Department of Medical Services, Ministry of
Public Health
This Privacy Notice (“Notice”) is prepared to inform and
help you, as a user of the I+DMS Application, Department of Medical Services,
Ministry of Public Health, understand the methods of collection, use, and
disclosure (“processing”) of personal data carried out by the Department of
Medical Services, Ministry of Public Health, hereinafter referred to in this
Notice as “DMS.” The Department of Medical Services, Ministry of Public Health
serves as the Data Controller for the personal data collected from you to
operate under this system.
The Department of Medical Services, Ministry of Public
Health (DMS) has developed the “I+DMS” Application as tools to provide public
health services to you as the data subject. For you to access the public health
services operated by the I+DMS Application, it is necessary to provide personal
data to comply with the law, a contract, or the necessity to provide personal
data to enter into a contract or provide public health services. Failure to
provide such information may result in you being unable to use the “I+DMS”
Application. Our processing of your personal data is as follows:
1. Legal Basis for Processing Personal Data
The Department of Medical Services, Ministry of Public
Health collects your personal data under lawful grounds for the necessity of
carrying out public missions or policies of the Ministry of Public Health, in
accordance with the Personal Data Protection Act, B.E. 2562 (2019).
2. Purposes for Collecting Your Personal Data
“I+DMS” Application
will collect, use, or disclose your personal data through lawful, transparent,
and fair methods. Data will be collected, used, or disclosed only as much as
necessary for the following purposes and legal bases under the Personal Data
Protection Act, B.E. 2562:
(1) Necessary for the performance of a contract for using
the “I+DMS” Application to which you are a party, or to take steps at your
request prior to entering into that contract
(2) Necessary for the performance of a task carried out in
the public interest by the Department of Medical Services, Ministry of Public
Health, or the exercise of official authority vested in the Department of
Medical Services, Ministry of Public Health.
(3) Necessary for the legitimate interests of the Department
of Medical Services, Ministry of Public Health, or of another person or legal
entity, except where such interests are overridden by your fundamental rights
in personal data.
(4) Compliance with the law by the Department of Medical
Services, Ministry of Public Health.
(5) To achieve purposes relating to research or
statistics, provided that appropriate safeguards are in place to protect the
rights and freedoms of the data subject.
In the case of collecting sensitive personal data, the Department
of Medical Services, Ministry of Public Health may do so if necessary to comply
with the law to achieve purposes regarding public interest in public health,
scientific research, statistics, or other important public interests. This
includes medical diagnosis, health or social services, medical treatment,
health management, national health security management, or medical benefits for
eligible persons by law.
3. Personal Data Collected and Used
The “I+DMS” Application collect personal data only as
necessary for providing services according to the objectives of the “I+DMS” Application.
Such personal data includes data of the service user and those who are legally
assigned or authorized. The “I+DMS” Application
will collect, use, or disclose your personal data according to the purposes
informed to you prior to or at the time of collection. Use or disclosure of
personal data different from the informed purposes may be done if the
provisions of the Personal Data Protection Act, B.E. 2562 (2019) or other laws
permit such actions.
3.1 Data sources from which the Department of Medical
Services collects and uses data are as follows:
|
Source/Method
of Collection |
Items
of Items of Personal Data Collected |
|
1. Types of
personal data that the “I+DMS” Application collect |
(1) General Info:
Name, Surname, ID Number, Gender, Age, Height, Weight, Date of Birth,
Nationality, Passport No., etc. (2) Contact Info:
Registered address, Mobile number, Email, Emergency contact, etc. (3)
Identifier/Device Info: ID card number or IP Address, etc. (4) Authentication
data for accessing the I+DMS system applications of the Department of Medical
Services, Ministry of Public Health, such as Username, Password, etc. (5) Image or video
data showing an identifiable face, etc. (6) Sensitive
personal data such as data regarding race, ethnicity, political opinions,
cult, religious or philosophical beliefs, sexual behavior, criminal records,
health data, disability, labor union information, genetic data, biometric
data, or any other data which affects the data subject as announced by the
Personal Data Protection Committee (7) Medical
treatment entitlement information such as health insurance and insurance
policies, policy numbers, etc. (8) Payment
information such as methods, payment history, credit card numbers, etc. |
The I+DMS Application may collect your personal data from
sources other than directly from you to ensure that the personal data is
accurate, current, complete, not misleading, and for the benefit of providing
public health services of the I+DMS Application.
4. Your Rights under the Personal Data
Protection Act, B.E. 2562 (2019)
Service users as data subjects may exercise their rights
under the Personal Data Protection Act, B.E. 2562 (2019) under the conditions
and exceptions prescribed by law, as follows:
(1) Right of access and to obtain a copy of personal data,
including the right to request disclosure of the source of personal data of the
service user collected by the “I+DMS” Application without the user’s consent,
except where the I+DMS system has the right to refuse the request by law or
court order, and where the request for access and copy by the user would affect
or cause damage to the rights and freedoms of others.
(2) Right to receive personal data from the “I+DMS”
Application in a format that is readable or commonly used by ways of automatic
tools or equipment and can be used or disclosed by automated means, including
the right to request the transmission or transfer of personal data in such
format to other data controllers when it can be done by automated means, and
the right to receive personal data that is transmitted or transferred directly
to other data controllers, unless it is technically
impossible.
(3) Right to request rectification of inaccurate or
incomplete personal data of the service user to ensure it is accurate, current,
complete, and not misleading.
(4) Right to request restriction of the use of personal
data of the service user in the following cases:
(a) During the period when
the Department of Medical Services, Ministry of Public Health is verifying the
user’s request to rectify the user’s personal data to be accurate, complete,
and current.
(b) When the personal data of
the service user has been collected, used, or disclosed unlawfully.
(c) When the personal data of
the service user is no longer necessary to be retained for the purposes
informed to the user by the I+DMS system at the time of collection, but the
service user wishes the I+DMS system to continue storing that data for the
exercise of the user’s legal rights.
(d) While the Department of
Medical Services, Ministry of Public Health is proving to the service user the
legitimate grounds for collecting the user’s personal data, or verifying the
necessity of collecting, using, or disclosing the user’s personal data for the
public interest, resulting from the user’s exercise of the right to object to
the collection, use, or disclosure of their personal data.
(5) Right to object to the collection, use, or disclosure
of the service user’s personal data, except in cases where the Department of
Medical Services, Ministry of Public Health has lawful grounds to refuse the
user’s objection, such as when the I+DMS system can demonstrate that the
collection, use, or disclosure of the user’s personal data has compelling
legitimate grounds or is for the establishment, compliance, or exercise of
legal claims, or for the public interest according to the missions of the “I+DMS”
Application.
(6) Right to request erasure, destruction, or
anonymization of personal data so that it becomes data that cannot identify the
data subject.
When the service user requests to exercise such rights,
the Department of Medical Services, Ministry of Public Health will
verify and process the request without delay and within the timeframe
required by law. Each type of right may have different conditions and
limitations as specified in the Personal Data Protection Act, B.E. 2562
(2019). In the event you believe that any action of the “I+DMS” Application
violates or fails to comply with the Personal Data Protection Act, B.E. 2562
(2019), you have the right to lodge a complaint with the Expert Committee of
the Office of the Personal Data Protection Committee according to the
conditions prescribed by law.
5. Personal Data Retention Period
The “I+DMS” Application retain the personal data of
service users for the period required by law and according to the purposes of
collection to align with the legal authority and duties of the Department of
Medical Services, Ministry of Public Health or “I+DMS” Application in providing
public services and other duties under the law, including for the benefit of
exercising legal rights or resolving any disputes in the future. Upon the
expiration of such storage period, the “I+DMS” Application will immediately
erase and destroy the service user’s personal data, except in cases where the
user has exercised their rights or there is a dispute or lawsuit concerning the
user’s service.
6. Personal Data Security
The “I+DMS” Application have measures for the security of
personal data in accordance with the Notification of the Department of Medical
Services, Ministry of Public Health Re: Policy and Guidelines for Information
Security of the Ministry of Public Health, B.E. 2565 (2022), set to be
consistent with the ISO/IEC 27001 Information Security Standard and in
accordance with the minimum standards according to the Notification of the
Personal Data Protection Committee Re: Security Measures for Personal Data
Controllers, B.E. 2565 (2022).
7. Participation of the Data Subject
The “I+DMS” Application prioritize the protection of
service users’ personal data by granting users the right to access and control
their own personal data, and by stipulating that the “I+DMS” Application do not
allow others to access or use the user’s personal data, except in cases of
mandatory disclosure by law, or to achieve purposes related to public interest
in public health, etc.
The “I+DMS” Application may disclose your personal data to
individuals or agencies as follows:
(1) Other agencies within the Department of Medical
Services, Ministry of Public Health for the benefit of national administration
and the duty of providing public services.
(2) Contractual parties, external service providers, or
third parties involved in providing services to the I+DMS system related to the
personal data of service users, such as system providers, website developers,
auditors, or consultants.
(3) Government officials, agencies with authority, or
other persons to
carry out actions as prescribed by law, orders of
authorized persons by law, or according to court orders or warrants, etc.
(4) External agencies such as the Digital Government
Development Agency (Public Organization) that operate government data links
(Open Data), data links with government and private agencies that request
cooperation for data disclosure, the Office of the Auditor General,
cybersecurity regulatory agencies, investigation agencies for the suppression
of electronic crimes or offenses, agencies for the prevention and suppression
of corruption, audit agencies for finance or taxation, and other law
enforcement agencies.
(5) Other agencies with health data system links for the
benefit of linking public health service data in the possession and use of
various agencies, both public and private, to integrate the health system,
which is an important component of public health service provision, such as
hospitals, pharmacies, various service units, etc.
8. Access to Personal Data
The Department of Medical Services, Ministry of Public
Health has restricted access to your personal data only to officials and
specific persons with relevant duties for the collection, use, and disclosure
of personal data for this system. The Ministry of Public Health will ensure
that such officials and persons strictly comply with this Notice.
9. Changes to the Privacy Notice
The Department of Medical Services, Ministry of Public
Health may consider updating, amending, or changing this Notice as it deems
appropriate, and will notify you through the website and email, with the date
of the latest version specified at the end. However, the Ministry recommends
that you regularly check for the new notice, especially before you disclose
personal data. Your access to this system constitutes acknowledgment of the
terms in this Notice. Please stop using the system if you do not agree with the
terms in this Notice. If you continue to use the system after this Notice has
been amended and published on the channels above, it shall be deemed that you
have acknowledged such changes.
10.Transmission or Transfer of Personal Data
Abroad or to International Organizations
In the event that the “I+DMS” Application find it
necessary to transmit or transfer personal data abroad to fulfill missions for
the important public interest of the Office of the Permanent Secretary,
Ministry of Public Health, allowing the “I+DMS” Application to achieve
objectives concerning the provision of public health services, such
transmission or transfer of personal data of service users abroad or to
international organizations will be conducted in accordance with personal data
protection standards as prescribed by law.
11. Case where the Service User is a Natural
Person who is a Minor
In the event that you are a natural person under 20 years
of age or have not reached legal maturity, if you confirm that you are over 15
years old and are capable of performing legal acts and any matters that must be
done personally or are appropriate to your status by yourself with legal
binding, including but not limited to using any services from the “I+DMS”
Application, and acknowledging and accepting to comply with this Personal Data
Protection Policy. In the event that you are a natural person aged 15 years or
younger, if you confirm that you have received consent from a legal
representative to use any services from the “I+DMS” Application, whereby you
and your legal representative acknowledge and accept to comply with this
Privacy Policy and are willing to send relevant evidence to the “I+DMS”
Application as requested by the “I+DMS” Application.
12. Data Protection
To coordinate the protection of data subject interests and
the interests of the Department of Medical Services, Ministry of Public Health,
helping to manage risks and personal data management effectively and
efficiently. In the event the data subject wishes to exercise their rights or
has questions regarding the exercise of their rights or the consent provided by
the data subject, they may contact: Department of Medical Services, Ministry of
Public Health
To: Digital Medical Bureau, Department of Medical
Services, 5th Floor, Building 3, 88/23 Moo 4, Tiwanon Road, Talat Khwan, Mueang
Nonthaburi, Nonthaburi 11000.
Email: WEBMASTER@DMS.MAIL.GO.TH
Telephone: 0 2590 6315
Website: https://pdpa.dms.go.th