- Our Commitment to Your Privacy
Welcome to Polaris Plastic & Reconstructive Surgery Pte Ltd (the "Clinic", "we", "us", "our"). Your privacy and the protection of your personal data are of utmost importance to us. This Personal Data Protection Policy ("Policy") outlines how we manage the personal data we hold in accordance with Singapore's Personal Data Protection Act 2012 (the "PDPA"). We are committed to safeguarding your personal data and ensuring that it is collected, used, and disclosed in a responsible and transparent manner.
- Scope and Application of This Policy
This Policy applies to all personal data collected, used, and disclosed by Polaris Plastic & Reconstructive Surgery Pte Ltd. It covers personal data provided by our patients, prospective patients, website visitors, and any other individuals who interact with us or use our services. This Policy is designed to help you understand our data protection practices and your rights in relation to your personal data.
- Personal Data We Collect
In this Policy, "Personal Data" refers to any data, whether true or not, about an individual who can be identified from that data or from that data and other information to which we have or are likely to have access. The types of Personal Data we may collect include, but are not limited to:
- Patient Identity and Contact Data: Your full name, NRIC, FIN, passport number, date of birth, gender, mailing address, email address, telephone numbers, and emergency contact or next-of-kin information. Please note that we will only collect, use, or disclose your NRIC number or a copy of your NRIC where it is required under the law or necessary to verify your identity to a high degree of fidelity.
- Sensitive Health and Medical Data: Your medical history, allergies, consultation notes, diagnoses, treatment plans, prescriptions, laboratory results, X-rays, and other medical imaging records. As a plastic and reconstructive surgery clinic, this also includes highly sensitive data such as clinical photographs, videos, and 3D imaging records taken before, during, and after your treatment.
- Financial and Transactional Data: Information related to billing and payments, such as bank account details, credit card information, and details of transactions with us. This also includes information from your insurer or third-party administrator for claims processing.
- Technical and Usage Data: Information collected when you visit our website, such as your IP address, browser type, and information on your usage of our website collected via cookies. We may also operate closed-circuit television (CCTV) cameras on our premises for security purposes, which may capture your image.
- Purposes for the Collection, Use, and Disclosure of Your Personal Data
We collect, use, and disclose your Personal Data only for purposes that a reasonable person would consider appropriate in the circumstances, and for which we have obtained your consent or have a legal basis to do so. Our purposes are categorised as follows:
- Primary Purposes (Provision of Medical Care): This is the core reason we collect your Personal Data. Activities under this category include patient registration, conducting medical consultations, making diagnoses, planning and administering your treatment, dispensing medication, and communicating with other healthcare professionals involved in your care, such as for specialist referrals or laboratory tests.
- Secondary Purposes (Administration and Operations): These are purposes necessary for the effective running of the Clinic. They include scheduling and confirming appointments, processing bills and payments, managing insurance claims, responding to your enquiries, performing internal audits and quality assurance, and complying with our legal, regulatory, and professional obligations.
- Optional/Ancillary Purposes (Requiring Explicit Consent): These are purposes outside of your direct medical care and our standard operations. They include sending you marketing and promotional materials about our services, using your testimonials or clinical photographs for educational or marketing purposes, and inviting you to participate in research projects where your data is not fully anonymised. We will only use your Personal Data for these purposes if we have obtained your separate and explicit consent to do so.
To provide greater clarity and transparency, the table below summarises our main data processing activities and the legal basis for them under the PDPA. This table serves not only to inform you but also acts as an internal governance tool, ensuring that every data processing activity within the Clinic is mapped to a legitimate and lawful purpose, thereby embedding the principle of accountability into our daily operations.
| Purpose of Processing | Examples of Personal Data Involved | Legal Basis under PDPA |
|---|---|---|
| Provision of Medical Care & Treatment | Identity Data, Contact Data, Sensitive Health & Medical Data (including clinical photos) | Deemed Consent (by presenting for treatment); Contractual Necessity (to provide the service you requested) |
| Clinic Administration & Billing | Identity Data, Contact Data, Financial Data, Insurance Details | Contractual Necessity; Legitimate Interests (for efficient business operations) |
| Compliance with Legal Obligations | Medical Records, Transaction Records | Legal Obligation (e.g., MOH regulations, tax laws) |
| Marketing & Patient Engagement | Name, Email, Phone Number, Testimonials, "After" Photos | Explicit Consent (Opt-in) |
| Improving Our Services & Research | Anonymised or Aggregated Health Data | Business Improvement/Research Exception (where applicable and anonymised) |
- Consent
Your consent is the cornerstone of our data processing activities. We may obtain your consent in the following ways:
- Express Consent: We will seek your explicit consent, typically in writing (e.g., by signing a form or ticking a box), for any purposes that are not directly related to your medical care or our clinic's administration. This includes consent for marketing communications or the use of your identifiable photographs for promotional purposes. We will not make your consent for such optional purposes a condition of providing you with medical services.
- Deemed Consent: In the context of healthcare, consent can often be deemed. By voluntarily providing your Personal Data and presenting yourself for a consultation or treatment at our Clinic, you are deemed to have consented to our collection, use, and disclosure of your Personal Data for the purposes of providing you with medical care and for related administrative tasks.
- Withdrawal of Consent: You have the right to withdraw your consent at any time by providing us with reasonable notice in writing to our Data Protection Officer. Upon receiving your request, we will inform you of the likely consequences of withdrawing consent, which may include our inability to continue providing you with certain medical services. We will then cease to collect, use, or disclose your Personal Data, except where permitted or required by law.
- Disclosure of Your Personal Data
To provide you with effective care and to manage our operations, we may need to disclose your Personal Data to third parties. These parties may include:
- Other healthcare professionals, hospitals, clinics, or laboratories involved in your care (e.g., for referrals or diagnostic tests).
- Your insurance provider, company, or other third-party administrators for the purpose of processing your medical claims.
- Third-party service providers who supply us with services such as IT support, data storage, and payment processing. We will ensure that such providers are bound by contractual obligations to protect your Personal Data.
- Relevant government regulators, statutory boards, or authorities, such as the Ministry of Health, where required by law.
- Law enforcement agencies or in response to a court order.
If we need to transfer your Personal Data to a country outside of Singapore (for example, to a cloud service provider with servers located overseas), we will take steps to ensure that the recipient organisation provides a standard of protection to the transferred Personal Data that is comparable to the protection under the PDPA.
- Data Protection and Security
We take our responsibility to protect your Personal Data seriously. We have implemented reasonable security arrangements, encompassing administrative, physical, and technical measures, to safeguard your Personal Data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These measures include physical access controls to our premises, password protection for electronic files, data encryption, and regular staff training on data protection policies and procedures.
- Retention of Personal Data
We will retain your Personal Data only for as long as it is necessary to fulfil the purposes for which it was collected, or as required by law. As a healthcare provider in Singapore, we are legally obligated to adhere to the specific retention periods mandated by the Ministry of Health (MOH) for patient health records. This legal obligation for long-term retention serves as a specific "legal purpose" under the PDPA, even after active treatment has concluded. Our retention periods are as follows:
- Electronic Patient Health Records: Retained for the patient's lifetime plus 6 years.
- Paper Outpatient Records: Retained for 6 years from the date of the last consultation or treatment.
- Paper Inpatient Records (if applicable): For adults, retained for 15 years from the last interaction.
For any other Personal Data not covered by MOH guidelines, we will cease to retain it as soon as it is reasonable to assume that the purpose for which it was collected is no longer being served and retention is no longer necessary for legal or business purposes, in line with the PDPA's Retention Limitation Obligation.
- Your Rights as a Data Subject
Under the PDPA, you have certain rights in relation to your Personal Data. We are committed to upholding these rights.
- Right to Access: You have the right to request a copy of your Personal Data that is in our possession or under our control, as well as information about the ways in which your Personal Data has been used or disclosed by us within one year before the date of your request. We will respond to your request within 30 days. Please note that we may charge a reasonable fee for the processing of an access request.
- Right to Correction: You have the right to request that we correct any error or omission in your Personal Data that is in our possession or under our control. We will correct your data as soon as practicable.
- Right to Data Portability: Where the PDPA's Data Portability Obligation applies, you may have the right to request that we transmit your data that is in our possession or under our control to another organisation in a commonly used machine-readable format.
To exercise any of these rights, please submit your request in writing to our Data Protection Officer.
- Management of Data Breaches
In compliance with the PDPA's mandatory Data Breach Notification Obligation, we have procedures in place to manage any data breaches effectively. In the event of a data breach, we will:
- Conduct a prompt assessment, to be completed within 30 calendar days, to determine if the breach is notifiable.
- A data breach is deemed notifiable if it (a) results in, or is likely to result in, significant harm to an affected individual, or (b) is of a significant scale (i.e., affecting 500 or more individuals).
- If the breach is determined to be notifiable, we will notify the Personal Data Protection Commission (PDPC) as soon as practicable, and in any case no later than three (3) calendar days after completing our assessment.
- We will also notify all affected individuals as soon as practicable, at the same time as or after notifying the PDPC, so that you may take steps to protect yourself from any potential harm.
- Website Usage, Cookies, and Third-Party Links
When you visit our website, we may use "cookies" to collect information about your usage, such as pages visited and the duration of your visit. This helps us to improve our website and provide a better user experience. You can choose to disable cookies through your browser settings, but this may affect the functionality of our website. Our website may contain links to other websites operated by third parties. We are not responsible for the privacy practices of these external sites.
- Data Protection Officer (DPO) and Contact Information
We have appointed a Data Protection Officer (DPO) to oversee our compliance with the PDPA and to handle all privacy-related matters. Should you have any questions about this Policy, wish to exercise your rights, or provide any feedback regarding our handling of your Personal Data, please contact our DPO:
- Title: Data Protection Officer
- Email: clinic@polarisplasticsurgery.com
- Mailing Address: Polaris Plastic & Reconstructive Surgery Pte Ltd, [Clinic's Full Address]
- Governing Law and Policy Updates
This Policy is governed in all respects by the laws of Singapore. We may update this Policy from time to time to ensure that it is consistent with our future developments, industry trends, and/or any changes in legal or regulatory requirements. The latest version of this Policy will always be available on our website.