Consent Framework

Last updated: April 16, 2026

PURPOSE

  1. The purpose of this Consent Framework (“Framework”) is to regulate and give effect to the lawful, transparent, secure and user-controlled processing of Personal Information and Special Personal Information, including health information, within the Mammoth Health Information Exchange (“HIE”).

  2. This Framework establishes the principles and mechanisms in terms of which Data Subjects provide informed, voluntary, explicit and granular consent for the collection, processing, access and sharing of their Personal Information.

  3. This Framework shall be read together with the Privacy Policy and the Patient Access User Agreement (“User Agreement”), which collectively govern the processing of Personal Information and the use of the HIE.

  2. LEGAL BASIS FOR PROCESSING AND ROLES

    1. Personal Information shall be processed in accordance with the Protection of Personal Information Act (“POPIA”) and all applicable healthcare legislation, including the National Health Act.

    2. The processing of Special Personal Information, including health information, shall be undertaken on the basis of the Data Subject’s explicit consent or where otherwise permitted by applicable law. Processing may also occur where otherwise permitted under applicable law, including for the performance of a contract, compliance with legal obligations, or legitimate interests, where such interests are not overridden by the rights of the Data Subject.

    3. Mammoth shall act primarily as an Operator in respect of Personal Information processed on behalf of Participating Data Sources within the HIE and shall process such information strictly in accordance with the knowledge and authorisation of the relevant Responsible Parties. For purposes of this Framework, unless the context indicates otherwise, “Participating Data Sources (Data Sources)” means healthcare providers, institutions and other authorised entities that contribute Personal Information to the HIE.

    4. Notwithstanding clause 2.3, Mammoth shall act as a Responsible Party in respect of demographic information associated with the Data Subject and health information that is self-reported or otherwise submitted by the User within the HIE, and shall determine the purpose of and means for processing such information in accordance with applicable law.

    5. For the avoidance of doubt, Mammoth shall not be deemed to be a Responsible Party in respect of health information originating from Participating Data Sources.

  3. CONSENT LIFECYCLE WITHIN THE HIE

    1. A Data Subject shall be required to create a digital profile within the HIE, which shall enable identity verification and access to the Unified Care Record (“UCR”).

    2. Prior to the compilation of the UCR, the Data Subject shall provide explicit, informed and voluntary consent to the collection of Personal Information from Participating Data Sources, the aggregation, linkage and integration of such information, and the creation and presentation of the UCR.

    3. Upon obtaining valid consent, Mammoth shall utilise identity matching and data integration processes to compile the UCR.

    4. Subject to the Data Subject’s ongoing consent, Personal Information shall be continuously retrieved, integrated and updated from Participating Data Sources in order to maintain the accuracy, completeness and currency of the UCR.

    5. The Data Subject shall be entitled to withdraw consent to such ongoing processing at any time, subject to the limitations set out in this Framework and the User Agreement.

  4. UNIFIED CARE RECORD

    1. The Unified Care Record shall constitute a consolidated, longitudinal and informational view of health-related information compiled from one or more Participating Data Sources.

    2. The UCR shall not replace, supersede or assume control over the underlying systems of record maintained by Participating Data Sources.

    3. Access to and use of the UCR shall be subject to the Data Subject’s consent and the provisions of the User Agreement.

  5. CONSENT-BASED ACCESS AND SHARING

    1. The Data Subject shall retain control over access to and sharing of Personal Information contained within the UCR.

    2. The Data Subject may elect to share Personal Information either directly with a designated recipient or in response to a prompt generated within the HIE.

    3. All sharing of Personal Information shall be subject to explicit, informed consent, shall be limited to the scope defined by the Data Subject, and shall occur only for a lawful and specified purpose, subject to the limitations of liability set out in the User Agreement.

    4. Unless expressly stated otherwise, consent provided for the sharing of Personal Information shall be transaction-specific and shall not constitute ongoing, recurring or blanket consent.

  6. PROMPT-BASED CONSENT

    1. The Data Subject may elect to receive prompts generated by Mammoth based on the analysis of information within the HIE.

    2. Consent to receive such prompts shall be obtained separately and shall not constitute consent to share Personal Information.

    3. Any sharing of Personal Information in response to a prompt shall require separate, explicit and transaction-specific consent.

    4. No automated, implied or default sharing of Personal Information shall occur without the Data Subject’s express consent.

  7. DATA MINIMISATION

    1. Mammoth shall ensure that any Personal Information shared through the HIE is limited to that which is necessary to achieve the intended purpose of such sharing.

    2. Appropriate technical and organisational measures shall be implemented to ensure that only relevant and proportionate information is disclosed in each instance.

  8. TRANSFER OF RESPONSIBILITY

    1. Upon the lawful sharing of Personal Information by the Data Subject with a designated recipient, such recipient shall become an independent Responsible Party in respect of the Personal Information received.

    2. Such recipient shall assume full responsibility for compliance with applicable data protection and healthcare laws in respect of such information.

    3. Mammoth shall not be responsible for, nor incur any liability in respect of, any processing of Personal Information undertaken by such recipient following lawful disclosure.

  9. SYSTEMS OF RECORD AND DATA CONTROL

    1. Participating Data Sources shall remain the primary systems of record in respect of all clinical and healthcare information originating from such sources.

    2. Mammoth shall act as the system of record, within the context of the HIE, in respect of demographic information associated with the Data Subject and information that is self-reported by the Data Subject.

    3. Nothing in this Framework shall be construed as transferring ownership, control or responsibility for underlying clinical records from Participating Data Sources to Mammoth.

  10. WITHDRAWAL AND MANAGEMENT OF CONSENT

    1. The Data Subject may withdraw or modify consent at any time through the mechanisms made available within the HIE.

    2. Upon withdrawal of consent, further processing and sharing of Personal Information shall cease, except where such processing is required or permitted by law.

    3. The withdrawal of consent shall not affect the lawfulness of any processing undertaken prior to such withdrawal.

    4. The Data Subject acknowledges that the withdrawal of consent may result in the limitation, restriction or unavailability of certain functionalities of the HIE, including the ability to access, update or share the Unified Care Record.

  11. SECURITY AND CONFIDENTIALITY

    1. Mammoth shall implement appropriate, reasonable technical and organisational measures to safeguard the integrity and confidentiality of Personal Information, as further described in the Privacy Policy.

    2. All health information shall be treated as confidential in accordance with applicable healthcare legislation, including the National Health Act.

  12. DATA SUBJECT RIGHTS

    1. The rights of Data Subjects in respect of Personal Information, including the rights of access, correction, deletion and objection, shall be governed by the Privacy Policy and applicable law.

    2. Mammoth shall provide mechanisms to enable the exercise of such rights in accordance with applicable law.

  13. INFORMATION OFFICER AND GOVERNANCE

    1. Mammoth has appointed an Information Officer responsible for ensuring compliance with applicable data protection laws.

    2. The roles, responsibilities and contact details of the Information Officer are set out in the Privacy Policy.

  14. CROSS-BORDER PROCESSING, RETENTION AND SECURITY INCIDENTS

    1. Cross-border processing of Personal Information, data retention practices and the management of security incidents shall be conducted in accordance with the Privacy Policy and applicable law.

  15. AMENDMENTS

    1. Mammoth reserves the right to amend this Framework from time to time.

    2. Where any amendment materially affects the processing of Personal Information, Mammoth shall provide appropriate notice and, where required by law, obtain renewed consent from Data Subjects.

  16. CONTACT AND COMPLAINTS

    1. Any queries, requests or complaints relating to this Framework or the processing of Personal Information may be directed to the Information Officer.

    2. Data Subjects shall have the right to lodge a complaint with the Information Regulator in accordance with POPIA.