Privacy Policy

Introduction and Commitment

Grand RoyalCare Medical is committed to protecting the privacy, confidentiality, and security of all personal and health information entrusted to us by our patients, website visitors, and community members. This Privacy Policy outlines our practices regarding the collection, use, storage, and protection of your personal data in strict compliance with the Kenya Data Protection Act 2019, the Kenya Health Act 2017, and international best practices for healthcare data protection.

As a Level 4 healthcare facility, Grand RoyalCare Medical processes sensitive personal information including medical records, treatment histories, and health-related data. We recognize the critical importance of maintaining the highest standards of data protection and patient confidentiality in accordance with ethical medical practice and legal requirements.

Legal Framework and Compliance

Our data protection practices are governed by:

  • Kenya Data Protection Act 2019

  • Kenya Health Act 2017

  • Kenya National Patients' Rights Charter 2013

  • Constitution of Kenya 2010 (Article 31 - Right to Privacy)

  • International healthcare data protection standards

Grand RoyalCare Medical holds a valid Certificate of Data Handler/Processor issued by the Office of the Data Protection Commissioner (ODPC) as required for all healthcare facilities in Kenya.

Categories of Personal Information We Collect

Patient Health Information:

  • Personal identification details (full name, ID/passport number, date of birth, nationality)

  • Contact information (residential address, phone numbers, email addresses)

  • Emergency contact details and next-of-kin information

  • Comprehensive medical history and current health status

  • Diagnostic test results, imaging studies, and laboratory reports

  • Treatment plans, medications, and therapeutic interventions

  • Surgical records and procedural documentation

  • Mental health assessments and psychological evaluations (where applicable)

Insurance and Billing Information:

  • Social Health Authority (SHA) registration details and membership numbers

  • Private insurance policy information and coverage details

  • Billing addresses and payment method information

  • Claims processing and reimbursement records

  • Financial assistance and payment plan arrangements

Website and Digital Services Data:

  • IP addresses and device information for website visitors

  • Cookies and similar tracking technologies

  • User preferences and website interaction patterns

  • Communication records through contact forms or online portals

Lawful Basis for Data Processing

We process your personal data based on the following lawful grounds under the Kenya Data Protection Act 2019:

Consent: For non-essential services, marketing communications, and research participation where you have provided explicit consent

Contractual Necessity: For providing healthcare services as outlined in our patient care agreements

Legal Obligation: To comply with healthcare regulations, SHA requirements, medical record retention laws, and public health reporting requirements

Vital Interests: For emergency medical treatment and life-saving interventions

Public Interest: For epidemiological research, public health monitoring, and healthcare quality improvement initiatives

How We Use Your Personal Information

Direct Patient Care:

  • Diagnosis, treatment, and ongoing medical management

  • Coordination of care between medical specialists and departments

  • Medication management and monitoring for adverse reactions

  • Scheduling appointments and managing healthcare logistics

  • Emergency medical response and acute care provision

Healthcare Administration:

  • Processing SHA and private insurance claims

  • Managing hospital admissions, discharges, and transfers

  • Quality assurance and clinical audit activities

  • Medical research and evidence-based practice improvement

  • Staff training and professional development programs

Legal and Regulatory Compliance:

  • Maintaining accurate medical records as required by Kenyan law

  • Reporting communicable diseases to public health authorities

  • Complying with medical device and pharmaceutical regulations

  • Supporting legal proceedings and medical malpractice investigations

Communication and Patient Engagement:

  • Providing test results and treatment updates

  • Sending appointment reminders and follow-up instructions

  • Health education and wellness program notifications

  • Patient satisfaction surveys and feedback collection

Information Sharing and Disclosure

Grand RoyalCare Medical maintains strict confidentiality standards and will not share your personal information without appropriate legal basis. We may share information in the following circumstances:

With Your Explicit Consent:

  • Referrals to specialist healthcare providers

  • Sharing information with family members as directed by you

  • Participation in medical research studies

  • Transfer of care to other healthcare facilities

Legal and Regulatory Requirements:

  • Reporting to the Ministry of Health and public health authorities

  • SHA claims processing and audit requirements

  • Court orders and legal proceedings

  • Professional regulatory body investigations (KMPDC)

Emergency Situations:

  • Life-threatening medical emergencies requiring immediate intervention

  • Mental health crises requiring involuntary commitment procedures

  • Public health emergencies and disease outbreak management

Authorised Healthcare Partners:

  • Laboratory and diagnostic imaging service providers

  • Pharmaceutical suppliers for medication management

  • Medical equipment maintenance and calibration services

  • Healthcare IT systems and electronic health record platforms

All third parties handling your data are bound by confidentiality agreements and must comply with the same data protection standards we maintain.

Data Security and Protection Measures

Grand RoyalCare Medical implements comprehensive technical, physical, and administrative safeguards to protect your personal information:

Technical Security:

  • End-to-end encryption for all electronic health records

  • Multi-factor authentication for system access

  • Regular security audits and vulnerability assessments

  • Secure data backup and disaster recovery procedures

  • Network firewalls and intrusion detection systems

Physical Security:

  • Restricted access to medical records storage areas

  • Biometric access controls for sensitive data areas

  • Surveillance systems in data processing locations

  • Secure destruction of physical documents containing personal data

  • Climate-controlled environments for data storage equipment

Administrative Controls:

  • Mandatory data protection training for all staff members

  • Role-based access controls limiting data access to authorized personnel only

  • Regular review and update of data protection policies

  • Incident response procedures for data breaches

  • Employee background checks and confidentiality agreements

Your Data Protection Rights

Under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

Right of Access: You may request copies of your medical records and information about how your data is processed

Right to Rectification: You can request correction of inaccurate or incomplete personal information

Right to Erasure: In certain circumstances, you may request deletion of your personal data (subject to medical record retention requirements)

Right to Restrict Processing: You may request limitation of how your data is used

Right to Data Portability: You can request transfer of your medical records to another healthcare provider

Right to Object: You may object to certain types of data processing, particularly for marketing purposes

Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise these rights, please contact our Data Protection Officer using the contact information provided below.

Data Retention and Disposal

Grand RoyalCare Medical retains personal information only for as long as necessary to fulfil the purposes for which it was collected and in accordance with Kenyan legal requirements:

Medical Records: Retained for a minimum of 7 years after the last patient encounter, or longer as required by law or clinical need

Billing and Insurance Records: Retained for 7 years for audit and financial management purposes

Website Data: Retained for 2 years unless you request earlier deletion

Research Data: Retained as specified in research protocols and ethics approvals

When retention periods expire, we securely dispose of personal information using methods that prevent unauthorised recovery or reconstruction.

International Data Transfers

Grand RoyalCare Medical primarily processes personal data within Kenya. When international transfers are necessary (such as for specialized medical consultations or research collaborations), we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the Office of the Data Protection Commissioner

  • Standard contractual clauses with international partners

  • Certification schemes recognising equivalent data protection standards

Cookies and Website Technologies

Our website uses cookies and similar technologies to enhance user experience and analyse website performance. Types of cookies we use include:

Essential Cookies: Necessary for website functionality and security
Analytics Cookies: Help us understand how visitors use our website
Preference Cookies: Remember your settings and personalization choices

You can control cookie settings through your browser preferences. Disabling certain cookies may affect website functionality.

Marketing Communications and Opt-Out

With your consent, Grand RoyalCare Medical may send you:

  • Health education materials and wellness tips

  • Information about new services and medical specialties

  • Appointment reminders and healthcare maintenance notifications

  • Patient satisfaction surveys and feedback requests

You may opt out of marketing communications at any time by:

  • Clicking unsubscribe links in email communications

  • Contacting our patient services department

  • Updating your preferences through our patient portal

Data Breach Notification

In the unlikely event of a data breach that poses risks to your privacy or security, Grand RoyalCare Medical will:

  • Notify the Office of the Data Protection Commissioner within 72 hours

  • Inform affected individuals without undue delay

  • Provide clear information about the breach and mitigation measures

  • Take immediate steps to contain and remedy the breach

Children's Privacy Protection

Special protections apply to personal information of patients under 18 years of age. We obtain appropriate consent from parents or legal guardians and ensure child-specific privacy protections are maintained throughout treatment and data processing.

Updates to This Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in legal requirements, healthcare practices, or organizational policies. We will notify you of significant changes through:

  • Website announcements and email notifications

  • Updated privacy notices during registration or appointments

  • Direct communication for material changes affecting your rights

Contact Information and Data Protection Officer

For questions about this Privacy Policy, to exercise your data protection rights, or to report privacy concerns, please contact:

Data Protection Officer
Grand RoyalCare Medical
Off Eldoret-Kisumu Road
Next to Eldoret National Polytechnic
Eldoret, Kenya

Phone: +254 788 111 123 / +254 722 520 131
Email: privacy@grandroyalcaremedical.ke
Website: www.grandroyalcaremedical.ke

Office of the Data Protection Commissioner
For complaints or concerns that cannot be resolved directly with us:
Website: www.odpc.go.ke
Email: info@odpc.go.ke

“I really appreciated how clear Grand RoyalCare were about my rights, privacy, and what to expect. Everything was explained openly, and I felt safe knowing my information and treatment were handled with respect. A hospital that truly values transparency.”
