STATMed Privacy Policy

Last updated: December 2025

1. Introduction

STATMed Pathology (Drs Hudson & Swart Inc.) ("STATMed", "we", "our") is committed to protecting the privacy, confidentiality and security of personal information that we process in providing blood testing and related pathology services.

This Privacy Policy explains how we collect, use, store, share and protect personal information, including health information, in accordance with the Promotion of Access to Information Act 2 of 2000 (PAIA), the Protection of Personal Information Act 4 of 2013 (POPIA), and good practice for medical laboratories aligned with ISO 15189 requirements.

2. Scope of this Privacy Policy

This policy applies to all personal information processed by STATMed in connection with:

• Laboratory testing and reporting for patients.
• Clinical advisory services provided to healthcare professionals.
• Use of our laboratory information systems and results platforms, including our mobile app.
• Interactions with our billing, accounts and support teams.
• Visitors to our laboratory premises or websites.

3. What information we collect

As a blood testing laboratory, we collect and process the following categories of personal and special personal information:

• Patient identification and contact details – full name, date of birth, gender, identity or passport number, hospital or medical record number, contact details and address (where supplied).
• Clinical and laboratory information – requesting clinician, clinical notes provided on the request form, tests requested, samples collected, results generated, interpretive comments and quality-related flags.
• Administrative and billing information – medical aid or funder details, account information, authorisation numbers, payment history and related correspondence.
• Healthcare professional details – name, practice number, contact details, speciality and practice location.
• Technical and security information – login identifiers, device details, access logs, IP addresses, audit trails and activity logs when using our systems.
• Premises security information – CCTV footage and visitor logs for safety and security purposes.

4. How we collect information

We collect personal information directly and indirectly, for example:

• From clinicians, hospitals and other healthcare providers who request tests from STATMed.
• From patients, where they communicate directly with us or use our digital services.
• From medical schemes, funders or billing intermediaries as part of claims processing.
• Automatically, through our laboratory information systems, results platforms and security systems.

5. Why we process personal information

We process personal information only for lawful purposes related to the operation of a medical laboratory. These include:

• Receiving and registering test requests, identifying the correct patient and ensuring the right samples are tested.
• Performing laboratory analyses and generating accurate, reliable test results.
• Reporting results to authorised healthcare professionals and, where appropriate, to patients.
• Providing advice to clinicians on the interpretation of results and appropriate test selection.
• Maintaining a comprehensive laboratory record and audit trail in line with ISO 15189 and applicable legislation.
• Participating in internal quality control and external quality assurance programmes.
• Managing billing, accounts and medical scheme claims.
• Monitoring, improving and developing our services, systems and processes.
• Complying with legal, regulatory and professional obligations, including record-keeping and reporting requirements.
• Ensuring the safety and security of our staff, patients, visitors and information systems.

6. Legal basis for processing

Depending on the context, we rely on one or more of the following legal grounds to process personal information:

• The processing is necessary for the performance of a contract for healthcare or laboratory services.
• The processing is required to comply with legal or regulatory obligations (for example, health, laboratory or tax laws).
• The processing is necessary to protect the legitimate interests of the patient, clinician or STATMed.
• The data subject (or authorised representative) has given consent, where required by POPIA or other laws.

7. Sharing of information

We do not sell personal information. We share information only where necessary and appropriate, for example with:

• Treating clinicians and healthcare facilities – to provide them with results and relevant clinical comments.
• Referral and partner laboratories – where specialised tests are performed elsewhere, under confidentiality obligations.
• Medical schemes, funders and billing agents – for processing claims and payments.
• IT and system support providers – who host, maintain or support our systems under written data protection agreements.
• Regulators, statutory bodies and law enforcement – where we are required to share information by law or professional rules.
• External quality assurance providers and auditors – for quality, accreditation and audit purposes, usually with de-identified or minimised data.

8. Cross-border transfers

Some of our technology services (for example, secure email, cloud hosting or backup services) may be provided from outside South Africa. Where personal information is transferred across borders, we take reasonable steps to ensure that the recipient is subject to legally binding obligations to provide a level of protection that is substantially similar to that required under POPIA.

9. Information security

STATMed maintains technical and organisational measures designed to protect the confidentiality, integrity and availability of personal information, consistent with POPIA and ISO 15189 principles. These include:

• Role-based access controls, unique user IDs and strong authentication for all systems.
• Encryption of data in transit and, where appropriate, at rest.
• Secure laboratory information systems with audit trails for result creation, modification and release.
• Physical security at laboratory and office sites, including controlled access and CCTV.
• Regular backups, system monitoring and incident response procedures.
• Staff training and awareness on privacy, information security and confidentiality obligations.

10. Retention of records

STATMed keeps personal and laboratory records only for as long as necessary to fulfil the purposes set out in this policy and to meet legal, regulatory and professional requirements. In particular:

• Minimum retention periods applicable to health records in South Africa are observed.
• ISO 15189 requirements for laboratory information and traceability are taken into account.
• Where longer retention is required for medico-legal or quality purposes, records may be kept securely for that extended period.

Once no longer required, records are securely destroyed or de-identified in line with our retention schedules.

11. Your rights

Under POPIA and PAIA, and subject to certain limitations, you have the right to:

• Request confirmation of whether we hold personal information about you.
• Request access to your personal or laboratory records.
• Request correction or deletion of inaccurate, irrelevant, excessive or outdated information.
• Object to certain forms of processing, or request restriction of processing in specific circumstances.
• Withdraw consent where processing is based on your consent (this will not affect prior lawful processing).

Requests to exercise these rights may be made using our contact details below. In some cases, we may require additional information to verify your identity or authority before acting on a request.

12. Children and incapable patients

Where tests relate to children or patients who are not legally able to provide informed consent, we will obtain information and manage access to results through a parent, guardian, curator or other legally authorised representative, in accordance with applicable laws.

13. Complaints

If you have concerns about how we process your personal information, please contact us first so we can attempt to resolve the issue.

You also have the right to lodge a complaint with the Information Regulator of South Africa if you believe that we have not complied with POPIA or PAIA in our handling of your personal information.

14. Contact details

For privacy-related queries, requests or complaints, please contact:

• Email: privacy@statmed.co.za
• General enquiries: info@statmed.co.za
• Results: results@statmed.co.za
• Billing: billing@statmed.co.za
• Support & complaints: support@statmed.co.za

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal or regulatory developments, or best practice for medical laboratories. The most recent version will be made available on our website or on request.