Contact Us: (284) 852-7500 | (284) 394-3497

DATA PRIVACY NOTICE

Privacy Policy

This notice sets out how the British Virgin Islands Health Services Authority (BVIHSA) will process personal information as a Data Controller.

Who We Are

The British Virgin Islands Health Services Authority (BVIHSA) is a statutory body responsible for delivering and managing healthcare services within the British Virgin Islands. We are committed to protecting your privacy and ensuring the confidentiality of your personal data.

Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (the “data subject”). This includes, but is not limited to, names, contact details, health information, and online identifiers.
  • Processing: Any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data Controller: The BVIHSA is the data controller responsible for determining the purposes and means of processing personal data.
  • Data Protection Officer: An individual responsible for overseeing data protection compliance within the BVIHSA.
  • BVI Data Protection Act: The British Virgin Islands Data Protection Act, 2021.
  • Data Subject: A natural person whose personal data is being processed.

What Information We Collect About You?

We collect various types of personal data, including:

  • Identification Data: Name, date of birth, gender, marital status, nationality, passport/ID information, and Unique Patient Identifier.
  • Contact Data: Address, email address, phone number.
  • Health Data: Medical history, diagnosis, treatment plans, lab results, prescriptions, and other health-related information. This includes sensitive data about your physical or mental health, and genetic information.
  • Financial Data: Payment information, insurance details, and billing records.
  • Website Usage Data: IP address, browser type, operating system, pages visited, and other information about your interaction with our website. This may include cookies and similar technologies.
  • CCTV Footage: Images and video recordings of individuals within BVIHSA facilities, captured by our CCTV systems. This may include your likeness, activities, and location within the premises.
  • Other Information: Information provided during interactions, such as complaints, feedback, or participation in surveys. This can include information provided by third parties, such as family members or referring physicians.
  • Voice Recordings: Recordings of telephone calls with BVIHSA staff, with your consent or where necessary for quality assurance or service improvement.

What Do We Do With Your Personal Data?

We process your personal data for the following purposes:

  • Providing Healthcare Services: To provide medical care, treatment, and related services, including diagnosis, treatment, and ongoing care.
  • Administration of Services: To manage appointments, billing, insurance claims, and other administrative tasks.
  • Improving Our Services: To analyze patient data to improve the quality, effectiveness, and efficiency of our healthcare services.
  • Website Functionality and Security: To operate our website, personalize your experience, and protect the security of our online platforms.
  • Compliance with Legal Obligations: To comply with applicable laws, regulations, and legal processes, including reporting to public health authorities.
  • Safety and Security (CCTV): To ensure the safety and security of patients, staff, and visitors within BVIHSA facilities, prevent and detect crime, and protect BVIHSA property.
  • Research Purposes: To conduct medical research, subject to your consent and ethical review. This can include clinical trials and studies.
  • Patient Satisfaction Surveys: To gather feedback and improve patient experience.
  • Quality Assurance and Training: To review medical records for quality improvement, clinical audits, and staff training.
  • Handling Complaints and Enquiries: To respond to your complaints, questions, and requests.

Direct Marketing

We will not use your personal data for direct marketing purposes without your explicit consent. If you have consented to receive marketing communications, you can opt-out at any time by contacting us or using the unsubscribe link provided in our emails.

Legal Basis for Processing Personal Data

We process your personal data under the following legal bases, as permitted by the BVI Data Protection Act:

  • Consent: Where you have given us explicit consent to process your personal data for a specific purpose (e.g., direct marketing, some research activities).
  • Performance of a Contract: Where processing is necessary for the performance of a contract with you (e.g., providing healthcare services).
  • Legal Obligation: Where processing is necessary to comply with a legal obligation (e.g., mandatory reporting to public health authorities, responding to court orders).
  • Vital Interests: Where processing is necessary to protect your vital interests or the vital interests of another person (e.g., in a medical emergency).
  • Public Interest: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (e.g., public health initiatives).
  • Legitimate Interests: Where processing is necessary for our legitimate interests (e.g., security and safety in our facilities, quality assurance, preventing fraud) provided that these interests do not override your fundamental rights and freedoms. We will carefully assess and document our legitimate interests.

Use of Your Data for Research Purposes

We may use your anonymized and aggregated data for medical research purposes to improve healthcare outcomes and public health. We will only use your identifiable personal data for research purposes with your explicit, informed consent and subject to ethical review board approval. You have the right to withdraw your consent at any time without affecting the quality of care you receive.

Use of Your Data for Patient Satisfaction Surveys

We may use your personal data to conduct patient satisfaction surveys to gather feedback on our services and improve the patient experience. Your participation in these surveys is voluntary. Your responses will be kept confidential.

Closed Circuit Television (“CCTV”)

CCTV systems are in operation at various BVIHSA facilities to ensure the safety and security of our patients, staff, and visitors. We use CCTV footage for the following purposes:

  • Security and Safety: To monitor our premises and deter criminal activity.
  • Incident Investigation: To investigate accidents, incidents, or complaints.
  • Evidence: To provide evidence in legal proceedings.
  • Staff Training: To train staff on appropriate procedures.
  • Patient safety: To monitor high-risk areas within the facility.

CCTV footage is typically retained for a limited period of 90 days, unless required for legal or investigative purposes, in which case it may be retained for a longer period. Access to CCTV footage is restricted to authorized personnel only. Clear signage is displayed in areas monitored by CCTV. CCTV footage will be stored securely and protected from unauthorized access.

Children Below 18 Years

We recognize the importance of protecting the privacy of children. We will not knowingly collect personal data from children under the age of 18 without the verifiable consent of a parent or legal guardian. If you believe that we have inadvertently collected personal data from a child under 18, please contact us immediately so we can take appropriate action.

Who We Share Your Data With, and Why?

We may share your personal data with the following categories of recipients, and only when necessary:

  • Healthcare Professionals: Doctors, nurses, specialists, therapists, and other healthcare professionals involved in your care.
  • Administrative Staff: Staff involved in scheduling appointments, processing billing, managing your medical record, and other administrative functions.
  • Insurance Providers: With your explicit consent, we may share information necessary for processing insurance claims or verifying eligibility.
  • Laboratories and Diagnostic Centers: For the performance of tests, analyses, and diagnostic procedures.
  • Legal and Regulatory Authorities: As required by law, we may disclose your personal data to law enforcement agencies, courts, or other governmental authorities (e.g., the Public Health Department).
  • IT Service Providers: Third-party vendors that provide IT support, including website hosting, data storage, software maintenance, and cloud services, who process data on our behalf under strict contractual agreements and confidentiality obligations.
  • Payment Processors: To process payments for services.
  • Family members or representatives: With your explicit consent, we may share relevant information with your designated family members or legal representatives.

Sharing with Non-BVIHSA Organisations

We may share your personal data with non-BVIHSA organizations only with your explicit consent, or by regulation. Examples include:

  • Referrals to other specialists or healthcare providers outside BVIHSA (e.g., overseas specialists).
  • Sharing with research partners for approved research projects, subject to your consent and ethical approvals.
  • Sharing with your designated family members or representatives, with your express consent.
  • Sharing with external auditors or regulatory bodies for audit or inspection purposes.
  • Collaboration with other healthcare providers to coordinate care, provided they adhere to data protection principles.

How Do We Protect Your Data?

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures include:

  • Data Encryption: Encrypting sensitive data both in transit and at rest.
  • Access Controls: Limiting access to personal data to authorized personnel only, based on their job roles and responsibilities.
  • Secure Servers and Data Centers: Utilizing secure servers and data centers, with robust physical and electronic security measures.
  • Regular Security Audits: Conducting regular security audits, vulnerability assessments, and penetration testing to identify and address potential weaknesses.
  • Staff Training: Providing comprehensive data protection training to our staff, including awareness of data privacy principles, data security procedures, and incident response protocols.
  • Data Breach Procedures: Implementing robust procedures to detect, investigate, and respond to data breaches promptly, in accordance with the BVI Data Protection Act.
  • Firewalls and Intrusion Detection: Employing firewalls and intrusion detection systems to protect our networks and systems.
  • Secure Data Transfer: Using secure methods for transmitting data, such as secure email and encrypted file transfers.
  • Regular Backups: Implementing regular data backups to prevent data loss.
  • Physical Security: Securing physical access to our facilities and data storage areas.

In certain circumstances, we may process your personal data without your explicit consent where required by law, including for public health purposes, legal/law-related investigations, or to protect vital interests.

Transfers Outside the BVI

We do not typically transfer your personal data outside the BVI. However, if such a transfer becomes necessary (e.g., for specialist consultations, treatment abroad, or research collaborations), we will ensure that appropriate safeguards are in place to protect your data in accordance with the BVI Data Protection Act. These safeguards may include:

  • Adequacy Decisions: Relying on an adequacy decision by the BVI Information Commissioner for the destination country.
  • Standard Contractual Clauses (SCCs): Implementing Standard Contractual Clauses.
  • Your Explicit Consent: Obtaining your explicit consent for the transfer.
  • Binding Corporate Rules (BCRs): Where the BVI has Binding Corporate Rules.

Public Health Department

We are required to share your personal data with the Primary Healthcare (Public Health) Department for public health purposes, such as the control of communicable diseases, disease surveillance, public health emergencies, and health reporting. This sharing is permitted under legal obligations and is essential to protect the health and safety of the community.

Your Rights Under the Data Protection Law

The BVI Data Protection Act grants you various rights regarding your personal data:

1. The Right to be Informed

You have the right to be informed about how we collect and use your personal data, as detailed in this Privacy Policy. We will provide this information in a clear, concise, and transparent manner.

2. The Right of Access

You have the right to request access to your personal data held by us. This includes the right to obtain confirmation of whether your data is being processed and access to your personal data and related information (purpose of processing, categories of data, recipients, storage period, etc.). We will provide this information to you free of charge within 30 days, unless your request is complex or excessive, in which case we may extend this timeframe or charge a reasonable fee.

3. The Right to Rectification

You have the right to request the correction of inaccurate or incomplete personal data. We will make the necessary corrections as soon as possible.

4. The Right to Stop/Restrict Processing

You have the right to restrict the processing of your personal data in certain circumstances, such as:

  • If you contest the accuracy of the data (until we verify its accuracy).
  • If the processing is unlawful, and you oppose erasure.
  • If we no longer need the data, but you require it for legal claims.
  • If you have objected to processing based on our legitimate interests (pending verification).

5. The Right to Stop Direct Marketing

You have the right to object to the processing of your personal data for direct marketing purposes. We will immediately stop processing your data for this purpose.

6. The Right in Relation to Automated Decision Making

We do not use automated decision-making processes that have legal or significant effects on you.

7. The Right to Complain

You have the right to lodge a complaint with the BVI Information Commissioner if you believe that we have not processed your personal data in accordance with the BVI Data Protection Act.

Exercising Your Rights

To exercise any of your rights, please contact our Data Protection Officer (DPO) at the contact details provided below. We will respond to your request within the timeframe specified by the BVI Data Protection Act. We may require proof of your identity before processing your request to ensure that your data is protected and disclosed only to the correct individual.

Do you have a complaint or questions?

Please contact:

Mr. Ryan Ross (Safety And Compliance Manager)
Dr. D Orlando Smith Hospital
Main Street
Road Town, Tortola
British Virgin Islands
E-mail: rross@bvihsa.vg
Telephone: (284) 852-6434

How Long We Keep Your Data?

We will retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The retention period will vary depending on the type of data and the purpose for which it is processed. Factors considered include:

  • Legal and Regulatory Requirements: We must comply with legal and regulatory requirements regarding the retention of medical records and other data.
  • Clinical Needs: We may need to retain medical records for clinical care and future reference.
  • Audit Purposes: We may retain data for audit purposes.
  • Statistical Purposes: We may retain anonymized data for statistical purposes.
  • Security: We may retain logs to maintain security and protect against fraud.

Once the retention period has expired, your personal data will be securely destroyed or anonymized.

Changes to this Privacy Notice

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technology. Any changes will be effective immediately upon posting the revised Privacy Policy on our website. We will notify you of significant changes. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data.
This policy was last updated on 02/20/2025.
