APPROVED
order of the chief physician of the health care institution
“Brest City Polyclinic No. 2”
08/29/2022 No. 248
Personal Data Processing Policy
Chapter 1. General.
1.1. The policy regarding the processing of personal data in the health care facility “Brest City Polyclinic No. 2” (hereinafter referred to as the Policy) defines the basic principles, purposes, conditions and methods of processing personal data, the lists of personal data subjects and of the personal data processed in the health care facility “Brest City Polyclinic No. 2” (hereinafter – the institution), the functions of the institution in the processing of personal data, the rights of subjects of personal data, as well as the requirements for the protection of personal data implemented in the institution.
1.2. Approval of the institution’s Policy regarding the processing of personal data is one of the measures taken to protect personal data, provided for in Article 17 of the Law of the Republic of Belarus dated 07.05.2021 No. 99-З “On the Protection of Personal Data”.
1.3. The policy is developed and determined in accordance with the following regulatory legal acts:
- Constitution of the Republic of Belarus;
- Labor Code of the Republic of Belarus;
- Law of the Republic of Belarus of 07.05.2021 No. 99-З “On the protection of personal data”;
- Law of the Republic of Belarus dated 10.11.2008 No. 455-З “On information, informatization and information protection”;
- Law of the Republic of Belarus of June 18, 1993 No. 2435-XII “On Health Care”;
- Decree of the Ministry of Health of the Republic of Belarus No. 64 dated May 28, 2021 “On approval of the Instruction on the procedure for depersonalization of personal data of persons receiving medical care”;
- Decree of the Ministry of Health of the Republic of Belarus of 07.06.2021 No. 74 “On the forms and procedure for giving and withdrawing consent to the entry and processing of personal data of the patient”;
- other normative and legal acts of the Republic of Belarus and normative documents of authorized state authorities.
Chapter 2. Basic concepts and terms used in the Policy.
2.1. Operator – health care institution “Brest City Polyclinic No. 2”, located at the address: 224005, Brest, st. Belova, d. 2.
2.2. Personal data – any information relating to an identified natural person or an identifiable natural person.
2.3. Biometric personal data – information characterizing the physiological and biological characteristics of a person, which is used for its unique identification (fingerprints, palms, iris, facial characteristics and its image, etc.).
2.4. Genetic personal data – information relating to the inherited or acquired genetic characteristics of a person, which contains unique data about his physiology or health and can be identified, in particular, by examining his biological sample.
2.5. Special personal data – personal data relating to race or nationality, political opinions, membership in trade unions, religious or other beliefs, health or sexual life, administrative or criminal liability, as well as biometric and genetic personal data.
2.6. Publicly available personal data – personal data disseminated by the subject of personal data himself or with his consent or disseminated in accordance with the requirements of legislative acts.
2.7. Information – information (messages, data) regardless of the form of their presentation.
2.8. An identifiable natural person – a natural person that can be directly or indirectly identified, in particular through a surname, first name, patronymic, date of birth, identification number, or through one or more features characteristic of his physical, psychological, mental, economic, cultural or social identity.
2.9. Subject of personal data or subject – an individual in respect of whom the processing of personal data is carried out.
2.10. Processing of personal data – any action or set of actions performed with personal data, including the collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data.
2.11. Processing of personal data using automation tools – processing of personal data using computer technology, while such processing cannot be recognized as carried out exclusively using automation tools only on the basis that personal data is contained in the personal data information system or were extracted from it.
2.12. Processing of personal data without the use of automation tools – actions with personal data, such as the use, clarification, distribution, destruction, carried out with the direct participation of a person, if this ensures the search for personal data and (or) access to them according to certain criteria (files, lists, databases, journals, etc.).
2.13. Dissemination of personal data – actions aimed at making personal data known to an indefinite circle of persons.
2.14. Providing personal data – actions aimed at making personal data known to a certain person or circle of persons.
2.15. Blocking of personal data – termination of access to personal data without deleting it.
2.16. Deletion of personal data – actions, as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which material carriers of personal data are destroyed.
2.17. Depersonalization of personal data – actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.
2.18. Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state.
Chapter 3. Principles and purposes of personal data processing.
3.1. The Institution, being the Operator of personal data, processes the personal data of employees and patients of the healthcare institution “Brest City Polyclinic No. 2”, as well as other subjects of personal data, in the process of exercising the functions, powers and tasks assigned to the Operator.
3.2. The processing of personal data in a healthcare institution is carried out taking into account the need to ensure the protection of the rights and freedoms of employees and patients, as well as other subjects of personal data, including the protection of the right to privacy, personal and family secrets, based on the following principles:
- the processing of personal data is carried out on a lawful and fair basis;
- the processing of personal data is carried out in proportion to the stated purposes of their processing and ensures a fair balance of interests of all interested parties at all stages of such processing;
- processing of personal data is carried out with the consent of the subject of personal data, except for cases provided for by legislative acts;
- The processing of personal data is limited to the achievement of specific, pre-declared legitimate purposes. It is not allowed to process personal data that is incompatible with the originally stated purposes of their processing;
- The content and scope of the processed personal data correspond to the stated purposes of their processing. The personal data being processed is not redundant in relation to the stated purposes of their processing;
- The processing of personal data is transparent. The subject of personal data may be provided with relevant information regarding the processing of his personal data.
3.3. The operator takes measures to ensure the accuracy of the personal data it processes and updates them if necessary.
3.4. Personal data is stored in a form that allows the subject of personal data to be identified, no longer than required by the stated purposes of processing personal data.
3.5. Personal data is processed by a healthcare facility for the following purposes:
- ensuring compliance with the Constitution of the Republic of Belarus, legislative and other regulatory legal acts of the Republic of Belarus, local acts of the institution;
- exercising the rights and legitimate interests of the institution in the framework of the activities provided for by the Charter and other local legal acts of the institution, including the provision of qualified medical and advisory assistance to the population within its competence, or the achievement of socially significant goals;
- exercising the functions, powers and duties assigned by the legislation of the Republic of Belarus to an institution, including the provision of personal data to state authorities, to the Social Protection Fund of the Ministry of Labor and Social Protection of the Republic of Belarus, as well as to other state bodies; regulation of labor relations with employees of a healthcare institution;
- protecting the health and other interests of personal data subjects;
- conducting financial and economic activities;
- preparation, conclusion, execution and termination of contracts with counterparties;
- formation of reference materials for internal information support of the institution’s activities;
- enforcement of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Republic of Belarus on enforcement proceedings;
- for other lawful purposes.
Chapter 4. Functions of an institution in the processing of personal data.
4.1. Healthcare institution when processing personal data:
- takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Republic of Belarus and local acts of the institution in the field of personal data;
- takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
- appoints persons responsible for exercising internal control over the processing of personal data;
- issues local acts that define the policy and issues of processing and protecting personal data in the institution;
- acquaints the employees of the institution directly involved in the processing of personal data with the provisions of the legislation of the Republic of Belarus and local acts of the polyclinic in the field of personal data, including the requirements for the protection of personal data, and trains these employees; provides unrestricted access to this Policy;
- informs the subjects of personal data or their representatives in the prescribed manner about the availability of personal data relating to the respective subjects, provides an opportunity to get acquainted with these personal data when applying and (or) receiving requests from the specified subjects of personal data or their representatives, unless otherwise established by the legislation of the Republic of Belarus;
- stops processing and destroys personal data in cases provided for by the legislation of the Republic of Belarus in the field of personal data;
- performs other actions provided for by the legislation of the Republic of Belarus in the field of personal data.
Chapter 5. Categories of Personal Data Subjects.
5.1. The healthcare institution processes personal data of the following categories of subjects:
- employee relatives;
- job candidates;
- employees (including former) of the institution;
- employees and other representatives of counterparties – legal entities, individual entrepreneurs;
- counterparties – individuals;
- patients;
- the persons specified in the second part of Article 18 of the Law of the Republic of Belarus dated 06/18/1993 No. 2435-XII “On Health Care”;
- other subjects whose interaction with the Operator creates the need to process personal data.
Chapter 6. Content and scope of personal data.
6.1. The content and volume of personal data of each category of subjects is determined by the need to achieve the specific purposes of their processing, as well as the need for a healthcare institution to exercise its rights and obligations, as well as the rights and obligations of the respective subject.
6.2. The content and volume of personal data of each category of personal data subjects processed by the Operator are determined by the need to achieve specific processing goals and are defined in the Personal Data Processing Registry.
6.3. In the process of fulfilling mutual obligations and exercising rights by the Operator and personal data subjects, an objective and legitimate need for the Operator to process other personal data not specified in the Personal Data Processing Register is allowed.
Chapter 7. Conditions for the processing of personal data in an institution.
7.1. Personal data in a healthcare institution is processed with the consent of the subject of personal data to the processing of his personal data, unless otherwise provided by the legislation of the Republic of Belarus in the field of personal data.
7.2. The Operator’s employees whose duties include the processing of personal data are allowed to process personal data.
7.3. The processing of personal data by the Operator is carried out by collecting, systematizing, storing, changing, using, depersonalizing, blocking, distributing, providing, deleting personal data.
7.4. The operator processes personal data both with and without the use of automation tools.
7.5. The institution, without the consent of the subject of personal data, does not disclose to third parties and does not distribute personal data, unless otherwise provided by the legislation of the Republic of Belarus.
7.6. The institution has the right to entrust the processing of personal data on its own behalf or in its own interests to an authorized person on the basis of an agreement concluded with this person.
7.6.1. The contract must contain:
- purposes of personal data processing;
- list of actions that will be performed with personal data by an authorized person;
- obligations to respect the confidentiality of personal data;
- measures to ensure the protection of personal data in accordance with Article 17 of the Law of the Republic of Belarus dated 07.05.2021 No. 99-З “On the Protection of Personal Data”.
7.6.2. The authorized person is not required to obtain the consent of the personal data subject. If the processing of personal data on behalf of a healthcare institution requires the consent of the subject of personal data, such consent shall be obtained by the healthcare institution.
7.7. For the purpose of internal information support, a healthcare institution may create internal reference materials, which, with the written consent of the subject of personal data, unless otherwise provided by the legislation of the Republic of Belarus, may include his last name, first name, patronymic, place of work, position, year and place of birth, address, subscriber number, e-mail address, other personal data reported by the subject of personal data.
7.8. Access to personal data processed in a healthcare facility is allowed only to employees of a healthcare facility holding positions included in the list of positions with access to personal data, according to the Personal Data Processing Register.
Chapter 8. Rights and obligations of personal data subjects.
8.1. The subject of personal data has the right:
- at any time, without giving reasons, to withdraw his consent by submitting an application to the operator in the manner prescribed by Article 14 of the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z “On the Protection of Personal Data”, or in the form through which his consent was obtained;
- to receive information regarding the processing of his personal data, containing:
  - name (surname, first name, patronymic (if any)) and location (address of residence (place of stay)) of the Operator;
  - confirmation of the fact of personal data processing by the Operator (authorized person);
  - his personal data and the source of their receipt;
  - legal grounds and purposes for processing personal data;
  - the period for which his consent is given;
  - name and location of the authorized person, which is a state body, legal entity of the Republic of Belarus, other organization, if the processing of personal data is entrusted to such person;
  - other information provided by law;
- to require the Operator to amend his personal data if they are incomplete, outdated or inaccurate. For these purposes, the subject of personal data submits to the operator an application in the manner prescribed by Article 14 of the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z “On the Protection of Personal Data”, with the relevant documents and (or) their duly certified copies confirming the need to make changes to personal data;
- to receive information from the Operator about the provision of his personal data to third parties once a calendar year free of charge, unless otherwise provided by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z “On the protection of personal data” and other legislative acts. To obtain this information, the subject of personal data submits an application to the Operator;
- require the Operator to stop processing their personal data free of charge, including their deletion, in the absence of grounds for the processing of personal data provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z “On the protection of personal data” and other legislative acts. To exercise this right, the subject of personal data submits an application to the Operator in the manner prescribed by the Law of the Republic of Belarus dated 07.05.2021 No. 99-З “On the protection of personal data”;
- appeal against the actions (inaction) and decisions of the Operator that violate his rights in the processing of personal data to the authorized body for the protection of the rights of subjects of personal data in the manner prescribed by law on appeals from citizens and legal entities.
8.2. The application of the subject of personal data must contain:
- surname, first name, patronymic (if any) of the subject of personal data, address of his place of residence (place of stay);
- date of birth of the personal data subject;
- identification number of the subject of personal data, in the absence of such a number – the number of the identity document of the subject of personal data, in cases where this information was indicated by the subject of personal data when giving his consent to the Operator or the processing of personal data is carried out without the consent of the subject of personal data;
- statement of the essence of the requirements of the subject of personal data;
- personal signature or electronic digital signature of the subject of personal data.
8.3. The subject of personal data is obliged to:
- provide reliable personal data to the institution;
- inform the institution in a timely manner of changes and additions to his personal data;
- to exercise their rights in accordance with the legislation of the Republic of Belarus and local acts of the institution in the field of processing and protection of personal data;
- to fulfill other obligations stipulated by the legislation of the Republic of Belarus and local acts of the healthcare institution in the field of processing and protecting personal data.
Chapter 9. Rights and obligations of the operator.
9.1. The operator has the right to:
- set the rules for processing personal data in the institution;
- make changes and additions to the local acts of the institution in the field of processing and protection of personal data;
- independently, within the framework of legal requirements, develop and apply the forms of documents necessary for the performance of the Operator’s duties;
- exercise other rights provided for by the legislation of the Republic of Belarus and local acts of the institution in the field of processing and protection of personal data.
9.2. The operator must:
- explain to the subject of personal data his rights related to the processing of personal data;
- obtain the consent of the subject of personal data, except as provided by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z “On the protection of personal data” and other legislative acts;
- ensure the protection of personal data during their processing;
- to provide the subject of personal data with information about his personal data, as well as about the provision of his personal data to third parties, except for the cases provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z “On the protection of personal data” and other legislative acts;
- make changes to personal data that are incomplete, outdated or inaccurate, unless a different procedure for making changes to personal data is established by legislative acts or if the purposes of processing personal data do not imply subsequent changes to such data;
- stop the processing of personal data, as well as delete or block them (ensure the termination of the processing of personal data, as well as their removal or blocking by an authorized person) in the absence of grounds for processing personal data provided for by the Law of the Republic of Belarus dated 07.05.2021 No. 99-З “On the protection of personal data” and other legislative acts;
- notify the authorized body for the protection of the rights of personal data subjects about violations of personal data protection systems immediately, but no later than 3 working days after the operator becomes aware of such violations, except as provided by the authorized body for the protection of the rights of personal data subjects;
- change, block or delete inaccurate or illegally obtained personal data of the subject of personal data at the request of the authorized body for the protection of the rights of subjects of personal data, unless another procedure for making changes to personal data, blocking or deleting them is established by legislative acts;
- to comply with other requirements of the authorized body for the protection of the rights of subjects of personal data on the elimination of violations of legislation on personal data;
- fulfill other obligations stipulated by the Law of the Republic of Belarus No. 99-З dated 07.05.2021 “On the Protection of Personal Data” and other legislative acts.
Chapter 10. Monitoring compliance with the legislation of the Republic of Belarus and local acts of the institution in the field of personal data, including requirements for the protection of personal data.
10.1. Control over compliance with the legislation of the Republic of Belarus and local acts of the institution in the field of personal data, including requirements for the protection of personal data, is carried out in order to verify the compliance of the processing of personal data in a healthcare institution with the legislation of the Republic of Belarus and local acts of the polyclinic in the field of personal data, including the requirements for the protection of personal data, as well as taking measures aimed at preventing and detecting violations of the legislation of the Republic of Belarus in the field of personal data, identifying possible channels of leakage and unauthorized access to personal data, eliminating the consequences of such violations.
10.2. Internal control over compliance with the legislation of the Republic of Belarus and local acts of the institution in the field of personal data, including requirements for the protection of personal data, is carried out by the person responsible for organizing the processing of personal data in the clinic.
Chapter 11. Responsibility.
11.1. Persons guilty of violating the Law of the Republic of Belarus dated 07.05.2021 No. 99-Z “On the Protection of Personal Data” shall be liable under the legislative acts of the Republic of Belarus.
11.2. Employees and other persons guilty of violating this Policy, as well as the legislation of the Republic of Belarus in the field of personal data, may be subject to disciplinary and material, civil, administrative and criminal liability in the manner prescribed by the legislation of the Republic of Belarus.