Legal & Compliance
Remedi Innovations Sdn Bhd (referred herein as “the Company” or “we” or “us” or “our”) values your privacy and strives to protect your personal information (Personal Data). This Privacy Notice outlines how the Company comprising of REMEDi CMS and other products under remedi.my (referred herein as “REMEDi”) collects, uses, maintains and discloses your Personal Data in accordance with the Malaysian Personal Data Protection Act 2010. Please note that we may amend this Privacy Notice at any time without prior notice and the amended Privacy Notice shall be made available in our premises and website.
What is Personal Data?
Personal Data refers to any information (e.g. name, address, NRIC number, photographs, financial, bank account details, occupation, religion, employer, etc) that relates directly or indirectly to an individual, who may be identified or identifiable from that information or other information that is in our possession including Sensitive Personal Data. Sensitive Personal Data refers to any information which relates to the health condition of an individual, his/ her religious beliefs or other beliefs of a similar nature and the commission or alleged commission of any offence.
Source of Personal Data
The collection of Personal Data shall depend on the nature of your visit to the premise registered with our Company. There are various sources from which your Personal Data may be procured/collected by us including, but not limited to, the following:
Directly from you when you or your representative (parent, guardian etc) fill in the registration forms at the facilities registered with REMEDi, or contact us via emails and letters, telephone calls and conversations, or when taking part in customer surveys and promotions and during marketing activities;
From any third parties connected with you such as your employer/potential employer, agents (e.g. medical tourism agents), insurance companies, other healthcare facilities; and
From such other sources to whom you have given your consent to disclose information relating to you.
Is the supply of Personal Data obligatory?
The Personal Data that we collect can either be obligatory or voluntary as it would depend on the purpose of you disclosing the Personal Data. If the Personal Data requested by us is to ensure that we are able to efficiently provide our services, then it would be obligatory for you to provide that information. If you fail to do so, it may affect the services provided to you.
The Personal Data that would be voluntary are office fax number, email address, etc. However, such information will facilitate the delivery of services to you.
Purpose of collecting and processing your Personal Data
The purpose for which your Personal Data is collected and processed shall depend on the nature of the relationship which you have with us and your visits to the facilities registered with REMEDi. The purpose may comprise part or all of the following:
To process the services that you are currently receiving and / or the services that you have requested;
To administer and communicate with you in relation to our current / future services and / or events;
For insurance purposes, third party administration and any other third parties;
To respond to your enquiries and feedbacks;
For marketing and promotional activities;
For audio recording (example: calls made to the contact centre);
To administer and give effect to your commercial transaction (tender award, contract for service, other contractual obligations);
To better understand your needs as our customer and to improve our services provided to you;
For internal functions such as evaluating the effectiveness of marketing, market research, statistical analysis, reporting, audit, compliance and risk management and to prevent fraud;
For the prevention of crime (example: usage of CCTV coverage);
For investigating, reporting, preventing or otherwise in relation to any fraudulent, criminal activities;
To ensure stakeholders’ interests are protected;
For the purpose of enforcing our legal rights and/or obtaining legal advice;
To transfer or assign our rights, interests and obligations under any of your agreements with us;
For internal records management;
For any other purpose that is required or permitted by any law, regulations, guidelines and/or relevant regulatory authorities; and
Any other related purposes.
Disclosure of your Personal Data
As part of providing you with our services and the management and/or operation of the same, we may be required to disclose your Personal Data to the following:
Disclosure to Third Parties
Insurance companies, credit card companies, current/potential employers/external counterparts for situations where a patient is transferred to another government/private hospital, parents/guardians of minors;
Regulatory authority such as the Ministry of Health, Income Tax department, EPF, SOCSO, law enforcement agencies and any other statutory bodies having such authority or jurisdiction;
Relevant accreditation bodies during their survey;
Third parties appointed by us to provide services to us or on our behalf (such as auditors, company secretary, lawyers, event organizers, consultants, recruitment agencies, contractors, suppliers etc.).
Disclosure within the Company
Any disclosure made within the Company shall be done only when necessary to ensure that services provided to you are not hindered. Only pertinent Personal Data shall be disclosed to the relevant departments / employees.
We will otherwise treat your Personal Data as private and confidential and will not disclose your Personal Data without your consent UNLESS:
You have given us upfront express or implied consent for the disclosure;
The disclosure is necessary where there is a serious and imminent risk to your welfare;
The disclosure is necessary for the purpose of preventing a crime or investigation;
Disclosure was required and authorized by or under any law or by a order of the court;
We had reasonable belief that we had the right by law to disclose the Personal Data to that third party;
We acted in reasonable belief that we would have your consent if you had known of the disclosure and the circumstances of such disclosure;
The disclosure was justified as being in the public interest in circumstances as determined by the relevant Ministries.
Security of your Personal Data
The security of your Personal Data is our priority. We will take all reasonable efforts and practical steps to ensure that all physical and soft copies of your Personal Data are kept in a secure manner. If we disclose any of your Personal Data to our authorised agents or service providers, we will require them to appropriately safeguard the Personal Data that is provided to them.
Retention of your Personal Data
We will only retain your Personal Data for as long as necessary to fulfil the purpose(s) for which it was collected or to comply with legal, regulatory and internal requirements. Upon the said purpose(s) being fulfilled, we will destroy or permanently delete your data according to our destruction policy.
Right to access and correct your Personal Data
You have the right to access your Personal Data held by us (subject to any exemptions as prescribed in the PDP or other Act) and to request for corrections to that Personal Data if it is inaccurate, incomplete, misleading or not up-to-date. Where appropriate, a fee may be imposed for any request to access and /or correct your Personal Data depending on the information that is requested.
Please note that access to your Personal Data may be withheld in certain situations as determined by the relevant authorities, legislations, acts and regulations and /or for the safety of our patients (for example when we are unable to confirm your identity).
Any inquiries or requests to access or update Personal Data or to withdraw consent should be directed to the department that is providing the required service, or the Customer Service by calling (+603-5626-0017) or emailing us at email@example.com.
We have made every effort to provide a detailed overview of the GDPR compliance and how does REMEDi support your business to operate within the confines of this regulation especially when it comes to customer data and its verification through REMEDi. But it is still advised to engage services of a legal counsel in order to have a better understanding of GDPR compliance and the liabilities that come along with it. The following compliance guide is actually the practices, procedures and upgrades introduced in the internal working of REMEDi to make its services GDPR complaint.
The deadline for GDPR compliance is here and REMEDi has wasted no time to make its services fully compliant with EU’s User Data and Protection guidelines. We have adopted an industry prevalent approach known as Data Process Control to better protect the interests of not only our clients but their customers as well.
Here is a summary of GDPR sections that are applicable to customers and users of REMEDi services.
GDPR needs the websites and online businesses to intimate users that they are using cookies. The language of this intimation is also desired by GDPR to be easily understandable for an average user. Consent is required from the user before they are tracked because of these cookies. We have updated our cookies policy in this regard as well.
GDPR only allows the collection of user data for a legal reason. REMEDi only collects data for verification purposes as per the legal agreement signed by REMEDi and its customers. This data will be limited to verification of the credentials, identity or any other related verification that was required by our customers to be provided as per the legal agreement.
GDPR requires businesses and websites to forget and delete the user data when requested by the user. REMEDi has taken steps to provide full control to the end-users about the data that they have submitted for identity verification
Here is our Game Plan for GDPR Compliance
Either you are a B2B or B2C, eCommerce company, Educational Entity or Crypto based organization, you probably by this point have known about General Data Protection Regulation (GDPR). It is a new directive set by the European Union, legislation that set forths guidelines regarding how information is collected and how it is processed and used.
The GDPR legislation was formed to harmonize data privacy laws across Europe. Empowering all EU citizen’s data privacy in the process, and to reshape how organizations approach data privacy in a secure and transparent manner.
At REMEDi, tireless efforts have been underway over the last few months to assist our users, businesses and our clients. To help them understand, what the GDPR means for their businesses and to assist them in establishing a compliant process of their own. Considering that aspect, we have made great improvements to our REMEDi platform to ensure that we stand at par with the GDPR measures.
REMEDi has prepared a Game Plan for you to understand, how GDPR operates behind the scenes when a customer interacts using our service.
Here is the Process:
Let’s say that Ahmad is a potential customer and lives in France. He is called the Data Subject, and your company the health service provider, is called the Controller of his data. Since REMEDi is verifying the credentials of Ahmad on behalf of your company, then that makes REMEDi, the Processor.
Here is how Ahmad might interact with REMEDi:
- Ahmad’s controller uses REMEDi with web browser
- Ahmad approaches the Controller and the controller intends to use REMEDi to provide treatment to Ahmad and operate its business.
- Verification is carried out.
- Ahmad provide relevant credentials (Government-issued ID number)
- The controller displays his verification document up to the web camera. Or Ahmad will receive an SMS notification of 6-digit random one-time password to be shared only with the Controller
- The Processor will verify the registration
- Based on the results of verification of Verified or Not-Verified the Data Subject can proceed to the next course.
User Data means any data, content, code, video, images or other materials of any type that User uploads, submits or otherwise transmits to or through Services. User will retain all right, title and interest in and to User Data in the form provided to REMEDi. REMEDi stores data on industry secured servers located in the EEA zone, and are monitored. Subject to the terms of this Agreement, you hereby grant to REMEDi a non-exclusive, worldwide, royalty-free right to;
(a) collect, use, copy, store, and transmit User Data, in each case solely to the extent necessary to provide the applicable Services to Client
(b) Client hereby grants to REMEDi all necessary rights to use, reproduce, modify, create derivative works from, distribute, perform, transmit and display the User Information (including any rights specifically pertaining to biometric information) solely to the extent necessary to provide the Services which will include the right for REMEDi to grant equivalent rights to its service providers that perform services that form part of or are otherwise used to perform the Services.
Access to Data
The Services include access to the Back-office, Client may access and download (either manually or via API) the data from each of its Verifications, including extracted data and images for each individual Transaction, via the Back-office for the Term. Upon termination of this Agreement for any reason, access to the Back-office, and therefore access to data storage will be revoked. REMEDi may delete any stored items in storage upon expiration or termination of this Agreement. REMEDi will have no responsibility or liability for storing and deleting items in accordance with this Section 9.
You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to:
1. The payment of a fee (currently fixed at RM1.50 per invoice or per transaction) and
2. The supply of appropriate evidence of your identity (for this purpose, we will usually accept a picture of your government-issued ID).
We may withhold personal information that you request to the extent permitted by law.
You may instruct us at any time not to process your personal information for marketing purposes.
In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt-out of the use of your personal information for marketing purposes.
ID, Identity and Documents Verification
REMEDi employs machine learning, computers, Artificial Intelligence, Human Intelligence and Software technology to perform Verification processes through Template Matching Technique.
Unless otherwise stated in the Standard Agreement, the Verifications parameters include:
- Name, Date of Birth, Image and Video
- Proof of Address, Age, Designation, Academic Degree, Company Identity, Logos, etc. made available by REMEDi as Customised Services.
Users Individual Rights Request
The GDPR enhances the rights of individuals in a number of ways.
Access and Privileges
User can request access to the personal data he has shared with REMEDi about himself. Personal data is anything identifiable, like his name and email address. If he requests access, REMEDi (as the processor) need to provide a copy of the data, in most cases in machine-readable format (e.g. CSV or XLS).
Ahmad can also request to see and verify the lawfulness of the processing.
A client can seek access to their data by asking REMEDi of what they require at firstname.lastname@example.org. We at REMEDi believe to be at legal and moral obligation to facilitate any manner of an individual rights request.
REMEDi enables you to grant any access request by easily exporting user record into a machine-readable format.
In the manner same as accessing information, user can request REMEDi to modify his personal data, if it is inaccurate, incomplete or requires any sort modification or amendment.
The GDPR requires that a company be able to accommodate modification requests, as and when required.
Under the GDPR, the user has the right to request that REMEDi delete all personal data it has collected from him. The GDPR is required to permanently remove users contacts from their database, including verification results, all personal information, saved images/video, form submission data and credit card data.
In a GDPR compliant manner, a client can seek to have their data deleted by querying REMEDi at email@example.com. The Data protection officer at REMEDi in most cases will respond back within a 30 day period.
In many cases, the right to deletion is not absolute and can depend on the context of the request, so it does not always apply.
Remedi Innovations Sdn Bhd (REMEDi) is committed to and has implemented many safeguards to ensure its services, websites and data systems (collectively “Products”) are compliant with the regulations and conditions set forth in the Health Insurance Portability and Availability Act of 1996 (HIPAA). REMEDi is committed to continuous improvement to ensure its Products incorporate state-of-the-art information technology privacy and security measures.
As a “Business Associate” per the definition in the HIPAA Act, and by assignment of the HIPAA covered entity, REMEDi is subject to the following controls:
Administrative Safeguards (HIPAA 164.308)
REMEDi has implemented policies to ensure appropriate assignment of data access permissions and proper movement and handling of that data. HIPAA training is an annual mandated event for all staff, as well as an annual review of policy effectiveness during internal or 3rd party auditing of our Products.
Physical Safeguards (HIPAA 164.310)
REMEDi’s primary physical safeguard is to not retain sensitive data in any public or private REMEDi location other than those assigned for database management and quality assurance activities. Specific workstation usage, disposal, reuse and security measures are in place. Access to REMEDi facilities is all independently controlled via card access preventing walk-up intrusion. REMEDi’s data centre uses a cloud-based architecture with inherent security measures including 24 hours monitoring, advanced fire protection systems, uninterruptible power and database redundancy. Annual audit of the facility security plan, disaster recovery plan, and contingency plans are in place.
Technical Safeguards (HIPAA 164.312)
To further protect sensitive data, REMEDi enforces unique software architecture that includes user identifications, various database audit logging, data integrity systems and verified backups, entity authentication programs, digital certificates, various levels of encryption and other custom architecture to further obscure sensitive data from threats.