Legal & Compliance

Last Updated: 2023.09.15

Personal Data Protection Act

ARIA Spectre Sdn Bhd (referred herein as “the Company” or “we” or “us” or “our”) values your privacy and strives to protect your personal information (Personal Data). This Privacy Notice outlines how the Company comprising of ARIA Spectre CMS and other products under ARIA Spectre (referred herein as “Docspe”) collects, uses, maintains and discloses your Personal Data in accordance with the Malaysian Personal Data Protection Act 2010. Please note that we may amend this Privacy Notice at any time without prior notice and the amended Privacy Notice shall be made available in our premises and website.

What is Personal Data?

Personal Data refers to any information (e.g. name, address, NRIC number, photographs, financial, bank account details, occupation, religion, employer, etc) that relates directly or indirectly to an individual, who may be identified or identifiable from that information or other information that is in our possession including Sensitive Personal Data. Sensitive Personal Data refers to any information which relates to the health condition of an individual, his/ her religious beliefs or other beliefs of a similar nature and the commission or alleged commission of any offense.

Source of Personal Data

• Directly from you when you or your representative (parent, guardian etc) fill in the registration forms at the facilities registered with ARIA Spectre, or contact us via emails and letters, telephone calls and conversations, or when taking part in customer surveys and promotions and during marketing activities;
• From any third parties connected with you such as your employer/potential employer, agents (e.g. medical tourism agents), insurance companies, other healthcare facilities; and
• From such other sources to whom you have given your consent to disclose information relating to you.

Is the supply of Personal Data obligatory?

The Personal Data that we collect can either be obligatory or voluntary as it would depend on the purpose of you disclosing the Personal Data. If the Personal Data requested by us is to ensure that we are able to efficiently provide our services, then it would be obligatory for you to provide that information. If you fail to do so, it may affect the services provided to you. The Personal Data that would be voluntary are office fax number, email address, etc. However, such information will facilitate the delivery of services to you.

Purpose of collecting and processing your Personal Data

The purpose for which your Personal Data is collected and processed shall depend on the nature of the relationship which you have with us and your visits to the facilities registered with ARIA Spectre. The purpose may comprise part or all of the following:

• To process the services that you are currently receiving and / or the services that you have requested;
• To administer and communicate with you in relation to our current / future services and / or events;
• For insurance purposes, third party administration and any other third parties;
• To respond to your enquiries and feedbacks;
• For marketing and promotional activities;
• For audio recording (example: calls made to the contact centre);
• To administer and give effect to your commercial transaction (tender award, contract for service, other contractual obligations);
• To better understand your needs as our customer and to improve our services provided to you;
• For internal functions such as evaluating the effectiveness of marketing, market research, statistical analysis, reporting, audit, compliance and risk management and to prevent fraud;
• For the prevention of crime (example: usage of CCTV coverage);
• For investigating, reporting, preventing or otherwise in relation to any fraudulent, criminal activities;
• To ensure stakeholders’ interests are protected;
• For the purpose of enforcing our legal rights and/or obtaining legal advice;
• To transfer or assign our rights, interests and obligations under any of your agreements with us;
• For internal records management;
• For any other purpose that is required or permitted by any law, regulations, guidelines and/or relevant regulatory authorities; and
• Any other related purposes.

Disclosure of your Personal Data

Disclosure to Third Parties

• Insurance companies, credit card companies, current/potential employers/external counterparts for situations where a patient is transferred to another government/private hospital, parents/guardians of minors;
• Regulatory authority such as the Ministry of Health, Income Tax department, EPF, SOCSO, law enforcement agencies and any other statutory bodies having such authority or jurisdiction;
• Relevant accreditation bodies during their survey;
• Third parties appointed by us to provide services to us or on our behalf (such as auditors, company secretary, lawyers, event organizers, consultants, recruitment agencies, contractors, suppliers etc.).

Disclosure within the Company

Any disclosure made within the Company shall be done only when necessary to ensure that services provided to you are not hindered. Only pertinent Personal Data shall be disclosed to the relevant departments / employees.

We will otherwise treat your Personal Data as private and confidential and will not disclose your Personal Data without your consent UNLESS:

• You have given us upfront express or implied consent for the disclosure;
• The disclosure is necessary where there is a serious and imminent risk to your welfare;
• The disclosure is necessary for the purpose of preventing a crime or investigation;
• Disclosure was required and authorized by or under any law or by a order of the court;
• We had reasonable belief that we had the right by law to disclose the Personal Data to that third party;
• We acted in reasonable belief that we would have your consent if you had known of the disclosure and the circumstances of such disclosure;
• The disclosure was justified as being in the public interest in circumstances as determined by the relevant Ministries.

Security of your Personal Data

The security of your Personal Data is our priority. We will take all reasonable efforts and practical steps to ensure that all physical and soft copies of your Personal Data are kept in a secure manner. If we disclose any of your Personal Data to our authorised agents or service providers, we will require them to appropriately safeguard the Personal Data that is provided to them.

Retention of your Personal Data

We will only retain your Personal Data for as long as necessary to fulfil the purpose(s) for which it was collected or to comply with legal, regulatory and internal requirements. Upon the said purpose(s) being fulfilled, we will destroy or permanently delete your data according to our destruction policy.

Right to access and correct your Personal Data

You have the right to access your Personal Data held by us (subject to any exemptions as prescribed in the PDP or other Act) and to request for corrections to that Personal Data if it is inaccurate, incomplete, misleading or not up-to-date. Where appropriate, a fee may be imposed for any request to access and /or correct your Personal Data depending on the information that is requested.

Please note that access to your Personal Data may be withheld in certain situations as determined by the relevant authorities, legislations, acts and regulations and /or for the safety of our patients (for example when we are unable to confirm your identity).

Any inquiries or requests to access or update Personal Data or to withdraw consent should be directed to the department that is providing the required service, or by calling (+6011-2611-7985) or emailing us at [email protected] or [email protected].

Tarikh Kemaskini: 2023.09.15

Akta Perlindungan Data Peribadi

ARIA Spectre Sdn Bhd (dirujuk di sini sebagai “Syarikat” atau “kami”) menghargai privasi anda dan berusaha untuk melindungi maklumat peribadi anda (Data Peribadi). Notis Privasi ini menggariskan cara Syarikat yang terdiri daripada ARIA Spectre CMS dan produk lain di bawah ARIA Spectre (dirujuk di sini sebagai “Docspe”) mengumpul, menggunakan, menyelenggara dan mendedahkan Data Peribadi anda mengikut Akta Perlindungan Data Peribadi Malaysia 2010. Sila ambil perhatian bahawa kami boleh meminda Notis Privasi ini pada bila-bila masa tanpa notis awal dan Notis Privasi yang dipinda akan disediakan di premis dan laman web kami.

Apakah Data Peribadi?

Data Peribadi merujuk kepada sebarang maklumat (cth. nama, alamat, nombor kad pengenalan, gambar, kewangan, butiran akaun bank, pekerjaan, agama, majikan, dll) yang berkaitan secara langsung atau tidak langsung dengan individu, yang mungkin dikenal pasti atau boleh dikenal pasti daripada maklumat tersebut atau maklumat lain yang ada dalam simpanan kami termasuk Data Peribadi Sensitif. Data Peribadi Sensitif merujuk kepada sebarang maklumat yang berkaitan dengan keadaan kesihatan seseorang individu, kepercayaan agamanya atau kepercayaan lain yang serupa dan pelakuan atau dakwaan melakukan sebarang kesalahan.

Sumber Data Peribadi

• Terus daripada anda apabila anda atau wakil anda (ibu bapa, penjaga dll) mengisi borang pendaftaran di kemudahan yang berdaftar dengan ARIA Spectre, atau menghubungi kami melalui e-mel dan surat, panggilan telefon dan perbualan, atau apabila mengambil bahagian dalam tinjauan dan promosi pelanggan dan semasa aktiviti pemasaran;
• Daripada mana-mana pihak ketiga yang berkaitan dengan anda seperti majikan/bakal majikan anda, ejen (cth. ejen pelancongan perubatan), syarikat insurans, kemudahan penjagaan kesihatan lain; dan
• Daripada sumber lain yang anda telah berikan kebenaran anda untuk mendedahkan maklumat yang berkaitan dengan anda.

Adakah pembekalan Data Peribadi wajib?

Data Peribadi yang kami kumpulkan boleh sama ada wajib atau sukarela kerana ia bergantung pada tujuan anda mendedahkan Data Peribadi. Jika Data Peribadi yang diminta oleh kami adalah untuk memastikan kami dapat menyediakan perkhidmatan kami dengan cekap, maka adalah wajib bagi anda untuk memberikan maklumat tersebut. Jika anda gagal berbuat demikian, ia boleh menjejaskan perkhidmatan yang diberikan kepada anda. Data Peribadi yang akan menjadi sukarela ialah nombor faks pejabat, alamat e-mel, dsb. Walau bagaimanapun, maklumat tersebut akan memudahkan penghantaran perkhidmatan kepada anda.

Tujuan mengumpul dan memproses Data Peribadi anda

• Untuk memproses perkhidmatan yang anda sedang terima dan/atau perkhidmatan yang anda minta;
• Untuk mentadbir dan berkomunikasi dengan anda berhubung dengan perkhidmatan dan/atau acara semasa/masa hadapan kami;
• Untuk tujuan insurans, pentadbiran pihak ketiga dan mana-mana pihak ketiga yang lain;
• Untuk menjawab pertanyaan dan maklum balas anda;
• Untuk aktiviti pemasaran dan promosi;
• Untuk rakaman audio (contoh: panggilan dibuat ke pusat hubungan);
• Untuk mentadbir dan melaksanakan transaksi komersial anda (anugerah tender, kontrak untuk perkhidmatan, kewajipan kontrak lain);
• Untuk lebih memahami keperluan anda sebagai pelanggan kami dan untuk menambah baik perkhidmatan kami yang diberikan kepada anda;
• Untuk fungsi dalaman seperti menilai keberkesanan pemasaran, penyelidikan pasaran, analisis statistik, pelaporan, audit, pematuhan dan pengurusan risiko dan untuk mencegah penipuan;
• Untuk pencegahan jenayah (contoh: penggunaan liputan CCTV);
• Untuk menyiasat, melaporkan, mencegah atau sebaliknya berhubung dengan sebarang aktiviti jenayah penipuan;
• Untuk memastikan kepentingan pihak berkepentingan dilindungi;
• Untuk tujuan menguatkuasakan hak undang-undang kami dan/atau mendapatkan nasihat undang-undang;
• Untuk memindahkan atau menyerahkan hak, kepentingan dan kewajipan kami di bawah mana-mana perjanjian anda dengan kami;
• Untuk pengurusan rekod dalaman;
• Untuk sebarang tujuan lain yang diperlukan atau dibenarkan oleh mana-mana undang-undang, peraturan, garis panduan dan/atau pihak berkuasa kawal selia yang berkaitan; dan
• Sebarang tujuan lain yang berkaitan.

Pendedahan Data Peribadi anda

Pendedahan kepada Pihak Ketiga

• Syarikat insurans, syarikat kad kredit, majikan semasa/bakal/rakan sejawat luar untuk situasi di mana pesakit dipindahkan ke hospital kerajaan/swasta lain, ibu bapa/penjaga kanak-kanak bawah umur;
• Pihak berkuasa kawal selia seperti Kementerian Kesihatan, jabatan Cukai Pendapatan, KWSP, PERKESO, agensi penguatkuasaan undang-undang dan mana-mana badan berkanun lain yang mempunyai kuasa atau bidang kuasa sedemikian;
• Badan akreditasi yang berkaitan semasa tinjauan mereka;
• Pihak ketiga yang dilantik oleh kami untuk menyediakan perkhidmatan kepada kami atau bagi pihak kami (seperti juruaudit, setiausaha syarikat, peguam, penganjur acara, perunding, agensi pengambilan, kontraktor, pembekal dll.).

Pendedahan dalam Syarikat

Sebarang pendedahan yang dibuat dalam Syarikat hendaklah dilakukan hanya apabila perlu untuk memastikan perkhidmatan yang diberikan kepada anda tidak dihalang. Hanya Data Peribadi yang berkaitan hendaklah didedahkan kepada jabatan/pekerja yang berkaitan.

Kami sebaliknya akan menganggap Data Peribadi anda sebagai peribadi dan sulit dan tidak akan mendedahkan Data Peribadi anda tanpa kebenaran anda KECUALI:

• Anda telah memberi kami kebenaran tersurat atau tersirat untuk pendedahan itu;
• Pendedahan itu perlu jika terdapat risiko serius dan akan berlaku kepada kebajikan anda;
• Pendedahan itu perlu untuk tujuan mencegah jenayah atau penyiasatan;
• Pendedahan diperlukan dan dibenarkan oleh atau di bawah mana-mana undang-undang atau dengan perintah mahkamah;
• Kami mempunyai kepercayaan yang munasabah bahawa kami mempunyai hak oleh undang-undang untuk mendedahkan Data Peribadi kepada pihak ketiga tersebut;
• Kami bertindak dengan kepercayaan yang munasabah bahawa kami akan mendapat persetujuan anda jika anda mengetahui tentang pendedahan dan keadaan pendedahan tersebut;
• Pendedahan itu adalah wajar sebagai untuk kepentingan awam dalam keadaan seperti yang ditentukan oleh Kementerian berkaitan.

Keselamatan Data Peribadi Anda

Keselamatan Data Peribadi anda adalah keutamaan kami. Kami akan mengambil segala usaha yang munasabah dan langkah praktikal untuk memastikan bahawa semua salinan fizikal dan lembut Data Peribadi anda disimpan dalam cara yang selamat. Jika kami mendedahkan mana-mana Data Peribadi anda kepada ejen atau pembekal perkhidmatan kami yang diberi kuasa, kami akan memerlukan mereka untuk melindungi Data Peribadi yang diberikan kepada mereka dengan sewajarnya.

Pengekalan Data Peribadi Anda

Kami hanya akan mengekalkan Data Peribadi anda selama yang diperlukan untuk memenuhi tujuan (-tujuan) ia dikumpul atau untuk mematuhi keperluan undang-undang, peraturan dan dalaman. Apabila tujuan tersebut dipenuhi, kami akan memusnahkan atau memadamkan data anda secara kekal mengikut dasar pemusnahan kami.

Hak untuk Mengakses dan Membetulkan Data Peribadi Anda

Anda mempunyai hak untuk mengakses Data Peribadi anda yang dipegang oleh kami (tertakluk kepada sebarang pengecualian seperti yang ditetapkan dalam PDP atau Akta lain) dan untuk meminta pembetulan kepada Data Peribadi tersebut jika ia tidak tepat, tidak lengkap, mengelirukan atau tidak terkini. Di mana sesuai, bayaran boleh dikenakan untuk sebarang permintaan untuk mengakses dan/atau membetulkan Data Peribadi anda bergantung pada maklumat yang diminta.

Sila ambil perhatian bahawa akses kepada Data Peribadi anda mungkin ditahan dalam situasi tertentu seperti yang ditentukan oleh pihak berkuasa, perundangan, akta dan peraturan yang berkaitan dan/atau untuk keselamatan pesakit kami (contohnya apabila kami tidak dapat mengesahkan identiti anda).

Sebarang pertanyaan atau permintaan untuk mengakses atau mengemas kini Data Peribadi atau menarik balik kebenaran hendaklah diarahkan kepada jabatan yang menyediakan perkhidmatan yang diperlukan, atau dengan menghubungi (+6011-2611-7985) atau menghantar e-mel kepada kami di [email protected] atau [email protected].

Last Updated: 2023.09.15

We have made every effort to provide a detailed overview of the GDPR compliance and how does Docspe support your business to operate within the confines of this regulation especially when it comes to customer data and its verification through Docspe. But it is still advised to engage services of a legal counsel in order to have a better understanding of GDPR compliance and the liabilities that come along with it. The following compliance guide is actually the practices, procedures and upgrades introduced in the internal working of Docspe to make its services GDPR complaint.

The deadline for GDPR compliance is here and Docspe has wasted no time to make its services fully compliant with EU’s User Data and Protection guidelines. We have adopted an industry prevalent approach known as Data Process Control to better protect the interests of not only our clients but their customers as well.

Summary of GDPR Sections Applicable to Docspe CMS Services

Cookies

GDPR needs the websites and online businesses to intimate users that they are using cookies. The language of this intimation is also desired by GDPR to be easily understandable for an average user. Consent is required from the user before they are tracked because of these cookies. We have updated our cookies policy in this regard as well.

Lawful Basis

GDPR only allows the collection of user data for a legal reason. Docspe only collects data for verification purposes as per the legal agreement signed by Docspe and its customers. This data will be limited to verification of the credentials, identity or any other related verification that was required by our customers to be provided as per the legal agreement.

We have even added a consent process at the form where a customer is supposed to fill its identification details. We also provide the option for customers to go through our data protection, privacy policy and Terms & Conditions, to ensure full transparency.

Deletion

GDPR requires businesses and websites to forget and delete the user data when requested by the user. Docspe has taken steps to provide full control to the end-users about the data that they have submitted for identity verification.

Docspe's Game Plan for GDPR Compliance

Either you are a B2B or B2C, eCommerce company, Educational Entity or Crypto based organization, you probably by this point have known about General Data Protection Regulation (GDPR). It is a new directive set by the European Union, legislation that set forths guidelines regarding how information is collected and how it is processed and used.

The GDPR legislation was formed to harmonize data privacy laws across Europe. Empowering all EU citizen’s data privacy in the process, and to reshape how organizations approach data privacy in a secure and transparent manner.

At Docspe, tireless efforts have been underway over the last few months to assist our users, businesses and our clients. To help them understand, what the GDPR means for their businesses and to assist them in establishing a compliant process of their own. Considering that aspect, we have made great improvements to our Docspe platform to ensure that we stand at par with the GDPR measures.

Docspe has prepared a Game Plan for you to understand, how GDPR operates behind the scenes when a customer interacts using our service.

The Process:

Let’s say that John is a potential customer and lives in France. He is called the Data Subject, and your company the health service provider, is called the Controller of his data. Since Docspe is verifying the credentials of John on behalf of your company, then that makes Docspe, the Processor.

Here is how John might interact with Docspe:

• John’s controller uses Docspe with web browser
• John approaches the Controller and the controller intends to use Docspe to provide treatment to John and operate its business.
• Verification is carried out.
• John provide relevant credentials (Government-issued ID number)
• The controller displays his verification document up to the web camera. Or John will receive an SMS notification of 6-digit random one-time password to be shared only with the Controller
• The Processor will verify the registration
• Based on the results of verification of Verified or Not-Verified the Data Subject can proceed to the next course.

All the above-stated steps gather user data from the Data Subject on behalf of Controller that is passed on to Processor. Following are various aspects of our data protection policy, privacy policy and Terms & Conditions that control the entire process, under the guidelines of GDPR

User Data

User Data means any data, content, code, video, images or other materials of any type that User uploads, submits or otherwise transmits to or through Services. User will retain all right, title and interest in and to User Data in the form provided to Docspe. Docspe stores data on industry secured servers located in the EEA zone, and are monitored. Subject to the terms of this Agreement, you hereby grant to Docspe a non-exclusive, worldwide, royalty-free right to;

• (a) collect, use, copy, store, and transmit User Data, in each case solely to the extent necessary to provide the applicable Services to Client
• (b) Client hereby grants to Docspe all necessary rights to use, reproduce, modify, create derivative works from, distribute, perform, transmit and display the User Information (including any rights specifically pertaining to biometric information) solely to the extent necessary to provide the Services which will include the right for Docspe to grant equivalent rights to its service providers that perform services that form part of or are otherwise used to perform the Services.

Access to Data

The Services include access to the Back-office, Client may access and download (either manually or via API) the data from each of its Verifications, including extracted data and images for each individual Transaction, via the Back-office for the Term. Upon termination of this Agreement for any reason, access to the Back-office, and therefore access to data storage will be revoked. Docspe may delete any stored items in storage upon expiration or termination of this Agreement. Docspe will have no responsibility or liability for storing and deleting items in accordance with this Section 9.

Last Updated: 2023.09.15

ARIA Spectre Sdn Bhd (Docspe) is committed to and has implemented many safeguards to ensure its services, websites and data systems (collectively “Products”) are compliant with the regulations and conditions set forth in the Health Insurance Portability and Availability Act of 1996 (HIPAA). Docspe is committed to continuous improvement to ensure its Products incorporate state-of-the-art information technology privacy and security measures.

As a “Business Associate” per the definition in the HIPAA Act, and by assignment of the HIPAA covered entity, Docspe is subject to the following controls:

Administrative Safeguards (HIPAA 164.308)

Docspe has implemented policies to ensure appropriate assignment of data access permissions and proper movement and handling of that data. HIPAA training is an annual mandated event for all staff, as well as an annual review of policy effectiveness during internal or 3rd party auditing of our Products.

Physical Safeguards (HIPAA 164.310)

Docspe’s primary physical safeguard is to not retain sensitive data in any public or private Docspe location other than those assigned for database management and quality assurance activities. Specific workstation usage, disposal, reuse and security measures are in place. Access to Docspe facilities is all independently controlled via card access preventing walk-up intrusion. Docspe’s data centre uses a cloud-based architecture with inherent security measures including 24 hours monitoring, advanced fire protection systems, uninterruptible power and database redundancy. Annual audit of the facility security plan, disaster recovery plan, and contingency plans are in place.

Technical Safeguards (HIPAA 164.312)

To further protect sensitive data, Docspe enforces unique software architecture that includes user identifications, various database audit logging, data integrity systems and verified backups, entity authentication programs, digital certificates, various levels of encryption and other custom architecture to further obscure sensitive data from threats.

We process personal data on your behalf, and we endeavour to process the personal data in a safe and secure manner, together with any third party service providers we may engage. We are responsible only for our compliance with the applicable regulations insofar as these apply to us. Docspe uses best practice security measures to safeguard your data from any breach. You are reminded that your obligations in relation to your data subjects under the Data Protection Regime remain your sole responsibility, which by law cannot be delegated to any party even Docspe. You own your own data. Data is stored on Docspe cloud, and maintained by us. Our obligation is to safeguard the platform and cloud from any potential security breach, making sure best practices are in place. We provide you the platform to host your data, and use it for other purposes to manage your business. However, we do not have any power or right on the choices you make for your data. But we do provide you options and ways to make sure this is the best practice and risk mitigation measures.

No, Docspe is not liable for retaining your data for 7 years if the customer decides to destroy/delete/corrupt/remove/terminate this data by their own choice. We do use best practices to help you manage your data, like setting user permissions, having confirmation step with a warning prior to any data deletion, and even with a deletion, we still allow you to restore some data within a period of 30 days in case you decided to restore it for any reason. After 30 days, it is permanently deleted from the cloud storage. We process the data on your behalf, but we do not own your data or have any power to perform any action on it nor able to access your data without your permission.