Please read this Privacy Policy carefully to understand how your personal information will be handled by Umvuzo Health Medical Scheme. Every term of this Policy is material.
ABOUT UMVUZO HEALTH MEDICAL SCHEME
Umvuzo Health Medical Scheme (“Umvuzo Health” / ”the Scheme”), a registered restricted
membership medical scheme in terms of the Medical Schemes Act 131 of 1998, offers medical
scheme benefits to the employer group and their respective employees in the mining, food,
steel and retail sectors. Umvuzo Health is a self-administered medical scheme, supported by
various contracted service providers. The Scheme is subject to the authority of the Council for
Medical Schemes. The Scheme is governed by a Board of Trustees, which has a statutory
duty to keep beneficiary information confidential.
The following terms have the meanings assigned to them in this Privacy Policy unless the context requires otherwise:
“Umvuzo Health” refers to the Umvuzo Health Medical Scheme, registered with the
Council for Medicl Schemes.
“Board” refers to the Board of Trustees of the Scheme.
“Beneficiary” means a member and/or dependant of a member.
“Data subject” has the meaning assigned to it in POPIA and refers to the person to whom
the personal information relates and includes both natural and juristic persons.
“Dependant” means a dependant of a member admitted as such in terms of Rules of the
Scheme.
“Member” refers to a natural person who has been admitted as a principal member of
the Scheme in terms of the Rules and “membership” has a corresponding meaning.
“Officer” refers to a member of the Board, any Committee of the Scheme, the Principal
Officer, and any employee of the Scheme.
“PAIA Manual” refers to the Manual compiled by the Scheme in terms of section 51 of
the Promotion of Access to Information Act (Act 2 of 2000).
“Personal information” has the meaning assigned to it in POPIA and refers to information
relating to living human beings and existing juristic persons. It includes information such
as race, gender, age, medical information, identity number, contact details and
confidential correspondence and “information” has a corresponding meaning.
“POPIA” means the Protection of Personal Information Act (Act 4 of 2013) and the
Regulations issued in terms thereof.
“Principal Officer” means the Principal Officer of Umvuzo Health.
“Processing” has the meaning assigned to it in POPIA and refers to any operation or
activity concerning personal information, such as the collection, receipt, recording,
storage, updating, alteration, use, distribution, erasure or destruction of the information
and “process” has a corresponding meaning.
“Rules” means the registered Rules of the Scheme.
“The Scheme” refers to the Umvuzo Health Medical Scheme.
“You” / “your” refers to the data subject whose personal information is processed by the Scheme.
APPLICATION OF THE PRIVACY POLICY
This Privacy Policy applies to personal information that we have in our possession or under
our control and personal information that we collect or receive from or about you. It stipulates,
amongst others, how we collect the information, the type of information collected, why that
information is collected, the circumstances under which that information will be shared with
others, the security measures that we have implemented to protect the information and how
you may obtain access to and correct your information.
OUR COMMITMENT
We understand that your personal information is important to you. Your privacy and the
security of your information are just as important to us and we want to make sure you
understand how your information will be processed. We are committed to conducting our
business in accordance with the law. We will, therefore, only process, which includes collect,
use, store or disclose, your personal information in accordance with the law or otherwise with
your consent and will always strive to keep your information confidential. We take this
commitment to look after your personal information seriously. We have implemented several
processes to make sure that your personal information is used in the right way. We only collect
personal information that is necessary and use it for the purposes specified in this Privacy
Policy unless you are advised otherwise. We do not keep personal information longer than
needed for lawful purposes. We only share your personal information as specified in this
Privacy Policy and/or permitted in terms of the law or otherwise as agreed with you.
WHEN YOU PROVIDE PERSONAL INFORMATION ABOUT ANOTHER INDIVIDUAL / ENTITY
You must make sure that if you provide personal information about any individual or entity to
us, you may lawfully do so (e.g., with their consent). We will accept that you are acting lawfully.
You should make sure that they are familiar with this Privacy Policy and understand how we
will use and disclose their information.
COLLECTION OF YOUR PERSONAL INFORMATION
We collect personal information directly from you when you become a member, a dependant
or an employee of the Scheme and when you submit information on the website or the Scheme
App or otherwise to the Scheme. Information may also be collected from other sources,
depending on the circumstances, when it is, for example, not possible to obtain the information
directly from you, or you make information publicly available. Health care provider information
is, amongst others, collected from claims submitted in respect of goods and services provided
to beneficiaries. Telephone calls with external callers and virtual meetings are recorded. The
information that we collect is necessary to provide membership services, manage the Scheme
and comply with the Rules, the Medical Schemes Act and other laws. When you use our
website and/or Scheme App, you must familiarise yourself with the terms and conditions
applicable to your use of those platforms.
PROCESSING OF YOUR PERSONAL INFORMATION
There are various laws that permit the processing of personal information such as POPIA.
Employment laws permit the processing of employees’ information. We generally process the
personal information listed below, if applicable in the circumstances, and retain it as part of
our records. Other personal information may be collected and processed if it is required in the
circumstances.
Beneficiaries
Names, surnames, addresses and contact details;
Identity numbers, dates of birth and age, gender;
Dependants’ details;
Employment details;
Income and bank details;
Health information, including pre-existing conditions, diagnoses and treatment;
Previous medical scheme cover;
Details of treating providers;
Membership contributions and payment-related information;
Authorisation requests, claims, funding decisions, benefit allocation and benefit utilisation;
Dependant status, waiting periods and late joiner penalties;
Information related to complaints and disputes;
Telephone call recordings; and
Correspondence.
Trustees, Committee Members and Nominees
Full names and surnames, titles, identity numbers, age, addresses; contact details,
nationalities, gender, qualifications, vetting reports, photos, other information included on
nomination forms, curriculum vitae (“CVs”) and declarations of interests;
Signatures of official signatories and proof of residence, if required by the bank;
Bank details;
Position held at the Scheme;
Recording of virtual meetings, records of meeting attendance, information included in
minutes of meetings and participation in business-related matters / events on behalf of the
Scheme;
COVID-19 screening information, if applicable; and
Correspondence.
Employees and Job Applicants
Full names and surnames, titles, identity numbers, age, contact details, positions or roles
at the Scheme, nationalities, gender, race, qualifications, vetting reports, photos,
employment history, references, next-of-kin and other information included on CVs;
Relevant medical and disability information, if applicable;
Employment-related information such as sick certificates, performance and disciplinary
records, salary information, tax numbers and employment history;
Bank details;
Next-of-kin; and
Correspondence.
Health Care Providers
Full names and surnames / entity names, titles, addresses and contact details; practice
code numbers, qualifications and website addresses;
Designated service provider (DSP) / preferred provider network status;
Claims, remittance advices and payment related information;
Utilisation of scheme benefits; and
Correspondence.
Suppliers, Vendors, Other Persons and Public and Private Bodies
Entity names, addresses, contact details and website addresses;
Names, surnames, titles, contact details and positions of contact persons;
Names, surnames, titles and contact details of employees’ next-of-kin;
Qualifications, licences, accreditation and performance;
Proposals, agreements and related information;
Payment information including banking details and VAT Numbers;
Official documentation, such as newsletters and brochures;
BBBEE status;
COVID-19 screening information of visitors to the Scheme’s offices; and
Correspondence.
Insurers
Entity names, addresses, contact details and website addresses;
Names, surnames, titles, contact details and positions of contact persons;
Claims;
Payment-related information;
Correspondence.
PURPOSE OF PROCESSING YOUR PERSONAL INFORMATION
We generally process your personal information for the following purposes:
to conduct the business of a medical scheme in terms of the Medical Schemes Act,
including admission to membership, risk assessment of beneficiaries, under writing, risk
management, disease management, benefit management, the assessment and payment
of beneficiary claims, the collection of contributions and debts and for managed health
care and forensic investigation purposes;
for governance purposes;
for employment and related matters;
to verify provider details;
to comply with relevant legislation;
to report to persons and bodies as required and authorised in terms of the Rules,
legislation or by the data subjects;
for the maintenance of assets;
for communication purposes;
for marketing purposes;
for client services;
for procurement;
for historical, statistical and research purposes;
for enforcement of our rights; and
for any other lawful purpose, which directly relates the business of a medical scheme.
CONSENT
If you consent to the processing of your personal information, you may withdraw your consent
at any time. This does not affect the processing of personal information that has already
occurred. If you withdraw your consent, your personal information will only be processed as
provided for in the law.
OBJECTION TO PROCESSING
When we process your personal information to protect your legitimate interests or based on
the legitimate interests of the Scheme or those of a third party to whom we supply the
information, you may object to our processing, if it is reasonable to do so. This must occur on the form prescribed by POPIA, available from the Information Officer. This does not affect your
personal information that we have already processed. If you object and we agree with your
objection, your personal information will only be processed as provided for in the law.
LINKS TO SOCIAL NETWORKING SERVICES
We use social networking services such as WhatsApp, Facebook and LinkedIn to
communicate with the public about our services. When you communicate with us through
these services, the relevant social networking service may collect your personal information
for its own purposes. These services have their own privacy policies, which are independent
of this Privacy Policy.
DISCLOSURE OF YOUR PERSONAL INFORMATION
We will share only relevant personal information about you, if it is necessary and lawful in the
circumstances. We will generally share your personal information with the following persons
and entities in the conducting of our business:
Officers, employees, service providers, suppliers and vendors who assist us to provide the
services and who perform functions related to our business on a need-to-know basis,
subject to confidentiality undertakings where applicable;
Our insurers;
Our professional and legal advisers;
Our accountants and auditors;
Law enforcement structures, including courts and tribunals; and
Regulatory and other public or private bodies, persons or entities, as may be required or
permitted in terms of the law, including to comply with any legal obligation or to protect the
rights, property or safety of our business, the public or others.
We may also share your information with the following persons and entities:
Beneficiaries
Suppliers and service providers who perform functions related to the administration of our
business and the provision of managed health care services on a need-to-know basis and
subject to confidentiality undertakings;
Regulatory and other public or private bodies, persons or entities, as permitted in terms of
the Rules, legislation, the relevant beneficiary, or as may be required or permitted in terms
of the law (e.g., Council for Medical Schemes [“CMS”]);
• Banks;
• South African Revenue Services (“SARS”);
• Debt collectors / attorneys when contributions are outstanding;
Trustees, Committee Members and Nominees
Our beneficiaries; and
Vetting agencies.
Employees and Job Applicants
Our beneficiaries (depending on your job function);
Vetting agencies; and
Next-of-kin in emergency situations.
Health Care Providers
Our beneficiaries;
Banks; and
SARS.
Suppliers, Vendors, Other Persons, Public and Private Bodies
Our beneficiaries;
Banks; and
SARS.
If you share your personal information with any third parties, we will not be responsible for any
loss suffered by you or your employer (where applicable).
RECORD-KEEPING
We maintain records of your personal information for as long as it is necessary for lawful
purposes related to the conducting of our business, including the administration of Scheme
membership, to provide services to you, pay claims, comply with legal obligations, attend to
complaints, disputes and litigation, perform and enforce agreements, comply with our Rules and the law, and for historical, statistical and research purposes subject to the provisions of
the law.
INFORMATION SENT ACROSS THE BORDERS OF THE REPUBLIC OF SOUTH AFRICA
We send details of beneficiaries, who are abroad and in need of emergency treatment and
care, to our international emergency service providers. Personal information may be stored
on servers (‘clouds’) outside of the Republic of South Africa. We will implement mechanisms
to ensure that such storage is compliant with applicable legislation. We are not planning to
send any other personal information about any data subject to any other third party in a foreign
country. Should this be required, relevant data subject consent will be obtained, if required,
and transfers of such information will occur in accordance with the requirements of the law.
SECURITY OF YOUR PERSONAL INFORMATION
We are committed to ensuring the security of your personal information to protect it from
unauthorised processing and access as well as loss, damage or unauthorised destruction. We
have implemented and continually review and update our information protection measures to
ensure the security, integrity, and confidentiality of your information in accordance with
industry best practices. These measures include the physical securing of the offices where
information is held; secure storage of physical records; password control to access electronic
records and off-site data back-ups. In addition, only those officers, employees and service
providers or suppliers that require access to your information to discharge their functions and
to render services to us are granted access to your information and only if they have concluded
agreements with us or provided undertakings regarding the implementation of appropriate
security measures, maintaining confidentiality, and processing the information only for the
agreed purposes. We will inform you and the Information Regulator, if any person has
unlawfully obtained access to your personal information, subject to the provisions of the law.
RIGHT TO ACCESS YOUR PERSONAL INFORMATION
You have the right to request access to your personal information in our possession or under
our control and information of third parties to whom we have supplied that information subject
to restrictions imposed in legislation. If you wish to exercise this right, please complete the
prescribed form, available from the Information Officer, and submit it to the Information Officer.
Costs may be applicable to such request, which can be obtained from the Information Officer.
Please consult our PAIA Manual for further information.
ACCURACY OF YOUR PERSONAL INFORMATION
It is important that we always have accurate information about you on record as it could impact
on communication with you and benefit payment. You must therefore inform us as soon as
any of your information has changed. You may also request us to correct or delete any
information. Such a request must be made in writing on the prescribed form to the Information
Officer. The form can be obtained from the Information Officer. You must provide sufficient
detail to identify the information and the correction / deletion required. Information will only be
corrected / deleted, if we agree that the information is incorrect or should be deleted. It may
not be possible to delete all the information if we may lawfully retain it. Please contact the
Information Officer to discuss how we can assist you with your request. If we correct any
information and the corrected information will impact on any decision made or to be made
about you, we will send the corrected information to persons to whom the information has
been disclosed in the past if they should be aware of the changed information.
MARKETING OF PRODUCTS AND SERVICES
If you have given us consent, we may occasionally inform you, electronically or otherwise,
about supplementary products and services offered by us that may be useful or beneficial to
you. You may at any time withdraw your consent and opt out from receiving such information.
CHANGES TO THIS POLICY
We reserve the right in our sole and absolute discretion, to revise or supplement this Privacy
Policy from time to time to reflect, amongst others, any changes in our business or the law.
We will publish the updated Privacy Policy on our website. It will also be available at our
offices. Any revised version of the Policy will be effective as of the date of posting on the
website, so you should always refer back to the website for the latest version of the Policy.
It is your responsibility to make sure you are satisfied with any changes before continuing to use our services.
ENQUIRIES AND CONCERNS
All enquiries, requests or concerns regarding this Policy or relating to the processing of your
personal information by us should be addressed to the Information Officer at compliance@umvuzohealth.co.za. You may also lodge a complaint with the Information Regulator at POPIAComplaints@inforegulator.org.za should you feel that your personal information has been violated.
We would appreciate it if an affected party could give the Scheme an opportunity to consider their complaint before approaching the Information Regulator.
LAWS APPLICABLE TO THIS PRIVACY POLICY
This Privacy Policy is governed by the laws of the Republic of South Africa.