Privacy Policy

This Privacy Policy outlines how Belvedere Medical Centre (BMC) collects, uses, stores, and protects personal information in compliance with the Zimbabwe Cyber and Data Protection Act (CDPA).

Purpose of Data Collection

• Provision of medical treatment and healthcare services.
• Administrative and billing purposes.
• Processing of medical aid claims and payments.
• Legal and regulatory compliance.
• Marketing of our other services and health-related offerings.
• Providing access to and managing our online self-service patient portal.

Scope

This policy applies to all staff, contractors, and service providers of BMC who handle patient and staff personal data, both electronic and paper-based.

Data We Collect

• Identity details (name, date of birth, national ID, passport).
• Contact details (address, phone number, email).
• Medical history, diagnosis, treatment records.
• Medical aid membership details.
• Payment information.
• Portal login credentials (for online services).

Principles of Data Protection

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Lawful Basis for Processing

• Consent from the data subject.
• Performance of a contract for healthcare services.
• Vital interests of patients.
• Compliance with legal obligations.
• Legitimate interests pursued by BMC in delivering healthcare and related services.

Data Sharing and Disclosure

• Medical aid societies for claims processing.
• Laboratory and diagnostic service providers.
• Regulatory bodies as required by law.
• ICT service providers hosting our healthcare systems.
• We do not sell patient data to third parties.

Data Retention

We retain patient data for as long as necessary to fulfil the purposes outlined above, and as required by Zimbabwean health records retention laws.

Data Security

• Role-based access controls
• Encrypted data systems
• Secure physical storage for paper records
• Regular staff training on data protection

Data Subject Rights

• Access their personal data.
• Request correction of inaccuracies.
• Request deletion of personal data (subject to legal requirements).
• Withdraw consent at any time.
• Object to certain types of processing, including direct marketing.

Data Breach Management

All breaches must be logged in the Breach Register. The Data Protection Officer (DPO) will notify the Data Protection Authority and affected individuals within 72 hours, as required by law.

Policy Review

This policy will be reviewed annually, or more frequently if regulatory updates occur.

Contact Information

For data protection inquiries, please contact our Data Protection Officer (DPO):
Email: rchakanyuka@bmchospitals.co.zw
Phone: +263778791092
Physical Address: Belvedere Medical Centre, 189 Samora Machael Ave, Harare, Zimbabwe