Everything related to a person and their being can be described as data. A person’s personal data includes, for example, their name, address, contact information, as well as information about their financial situation, etc. In addition, personal data includes data that is more sensitive in nature, i.e. special categories of personal data, which include a person’s health data. Thus, personal data are all data which enable a person to be identified, directly or indirectly, whatever their form.
The processing of personal data is any act performed on personal data. The North Estonia Medical Centre processes personal data, including health data, for the provision of specialised medical care, emergency care, and ambulance services. The medical centre also participates in conducting studies within the framework of teaching and research and performs other tasks assigned to the medical centre by various legal acts.
We process personal data if:
- you are admitted to our hospital – we process your personal data, as well as health data, for the diagnosis and treatment of illness, injury, or poisoning to alleviate your ailments, prevent the deterioration or exacerbation of the illness, and restore health;
- the patient has marked you as their contact person – we process your personal data for the purpose of transmitting information related to the patient;
- your loved one has been admitted to our hospital – we process your personal data (personal identification code, name) to verify your connection with the patient. We provide you, as a person close to the patient, with data reflecting the patient’s state of health. This is only the case if the patient or the investigating body (e.g. the police) has not forbidden the transfer of data;
- you are a donor – we process your personal data, including health data, to assess your suitability as a donor, but only to the extent permitted by law;
- you participate in screening – we process your personal data for screening and analysis;
- you wish for documents or data related to the treatment to be released – we will use your personal data, or the personal data of the person who applied for the documents or data with your consent, to issue the documents or data;
- you send us a request for explanation, a letter of formal notice, a request for information, or a complaint – we will use your personal data to clarify the circumstances of the complaint and to respond to the letter. If you have sent us a letter to which another authority can reply, we will forward the letter there and inform you as the sender of the letter;
- you submit a proposal or letter of thanks to us – with your consent, we will publish your personal data (name) on our medical centre’s website and intranet;
- you apply for a job with us – we use the information published by you and data collected from public sources. We assume that we can communicate with the people named as your referees. Each candidate has the right to know what data we have collected about them and the right to access, explain, or object to the data we have collected;
- you participate in a training we offer – we process your data (name, contact details, position) to provide organisational information, request consent, issue documents proving participation in the training, prepare and forward payment documents, and send information letters about trainings and conferences. More information can be found on the training website.
When storing the collected data, we follow the deadlines specified in legislation.
In order to fulfil our legal obligation, we provide data related to treatment:
- to other databases – the health information system (patient portal) and the cancer register;
- to the Estonian Health Insurance Fund to settle the costs related to your treatment.
All letters sent to us are registered in the medical centre’s document management system. Correspondence with private individuals is subject to a general access restriction, as the letters contain personal data. This means that if someone wants to see an individual’s correspondence or a document, they must make a request for information to the medical centre. Upon receipt of a request for information, we will review whether the requested documents may be issued or may be issued in part. In the event of a partial issuance, we will cover your personal data, which the applicant does not have the right to process, to prevent the data being issued in excess. Possible grounds for access restrictions are set out in section 35 of the Public Information Act.
Notwithstanding the access restriction, we will issue documents and data related to you to institutions or persons who have the legal right to receive these documents or this data (e.g. police, court, Health Insurance Fund, Health Board, insurer in case of an insured event, etc.).
We only send documents containing special categories of personal data to the addressees by registered mail or encrypted e-mail. If possible, we forward documents to agencies through a secure document exchange centre.
We generally keep correspondence with private individuals for five years, after which the documents are destroyed.
The cameras installed in the medical centre are used for two purposes:
- the protection of persons and the prevention of situations endangering the preservation of property, responding to a dangerous situation, or identifying the cause of damage in the event of damage to property (security cameras);
- to monitor the patient remotely to ensure their safety during the provision of healthcare.
Security cameras are cameras mounted on the exterior walls or interiors of the medical centre’s buildings that transmit a real-time image, record it, and allow it to be processed and reproduced later. Security cameras are not allowed to record sound or monitor a specific person, but only a specific area (such as a room or yard) and what is happening there.
When processing data obtained with security cameras, we use such security measures that protect the collected data from unintentional or unauthorised monitoring, copying, modification, transfer, and deletion. Only the medical centre’s security staff have the right to access security camera recordings. The recordings may only be transmitted outside the medical centre or made available if there is a legal basis for this (e.g. to the police). We store security camera recordings for 30 calendar days. After this, we will delete the recordings either by deleting the data or by overwriting the data, depending on the technical capabilities of the camera.
Cameras for remote patient monitoring are installed in wards where continuous patient monitoring is required and in the anteroom of the radiology department examination room. These cameras transmit real-time images.
- The cameras installed in the wards allow the medical staff to constantly monitor the patients who need to be monitored and to intervene quickly if the patients need help.
- With the camera installed in the anteroom of the radiology department, the examination nurse can monitor the patient entering the anteroom from their workplace, communicate with them via an audio solution, give them instructions, ask questions, and, if necessary, intervene quickly if the patient is feeling sick or needs help. The cameras are connected only to the computer of the examination nurse of the radiology department and allow monitoring of only the image transmitted by the camera in the anteroom of this particular examination room. The cameras do not record an image, and there is no other access to them.
Labels with a camera image indicate the use of the cameras in the medical centre.
If you have any questions related to the cameras, you can contact the medical centre’s hotline at 617 1300 or write to the e-mail address firstname.lastname@example.org.
Personal data breach
- If a personal data breach has occurred in our medical centre and it poses a probable threat to your rights and freedoms, we will notify the Data Protection Inspectorate of the breach. We will take steps to resolve the violation immediately and prevent further violations.
- If your personal rights and freedoms are likely to be seriously compromised as a result of the personal data breach, we will also notify you. The purpose of the notification is to enable you to take the necessary precautions to alleviate the situation.
Accessing your data
You have the right to:
- access the data we have collected about you;
- request the rectification or supplementation of personal data if they are incorrect or insufficient;
- demand the deletion of personal data for the use of which we have no legal basis;
- request a restriction on the processing of personal data (e.g. while the accuracy of your personal data is being verified);
- object to the processing of personal data concerning you.
To do this, submit a handwritten or digitally signed request to us. The request can be submitted to the hospital office on the spot or sent by post to 19 J. Sütiste tee, 13419, Tallinn or as a digitally signed document to the e-mail address email@example.com.
We will respond to your request as soon as possible, but no later than within one month. We will release the data collected about you, either on paper or electronically, in accordance with your wishes. If we have reasonable doubts about the identity of the person who submitted the request, we may require additional information to identify them.
We will refuse to comply with your request if it may:
- harm the rights and freedoms of another person;
- undermine national security;
- prevent or impair the prevention or detection of an offence, proceedings concerning it, or the execution of the sentence.
If you have any doubts about the decision made by our doctor, you can turn to another specialist for a second opinion, the purpose of which is to assess:
- the correctness of the diagnosis made,
- the need for the medicinal product or healthcare prescribed to the patient,
- the explained alternatives and expected effects; and
- the risks associated with the provision of healthcare.
Protection of rights and contact details
If you find that we have violated your rights when processing personal data, you can file a complaint with either the medical centre’s data protection specialist or the Data Protection Inspectorate (39 Tatari Street, Tallinn, 10134, e-mail address firstname.lastname@example.org).
The North Estonia Medical Centre does its best to protect your personal data and to comply with data protection and privacy legislation.