MACROPROCESS: MANAGEMENT

PROCESS: STRATEGIC MANAGEMENT.

 

INTRODUCTION.

 

Law 1581 of 2012 developed "the constitutional right that all persons have to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in the Article 15 of the Political Constitution; as well as the right to information enshrined in article 20 of the same”.

 

This constitutional right known as habeas data, gives citizens the ability to decide and control the information that others have about them and, in this order of ideas, Law 1581 of 2012 establishes mechanisms and guarantees that allow the full exercise of the aforementioned right. .

 

In compliance with the provisions of Law 1581 of 2012, the Astorga Oncology Clinic, as the person responsible for the processing of personal data and sensitive personal data of its users, clients, suppliers and employees, has adopted the following Data Protection Policy , to guarantee that the processing of personal data and sensitive personal data complies with current legal provisions.

 

SCOPE.

 

This policy is based on current regulations and therefore is mandatory application by all staff working in the clinic regardless of the contractual relationship, provided that their work involves the processing of personal data of users, suppliers, customers, and employees. The policy review periodicity is annual.

 

GENERAL OBJECTIVE.

 

Safeguard the constitutional guarantees of users, clients, suppliers and employees with whom the Astorga Oncology Clinic has a relationship, of handling their personal information in a confidential and secure manner.

SPECIFIC OBJECTIVES.

 

• Ensure that the personal data processed is adequate, pertinent and not excessive for the legitimate purposes for which they were obtained and that they are kept accurate and up-to-date.

• Provide the owner of the data with certain information on the treatment of the same that is going to be carried out in each case and obtain the authorization of this treatment through the completion of the institutional Habeas Data format.

• Facilitate the owner of the data the exercise of their rights of access, modification, cancellation, and opposition to their treatment in the cases in which the owner specifies it.

• Ensure that access to the data of users, customers, suppliers and employees corresponds to authorized users and under the commitments to process the data only for the purposes authorized by the data owner and to maintain the confidentiality and adequate level of security of personal data.

​

POLICIES.

 

The institutional policies that support compliance with the guidelines defined in this procedure are:

 

• Service Provision Policy.

• Risk Management and Administration Policy.

• Quality Policy and Continuous Improvement

• Information and Communications Management Policy.

REGULATORY FRAMEWORK.

 

• Statutory Law 1581 of 2012: By which general provisions are issued for the protection of personal data.

• Decree 1074 of 2015: By means of which the Single Regulatory Decree of the Commerce, Industry and Tourism Sector is issued. In its chapter 25, it partially regulates Law 1581 of 2012.

• External Circular 002 of 2015: Give instructions to those responsible for the processing of personal data to carry out the registration in the National Registry of RNBD Database.

 

DEFINITIONS OF TERMS.

 

The following are the definitions enshrined in Law 1581 of 2012, which will allow knowing the development of each of the issues raised in this document:

 

• Data processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. 

• Habeas Data: It is the fundamental right that every person has to know, update and rectify all the information that is related to them and that is collected or stored in data banks. (Article 15 of the Political Constitution of Colombia, Developed by Law 1266 of 2008.)

• Personal data: Any information linked or that can be associated with one or several determined or determinable natural persons. Database: Organized set of personal data that is subject to treatment. 

• Owner: Natural person whose personal data is processed. 

• Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data. 

• Responsible for the treatment: Natural or Legal Person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data. 

• Person in charge of the treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of personal data on behalf of the Responsible for the treatment.

• Affected or interested party: Natural person who owns the data that is the object of the treatment

• Cancellation: Procedure by virtue of which the person in charge ceases to use the data. The cancellation will imply the blocking of the data, consisting of the identification and reservation of the same in order to prevent its treatment except for its making available to the Public Administrations, Judges and Courts, for the attention of the possible responsibilities arising from the treatment. and only during the limitation period of said responsibilities. After this period, the data must be deleted.

• Assignment or communication of data: Treatment of data that involves its disclosure to a person other than the interested party.

• Consent of the interested party: Any expression of will, free, unequivocal, specific and informed, through which the interested party consents to the processing of personal data that concerns him.

• Dissociated data: Data that does not allow the identification of an affected or interested party.

• Personal data: Any numerical, alphabetical, graphic, photographic, acoustic or any other type of information concerning identified or identifiable natural persons.

• Personal data related to health: Information concerning the past, present and future health, physical or mental, of an individual. In particular, data related to people's health are considered those referring to their percentage of disability and their genetic information.

• Recipient or assignee: The natural or legal person, public or private or administrative body, to which the data is disclosed

• File: Any organized set of personal data, which allows access to the data according to certain criteria, whatever the form or modality of its creation, storage, organization and access.

• Dissociation procedure: Any processing of personal data that allows obtaining dissociated data.

• Third party: The natural or legal person, public or private, or administrative body other than the data subject or interested party, the data controller, the file manager, the data processor, and the persons authorized to process the data under the direct authority of the data controller. treatment or the person in charge of the treatment.

• International data transfer: Data processing that implies a transmission of the same outside the national territory, either constitutes an assignment or communication of data, or has the purpose of carrying out data processing on behalf of the person responsible for the file established in international territory. .

• User: Subject or process authorized to access data or resources. The processes that allow access to data or resources without identification of a physical user will be considered users.

• Successor in title: in Law, is that natural or legal person who has succeeded or replaced another, the deceased, by any legal title in the right of another. The succession or substitution may have occurred by act inter vivos inter vivos or by cause of death mortis causa.

• Sensitive data: Data that affects the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, organizations, etc., are considered sensitive. social, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data.

• Biometric Data: Biometric data is those physical, biological or behavioral traits of an individual that identify them as unique from the rest of the population. Those computer systems in which some biometric data is measured, as part of the process of identification and/or authentication of a subject, are known as biometric security systems or simply biometric systems. 

 

​The following list are some examples of biometric data:

• Fingerprints.

• Geometry of the hand.

• Iris analysis.

• retinal analysis.

• Veins on the back of the hand.

• facial features.

• Voice pattern.

• Handwritten signature.

• Typing dynamics.

• Step cadence when walking.

• Gesture analysis.

• DNA analysis.

BEGINNING.

 

• Principle of purpose: The treatment of information at the Astorga Oncology Clinic obeys a legitimate purpose in accordance with the Constitution and the Law, which will be framed in the management of information for activities related to its corporate purpose for care in health of users or defined contractual relationship with customers, suppliers and employees. 

• Principle of freedom: Data processing can only be exercised with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization.

• Principle of veracity or quality: The information subject to treatment must be true, complete, exact, updated, verifiable and understandable.

• Principle of transparency: In the treatment, the right of the Holder to obtain from the Treatment Manager or the person in charge of the treatment, information about the data that rests in their databases that concern him must be guaranteed.

• Security principle: The information subject to treatment must be handled with the human and administrative technical measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

• Principle of confidentiality: All persons involved in data processing are obliged to guarantee the confidentiality of the information, even once their relationship with any of the tasks that comprise the treatment has ended.

 

RIGHTS OF HOLDERS.

 

The Owner of the personal data will have the following rights: 

 

• Receive the authorization request for the processing of your personal data.

• Issue authorization for the processing of your personal data.

• Know, update and rectify your personal data before the Treatment Managers or Treatment Managers. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose Treatment is expressly prohibited or has not been authorized. 

• Request from the clinic proof of the authorization granted for the treatment of personal data except in the cases determined by the Law (Article 10 Statutory Law 1581 of 2012). 

• Be informed by the Treatment Manager or the Treatment Manager, upon request, regarding the use that has been given to your personal data. 

• Present before the control entities or the clinic, complaints for violations of the protection of personal data. 

• Revoke the authorization and/or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that in the Treatment the Responsible or Processor has incurred in conduct contrary to the law and the Constitution. 

• Free access to your personal data that has been processed.

AUTHORIZATION OF PERSONAL DATA.

 

The request for authorization for the processing of personal data at the Astorga Oncology Clinic will be made through the completion of the Habeas Data format in which the patient is informed and requested the following:

 

• Demographic and identification data.

• Authorization for the use of medical record information for the purposes of your care or other related procedures such as authorizations and payments by your insurers or use for epidemiological management purposes, suppressing the identification data in these cases.

• Purpose of collecting personal data.

 

For the treatment of the personal data of suppliers and clients, these will be collected as long as they have the express authorization. 

 

For the treatment of personal data and Occupational History of employees, there must also be authorization for their treatment for the purposes that are required based on the contractual relationship.

CASES IN WHICH PERSONAL DATA PROCESSING AUTHORIZATION IS NOT NECESSARY.

 

The Owner's authorization will not be necessary in the case of: 

• Information required by a public or administrative entity in the exercise of its legal functions or by court order. 

• Data of a public nature. 

• Cases of medical or health urgency. 

• Treatment of information authorized by law for historical, statistical or scientific purposes. 

• Data related to the Civil Registry of People.

 

DUTIES OF THOSE RESPONSIBLE FOR INFORMATION.

 

• Guarantee the holder, at all times, the full and effective right of Habeas Data. 

• Request and keep a copy of the authorization granted by the Holder.

• Duly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted. 

• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

• Rectify the information when it is incorrect and communicate what is pertinent to each person in charge of the Information Processing.

• Process queries and claims made by users.

DUTIES OF THOSE IN CHARGE OF INFORMATION.

 

• Guarantee the Holder, at all times, the full and effective right of Habeas Data.

• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

• Timely update, rectify or delete the data in the terms indicated by law.

• Update the news on the information reported by the Data Holders within (5) business days from its receipt.

• Process the queries and claims made by the Holders in the terms indicated by law.

• Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce.

PURPOSE OF THE TREATMENT OF PERSONAL DATA AND SENSITIVE PERSONAL DATA OF USERS.

 

The processing of personal data and sensitive personal data provided by users of the Astorga Oncology Clinic will have the following purpose: 

 

• Identification and validation of user rights.

• Updating of data provided by the owner.

• Authorization for access to health services.

• Provision of contact information to service network providers to guarantee users timely access to other health services.

• Characterization and monitoring of the population, for health risk management, using information derived from healthcare services.

• Delivery of mandatory Public Health reports.

• Respond to requirements to control entities.

• Evaluation of indicators of opportunity and quality of services.

• Evaluation of the quality of the health products and services offered by the clinic, which may be carried out by any of the means of contact informed by the user in their care process.

• For the sending of information, through Email, Text Messages (SMS and/or MMS) or any other means of communication about the status, duties and rights, as well as the assistance and administrative activities that support the provision and management of health risk.

• Provision of information to the competent authorities if required.

PURPOSE OF PROCESSING PERSONAL DATA AND SENSITIVE PERSONAL DATA OF EMPLOYEES.

 

The processing of personal data and sensitive personal data provided by the employees of the Astorga Oncology Clinic will have the following purpose:

 

• Carrying out the personnel selection process according to their aptitude for a position or task.

• Establish a contractual relationship.

• Offer you training opportunities.

• Performance evaluations, job satisfaction, personal growth, well-being and occupational health.

• Comply with the affiliation process to the Comprehensive Social Security System (Health Promotion Entities, Occupational Risk Administrators, Pension and Severance Funds, Compensation Fund).

• Carry out the Remuneration process. 

• Exercise the defense against legal actions, comply with judicial requirements or other competent authorities, derived from the contractual relationship.

• Provision of information to the competent authorities if required.

• In general, for any other purpose derived from the contractual relationship.

 

RESPONSIBLE AND IN CHARGE OF INFORMATION AT THE ASTORGA ONCOLOGY CLINIC.

 

The clinic, as a legal person, is the General Manager of the Treatment of the information that rests in the databases of each one of the areas and services that make it up, however, it has determined a Responsible Party, the General Manager and some internal Managers by virtue of of the class of data handled by them, these are: