Our Commitment
Bristol Park Hospital takes privacy matters seriously and is committed to ensuring an adequate level of data protection for all persons with whom the Hospital has dealings. This includes, among others: patients and their relatives and carers, healthcare professionals, users of our products and services, including our website, representatives of our service providers, suppliers, contractors and business partners, representatives of the scientific community, visitors, employees and job applicants.
This Privacy Policy explains how Bristol Park Hospital handles your personal data.
- Personal Data collected by Bristol Park Hospital
Personal data, or personal information, means any information relating to an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity data, which include name, username or similar identifier, social media usernames/handles, profile photos, title, date of birth, age, gender, race and ethnicity, photographs, and audio and visual recordings.
- Contact data, which include address, email, telephone and mobile phone numbers.
- Professional data, which include job title, place of work, employment history, education, work address, areas of practice and specialisms.
- Financial data, which include mobile money wallets, bank account and payment card details.
- Transaction data, which include details about payments to and from you, and other details of products and services you have purchased from us, or from elsewhere and shared with us, including customer account numbers.
- Usage and engagement data, which include information about how you use our websites, products and services. We may use tracking pixels and encoded URL strings to track when emails we send you have been opened and which links in an email have been clicked. Tracking pixels are small image files which are embedded in emails and downloaded to your device when you load the pictures in an email. You can turn off pixels by turning off the images in the email itself. Encoded URL strings are pieces of code that are added to links. These do not use any technology (e.g. local storage, cookies etc.) to store or access data on your device. Through the use of tracking pixels and encoded URL strings, we collect information about your opening of the email (including time and date, your IP address, the city where you opened the email, the type of device, browser and operating system used to open the email) and the links you click on in the email.
- Health/Medical data, which include information about your health, ailments you may have suffered, medicines you may be taking, adverse effects you may have experienced, and genetic and biometric data.
- Marketing and communications data, which include your preferences for receiving marketing from us and our third parties and your communication preferences.
- Where Bristol Park Hospital collects your personal data from
Bristol Park Hospital may collect your personal data from different sources:
- Data that you communicate to us through various media, registrations, applications, surveys, and direct and indirect interactions with Bristol Park Hospital including medical tests.
- Data that we collect automatically, for instance recordings of telephone calls when you call Bristol Park Hospital or when we call you, and technical data we automatically collect about your equipment, browsing actions and patterns as you interact with our websites, platforms, Wi-Fi networks, applications, emails, and services, through certain technologies, such as tracking pixels, encoded URL strings and cookies.
- Data that we collect from publicly available sources, including identity, contact and health/medical data from Bristol Park managed social media pages or accounts such as Twitter or Facebook (for example, when you post a query or report an adverse event).
- Data that we obtain from third parties, for example, technical data from analytics providers such as Google, contact, financial and transaction data from providers of technical, payment and delivery services, identity, contact and professional data from data brokers or aggregators, and identity and health/medical data from healthcare professionals when they report an adverse event. We may also need to confirm contact or financial information with third parties or verify the registration of healthcare professionals.
In such cases, we generally receive such personal data from third parties that are authorized to share it in the framework of their own privacy and data protection policies or in accordance with the law.
Personal data relating to children
In some instances we may collect personal data about children for the provision of our services, such as clinical activities or patient support programs, with the consent of their parent or guardian. However, we do not otherwise knowingly solicit personal data from, or market to, children.
- The purpose for Bristol Park Hospital processing your personal data
Bristol Park Hospital collects your personal data for the following purposes:
- to carry out our healthcare and business operations, including to carry out marketing and sales; to register you as a customer/patient/supplier; to provide you with access to Bristol Park’s products and services; to process and deliver your order, including to manage payments, fees and charges, and collect and recover money owed to us; to respond to your requests; and to keep track of our interactions and meetings, such as when you contact us for information and support.
- to comply with legal or regulatory obligations that apply to Bristol Park Hospital, including to monitor safety; to manage and report adverse events; to carry out prevention and investigatory activities; to document and publicly disclose certain transfers of value made to employees, suppliers, healthcare professionals, healthcare organizations, insurance organizations, and patient organizations; and to carry out administrative formalities, registrations, declarations and audits.
- to provide patient support, healthcare services, treatment, patient engagement and prescription information, notification and communication with family, appointment reminders, including to provide, manage and administer patient support and homecare programs; and to manage claims, including insurance claims.
- to conduct research and development, including to carry out clinical studies, registries and trials; to manage and validate the recruitment and participation of individuals in studies, trials and other operations; to analyze demographic data; to offer special programs, activities, trials, events and promotions via our services; and to carry out market and consumer studies.
- to allow us to identify or authenticate you, including to provide or verify your credentials including via government-issued ID, employment card, healthcare professional number, driver’s license data, and passport data.
- to improve and develop our products and services, including to identify usage trends and develop new products and services; to understand how you and your device interact with our services; to customize, measure and improve our websites, products and services, marketing, customer relationships and experiences; to track and respond to safety concerns; to determine the effectiveness of our promotional campaigns; and to conduct surveys. If we use tracking pixels or encoded URL strings in emails we send you as described in the “What” section above, we will use the data we collect to measure the performance and improve the content of our emails (for example, by ensuring that our emails are compatible with your type of browser or device). Please see the “What” section above for more details on our use of tracking pixels and encoded URL strings, including how to turn tracking pixels off.
- to personalize our communications with you and your experience when using our services, including to personalize the way we communicate with you and the content of those communications (through all channels) to ensure they are in line with your preferences and relevant to your practice and interests; to ensure that our services are presented in the way that best suits you; and to present you products and offers tailored to you. This may include combining your data with other information we may already have about you from other sources (e.g. from our interactions through other channels). It may also include analyzing and predicting your preferences, interests and prescribing behaviors. We may use segmentation techniques to do this, which involves dividing our customers into smaller groups or “segments” that are likely to have similar preferences and interests, so that we can personalize our communications with you.
- to allow us to communicate with you, including to respond to your requests and inquiries; to provide support for products and services; to provide you with important information, administrative information, required notices, and promotional materials; to send you news and information about our products, services, or brands and operations; and to organize and manage professional events and congresses, including your participation in such events.
- for recruiting and human resources administration purposes.
- to process payments we may need to issue in a specific situation, including to verify your financial data and to facilitate further payments.
- to respond to legal requests, including from administrative and judicial authorities, in accordance with applicable laws; to comply with summons, court orders, required registration, or legal process.
- to protect our rights and interests, including to protect the health, safety and security of Bristol Park Hospital personnel, tangible and intangible assets, and premises; to ensure technical functionality and security of our services; to carry out internal audits, asset management, system and other business controls; to manage business administration (finance and accounting, fraud monitoring and prevention); to maintain the security of our services and operations; to protect our rights, privacy, safety and property; to allow us to pursue available remedies and limit the damages that we may incur as necessary; and to protect ourselves against possible fraudulent actions.
- Grounds for processing your personal data
Depending on the data processing in question, Bristol Park Hospital will generally process your personal data on one of the following legal grounds:
- With your prior consent, where you have clearly expressed your consent to Bristol Park Hospital’s processing of your personal data. In practice, this will generally mean that Bristol Park Hospital will ask you to sign a document, to fill in an “opt-in” form or to follow a procedure to allow you to be fully informed, and then either clearly accept or refuse the data processing envisaged.
- Where needed to perform a contract between you and Bristol Park Hospital. In this case, the processing of your personal data is generally necessary for the execution or performance of that contract; this means that if you do not wish for Bristol Park Hospital to process your personal data in that context, Bristol Park Hospital may refuse to enter into such contract with you or may not be able to provide you with the products or services covered by that contract.
- Where we need to comply with legal obligations applicable to Bristol Park Hospital’s activities.
- Where it is necessary for the “legitimate interests” of Bristol Park Hospital, meaning the interests of our business in conducting and managing our business to enable us to give you the best service/product, and the best and most secure experience (such as securing and improving our Services, for example), provided that these are not overridden by your interests or rights.
- As described above, we may collect and process your personal data when you visit our websites (including through cookies) for a number of purposes, such as to administer and protect our websites, to deliver relevant website content to you, and to use data analytics to improve our websites. In these cases, we will process your personal data on the basis that it is necessary for our legitimate interests (for provision of administration and IT services and network security, to keep our website updated and relevant, to study how customers use our products/services and to develop our business).
- If we use tracking pixels or encoded URL strings in emails we send you as described in the section above, we will process your personal data on the basis that it is necessary for our legitimate interests (to develop our products/services and grow our business).
- Bristol Park Hospital may, on a case-by-case basis, rely on other legal grounds for processing your personal data, such as the protection of your vital interests.
Please note that we may also process your personal data on the basis of more than one legal ground depending on the specific purpose for which we are using your data.
- Who Bristol Park Hospital shares your personal data with
For the purposes described above, Bristol Park Hospital may need to share your personal data with the following authorized third-parties:
- Bristol Park Hospital and its affiliates who undertake leadership reporting and provide IT and system administration services and other services.
- Our partners, such as healthcare professionals, insurance companies and organizations, distributors and agents, and other members of the healthcare and pharmaceutical industry.
- Selected suppliers, service providers and vendors acting upon our instructions who provide website hosting, payment processing, order fulfilment, information technology, system administration and related infrastructure provision, customer service, healthcare professional validation, email delivery, data analysis, auditing, market research, digital monitoring, marketing, advertising, brand, communication and other services.
- Healthcare and patient service providers who administer patient support on behalf of Bristol Park Hospital and provide other healthcare services.
- Professional advisors including lawyers, bankers, auditors and insurers, who provide consultancy, banking, legal, insurance, accounting and other services.
- Legal, regulatory, administrative and other authorities, as required by applicable laws including laws outside your country of residence.
- Potential acquirers and other stakeholders in the event of a merger or legal restructuring operation such as an acquisition, joint venture, assignment, spin-off or divestiture.
Bristol Park Hospital may need to share your personal data with other third-parties from time to time. In this case, Bristol Park Hospital will require that all such third-parties:
- undertake to comply with data protection laws and the principles of this Policy.
- only process the personal data for the purposes described in this Policy and in accordance with our instructions.
- implement appropriate technical and organizational security measures designed to protect the integrity and confidentiality of your personal data.
- Where Bristol Park Hospital may transfer your personal data
Bristol Park Hospital is a Kenyan organization, but it has affiliates, partners, suppliers, service providers and vendors located in many countries around the world. For that reason, Bristol Park Hospital may need to transfer (via access, visualization or storage) your personal data to other jurisdictions outside of Kenya.
Safeguards for international transfers of personal data: In cases where Bristol Park Hospital needs to transfer personal data outside of Kenya, we endeavor to ensure a similar degree of protection is afforded to it.
- What Bristol Park Hospital does to protect your personal data
We have implemented a variety of technological and organizational procedures and measures to ensure the integrity and confidentiality of your personal data and to protect it from unauthorized access, use and disclosure. These measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks posed by the processing (in terms of likelihood and severity) to your rights and freedoms. For instance, we store your personal data on servers that have various types of technical and physical access controls, which may include, if appropriate, encryption. We may also aggregate, pseudonymize or anonymize personal data to ensure that no personally identifiable information is communicated to third parties.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
- Bristol Park Hospital’s approach to determining how long to retain your personal data
Bristol Park Hospital will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, as outlined in this Policy.
As an exception, Bristol Park Hospital may be required to retain your personal data for longer periods as required or permitted by law, or as necessary to protect its rights and interests.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting and other requirements.
We may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
- What your rights are and how you can exercise them
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
- to request access to your personal data. This enables you to receive a copy of your personal data, unless such data is already made directly available to you.
- to request correction of your personal data should your personal data be inaccurate, incomplete or obsolete.
- to request the deletion of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- to withdraw your consent at any time to the data processing, where your personal data has been collected and processed by Bristol Park Hospital on the basis of your consent. Note, this will not affect the lawfulness of processing up until the time at which you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- to object to the processing of your personal data, including profiling, where your personal data has been collected and processed on the basis of the legitimate interests of Bristol Park Hospital or where Bristol Park Hospital is processing your personal data for direct marketing purposes. To exercise this right you will need to justify your request by explaining to us your particular situation and why you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- to request restriction of the processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- to request the transfer of your personal data from Bristol Park Hospital to you or a third party, where technically feasible, in which case we will provide you, or a third party of your choice, with your personal data in a structured, commonly used and machine-readable format. Please note, however, that this right only applies to automated information where the processing is based on your consent or in order to perform a contract with you.
11. How to contact us
Bristol Park Hospital welcomes any questions or comments you may have regarding this Policy or its implementation. You can send any questions about this Policy or Bristol Park Hospital’s use of your personal data to our Data Protection Officer using the contact details below:
Email: dpo@bristolpark.or.ke
P.O. Box 9193-00200 Nairobi
- Bristol Park Hospital reserves the right to make any changes to our Privacy Policy. Any changes will be posted on this page and, where appropriate, notified to you by email. Please visit this page to check our most current privacy policy.