1.0 Introduction

Your privacy is important to us. This privacy statement explains the personal data Outspan Teaching and referral Hospital (“Outspan Hospital”) collects, how Outspan Teaching and referral Hospital processes it, and for what purposes. This statement should be read together with the Terms and Conditions of Use for other Outspan Teaching and referral Hospital products and services. Where there is a conflict, this statement will prevail. This statement applies to all customers, suppliers, agents, merchants, dealers and all visitors frequenting any of Outspan Teaching and referral Hospital premises.

2.0 Definitions

References to

2.1 “You” means:

i) Customer / patient/ client- the person who, uses or purchases any of our products and services or accesses our websites and includes any person who accesses any of the products and services.

(ii) Any stakeholder, who has signed an agreement with us and is recognized as a stakeholder in accordance with any applicable laws, Regulations and agreements/contracts.

(iii) Any visitor t is a person (including contractors/subcontractors or any third parties) who gains access to any Outspan Teaching and referral Hospital premises.

(iv) Any supplier who has been contracted by Outspan Teaching and Referral Hospital and executed a Supplier contract.

2.2 “Outspan Hospital”, “we” or “us”, “our” and “ours” means Outspan Teaching and Referral Hospital

The word “includes” means that what follows is not necessarily exhaustive and therefore the examples given are not the only things/situations included in the meaning or explanation of that text.

3.0 Statement Details

3.1 Collection of Information

3.1.1 We collect your personal information with your knowledge and consent when you do any of the following (please note that this list is not exhaustive):

a) Access services or get products from any of our premises.

b) Register for a specific product or service in Outspan hospital and it branches.

c) Buy, or use a Outspan Teaching and referral Hospital product or service online, on the cloud, on a mobile or other electronic devices, in our hospital or branches;

d) Subscribe to Outspan Teaching and referral Hospital, SMS platform email or social media platforms;

e) Ask Outspan Teaching and referral Hospital for more information about a product or service or contact Outspan Teaching and referral Hospital with a query or complaint;

f) Respond to or participate in a survey, marketing promotion, prize competition or special offer;

g) Visit, access or use Outspan Teaching and referral Hospital or affiliated third-party websites;

h) We may also collect your information from other companies including, insurance companies, health management organizations, business directories; i) We may collect your information when you interact with us as a supplier, agent or merchant as prescribed in this statement;

j) We also collect information when you visit any of our premises. 3.1.2 We do onboard minors (any person under 18 years of age) and adults who are unable to give individual consent for various reason, with consent of the legal guardian or where not available the consent of the authorized hospital personnel. If you allow a child to use our services, you should be aware that their personal information could be collected as described in this statement.

3.2 What Information is collected? The information we collect and store about you includes but is not limited to the following:

3.2.1 Your identity registration information, including your name, photograph, address, location, phone number, identity document type and number, date of birth, email address, age, gender and mobile number and next of kin information.

3.2.2 Your credit or debit-card information, information about your bank account numbers and SWIFT codes or other banking information.

3.2.3 Your transaction information when you use our MPESA service.

3.2.4 Your preferences for particular products and services, based on information provided by you or from your use of Outspan Hospital’s (or third party) network, products and services.

3.2.5 Name, family details, age and profiling information collected during service delivery or surveys conducted by Outspan Teaching and referral Hospital and their agents on behalf of Outspan Hospital.

3.2.6 Your contact with us, such as when you: call us or interact with us through social media, website, text, email (we may record your conversations, social media or other interactions with us), register your biometric information such as your voice, finger prints etc., visit a Outspan Teaching and referral Hospital or other branches.

3.2.7 Your call data records: phone numbers that you call or send messages to (or receive calls and messages from), log of calls, messages or data sessions on the Outspan Teaching and referral Hospital network.

3.2.8 We use Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations to provide a safe and secure environment in all Outspan Teaching and referral Hospital premises as a part of our commitment to community safety, security and crime prevention.

3.2.9 When you request us to reserve parking for you, we will collect and retain your personal data (name, telephone number, and vehicle registration details) when you request Outspan Teaching and referral Hospital to reserve parking space for you and where you use any of our parking facilities as a contractor. We use the data you provide to ensure effective visitor, contractor and car park management, Health and Safety compliance (orderly entry and exiting to and from the car parks and buildings) and inventory management.

3.2.10 We maintain a register of visitors in which we collect and keep your personal data such as names, company/institution details, telephone number, vehicle registration details and National ID number. This information is collected for health, safety and security purposes.

3.2.11 When you use Outspan Teaching and referral Hospital WIFI for guest and visitors, we will provide user name and password. We record the device address and also log traffic information in the form of sites visited, duration and date sent/received.

3.2.12 We may use your medical information to manage our services and products to you.

3.2.13 We collect your personal information when you visit us for purposes of accident and incident reporting. Outspan Teaching and referral Hospital will collect personal data from the injured party or person suffering from ill health, such as, Name, Address, Age, next of kin, details of the incident to include any relevant medical history. The data is collected as Outspan Teaching and referral Hospital has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority.

3.2.14 Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents reoccurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. Monitoring is undertaken but on an anonymized basis. The information is also retained in the event of any claims for damages

3.2.15 Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents reoccurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. Monitoring is undertaken but on an anonymized basis. The information is also retained in the event of any claims for damages.

3.3 Use of Information

We may use and analyses your information for the following purposes:

3.3.1 Processing products and services that you have received from Outspan Teaching and referral Hospital or our branches;

3.3.2 Billing you for using our products or services.

3.3.3 Responding to any of your queries or concerns;

3.3.4 Verifying your identity information through publicly available and/or restricted government databases in order to comply with applicable regulatory requirements;

3.3.5 Keeping you informed generally about new products and services and contacting you with offers or promotions based on how you use our products and services unless you opt out of receiving such marketing messages (you may contact Outspan Teaching and referral Hospital at any time to opt out of receiving marketing messages);

3.3.6 to comply with any legal, governmental or regulatory requirement or for use by our lawyers in connection with any legal proceedings;

3.3.7 In business practices including to quality control, training and ensuring effective systems operations;

3.3.8 To understand how you use our products and services for purposes of developing or improving products and services

3.3.9 Preventing and detecting fraud or other crimes and for debt recovery;

3.3.10 For research, statistical, survey and other scientific or business purposes;

3.3.11 Provide aggregated data (which do not contain any information which may identify you as an individual) to third parties for research and scientific purpose;

3.3.12 Administer any of our online platforms/websites.

3.3.13 To understand clinical needs & provide necessary or desirable clinical treatment.

3.4. Categories of Data

Categories of Personal Data as defined in the Data Protection Act of Kenya may be processed depending on the particular types of products and services you receive

3.5. Lawful Basis for processing your information

We will process your personal information based on any of the lawful basis provided for under the Data Protection Law:

3.5.1 The performance of a Product/Service Agreement with you;

3.5.2 Outspan Hospital’s legitimate business interests;

3.5.3 Compliance with a mandatory legal obligation;

3.5.4 Consent you provide;

3.5.5 Public interest;

3.5.6 Your vital interest.

3.6. Retention of Information We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, the need to comply with our internal policy and the applicable legal, regulatory, tax, accounting or other requirements. Anonymized information that can no longer be associated with you may be held indefinitely.

4.0 Disclosure of Information

Any disclosure of your information shall be in accordance with applicable law and regulations. Outspan Teaching and referral Hospital shall assess and review each application for information and may decline to grant such information to the requesting party.

4.1 We may disclose your information to:

a) Law-enforcement agencies, regulatory authorities, courts or other statutory authorities in response to a demand issued with the appropriate lawful mandate and where the form and scope of the demand is compliant with the law.

b) our branches, associates, partners, software developers or agents who are involved in delivering Outspan Teaching and referral Hospital products and services you order or use;

c) Fraud prevention and Anti money laundering agencies, credit- reference agencies;

d) publicly available and/or restricted government databases to verify your identity information in order to comply with regulatory requirements;

e) debt-collection agencies or other debt-recovery organizations;

f) Survey agencies that conduct surveys on behalf of Outspan Hospital;

g) Emergency service providers when you make an emergency call (or where such disclosure to emergency service providers is necessary for your rescue, health and safety) including your approximate location;

h) Any other person that we deem legitimately necessary to share the data with.

4.2 Some of your information may be passed on to any person whom you have registered as next of kin or legal guardian

4.3 We shall not release any information to any individual or entity that is acting beyond its legal mandate.

4.4 We will get your express consent before we share your personal data with any third party for direct marketing purposes.

4.5 Direct Marketing

4.6.1 You may be required to opt in or give any other form of explicit consent before receiving marketing messages from us.

4.6.2 You can ask us to stop sending you marketing messages at any time by writing to us or logging into our website, www.OutspanHospital.org and checking or unchecking relevant boxes to adjust your marketing preferences or by following the optout links on any marketing message sent to you or by attending to us or contacting us at any time through the provided contacts.

4.6.3 Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product, service already taken up.

5.0 The Use of Cookies

5.1 We may store some information (using “cookies”) on your computer when you visit our websites. This enables us to recognize you during subsequent visits. The type of information gathered is non-personal (such as: the Internet Protocol (IP) address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully.

5.2 We may also use this data in aggregate form to develop customized services – tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using), to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible.

6.0 The Use of Hyperlinks

6.1 Our websites may provide hyperlinks to other locations or websites on the Internet. These hyperlinks lead to websites published or operated by third parties who are not affiliated with or in any way related to us and have been included in our website to enhance your user experience and are presented for information purposes only. 6.2 We do not endorse, recommend, approve or guarantee any third- party products and services by providing hyperlinks to an external website or webpage and do not have any co-operation with such third parties unless otherwise disclosed. We are not in any way responsible for the content of any externally linked website or webpage.

6.3 By clicking on a hyperlink, you will leave the Outspan Teaching and referral Hospital webpage and accordingly you shall be subject to the terms of use, privacy and cookie policies of the other website that you choose to visit.

7.0 Access to and Updating your Information

To update your information, visit or contact Outspan Teaching and referral Hospital via all available channels to look at your personal information. You can change how we get in touch with you and your account details whenever you like.

8.0 Safeguarding and Protection of Information

Outspan Teaching and referral Hospital has put in place technical and operational measures to ensure integrity and confidentiality of your data via controls around: information classification, access control, cryptography, physical and environmental security and monitoring and compliance.

9.0 International Data

Transfers From time to time, we may need to transfer your personal information outside the Republic of Kenya to provide a particular product or service. Where we send your information outside Kenya, we will make sure that your information is properly protected in accordance with the applicable Data Protection Laws.

10.0 Your Rights Subject to legal and contractual exceptions, you have rights under data protection laws in relation to your personal data.

These are listed below: –

a) Right to be informed that we are collecting personal data about you;

b) Right to access personal data that we hold about you and request for information about how we process it;

c) Right to request that we correct your personal data where it is inaccurate or incomplete;

d) Right to request that we erase your personal data noting that we may continue to retain your information if obligated by the law or entitled to do so;

e) Right to object and withdraw your consent to processing of your personal data. We may continue to process if we have a legitimate or legal reason to do so;

f) Right to request restricted processing of your personal data noting that we may be entitled or legally obligated to continue processing your data and refuse your request;

g) Right to request transfer of your personal data in [an electronic format]. If you wish to exercise any of the rights set out above, please contact us on dataprotectionofficer@Outspanhospital.org We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within reasonable time. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

11.0 How to Contact Us

If you would like to contact us on any topics in this privacy policy, you can email us on dataprotectionofficer@Outspan Hospital.org or submit a request via our digital platforms. As a Data Controller and Processor, below are the contact details of our Data Protection Officer: Data Protection Officer Outspan Teaching and referral Hospital Outspan Teaching and referral Hospital P.O Box 2058- 10100 Nyeri. Tel: +254 722 696901 www.Outspan Hospital.org

12.0 Right to Lodge Complaint

You have the right to lodge a complaint with the relevant supervisory authority that is tasked with personal data protection within the Republic of Kenya

13.0 Non-Compliance with this Statement

Outspan Teaching and referral Hospital shall have the right to terminate any agreement with you for failure to comply with the provisions of this statement and reject any application for information contrary to this statement.

14.0 Amendments to this Statement

Outspan Teaching and referral Hospital reserves the right to amend or modify this statement at any time. If Outspan Teaching and referral Hospital amends this statement, You can access the most current version of the privacy statement by clicking this link Outspan Teaching and Referral Hospital Privacy Statement so that you will always know how your personal information is being used or shared. Any amendment or modification to this statement will take effect from the date of notification.

Statement Effective Date 01/08/2024