Thammasat University Hospital

Privacy Notice
Thammasat University Hospital

       Thammasat University Hospital ("Hospital"), a division of Thammasat University, acts as the data controller in compliance with the Personal Data Protection Act B.E. 2562 (PDPA). We recognize the critical importance of safeguarding user confidentiality and have implemented rigorous data protection and privacy measures for individuals.

       This Privacy Notice, created in accordance with PDPA regulations, outlines the Hospital's practices for handling personal information, including its collection, storage, use, and disclosure. It also details user rights, as provided below.

1. Definition

       “Personal Data”: Any data that can directly or indirectly identify an individual, excluding data about deceased individuals.

       “Sensitive Personal Data”: Defined by the Personal Data Protection Committee as factual personal information that can lead to discriminatory treatment. This includes details such as ethnicity, race, political opinions, religious beliefs, philosophy, sexual behavior, criminal records, health information, disabilities, labor union membership, genetic data, biometric data, and any other information deemed similarly impactful.

       “Patient and Patient's Relatives”: Individuals receiving health services (check-ups, diagnosis, treatment, or nursing) from the hospital. This category includes owners of personal data, such as authorized representatives for minors, legal guardians for incapacitated persons, and guardians for quasi-incapacitated persons.

       “Website Users”: Individuals accessing the Thammasat University Hospital website (hospital.tu.ac.th).

       “Other Involved Parties”: Individuals participating in hospital operations but not covered in the above categories (e.g., volunteers, research participants).

       “Data Processing”: Any automated or manual actions performed on data, including collecting, recording, organizing, storing, adapting, altering, retrieving, using, disclosing, disseminating, restricting, deleting, or destroying.

       “Health Data”: Any information, communicated verbally or recorded, related to an individual's physical or mental health, past, present, or future. This includes information gathered during healthcare services, health management, or payment for services.


2. The hospital’s personal data acquisition sources

       The hospital may collect personal data directly from service users, always obtaining explicit consent from the data owner before collection. The hospital may also acquire data indirectly from other sources. In that case, the hospital commits to notifying individuals that their personal data has been collected from another source within 30 days of the acquisition, unless such notification is unfeasible or unnecessary under the law.


3. Personal Data Category

           General personal data: e.g., full name, date of birth, gender, and/or nationality.

           Contact details: e.g., registered address, alternative contact information (if any), phone number, email address, and emergency contact details.

           Identification: e.g., national identification numbers (ID) and/or IP addresses.

           Application access: e.g., usernames and/or passwords for accessing the hospital's applications.

           Biometric data: visual, audio, and/or video data capturing facial features or enabling individual identification.

           Sensitive information: e.g., demographic details (ethnicity and religion), genetic data, sexual behavior, and/or health information, including medical history; physical examination results; images of medical conditions; radiographic images; diagnostic results; treatment history; medication usage and prescription orders; and medical appointment records.

           Healthcare coverage: healthcare entitlement information, health insurance, and policy numbers.

           Financial information: e.g., payment methods, payment history, and/or credit card numbers.


4. Objective of Collecting and Utilizing Personal Data

       The hospital processes personal data only to the extent necessary for the following purposes, based on the legal grounds provided by the Personal Data Protection Act B.E. 2562.



(Columns: Purpose; Personal Data Category; Legal Basis)

Medical Services purposes

Purpose: Verifying your identity, scheduling follow-up appointments, and/or coordinating and transferring care.
Personal data category: General personal data; Contact details
Legal basis:
- Based on the necessity to prevent or mitigate harm to the life, body, or health of a person, according to Section 24(1); or
- Based on the necessity to comply with a contract for the provision of medical services, according to Section 24(3).

Purpose: Diagnosing your illness or symptoms, providing treatment, and offering relevant medical services; health information may be shared with the healthcare team to enhance your treatment and overall medical care.
Personal data category: Health data
Legal basis:
- Based on the necessity to prevent or mitigate harm to the life, body, or health of an individual, even if the data subject cannot give consent for any reason, according to Section 26(1); or
- Based on the necessity to comply with the law in order to achieve the objectives of medical diagnosis, healthcare provision, medical treatment, and health management, according to Section 26(5)(ก).

Purpose: Providing consultation, diagnosis, or treatment in telemedicine services through online channels.
Personal data category: General personal data
Legal basis:
- Based on the necessity to prevent or mitigate harm to the life, body, or health of a person, according to Section 24(1); or
- Based on the necessity to comply with a contract for the provision of medical services, according to Section 24(3).
Personal data category: Health data
Legal basis:
- Based on the explicit consent of the data subject, according to Section 26;
- Based on the necessity to prevent or mitigate harm to the life, body, or health of a person, even if the data subject cannot give consent for any reason, according to Section 26(1); or
- Based on the necessity to comply with the law in order to achieve the objectives of medical diagnosis, healthcare provision, medical treatment, and health management, according to Section 26(5)(ก).

Purpose: Claiming medical expenses, including other related medical service charges.
Personal data category: General personal data; Financial data
Legal basis:
- Based on the necessity to comply with a contract for the provision of medical services, according to Section 24(3).
Personal data category: Health data
Legal basis:
- Based on the necessity to comply with the law in order to achieve the objectives of providing healthcare benefits to legal beneficiaries, according to Section 26(5)(ข).

Educational and Instructional purposes

Purpose: Teaching and training of students and personnel, both inside and outside the institution (in cases where individuals may be identified).
Personal data category: Health data
Legal basis:
- Based on the explicit consent of the data subject, under Section 26.

Purpose: Planning and quality assurance of service delivery.
Personal data category: Health data
Legal basis:
- Based on the necessity to comply with the law in order to achieve public health objectives, according to Section 26(5)(ค).

Research Projects’ Education purposes

Purpose: Conducting research projects on behalf of the hospital, using the personal data of service users who have consented to participate in the research and have consented to the collection of such data.
Personal data category: General personal data
Legal basis:
- Based on consent, under Section 24.
Personal data category: Health data
Legal basis:
- Based on the explicit consent of the data subject, under Section 26.

Purpose: Undertaking research initiatives on behalf of the hospital by utilizing personal data already present in the hospital's internal database.
Personal data category: General personal data
Legal basis:
- Based on Section 24(1), where the data processing serves educational, research, or statistical purposes; or
- Based on the need for lawful purposes, under Section 24(5).
Personal data category: Health data
Legal basis:
- Based on scientific, historical, or statistical research, or other public interest purposes, under Section 26(5)(ง).

Purpose: Exchanging data with other research institutions or research funders for the purpose of conducting research for the public good.
Personal data category: General personal data
Legal basis:
- Based on consent, under Section 24;
- Based on Section 24(1), where the data processing serves educational, research, or statistical purposes; or
- Based on the need for lawful purposes, under Section 24(5).

Other purposes

Purpose: Disclosure to contractors, subcontractors, or external agencies that have contracts or agreements with the hospital.
Personal data category: Health data
Legal basis:
- Based on the necessity to comply with the law to achieve public interest objectives in public health or other important areas, under Section 26(5)(ข).

Purpose: Disclosure to other agencies as necessary to perform legal duties or as required by specific laws.
Personal data category: Health data
Legal basis:
- Based on the necessity to use or disclose health data to establish, exercise, or defend legal claims, or to challenge legal claims, under Section 26(4); or
- Based on the necessity to comply with the law to achieve public interest objectives in public health or other important areas, under Sections 26(5)(ข) and 26(5)(จ).

Purpose: Advertising or promoting the hospital's services (in cases where individuals may be identifiable).
Personal data category: Biometric data (visual or video data); Health data
Legal basis:
- Based on the explicit consent of the data subject, under Section 26.

Purpose: Distributing newsletters and promotional materials to present the hospital's products or services directly to users of the service.
Personal data category: General personal data; Contact details
Legal basis:
- Based on the necessity for legitimate interests in offering products and/or services to medical service recipients who have previously used medical services within the hospital, under Section 24(5); or
- Based on consent, in cases where the individual has never used medical services within the hospital, under Section 24.

Purpose: Collecting identifiable medical service statistics for professional councils or medical regulatory bodies, such as the various royal colleges.
Personal data category: Health data
Legal basis:
- Based on the necessity for compliance with the law in order to achieve objectives related to public interest in public health or other important matters, under Sections 26(5)(ข) and 26(5)(จ).

Purpose: Maintaining the safety of life and property in the hospital area.
Personal data category: Biometric data (visual or video data)
Legal basis:
- Based on the necessity for legitimate interests in maintaining the safety of life and property of medical service recipients and other individuals, under Section 24(5).

Purpose: Surveying service satisfaction and answering inquiries or complaints.
Personal data category: General personal data; Contact details
Legal basis:
- Based on the necessity for compliance with the law in order to achieve objectives related to surveying service satisfaction and answering inquiries or complaints, under Section 26(5)(ก).


5. Disclosure of Personal Information

       The hospital may disclose personal information to the following types of persons:

          5.1 Information may be disclosed to healthcare professionals in other hospitals in cases of referral for treatment, or to specialist physicians at other institutions for consultation on treatment, which may occur in both emergency and non-emergency cases.

          5.2 Certain health information may be disclosed to other persons involved in the care, such as family members, relatives, friends, social workers, and nursing home staff, for the benefit of the service user.

          5.3 In cases where the service user brings a relative or other person to accompany or care for them while receiving services at the hospital, it will be considered that the service user has implicitly consented to allow these persons to know about the service user's illness while the healthcare professional is providing consultation to the service user.

          5.4 Physicians, nurses, or hospital staff shall take great care not to communicate with the service user or communicate between the team of professionals in a manner that would allow the service user or other persons to hear or know about the service user's health problems. However, the natural nature of service delivery within the hospital may result in cases where it is not possible to prevent others from knowing about the service user's information completely. For example, other patients waiting for service may hear about another patient's health problems while that patient is communicating with the hospital's screening staff, or if a doctor is visiting a patient in a ward, other patients may overhear the conversation between the doctor and the patient in the next bed.

          5.5 Information may be disclosed to government officials, agencies with authority, or other persons for the purpose of carrying out actions as required by law, orders of authorized persons, or court orders.

          5.6 Information may be disclosed for the purpose of exchanging information with other educational institutions that have agreements with the hospital, for the benefit of teaching, research, training, and knowledge exchange between each other.

          5.7 Information may be disclosed to network agencies, contracting parties, service providers, or persons involved in or necessary for the provision of services of the institution that are related to the service user's information, such as database service providers, technology developers, document delivery personnel, or website developers.

          5.8 Information may be disclosed to agencies responsible for health insurance, such as social welfare agencies, the Social Security Office, the Comptroller General's Department, and insurance companies, in order to provide benefits for payment of medical expenses to the service user.

          5.9 Information may be disclosed to professional councils or organizations that control the practice of medicine.

          5.10 Information may be disclosed to internal auditors and auditors from external agencies for the purpose of improving or controlling the quality of medical services provided by the hospital.

          5.11 Information may be announced publicly, such as announcing the names of trainees/academic conference participants, the names of lecturers in the program, video clips of activities related to training, advertising and public relations media in which trainees or lecturers appear as part of the media, through the hospital's website hospital.tu.ac.th and announced through social media such as the hospital's Facebook.

           Whenever user consent is mandatory for disclosing personal information, the Hospital will acquire it according to relevant legal requirements. We also implement appropriate security measures like anonymization, encryption, and data recipient agreements to prevent unauthorized access or disclosure.


6. Cross-border Personal Data Sharing

          In cases where the hospital is required to send or transfer personal data abroad, the hospital will take steps to ensure that the personal data is sent or transferred abroad in accordance with the Personal Data Protection Act.

          In cases where the destination country or the receiving entity of the personal data does not have personal data protection measures that are in line with the Personal Data Protection Act of Thailand, the hospital will only send or transfer personal data as necessary, in accordance with the criteria set out by law, and may need to request explicit consent from the service user.


7. Rights of the Data Subject

       The data subject, the individual whose data is being processed, has the right to do as follows:

          7.1 The right to withdraw consent to the processing of personal data that has been given. However, the withdrawal of consent does not affect the collection, use, or disclosure of personal data that has already been consented to.

          7.2 The right to access personal data and request a copy of personal data, including requesting disclosure of the source of personal data that has not been consented to.

          7.3 The right to correct personal data to be accurate.

          7.4 The right to erase personal data.

          7.5 The right to restrict the use of personal data.

          7.6 The right to port personal data.

          7.7 The right to object to the processing of personal data.

           The data subject may exercise the aforementioned rights by submitting a written request to the hospital. The hospital shall notify the data subject of the outcome of the consideration of the request within 30 days from the date of receipt of the request.

           The hospital may refuse to grant the data subject's request in whole or in part, depending on the criteria of the law, for example, if it is found that the request will affect the rights and freedoms of others or the request is unreasonable. The hospital will inform the data subject if there are any restrictions on the exercise of the rights.


8. Retention Period of Personal Data

          The hospital shall retain personal data for as long as necessary to achieve the hospital's stated purposes, for the period required by relevant laws, or for as long as the service user continues to consent to its retention. Once the service user withdraws consent, the data is required to be cancelled, or a dispute has concluded with a final order or judgment, the hospital shall delete or destroy the personal data or render it unidentifiable.

          As a general rule, the retention period for medical treatment data is set at no less than 10 years, and the retention period for data related to cases is set at no less than 20 years, unless there is a law that requires the data to be retained for a longer period than that specified above, or if there is a necessity for other purposes, such as for security, to prevent abuse or misconduct, or for financial records.


9. Cookies

         The hospital collects and uses cookies and other similar technologies on websites under the care of the hospital, including hospital.tu.ac.th, or on the user's device.

          The purpose of this is to carry out security operations in the hospital's service provision and to provide convenience and a good experience in using the hospital's services. This information will be used to improve the hospital's website to better meet the needs of users. Users can set or delete cookies themselves from the settings in their web browser.


10. Security of Personal Data

          The hospital has appropriate technical and administrative measures in place to protect personal data from loss, unauthorized access, destruction, use, modification, or disclosure. These measures are in line with the Information Security Policy under the ISO 27001 standard.

          In addition, the hospital has established a Privacy Policy which is announced throughout the organization, along with guidelines to ensure the security of the collection, use, and disclosure of personal data. The policy upholds the confidentiality, integrity, and availability of personal data. The policy and this announcement will be reviewed at appropriate intervals.


11. Third-Party Service Providers and Sub-Processors

          In necessary cases, the hospital may assign or hire a third party (data processor) to process personal data on behalf of the hospital. Such third parties may provide services such as hosting, outsourcing, cloud computing, or other forms of employment.

          When assigning a third party to process personal data as a data processor, the hospital will have an agreement specifying the rights and responsibilities of the hospital as the data controller and the third party assigned by the hospital as the data processor. This includes specifying the types of personal data that the institution assigns for processing, the purpose, the scope of the processing of personal data, and other relevant agreements. The data processor is only responsible for processing personal data within the scope specified in the agreement and according to the instructions of the institution and cannot process it for other purposes.

          In the event that the data processor assigns a sub-processor to process personal data on behalf of or in the name of the data processor, the hospital will instruct the data processor to have a written agreement between the data processor and the sub-processor in a format and standard not lower than the agreement between the hospital and the data processor.


12. Clearance to access personal data

          The hospital authorizes only employees, officials, and individuals with relevant authority to collect, use, and disclose personal data in connection with processing activities, with rights granted according to defined levels of access to personal data.


13. Review and Amendment of Personal Data Protection Policy

          The hospital may revise or amend this policy from time to time to comply with legal requirements, changes in the hospital's operations, and suggestions and comments from various agencies. The hospital will announce the changes clearly on the website hospital.tu.ac.th, with the latest version date attached, before the changes take effect.

          Your use of the products or services under this processing activity constitutes your acceptance of the terms of this announcement. Please discontinue use if you do not agree with the terms of this announcement. If you continue to use the products or services after this announcement has been revised and posted on the above channel, you will be deemed to have acknowledged the changes.


14. Hospital’s contact information

For further inquiry, please contact:

          14.1 Data Controller

                   Information Technology Subdivision, Thammasat University Hospital

                   Address: 95 moo 8 Khlong Nueng, Khlong Luang District, Pathum Thani 12120

                   Phone number: +66 (0) 2926 9999 ext. 8497


          14.2 Data Protection Officer: DPO

                   Mr. Phalawat Phruekmanee

                   The Office of Information and Communication Technology,

                   Thammasat University

                   Address: 99 moo 18 Phahonyothin Rd. Khlong Nueng, Khlong Luang District,

                   Pathum Thani 12120

                   Phone number: +66 (0) 2564 4451-79 ext. 1965

                   Email: notzafia@tu.ac.th


Latest edition: October B.E. 2566


Translator: Chayada Hongsuppinyo, Master of Science

MSc in Safety and Human Factors in Aviation

Cranfield University, United Kingdom

Copyright © 2025-2026 All rights reserved.