Shoebill Health Care

Data Protection Policy and Practices

Last updated: 1 April 2026

Policy

Shoebill Health Care Limited (“the Company”) is committed to safeguarding the privacy, confidentiality and security of personal data collected and held by the Company, in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (“PD(P)O”). The Company undertakes to:

  1. Collect personal data that is adequate but not excessive, by lawful and fair means and for lawful purposes;

  2. Take all reasonably practicable steps to ensure that personal data collected or retained is accurate and up-to-date for its intended use;

  3. Take all reasonably practicable steps to erase personal data that is no longer necessary for the purposes for which it was collected;

  4. Use personal data only for the purposes for which it was collected or for directly related purposes, unless prior consent is obtained from the data subject or such use is permitted by law;

  5. Take all reasonably practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use;

  6. Take all reasonably practicable steps to ensure transparency, enabling individuals to be informed of the kinds of personal data held and the purposes for which the data is used;

  7. Handle data access and correction requests in accordance with the PD(P)O;

  8. Comply with all applicable duties and obligations under the PD(P)O.

Kinds of Personal Data Held

The Company may hold the following categories of personal data:

  1. Personal particulars, including but not limited to name, gender, date of birth, identification document type and number, contact details, email address, emergency contact details, billing and payment information, and insurance information;

  2. Medical records, including medical history, health conditions, medication records and other health-related information;

  3. Employment-related records, including but not limited to personal particulars, family information, employment details, remuneration, benefits, training, qualifications, disciplinary records and performance assessments;

  4. Other records, including personal data collected in connection with enquiries and complaints.

Main Purposes for Keeping Personal Data

The Company collects and retains personal data for the following purposes:

  1. Healthcare and treatment purposes, including:

    1. Verification of identity;

    2. Provision of medical consultation, treatment, counselling and rehabilitation services;

    3. Communication regarding service arrangements;

    4. Processing of payments, billing and insurance claims;

  2. Manpower planning, staff development and employment-related purposes;

  3. Handling and processing enquiries or complaints;

  4. Clinical audit, quality assurance and statistical analysis;

  5. Other lawful purposes as required, authorised or permitted by law.

Practices

To ensure compliance with the PD(P)O, the Company adopts the following practices:

  1. A Data Protection Officer is appointed to oversee privacy matters and monitor compliance with the PD(P)O;

  2. The Personal Information Collection Statement is made available at registration counters and on the Company’s website for reference prior to data collection;

  3. Data access or correction requests may be directed to the Data Protection Officer at [email protected].

Data Retention

The Company maintains a records management system in accordance with internal policies and guidelines to ensure that personal data is properly created, stored, retained and securely disposed of when no longer required.