Principal Privacy Policies

Segworks shall:

• a. Protect the privacy of personal information, sensitive personal information, personal health information, and electronic personal health information, in accordance with Philippine laws and relevant international standards;

• b. Comply with laws allowing disclosure of information;

• c. Adhere to the principles of transparency, legitimate purpose and proportionality;

• d. In matters pertaining to privacy, comply with the terms and conditions of its Business Agreement with PhilHealth.

Personal information must be:

• a. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

• b. Processed fairly and lawfully;

• c. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

• d. Adequate and not excessive in relation to the purposes for which they are collected and processed;

• f. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

• a. The data subject has given his or her consent;

• b. The processing of personal information is necessary and is related to the fulfilment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

• c. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

• d. The processing is necessary to protect vitally important interests of the data subject, including life and health;

• e. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

• f. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

• Processing of sensitive personal information shall be allowed where it is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing; or, the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured.

Consistent with the foregoing goals and principles, Segworks shall implement for the Mobile EHR system the following privacy strategy:

• a. Must have a designated Data Privacy Officer;

• b. Must conduct a security risk assessment annually, at a minimum, to measure the potential risks and vulnerabilities to the confidentiality, integrity and availability of SPI and EPHI;

• c. Must implement reasonable and appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of PI, SPI, CI, CHI, PHI and EPHI;

• d. Prior to conducting business with a third party that involves the storage, share, exchange or processing of PI, SPI, CI, CHI, PHI and EPHI, Segworks must coordinate with the third-party to sign a Contractor or Client Contract that includes provisions for the third-party to reasonably safeguard PI, SPI, CI, CHI, PHI and EPHI;

• e. Segworks, particularly the Mobile EHR system, must protect PI, SPI, CI, CHI, PHI and EPHI during the full lifecycle of transformations, whether electronic or not. This includes preparation of data transmission, transmitting data, and receiving transmitted data. For the electronic transmission of CHI: (1) If the public internet is used for electronic data exchange, policies and procedures should cover the secure transmission of data, which includes encryption of data; (2) If private secure point-to-point connections are used for electronic data exchange, policies and procedures should cover their provisioning and maintenance. Data encryption is recommended even when using secure private point-to-point connections.

• f. To the extent that the activities of Segworks, through the Mobile EHR system, may be considered the functions of a personal information controller, Segworks will submit the foregoing voluntary privacy code for the review and approval of the National Privacy Commission of the Philippines, and comply with modifications as may be required by the said commission;

• g. Segworks shall comply with the terms and conditions of its Business Agreement with PhilHealth.

Privacy Policies Relating To IHCP Clients

Institutional Healthcare Provider (IHCP) clients of Segworks shall execute a contract, the terms and conditions of which shall be consistent with the requirements of the PhilHealth, and the requirements of the applicable law. At the minimum, the contract shall stipulate that the IHCP client shall:

• a. Comply with the provisions of the Data Privacy Act of 2012, such as, but not limited to the consent of the data subject to the capture, processing, storage, and sharing of personal information, sensitive personal information, personal health information, and electronic personal health information; or, without consent of the data subject, if any of the following conditions obtain:

• a.1 If necessary to protect vitally important interests of the data subject, including life and health;

• a.2 If necessary in order to respond to national emergency, to comply with the requirements of public order and safety (upon court order);

• a.3 To fulfil functions of public authority which necessarily include the processing of personal data for the fulfilment of its mandate;

• a.4 The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

• b. Observe the Rights of the Data Subject, such as:

• b.1 To Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

• b.2 Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

• b.2.1 Description of the personal information to be entered into the system;

• b.2.2 Purposes for which they are being or are to be processed;

• b.2.3 Scope and method of the personal information processing;

• b.2.4 The recipients or classes of recipients to whom they are or may be disclosed;

• b.2.5 Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

• b.2.6 The identity and contact details of the personal information controller or its representative;

• b.2.7 The period for which the information will be stored; and

• b.2.8 The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Data Privacy Commission;

• c. Agree that any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under par. 6.1.2.2 shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation.

The IHCP client shall grant Segworks the authority to use data for research and development activities, particularly those geared towards improving the services of Segworks.

Errors, malicious code, acts of fraud, whether intentional or by negligence, committed by users of IHCP client(s) shall be the liability of the affected IHCP client(s). The costs incurred by Segworks to correct such errors, or repair the damage caused by the malicious code or by acts of fraud, shall be borne by the IHCP client(s).

The IHCP shall grant Segworks the right to suspend service for violation(s), whether intentional or by negligence, of the contract between Segworks and the IHCP, the rules and regulations of PhilHealth, or the applicable laws.

The IHCP shall immediately notify Segworks and PhilHealth for breaches of data in accordance with the regulations of PhilHealth and/or the Data Privacy Act of 2012.

The IHCP shall agree to the training of its users on this policy.

Segworks shall retain IHCP data for a period of six (6) years, unless a longer period is required by PhilHealth or by law.

Segworks shall not disclose, release, or sell information, or allow other parties to obtain a copy of any data from the eClaims system for any purpose other than that permitted by PhilHealth or as required by law. Segworks shall, at all times, provide systems that maintain the confidentiality of information between patients and the IHCP, and between IHCP and PhilHealth.