Sustainability


Information Security and Privacy

 

Management Approach 

BDMS determines the IT security structure, including policies, guidelines and operation standards, for its subsidiaries to ensure appropriate use of IT systems while preventing potential risks.

Patient safety and high service standards are the Company’s paradigm. To achieve this, many factors and components are involved. One of the key components is the effective information security systems adopted by BDMS and its subsidiaries, namely ISO 27001 Information Security System Management and ISO 27799 Information Security System in Health Data, since 2020, with three main principles as follows:

BDMS cybersecurity and data protection management guidelines are as follows: 

  • Implementing international principles and standards such as ISO 27001 and ISO 27799 as the framework for health data security management, cybersecurity and data protection management.
  • Governing cybersecurity operations through the Information Security Management Policy Committee.
  • Organizing regular training on cybersecurity, IT and data protection for personnel of all levels.

 

Governance  

BDMS's leadership gives priority to optimizing the performance of IT systems and networks while safeguarding against any threats that could compromise digital assets and data integrity, through the announcement of the Information Technology Security Management Policy. BDMS's Board of Directors monitors the IT system while ensuring the security of data and the communication network, so that any operations in terms of personal data protection are safe, in line with international standards, and conform to both Thai and foreign laws. BDMS has been certified by the British Standards Institution for its Information Security Management System at an international level, namely ISO/IEC 27001 and ISO 27799. Furthermore, the Board of Directors has approved and announced the Information Technology Security Management Policy to enable the most efficient use of the IT system and computer network and to prevent potential problems arising from risky use that may cause damage.

To ensure the efficiency of Information Security Management, the Board of Directors has assigned the Risk Management Committee to identify and monitor the company’s risks that may affect business plans and strategies at high and very high levels, including cybersecurity and risks related to the information technology system. Additionally, relevant working committees have been established, comprising:  

 

The Information Security Management Committee (ISMC), chaired by Mr. Chairat Panthuraamphorn, M.D., equivalent to the Chief Operations Officer (COO), is responsible for overseeing and monitoring the functioning of the ISMC Group. The roles and duties of the ISMC Group are as follows:  

  • Approve and promulgate policies relating to the Information Security Management system
  • Consider and approve risk criteria for risk assessment of the Information Security Management system, together with the risk appetite level
  • Evaluate risks and prepare mitigation and improvement plans
  • Consider penalty criteria for those who violate policies relating to the Information Security Management system
  • Support resources for the operation of the Information Security Management system
  • Approve and promulgate policies relating to Personal Data Protection

 

The BDMS Computer Emergency Response Team (BDMS CERT) has the following major roles and duties:

  • Respond to and handle cyber security incidents (Incident Response)
  • Provide advice and resolve threats concerning cyber security (Cyber Security Advisor)
  • Follow up and publicize news and incidents relating to cyber security to all relevant persons in the Company
  • Study, improve and update tools and operation guidelines to enhance cyber security of the Company

BDMS monitors the percentage of users whose customer data is used for secondary purposes. In 2023, 0% of customers' data was used for secondary purposes.

 

BDMS PDPA Policy

Following the Personal Data Protection Act B.E. 2019, BDMS enforces a policy on compliance with the Act that sets the principles and practices for information management, covering the Board of Directors, top executives, employees, contractors and other parties working with BDMS. The objectives are to illustrate the Company’s responsibility for data and IT system protection while protecting the organization from personal data breaches. BDMS designates all business units as responsible for information management and for compliance with new laws or changing regulations. The Information Security Management Committee (ISMC), appointed by BDMS’ Board of Directors, is directly in charge of supervising this policy and assigning responsibilities to all BDMS business units for strict compliance.

BDMS Privacy and Security Working Group 

BDMS has established the Privacy and Security Working Group (PSWG) which performs the following duties: 

1. Set guidelines about personal data protection and IT security to submit to ISMC Committee for approval. 

2. Provide opinions for development and improvement of personal data protection and IT security of BDMS and BDMS network to meet the international standards. 

3. Follow up operations of personal data protection and IT security of each company to comply with BDMS policies and relevant laws. 

4. Act as a representative for communication about personal data protection and IT security of BDMS to senior executives of each Company for acknowledgement.

5. Give suggestions about breach of personal data and IT security incidents. 

6. Assess the impact and report incidents of personal data and IT security breaches of each company to the ISMC Committee for immediate acknowledgement.

7. Take action in accordance with the resolution of the working group as appropriate to suppress the incidents or support the smooth operation and maximize the Company’s benefits, including reporting the matter to the ISMC Committee for acknowledgement. 

 

Patient Privacy Notice 

BDMS processes personal data according to the Personal Data Protection Act B.E. 2019 by adhering to a lawful basis of processing or after receiving consent from all customers for disclosing personal data to the doctors, nurses and/or other personnel within the medical facilities. Personal data shall be kept according to relevant specifications, not exceeding 10 years after the last treatment date. Both paper and electronic documents will be destroyed unless a conflict arises or an extension of the retention period is required by a government agency.

Objectives of Patient Privacy Notice 

  • To enable medical diagnosis, treatment and health services within the network hospitals and other medical facilities.
  • To study and analyze the quality improvement of medical facilities using confidential data.
  • To process claims with insurance companies or reimbursement of medical expenses.
  • To disclose information to the person assigned for health checkup or paying the medical fees (consent required).
  • To connect the electronic medical record databases of medical facilities through applications (consent required).
  • To establish marketing objectives for healthcare or publication of medical newsletters, as well as to offer products and services (consent required).
  • To comply with contracts between customers and the Company, or with requests made for contract signing.

BDMS Data Subject Rights According to PDPA 

Data subjects have the right to manage their personal data under the BDMS Data Subject Rights, in compliance with the Personal Data Protection Act B.E. 2019, by submitting a request in writing, by phone or by email. Requests shall be completed within 30 days. BDMS Data Subject Rights consist of:

  • Right to Withdraw Consent
  • Right of Access
  • Right to Rectification
  • Right to Erasure
  • Right to Restriction of Processing
  • Right to Data Portability
  • Right to Object

 

Data Protection Officer - DPO 

The Personal Data Protection Act B.E. 2019 sets forth the roles and duties of all parties related to personal data. One of these parties is the data protection officer, or DPO. The DPO is a person assigned to supervise, provide suggestions on or inspect personal data protection in the organization to ensure its compliance with the established law.

BDMS appoints the DPO in accordance with Section 42 of the stipulated law. The DPO can gain access and report directly to the authorized executive in case of data leakage or a loophole which may be risky or inconsistent with the legal specifications.

The data protection officer has the duties as follows:  

(1) Provide suggestions to the data controller or data processor, including employees or contractors of the data controller or data processor, concerning compliance with such act.

(2) Supervise the performance of the data controller or data processor, including the employees or contractors of the data controller or data processor concerning the collection, use or disclosure of personal data to ensure strict compliance with such act. 

(3) Coordinate with the agency in case of any problems regarding the collection, use or disclosure of personal data of the data controller or data processor, including employees or contractors of the data controller or data processor concerning the compliance according to such act. 

(4) Maintain the confidentiality of personal data that the DPO learns of or acquires in the performance of duty in accordance with such act.

 

Corporate Information Disclosure Policy  

This Corporate Information Disclosure Policy is part of the good corporate governance policy of Bangkok Dusit Medical Services PCL and is intended to provide equal access to corporate information for shareholders, investors, financial institutions, those who need to use the financial information, and the general public. It is therefore of utmost importance that the communication be transparent, accurate, complete, punctual, and consistent, for both information about the past and value creation in the future, without any discrimination regarding the positive or negative aspects of the information. However, the Company is fully aware of the necessity to protect corporate secrets, confidential information and its operating strategies.

Meanwhile, this Policy must be in compliance with the rules and regulations on corporate information disclosure of the Stock Exchange of Thailand and the Office of the Securities and Exchange Commission, as well as all other relevant rules and regulations. The Company has announced the BDMS Corporate Information Disclosure Policy as follows:

 

Employee Awareness Training 

BDMS emphasizes the development of personnel skills and knowledge to foster their potential in operation. BDMS personnel can attend training or learning programs via the Company’s learning system. In 2023, BDMS organized PDPA training under the topics “PDPA for Healthcare Business” and “Personal Data Management under PDPA”.

Control of the Data Processor for Data Safety 

BDMS employs other business partners to achieve the Company’s business objectives. As a data controller, BDMS therefore realizes the significance of personal data control with business partners acting as data processors. This is to ensure the utmost safety of personal data, in strict compliance with the established law.

BDMS establishes a data processing agreement with the data processor. The data processing agreement specifies the duties of the data processor as follows:

Data Security Compliance Assessment 

BDMS manages data security compliance assessment in 5 domains (Security Configuration Risk, Access Control Risk, Retention and Disposal Risk, Best Practices for Data Collection and Transfer Risk, and Data Security Risk) and performs the assessment annually.

The assessment result meets 100% of the Data Security Assessment Measures for data security compliance across all BDMS companies.