal Data Retention and Analysis
- The hospital will manage the retention of personal data with standards not less than a level required by law and with appropriate system to protect and safeguard such personal data such as the use of Secure Sockets Layer: SSL, protect with firewall, password and other technology measures for encryption of information via the internet, and store in a facility with access protection system that limits the person’s access to personal data kept in a document format
- The hospital limits access to personal data that may be accessed by staffs, agent, partner or third party. Access to personal data by the third party can be done according to setting or order. Also, the third party is responsible for maintaining confidentiality and personal data protection
- The hospital establishes technology method to protect unauthorized access to the computer system
- The hospital has an inspection system to manage destruction of unnecessary personal data for hospital
- In case of sensitive personal data, the hospital applies measures to maintain the security of documentation and electronic data for access and control of the use as well as having operating system and backup including emergency plan and conducting regularly risk assessment of the system
Overseas Transfer Of Personal Data
- Some cases, hospital may need to transfer your personal data to overseas. hospital may perform the transfer after notifying you of objectives of the transfer and receiving your consent. Then the hospital may inform you about insufficient standards of personal data protection of the destination country
- The hospital can transfer your personal data without your consent if the transfer of personal data to overseas is in accordance with a contract you are as the contract’s partner or to protect or suppress any threatening to life, body or health of personal data owner, or for the use according to your request prior to making that contract or according to requirements in Personal Data Protection Act B.E. 2562
When you visit our website, hospital uses cookie to ensure you will receive good experience from using the hospital’s website. Cookie is a small file that stores information and records it on to computer devices or communication tools when you access via web browser you choose while visiting the website.
The hospital uses cookie to collect identity of your website visiting, with the identity hospital can remember the nature of your website using more easily and such data will be used for development of the hospital website to match with your needs more. For convenience and speed of your using the website, sometimes hospital may authorize the third party for this operation which may need IP address and cookie for analysis, data link and processing according to marketing purposes. You can set cookie when you enter the company website as you can choose to allow or not allow cookie to perform analysis, data link and processing according to marketing purposes.
Rights Of Personal Data Owner
As a personal data owner, you have rights to request the hospital to process your personal data according to scope allowed by laws as below
- Right to withdraw consent: you have rights to withdraw your consent for personal data processing as consents to the hospital anytime throughout the period your personal data stored at hospital.
- Right of access: you have rights to access your personal data and request the hospital for a copy of aforementioned personal data, including requesting the hospital to disclose the acquisition of your personal data you did not give your consent
- Right to rectification: you have rights to request the hospital to correct incorrect data or add to incomplete data
- Right to erasure: you have rights to request the hospital to erase your data by some reasons
- Right to restriction of processing: you have rights to request the hospital to suppress the use of your personal data by some reasons
- Right to data portability: you have rights to transfer your personal data maintained by the hospital to other data controllers or yourself by some reasons
- Right to object: you have rights to object your personal data processing by some reasons
You can contact with Data Protection Officer to request to exercise your rights as aforementioned at Bangkok Hospital Siriroj No. 44 Chalermprakiat Ror 9 Rd. Phuket , telephone number: 076-361-888,
e-mail address: [email protected]
Changes Of Personal Data Protection Policy
The hospital may review and change the personal data protection policy in the future for developing better personal data protection, The hospital will notify you every time when the aforementioned policy changed.
You can contact with Data Protection Officer to request to exercise your rights as aforementioned at Bangkok Hospital Siriroj No. 44 Chalermprakiat Ror 9 Rd. Phuket , telephone number: 076-361-888, e-mail address: [email protected]