POPIA Privacy Policy

Confidentiality of your personal information is important to the practice of Cresswell Physiotherapy. This Privacy Policy serves to summarise what personal information we collect, how it is used, and how we store and protect this information.

This Privacy Policy applies when you visit our website and make use of our services. This Privacy Policy may be supplemented or replaced by additional privacy statements or terms provided to you.

Please read this Privacy Policy carefully to understand how your personal information will be handled by the practice.  Every term of this Policy is material.


1.     About the Practice

Clare Cresswell Physiotherapy is a private physiotherapy practice and is subject to various laws and ethical rules protecting the privacy and confidentiality of patients.

Practice Contact Details
Practice No.: 7218664
HPCSA No.: PT0032921
Information Officer: Clare Cresswell
Phone: +27 83 267 1818
Email: clare@cresswellphysio.co.za
Address: 2 Fifth Avenue, Parktown North, Johannesburg, 2193
Website: www.cresswellphysio.co.za


2.     Definitions of Terms in this Policy

  • “Personal Information” is defined in the Protection of Personal Information Act [POPIA] and includes information such as contact details, age, gender, medical scheme membership and health information.
  • “Data subject” refers to the person (e.g., patient) or entity to whom the personal information relates.
  • “The Patient” patient includes any person who may consent on behalf of a patient and includes the person responsible for payment of the patient’s accounts.
  • “Processing”, as defined in POPIA, refers to any operation or activity concerning personal information, such as the collection, receipt, recording, storage, updating, alteration, use, distribution, erasure, or destruction of the information.
  • “We” / “us” refers to the practice.
  • POPIA” means the Protection of Personal Information Act (Act 4 of 2013) and its Regulations.


3.     Application of the Privacy Policy

This Privacy Policy applies to personal information that we have in our possession or under our control and personal information that we collect or receive from, or about, you. It stipulates, amongst others, how we collect the information, what information is collected, why that information is collected, the circumstances under which that information will be shared with others, the security measures that we have implemented to protect the information and how you may obtain access to and correct your information.


4.     How Information is Collected

  • Personal Information

We collect personal information directly from you when you become a patient or a supplier to the practice, when you supply information on our website or when you provide information to us. Information may also be collected from other treating practitioners, the patient’s next-of-kin and any other source from which the practice may lawfully collect information (e.g. the public domain / public records), as may be required in the circumstances. The information that we request is necessary for the safety of our patients or to manage our relationship with you.

If you provide personal information about any individual or entity to us, you must ensure that you may lawfully do so (e.g., with their consent). We will accept that you are acting lawfully. You should make sure that they are familiar with this Privacy Policy and understand how we will use and disclose their information.

  • Usage Data

Usage Data is collected automatically when using the website of the practice. Usage Data may include information such as your device’s internet protocol address (e.g. IP address), browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

  • Tracking Technologies and Cookies

We use Cookies, a small file placed on your device, and similar tracking technologies to track the activity on our website and store certain information. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, you may not be able to use some parts of our website. Unless you have adjusted your browser setting so that it will refuse Cookies, our website may use Cookies.


5.     What Personal Information is collected

5.1.   Patients

  • Full names and surnames, title, identity number, date of birth, age, contact details, address, nationality and gender;
  • Name and contact details of next-of-kin, guardian, guarantor and main member of medical scheme;
  • Medical information, including medical history, details of medication used, diagnosis, injuries, X-ray reports, pathology laboratory results and COVID-19 screening information;
  • Information about relevant funders (e.g., medical scheme, insurer, Road Accident Fund or Compensation Commissioner for Occupational Diseases and Injuries);
  • Procedures performed;
  • Billing and payment details, including bank details for refunds;
  • Information recorded on practice documentation, such as agreements and consent forms;

5.2.   Other persons (e.g., Next-of-kin, Guardians, Guarantors, Referring Practitioners, References)

  • Full names and surnames, title, identity number, contact details, address and gender;
  • Practice information (e.g., address, contact details, practice number, practitioner registration number, speciality and practice manager details);
  • References;
  • COVID-19 screening information of visitors to the practice;

5.3.   Suppliers, Vendors and Other Stakeholders, including Public and Private Bodies and Regulators

  • Organisation’s name and contact details;
  • Names, titles and contact details of relevant persons and officers;
  • Agreements and related information;
  • Financial information, including invoices and bank details;
  • Official documentation, including newsletters and statements;
  • COVID-19 screening information of visitors to the practice;


6.     How Personal Information is Processed

Processing of information includes collection, use, storage, and dissemination of information. The practice will only process your and any other relevant person’s personal information in accordance with the law (e.g. the National Health Act, the Medical Schemes Act, the Health Professions Act and POPIA).

Your personal information will be used as follows:

  • To provide you with appropriate care;
  • To communicate with you in respect of your care, including, but not limited to, reminders of appointments and collecting payments for services rendered;
  • For administrative purposes, including preparing invoices and collecting payment for services rendered;
  • To refer you to other practitioners, or to report to your referring practitioners;
  • For the maintenance of practice records and patients’ medical records;
  • For historical, statistical and research purposes;
  • As proof;
  • For enforcement of the practice’s rights;
  • For any other lawful purpose related to the activities of a physiotherapy practice; and/or
  • As may be requested or authorised by you.


7.     Sharing of Patients’ Personal Information

The personal information collected before, during, and after the provision of our physiotherapy services, including full details related to your diagnosis and treatment (in the form of ICD-10 codes or otherwise), will be shared, as may be appropriate, with other practitioners involved in the your treatment and care, and other persons who may lawfully obtain access to this information such as your medical scheme, your treating practitioners, your next-of-kin, debt collectors, credit bureaus, regulatory bodies, other public bodies, persons and bodies performing peer review, law enforcement structures and purchasers of the practice. The practice will obtain your consent for such disclosures, where necessary. Service providers and professional advisors of the practice will obtain access to the information, subject to confidentiality undertakings, and strictly on a need-to-know basis, to provide services and/or advice to the practice. Personal information will not be disclosed by the practice to any person other than those indicated on this form or without your consent unless authorised in terms of the law. If we must provide your personal information to any third party in another country, we will obtain prior consent unless the practice may lawfully do so.


8.     Diagnosis / ICD-10 Codes

The practice must include codes on accounts that disclose your diagnosis, known as ICD-10 codes. These codes are necessary for funding decisions and benefit allocations by funders such as your medical scheme, the Compensation Commissioner for Occupational Injuries and Diseases, and the Road Accident Fund.


9.     Records of Patients’ Personal Information

All personal information is recorded in your medical record which may be held electronically and in hard copy. Records are retained for as long as it is necessary for lawful purposes related to the conducting of our practice, including to fulfil your requests, provide services to you, comply with legal obligations, resolve complaints / disputes, attend to litigation where instituted against the practice, enforce agreements and for historical, statistical and research purposes subject to the provisions of the law.


10.  Security of Personal Information

The practice has implemented reasonable security measures to ensure the safety and privacy of your personal information against destruction and unauthorised access. The practice will inform you and the Information Regulator if your personal information has been unlawfully accessed, subject to the provisions of the law.


11.  Information Sent Across the Borders of the Republic of South Africa

We process and store your information in records within the Republic South Africa (RSA), including in ‘clouds’, which may be outside of the RSA, but we ensure that these platforms comply with legal requirements to ensure the protection of your privacy. If we must provide your personal information to any third party in another country, we will obtain your prior consent unless such information may be lawfully provided to that third party.


12.  Peer Review / Clinical Practice Audits

Our practitioners may be subjected to peer review and the practice to clinical audits from time to time. Bodies performing such peer review or clinical audits may need to obtain access to patient information for this purpose. They will be required to sign confidentiality undertakings to only use the information for the specified purposes, before access is granted.


13.  Accurate and up-to-date Information

It is important that you provide accurate information to the practice about your health status, medical history, and other personal details such as a valid e-mail address and mobile number as well as medical scheme membership / other funder information to facilitate appropriate treatment and care, communication, and payment of accounts. It is your responsibility to inform the practice if any of the information has changed.


14.  Access to Patients’ Personal Information

You may have access to your personal information held by the practice and may request corrections to it, if required, subject to the provisions of the law. Please enquire with us and complete the prescribed form.


15.  Withdrawal of Consent and Objection to Processing

Where consent is provided for the processing of personal information, it may be withdrawn at any time. Depending on the circumstances, this may impact on your continued treatment unless the practice may process the information in terms of the law. If the circumstances make it reasonable and lawful to do so, the practice may terminate its relationship with you.

In certain instances, you may object to the processing of your personal information, if it is reasonable to do so, unless the practice may do so in terms of the law. The objection must be lodged on the prescribed form. Depending on the circumstances, this may impact on your continued treatment unless the practice may process the information in terms of the law. If the circumstances make it reasonable and lawful to do so, the practice may terminate its relationship with you.


16.  Concerns about the Processing of Patients’ Personal Information

Should you have any concerns or questions about the processing of your personal information by the practice, please raise this with Clare Cresswell at the practice. A complaint may also be lodged with the Information Regulator (+27 (0) 10 023 5207 / +27 (0) 82 746 4173 or complaints.IR@justice.gov.za).


17.  Changes to this Privacy Policy

We reserve the right in our sole and absolute discretion, to revise or supplement this Privacy Policy from time to time to reflect, amongst others, any changes in our practice or the law. We will publish the updated Privacy Policy on our website. It is your responsibility to make sure you are satisfied with any changes before continuing to use our services. If you have any questions concerning this Policy, please contact us on clare@cresswellphysio.co.za


18.  Laws Applicable to this Privacy Policy

This Privacy Policy is governed by the laws of the RSA.