Privacy Statement of the Office of Health Standards Compliance (“OHSC”)

Our website address is: https://ohsc.org.za.

Terms of Use

This website supports Chrome and other internet browsers. The material or content contained in these web pages is provided for general information purposes only. While every care and effort has been taken to ensure the accuracy of the information provided, the Office of Health Standards Compliance (“the OHSC”) makes no representation. It gives no warranty, whether express or implied, relating to the correctness of the information published on these web pages. The OHSC accepts no responsibility for this. The user indemnifies the OHSC and the OHO and holds them both harmless from any loss, liability, damage, or expense of whatsoever nature (including but not limited to direct, indirect, and consequential loss) arising from the reliance on information contained in these pages, or otherwise connected with the information in these pages [whether arising from breach of contract (fundamental or otherwise), delict, negligence, gross negligence or otherwise]. Except where otherwise stated, the copyright of all the website contents is owned by the OHSC. No part of the site contents may be reproduced, transmitted, reused, or made available in any manner or in any media unless prior written consent has been obtained from the OHSC Information Officer. In the event of any dispute arising from using the information on these web pages, the user (including users’ residents outside the Republic of South Africa) accepts that the law of the Republic of South Africa shall apply.

The content of this website is intended for general information only and is not intended to serve as advice.

CONTACT US

If you have further questions about the disclaimer, please do not hesitate to email privacy@ohsc.org.za

Purpose

The OHSC has a legal mandate in terms of the National Health Amendment Act No 12 of 2013 to protect and promote the health and safety of users of health services in South Africa by:

  • Monitoring and enforcing compliance by health establishments with prescribed norms and standards set by the Minister of Health and do this through a process of conducting inspections and certification and enforcement of compliance with those standards; and

 

  • Ensuring and investigating breaches of those standards, withdrawing such certification if necessary, and investigating and resolving complaints relating to the national health system to ensure the safety of users of health care services.

Personal information means information that, alone or jointly with other factors, identifies you as a person. This includes your name, contact details, telephone number, biometric information, registration number, and any other information we collect. The OHSC treats all personal information collected through different channels as private and confidential. This Privacy Statement aims to explain how and why we use your personal information and the steps we will take to ensure that your personal information is safeguarded in our business processes as a regulator and employer.

​Right to change this Privacy Statement.

This Privacy Statement may be amended to align with changes in the law or changes in technology that impact how we process your personal information. We will publish all changes describing our new practices on our websites, and the latest version will replace previous ones.

Collection of personal information

Personal information is collected directly from you and may be collected indirectly from other external sources to fulfill our legislative mandate and sector-specific obligations. Due to the nature of the work of the OHSC, we need to have a complete view of the national health system and health establishments that we regulate, understand their operations and the consumers of health care services, and be proactive and pre-emptive in effectively identifying risks that impact on the achievement of our mandate. To effectively achieve this, the OHSC must collect information from multiple sources, which include:

  • Other healthcare regulators. These regulators may be inside or outside of South Africa
  • Media sources such as newspapers, social media, and the broadcast news
  • Law enforcement agencies such as the South African Police Service
  • Members of the public
  • Whistle-blowers
  • Our service providers
  • Recruitment agencies

Why do we collect personal information?

We collect your personal information for several reasons, which include the following:

  • To monitor and evaluate compliance with norms and standards prescribed by the Minister of Health for various categories of health establishments for which the OHSC is the responsible certification authority (our regulatory mandate).
  • Monitor and analyse the risk indicators as an early warning system for breaches of norms and standards and report them to the Minister of Health for appropriate intervention.
  • Identify areas of risk and make recommendations for intervention by a national, provincial, or municipal health department to ensure adequacy of compliance with the prescribed norms and standards.
  • In addition to the external regulatory mandate for health establishments that make up the national health system, we also manage the employment relationship and systems for our employees.
  • To process your employment application, where you have applied with us.

What personal information do we collect?

Our divisions collect and process different attributes of your personal information at specific points in our legislative and regulatory mandate or for internal business purposes such as human resources or procurement. Below is a non-exhaustive list of personal information categories we collect and process.

  • Identifying number (employee number, company registration number, ID number),
  • E-mail addresses, physical address, telephone number
  • Names, surnames, marital status, nationality, age, physical health status, mental health status, well-being, disability status, language, and date of birth.

Some of this information may be more prevalent in our employment processes than in the core regulatory business divisions.

  • Biometric information such as fingerprinting, particularly in our employment processes.
  • Information on your race, ethnic or social origin, criminal recordings/proceedings.
  • Education, medical, financial, and employment information

​We may not be able to carry out our legislative oversight mandate of health establishments or provide our services to the public, employ you, or procure your services without relevant aspects of your personal information that have been lawfully acquired. In the course of conducting inspections or investigations of health establishments, we may come into possession of your personal information in instances where the OHSC has a legislative mandate to provide this public oversight function, which we nonetheless will carry out with due regard to your privacy and the sensitivity of the information collected for regulatory purposes. In such instances, obtaining your consent is impractical and subject to the Protection of Personal Information. Should we be required to disclose such information while reporting on our regulatory functions, we will ensure that your rights as a data subject are duly recognised and will only disclose specifics of your personal information –- if the law requires or permits it.

Publication and access to OHSC registers

The OHSC collectively makes certain information accessible to the public on its website(s), such as lists of regulated entities and persons. The accessible information includes the details of the regulated health establishments, their contact information, names of appointed compliance officers, key individuals, etc. We will only make limited information available to allow the public to verify licensed entities and persons and contact them for their needs, where necessary.

The use of Third Parties

We occasionally share your personal information with third parties with whom we have concurrent regulatory jurisdiction or use as service providers. We will only disclose your personal information if:

  • It is necessary to fulfil our regulations in terms of the National Health Amendment Act
  • The law requires it for any other purpose
  • For necessary business purposes
  • We have a public duty to disclose the information
  • Your legitimate interests require disclosure or
  • You have, in certain instances – directly provided consent for us to disclose your information.

These third parties may include but not necessarily be limited to:

  • OHSC service providers
  • Other regulators (including foreign regulators)
  • Law enforcement agencies
  • Verification agents (such as those we use for employment screening)

Where applicable, we request the third parties with whom we share information to take adequate measures, comply with applicable data protection laws, and ensure the adequacy of the safeguards they use in their processes to protect the information we disclose to them. We do this through appropriate contractual arrangements with these third parties. We also take internal measures to ensure that the third parties we appoint have adequate and appropriate measures to protect the information we provide them, in whatever format.

Transborder information flows

Where necessary and appropriate, your personal information may be processed in other countries for:

  • Business purposes, in instances where our third parties are located in countries outside of South Africa.
  • Sharing with other regulators outside of South Africa to fulfill a legislative mandate
  • Law enforcement agencies for investigation purposes.

These countries may not have the same data protection laws as South Africa. However, before we transfer personal information outside South Africa, we have stringent processes to ensure that appropriate organisational and data security safeguards are put in place to protect personal information, which includes contractual and internal due diligence measures. 

Your Rights

You have rights as a data subject, which you can exercise in the personal information we hold about you. Requests must be made in writing to the OHSC Deputy Information Officer to enquire or enforce these rights on the contact details provided in this statement.   You can exercise your right to:

  • Request access to the information we hold about you. Please visit our PAIA Manual to learn more about the process for requesting access to information.
  • We may, as permitted by law in certain circumstances, charge a fee for this service.
  • Request the correction or deletion of your personal information or that of any data subject in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • You can request the destruction and deletion of your personal information that we are no longer authorised to retain.
  • Object to how we process your personal information.
  • Complain to us about how we use your personal information using the contact details of the Deputy Information Officer. If you are not satisfied with how we handle your complaint, you can complain to the Information Regulator using the details provided in this statement.
  • Query a decision we make about some of our services made solely by automated means.
  • ​It is important to note that these rights are not absolute and must be balanced against competing rights. As such, they may be limited owing to the nature of our public interest mandate. We may also rely on certain exceptions that may impact your rights; for example, when conducting inspections of health establishments, we view patient files without your direct consent to evaluate compliance with norms and standards of care as it is a legal obligation of the OHSC. We are acting in the interests of all healthcare users. You have a right to object, or access to certain information may also be limited. We will only do this where the public interest we are mandated to protect outweighs to a substantial degree interference with your privacy. Where possible, in terms of law, we will explain the exception we rely on and its impact on your rights.

Our Security Practices

Our security systems and controls are designed to ensure confidentiality and prevent unauthorised access, loss, and damage to information by unauthorised parties. Our cyber security strategy is aligned with industry-standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.

Anonymous collection of data from the use of our website

We monitor user experience while you are using our website and collect anonymous connection statistics through our monitoring solution. This is to improve our website service and add value when you visit our website.

Use of cookies on the website

We use cookie technology on our website. Cookies are small files stored on a user’s computer or device when using our website(s). We have non-essential cookies that enable us to distinguish users and strict electronic communication transport security protocols that allow a website to declare itself a secure host. If you wish to turn off this technology, please click the link below.

Links to other websites on our website

Our website may have links to or from websites of regulatory bodies other than the OHSC. We request that you read and familiarise yourself with these other websites’ privacy and security policies. We are not responsible for the privacy and security of the websites mentioned; we only manage the websites of the OHSC.

Use and monitoring of electronic communications.

We must keep the public informed about any development of public interest. We communicate with you and the public using various channels, including the media.

Retention of personal information

Our retention schedule and information policies define how long we keep all records, including any personal information we process in the different divisions. Personal information is retained and destroyed as required or authorised by law and for defined purposes related to the OHSC’s activities.

How to contact us

If you have any queries about our privacy notice and how we process your personal information, please get in touch with the OHSC Deputy Information Officer at privacy@ohsc.org.za

​Physical address:

Office of Health Standards Compliance (OHSC) 79 Steve Biko Road Prinshof Pretoria 0084 If you have any complaints/ need clarification about how we handle your information, you may direct those queries to the Deputy Information Office or escalate them in respect of unresolved complaints for resolution to: South African Information Regulator: contact details are as follows:

Physical Address:

JD House, 27 Stiemens Street Braamfontein Johannesburg 2001  

Postal Address:

P.O Box 31533 Braamfontein Johannesburg, 2017 Complaints email: Complaints.IR@justice.gov.za General enquiries email: inforeg@justice.gov.za Website: https://www.justice.gov.za/inforeg/ ​