IHH Singapore Personal Data Protection Notice (also known as “Privacy Policy”)


  1. Introduction

      1.1 This Personal Data Protection Notice (“Notice”) is published on 10 February 2023 (“Effective Date”).

      1.2 IHH Healthcare Singapore[1] is committed to protecting individuals'[2] (“your”, “you” and “yours”) personal data responsibly and in compliance with applicable data protection related laws. Where personal data is processed in Singapore, only the Singapore Personal Data Protection Act (2012) (“PDPA”) shall apply.

      1.3 This Notice applies to the Processing[3] of your personal data by us. It explains how we Process your personal data when you interact with us.

      1.4 This Notice may be updated from time to time, in line with amendments to the PDPA or to provide you with additional information. We strongly encourage you to read this Notice.

  2. Personal Data

      2.1 For purposes of this Notice, Personal Data means any information or combination of information, relating, directly or indirectly to an identified or identifiable natural person. 

      2.2 Depending on the nature of your interaction with us, the Personal Data we collect may include your personal identification information, health and medical information, account and profile information, network traffic and related data and/or any other information which has been provided to us or which we may have access to, in the course of your interaction with us.

      2.3 For more details on Personal Data which may be collected, please refer to Appendix 1.

      2.4 Personal Data of Vulnerable Persons[4]:

        a) It is our intention and policy to comply with the law when it requires a parent’s, guardian’s or legal representative’s permission before collecting, using or disclosing Personal Data of Vulnerable Persons.

        b) If a parent, guardian or legal representative becomes aware that Personal Data of a child or ward has been provided by that child or ward without the consent of the relevant parent, guardian or legal representative, please contact us (contact details provided below). Such Personal Data will be disposed of from our records. 

  3. How do we collect Personal Data?

    When we obtain Personal Data about you, this is generally necessary to fulfil a statutory or contractual requirement, or is required to perform or enter into a contract with you. In this case, you are obliged to provide your Personal Data. In other exceptional cases, the decision to provide us with Personal Data is voluntary. In this case, if you do not provide your Personal Data to us, we may not be able to accomplish some of the purposes outlined in this Notice.

    We collect Personal Data from you in the following ways: 

      3.1 Directly:

        a) when you create an account, register with us and/or submit any form to us or benefit from our services; 

        b) when you disclose Personal Data in face-to-face meetings, telephone conversations, emails and/or over any communication or messaging platforms with our teams such as marketing or customer service officers;

        c) when you sign up for our marketing and promotional communications and/or any initiatives; 

        d) when you interact, communicate with us and/or leave comments on our websites or social media platforms; 

        e) when you enter into an agreement, partnership, collaboration and/or provide any other documentation or information in respect of your interactions with us; 

        f) when you visit and/or are within our premises and your images are captured by us via CCTV cameras, photographs or videos taken by us or our representatives when you attend any of our events; 

        g) when you submit an application for employment, internship, attachment, education or accreditation;

        h) when you make available your Personal Data to us for any other reason;

      3.2 Indirectly:

        a) when we seek and receive your Personal Data in connection with your relationship with us (including, but not limited to, for our products and services or work, education and accreditation applications) from other data sources; 

        b) if you act as an intermediary or are supplying us with Personal Data and information relating to a third-party/other individual (such as a Relative[5], friend, colleague, patient, employee, etc.), you undertake that you have obtained all necessary consents from such third-party/other individual for Processing of their Personal Data by us;

        c) as we are collecting third-party/other individual's Personal Data from you, you undertake to make such third-party/other individual aware of all matters listed in this Notice by referring them to our website or informing them of the contents of this Notice; and/or

        d) any other information which we may collect from other sources. 

  4. Ensuring accuracy of Personal Data

      4.1 We strive to maintain Personal Data in a manner that is accurate, complete and up-to-date. The Personal Data you provide to us must be accurate, complete and up-to-date, and you must inform us of any significant changes to such Personal Data provided by you.

      4.2 Furthermore, if you act as an intermediary or are supplying us with Personal Data and information relating to a third-party/other individual, please note that you need to ensure that such Personal Data is collected in compliance with the PDPA. For example, you should inform such third-party/other individual about the contents of this Notice. 

  5. For which purpose is Personal Data collected?

    Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:

      5.1 Business Purposes: These are legitimate purposes as appropriate to conduct our business. These include Processing necessary for the performance of contractual obligations, account management of Individuals, customer service and support, finance and accounting, research and development, internal management and control, and any other reasonably related activities.

      5.2 Human resources and personnel management: This includes Processing necessary for the performance of an employment or other contract with an employee (or to take necessary steps at the request of an employee prior to entering into a contract), or for managing the employment-at-will relationship.

      5.3 Health, safety and security: For Processing necessary to ensure occupational safety and health, the protection of our assets, your verification and your access rights and its status;

      5.4 Compliance with legal and regulatory obligations: For Processing necessary for compliance with a legal obligation to which we are subject;

      5.5 Vital interests: For Processing necessary to protect your vital interests, for instance, situations that require us to protect your life or you from harm;

      5.6 Marketing and Promotion: We may, when Processing Personal Data for marketing communications and/or promotions, either: 

        a) obtain your consent; and/or

        b) offer you the opportunity to not proceed with the processing and/or to choose not to receive such communications.

        If you wish to withdraw consent to receive such materials, please contact us (contact details provided below).

      5.7 Secondary Purposes: Processing of Personal Data (including previously collected data) for secondary purposes such as: 

        a) transferring the Personal Data to an Archive;

        b) conducting internal audits or investigations;

        c) implementing business controls;

        d) conducting statistical, historical or scientific research as required for our business operations;

        e) preparing or engaging in dispute resolution; 

        f) using legal or business consulting services; 

        g) managing insurance or other benefits related issues; and/or

        h) creating de-identified, aggregated and/or anonymised data from Personal Data from which you would not be identifiable, through removal of identifiable components, obfuscation, pseudonymisation, anonymisation, or any other means for purposes including, but not limited to (a) enhancing security; and/or (b) for further processing, aggregation, analysis (of the anonymised data that no longer contains your Personal Data only), for optimisation of patient care and improvement of healthcare services, products and research and developments which may include transferring such anonymised data to our affiliates and business partners in Singapore or abroad, for such purposes.

      5.8 Any other reasonably related purposes. 

      5.9 For more details on purposes for which Personal Data is Processed, please refer to Appendix 2.

      5.10 Exceptions: Some of our obligations under this Notice may be overridden if, under the specific circumstances at issue, a pressing legitimate need exists that outweighs your interest. Such a situation exists if there is a need to:

        a) protect our Business Interests including:
          1. the health, security or safety of individuals;
          2. our intellectual property rights, trade secrets or reputation;
          3. the continuity of our business operations;
          4. the preservation of confidentiality in a proposed sale;
          5. merger or acquisition of a business;
          6. the involvement of authorised advisors or consultants for business, legal, tax, or insurance purposes.

        b) prevent or investigate suspected or actual violations of:
          1. law (including cooperating with law enforcement);
          2. contracts; and/or
          3. our policies.

        c) otherwise protect or defend our, our personnel’s or other individuals’ rights or freedoms.

  6. Automated decision-making

      6.1 Automated tools may be used by us to Process your Personal Data and/or make decisions about you. Some extent of human intervention may be involved in the automated decision-making.

      6.2 Where permissible under law, we may undertake automated decision-making if:

        a) the decision is made by us for purposes of entering or performing a contract provided that the underlying request leading to a decision by us was made by you;

        b) you have provided explicit consent; and/or

        c) the use of automated tools is otherwise required.

  7. Sharing your Personal Data with others

      7.1 Your Personal Data may be shared with our employees, representatives and/or Affiliates.

      7.2 Access to Personal Data will be limited to those who have a need to know the information for the purposes described in this Notice.

      7.3 From time to time, we may need to share your Personal Data with external parties, which may include the following:

        a) service providers, vendors, suppliers: we contract with authorised external parties or companies that provide products and services to us necessary for our operations;

        b) business and collaboration partners: we work with accredited doctors and specialists including, but not limited to, their clinic personnel and administrators, our corporate clients and/or partners (and their appointed service providers and/or customers), education and research institutes;

        c) public and governmental authorities: when required by law, or as necessary to protect our rights, we may share your Personal Data with public and governmental authorities that regulate or have jurisdiction over us;

        d) professional advisors and others: we work with and receive support from certain professional advisors such as banks, insurance companies, auditors, lawyers, accountants, and payroll advisors, consultants; and/or

        e) other parties in connection with corporate transactions: we may also, from time to time, share your Personal Data in the course of corporate transactions, such as during a sale of a business or a part of a business to another company, or any reorganisation, merger, joint venture, or other disposition of our business, assets, or stock.

      7.4 As appropriate, we will contractually protect and safeguard your interests at a similar level of protection as provided by us.

  8. Cross-border transfer of Personal Data

      8.1 Due to our international presence, your Personal Data may be accessed by or transferred to our Affiliates and/or authorised external parties from various countries around the world in order for us to fulfil the purposes described in this Notice.

      8.2 As a result, we may transfer your Personal Data to countries located outside of Singapore, which may have data protection related laws and rules that are different from the standards provided under the PDPA.

      8.3 Personal Data may be transferred to an authorised external party located internationally only if we believe it is necessary or appropriate to:

        a) ensure compliance with applicable data protection related laws which may include responding to requests from public and government authorities, cooperation with law enforcement agencies or other legal reasons; and/or

        b) satisfy purposes for which Personal Data has been collected by us or to enforce our terms and conditions.

  9. When do we retain your Personal Data?

      9.1 We keep your Personal Data as long as we need to fulfil the purposes for which it has been collected. We retain Personal Data only:

        a) for the period required to serve the applicable Business Purpose;

        b) to the extent necessary to comply with an applicable legal and/or regulatory requirement; and/or

        c) as advised by Singapore laws.

      9.2 Promptly after the applicable retention period has ended, your Personal Data will be appropriately:

        a) disposed of; and/or

        b) de-identified.

  10. How do we protect your Personal Data?

      10.1 We are committed to maintaining the security of the Personal Data processed and restrict the Processing of Personal Data to those data/information that are reasonable, adequate for, and/or relevant to the purposes described under this Notice.

      10.2 To protect your Personal Data, we take appropriate measures, and we also require external parties to whom we disclose your Personal Data to protect the confidentiality and security of your Personal Data. Depending on the state of the art, the costs of implementation and the nature of the data/information to be protected, we have put in place physical, technical and organisational measures to prevent risks such as unauthorised access, collection, use, disclosure, copying, modification, disposal or loss.

      10.3 If you have any reason to believe that your interaction with us is no longer secure, please contact us (contact details provided below).

  11. How can you contact us for choices available to you?

      11.1 With respect to Processing of your Personal Data, upon successful verification of your identity, you may:

        a) obtain information on the Processing of your Personal Data over the past one year, subject to applicable fee(s) related to the costs of processing your access request;

        b) request to update or correct your Personal Data, provided we are satisfied on reasonable grounds that such a correction should be made; and/or

        c) withdraw your consent to the use of your Personal Data. Please note that your request may affect the products and services we are able to offer to you.

      11.2 If you have any inquiries, requests, feedback or complaints in relation to protecting your Personal Data, please contact the Data Protection Office via the following channels:

      •    Call: +65 6307 7880

      •    Email: pdpo@ihhhealthcare.com

      •    Written communication mailed to: Data Protection Officer, IHH Healthcare Singapore, 1 HarbourFront Place, #03-02 HarbourFront Tower One, Singapore 098633.

      11.3 We will do our best to respond to you within a reasonable time and no longer than 30 days from the date we receive your inquiry, request, feedback or complaint.

  12. Updates to Notice

      12.1 We may revise this Notice from time to time. Any changes will become effective as of the Effective Date, when we post the revised Notice on our website. You are strongly advised to review this Notice periodically for any changes.

Appendix 1: Personal Data which may be collected

| Types of Personal Data | Examples (Non-exhaustive) |
| --- | --- |
| Personal identification information (personal particulars, demographic and contact information) | Name, NRIC, travel and permit document (passport, employment pass, VISA details), gender, date of birth, country of birth, country of residence, nationality, citizenship, marital status, Relatives, race, ethnicity, religion, contact number(s), email address(es). |
| Health and medical information | Topics of interest, medical history and records including, but not limited to, drug prescriptions, tests and scan results, therapies and procedures, consultations, reports and reviews. |
| Account and profile information | Account login information, health and medical information, benefits entitlement, accreditation, appointments, admissions, bills, purchases and/or payments information, insurance claims, transactions records, subscriptions, registrations, applications, enquiries, feedback, comments, ratings, reviews and testimonials via our communication and feedback touchpoints, channels and/or platforms. |
| Network traffic and other related data | Identification numbers, location data, online identifiers, IP address, cookies, web beacons, device identification details, language settings. |
| Images and/or videos from which you may be identified, images captured on security systems, including CCTV and key card entry systems. | Pictures uploaded into our accounts, social media or services otherwise provided to us by you, CCTV images, log files. |
| Compensation and payroll | Bank account information, salary, bonus, payroll deductions including direct insurance. |
| Job, position, and organisation data. | Department, supervisor, office address, work location, permit details, hire date, job title, designation, business unit, part-time or full time position, work history, termination date and reason, retirement eligibility, promotions and disciplinary records, date of transfers, reporting manager(s), other details of employment contract. |
| Performance and benefits data | Performance reviews and ratings, incentives, awards, retirement, benefits data of family members/dependents such as names and date of birth. |
| Tax Data | Tax number, contribution rates, tax preferences. |
| Data resulting from internal or external communications | Contents of email, records of communication through bots, messaging tools, mobile communications. |
| Information that you decide to voluntarily share with us | Feedback, opinions, reviews, comments, any information you may share with us on our social media platform, internal communication platforms and websites. |

Appendix 2: Purposes for which Personal Data is Processed

| Purposes for Processing Personal Data | Examples |
| --- | --- |
| Business Purpose | |
| Contractual obligations and necessity | Providing and administering medical care, health and wellness services including, but not limited to, ordering and providing medication, medical tests, scans, reports, reviews, consultations, therapy, procedures; liaising with third-party service providers, vendors, suppliers and business and collaboration partners for the provisions of such, and related, products and services; and maintaining related documentations and records. |
| Account management of Individuals | Creating and maintaining account profiles and information including, but not limited to, health, medical, benefits entitlement, accreditation, transaction (enquiries and feedback, appointments, admissions, bills, purchases and/or payments, insurance claims, etc.) records; to enable the processing of requests including, but not limited to, subscriptions, registrations, applications, execution and conclusion of contracts, and providing customer service and support. |
| Customer service and support | Handling enquiries, feedback and complaints; arranging and facilitating bookings, registrations, applications; providing notifications and reminders; and providing support to deliver contractual obligations and other reasonably related account and relationship management requests and matters. |
| Finance and accounting | Facilitate payments to, and receive payments from, Individuals, service providers, vendors, suppliers and business and collaboration partners; administering debt recovery and management; and other reasonably related matters. |
| Research and development | Review, study, analyse, perform analytics and/or aggregate information on product and service consumption, patterns and trends; Individual behavioural patterns, preferences; to improve operations, services, product offerings, personalise experiences; and other reasonably related activities and objectives. |
| Internal management and control | Internal communications, scheduling work, recording time, managing and allocating company and employee assets and human resources, ensuring business continuity and crisis management; managing projects and costs, investor relations, alliances, ventures, mergers, acquisitions, divestitures, re-organisations or disposals and integration with purchaser; compilation of audit trails and other reporting tools, maintaining records relating to business activities, budgeting, financial management and reporting; intellectual property and standards management. |
| Human resources and personnel management | Performing workforce analysis and planning including, but not limited to, internal surveys, performance evaluations, talent and career development, courses and trainings; grievances, disciplinary matters and terminations; maintaining internal employee directories and emergency contacts; management and administration of outplacement, eligibility for employment, initial hiring or rehiring; providing and verifying employment references and background checks; management of leave and other absences, compensation and benefits, taxes, loans, grants, business expenses and reimbursements, travel arrangements. |
| Health, safety and security | Deploying and maintaining technical and organisational security measures, conducting internal audits and investigations, conducting assessments to verify conflict of interests, identifying and authenticating employees, managing network security and preventing data loss using automated technologies to identify malicious data on equipment or networks and to detect confidential information from leaving our perimeters or from unauthorised access to that information. Recording of your Personal Data through video or other digital, electronic, or wireless surveillance system or device to secure and maintain IT infrastructure, office equipment, facilities and other property. |
| Compliance with legal and regulatory obligations | Disclosing Personal Data to government institutions or supervisory authorities as required by law or judicial authorisation for complying with tax and national insurance deductions, record-keeping and reporting obligations, conducting audits and investigations to prevent or detect fraud or corruption, compliance with government inspections and other requests from government or other public authorities, responding to legal process conducting investigations including employee reporting of allegations of wrongdoing, policy violations, fraud, or financial reporting concerns, complying with internal policies and procedures. Please also keep in mind that we may also use your data for security reasons and/or to protect our legitimate business interests or to prevent or investigate suspected or actual violations of law, breaches of the terms of employment or non-compliance with our policies. |
| Defence of legal claims | Establishment, exercise or defence of legal claims to which we are subject, such as responding to legal processes such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims (including any whistle-blower/ethics hotlines). |
| Enhanced security and further processing for improved services | Creation of de-identified and/or anonymised data from your Personal Data (by removal of identifiable components, obfuscation, anonymisation, or any other means) to enhance security and for further processing, aggregation, analysis for optimisation of patient care and improvement of healthcare services, products and research and developments which may include transferring anonymised data to our affiliates and business partners in foreign countries. |

[1] IHH Healthcare Singapore is a network of healthcare companies including without limitation Parkway Hospitals Singapore Pte Ltd, Parkway Shenton Pte Ltd, Medi-Rad Associates Ltd, Parkway Laboratory Services Ltd, Parkway College of Nursing and Allied Health Pte Ltd, iXchange Pte Ltd and their respective Affiliates. “Affiliates” shall mean any entity that controls, is controlled by, or is under common control, in each case either directly or indirectly with either a subsidiary or related corporation of IHH Healthcare Singapore, where “control” means the ownership of or the power to vote representing more than 50% of voting stock, shares or interests of the entity.
[2] “Individual” means a natural person, whether living or deceased.
[3] “Processing” is any operation or set of operations performed on the Personal Data including, but not limited to, collection, storage, use, disclosure, transfer or destruction.
[4] “Vulnerable Persons” are persons deemed more vulnerable by applicable Singapore laws and regulations, and includes, but is not limited to, minors, elderly, persons with disabilities, and persons with diminished mental capacity.
[5] “Relatives” include spouses, next of kin, dependents, children, and partners.