Medi Edge Logo
Medi Edge EMS
Home About

Services

Advanced Life Support
Inter-Facility Transfers
Event Medical Standby
Aeromedical Evacuation
Occupational Health
Clinical Training
Blog Tools First Aid Guide CPR Guide Contact Careers & Vacancies WhatsApp Us Login

Privacy Policy

Last updated: April 2025  ·  Version 2.0

1. Introduction

Medi Edge Emergency Medical Services (Pty) Ltd (Registration No. 2022/746516/07) (“Medi Edge”, “we”, “us” or “our”), a licenced Emergency Medical Services (EMS) operator, is committed to protecting the privacy and confidentiality of all personal information in our possession. This Privacy Policy applies to all personal information collected, processed, stored, or shared by Medi Edge in the course of providing emergency medical services, managing employment relationships, processing medical aid claims, and operating our digital platforms.

This Policy is governed by, and must be read together with, the following legislation and regulatory frameworks applicable in the Republic of South Africa:

  • Protection of Personal Information Act, 4 of 2013 (POPIA) and its Regulations (2018)
  • National Health Act, 61 of 2003 (NHA) and associated Regulations
  • Health Professions Act, 56 of 1974 and HPCSA Ethical Rules and Guidelines
  • Electronic Communications and Transactions Act, 25 of 2002 (ECTA)
  • Medical Schemes Act, 131 of 1998 and Council for Medical Schemes (CMS) Rules
  • Board of Healthcare Funders (BHF) standards and data-sharing protocols
  • Labour Relations Act, 66 of 1995, and Basic Conditions of Employment Act, 75 of 1997

2. Information Officer

In terms of POPIA, Medi Edge has appointed an Information Officer who is responsible for ensuring compliance with this Policy and the Act. The Information Officer’s details are:

  • Name: Etienne Van Rooyen
  • Title: Information Officer
  • Email: [email protected]
  • Phone: 087 183 1129
  • Postal Address: 259 15th Avenue, Rietfontein, Pretoria, South Africa

3. Scope and Application

This Policy applies to:

  • Patients and beneficiaries who receive emergency medical services from Medi Edge
  • Job applicants and employees (current, former, and prospective)
  • Healthcare practitioners and independent contractors registered with Medi Edge
  • Medical aid members and healthcare funders engaging with Medi Edge for billing and claims
  • Website and digital platform users interacting with our online services
  • Business partners, suppliers, and service providers

4. Personal Information We Collect

We collect personal information only to the minimum extent necessary for specified, explicit, and legitimate purposes (POPIA s.10 & s.13). This may include:

4.1 Patient and Clinical Information

  • Full name, date of birth, gender, identity or passport number
  • Contact details (phone, address, next of kin / emergency contacts)
  • Medical history, current medications, allergies, and pre-existing conditions
  • Clinical observations, patient care records (PCRs), and treatment administered on scene
  • Vital signs, diagnostic findings, and transport records
  • Medical aid membership number, scheme name, and plan details
  • GPS and location data for dispatch and scene management purposes

4.2 Employment and Practitioner Information

  • Identity documents, qualifications, and professional registration details
  • HPCSA registration number, registration category, and renewal dates
  • Employment history, references, and background check results
  • Banking details, tax (SARS) information, and payroll data
  • Health and fitness-to-work declarations where lawfully required
  • Training records, competency assessments, and CPD logs
  • Vehicle licence, professional driving permit (PrDP), and endorsements

4.3 Website and Digital Platform Users

  • Name, email address, and contact number submitted via forms
  • IP addresses, browser type, device identifiers, and usage analytics
  • Cookie data (see Section 13)

5. Special Personal Information (Health Data)

As an emergency medical services provider, Medi Edge processes special personal information as defined under POPIA s.26, including health and medical data. Such information is processed only where:

  • The data subject has provided explicit consent (POPIA s.27(1)(a)); or
  • Processing is necessary to fulfil obligations under law, including the National Health Act and Health Professions Act; or
  • Processing is necessary to protect the vital interests of the data subject or another person where consent cannot be obtained in an emergency context; or
  • Processing is required for the proper treatment and care of the patient by a responsible party or third-party operator subject to an obligation of confidentiality (POPIA s.32(1)(b)).

In emergency situations where a patient is incapacitated, we may collect and process the minimum necessary health information to provide appropriate medical care, in line with our duty of care obligations under the National Health Act and HPCSA Ethical Rules.

6. Purpose of Processing Personal Information

We process personal information only for specific, explicitly defined, and lawful purposes. These include:

  • Providing, managing, and improving emergency medical services
  • Maintaining accurate patient care records (PCRs) as required by the NHA and HPCSA
  • Submitting medical aid and insurance claims on behalf of patients, in accordance with BHF data-sharing standards and the Medical Schemes Act
  • Facilitating dispatch, patient transport, and coordination with receiving hospitals and health facilities
  • Recruitment, employee management, payroll, and regulatory compliance
  • Verifying and monitoring HPCSA registration status of employed and contracted practitioners
  • Quality assurance, clinical governance, and incident reporting
  • Complying with statutory obligations including reporting to the South African Police Service (SAPS), Forensic Pathology Services, or coroner where required by law
  • Defending or pursuing legal claims
  • Operating and improving our website and digital platforms

We will not process personal information for a purpose other than those listed above without obtaining fresh consent or establishing a separate lawful basis.

7. Lawful Basis for Processing

In accordance with POPIA s.11, personal information is processed only where at least one of the following conditions is met:

  • Consent — the data subject has given voluntary, specific, informed, and unambiguous consent
  • Contractual necessity — processing is required to perform or enter into a contract with the data subject
  • Legal obligation — processing is necessary to comply with a statutory obligation applicable to Medi Edge
  • Vital interests — processing protects the life or physical integrity of the data subject or another person
  • Legitimate interests — processing is necessary for the legitimate interests of Medi Edge or a third party, provided these interests are not overridden by the data subject’s rights

8. Sharing of Personal Information

Medi Edge does not sell personal information. We may share personal information with the following categories of recipients only to the extent necessary and subject to appropriate confidentiality obligations or legal authority:

8.1 Healthcare Providers and Facilities

Receiving hospitals, trauma units, specialists, and health facilities to ensure continuity of patient care, in compliance with HPCSA guidelines on referral and patient handover.

8.2 Medical Aid Schemes and Healthcare Funders

Information is shared with registered medical aid schemes and healthcare funders (including BHF members) for the purposes of claims processing and benefit authorisation, in accordance with the Medical Schemes Act and applicable BHF data interchange standards. Only the minimum required clinical and administrative information is transmitted, and all transmissions are conducted over secure channels.

8.3 Regulatory and Government Bodies

We may disclose personal information to authorities including but not limited to the South African Police Service, National Department of Health, provincial health departments, HPCSA, SARS, and the Department of Employment and Labour, where required by law.

8.4 Third-Party Operators

We engage third-party service providers (operators as defined in POPIA) including IT infrastructure providers, billing agencies, and communications platforms. All operators are bound by written data processing agreements that impose obligations no less protective than those in this Policy, in compliance with POPIA s.21.

8.5 Emergency Services

We may share information with other emergency services (SAPS, Fire Department, Metro EMS) where operationally required for patient safety or scene management.

9. Cross-Border Transfers of Personal Information

In certain instances, personal information may be transferred to recipients in countries outside the Republic of South Africa (e.g., cloud infrastructure providers). Such transfers will only take place where:

  • The recipient country has adequate data protection laws as determined by the Information Regulator (POPIA s.72); or
  • The recipient has agreed to be bound by binding corporate rules or contractual clauses that provide equivalent protection; or
  • The data subject has consented to the transfer; or
  • The transfer is required for the performance of a contract with or in the interests of the data subject.

10. Retention of Personal Information

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required or permitted by law. Key retention periods include:

  • Patient care records (PCRs): Minimum of 6 years from the date of the last entry for adult patients, and until the patient reaches 26 years of age for minors, in accordance with the National Health Act Regulations Relating to Categories of Hospitals (2012) and HPCSA Booklet 14
  • Employee records: Duration of employment plus 5 years, or as required by the BCEA and relevant tax legislation
  • Medical aid claims records: Minimum of 5 years in accordance with the Medical Schemes Act and BHF record-keeping guidance
  • HPCSA practitioner records: Duration of the practitioner’s engagement plus the applicable statutory period
  • Recruitment records (unsuccessful applicants): 1 year from the date of the final decision, unless longer retention is consented to
  • Website and digital interaction data: As set out in our cookie notice, typically no longer than 26 months

Upon expiry of the applicable retention period, personal information is securely destroyed or de-identified in accordance with POPIA s.14.

11. Security Measures

Medi Edge implements appropriate technical and organisational measures to safeguard personal information against loss, damage, unauthorised access, disclosure, or destruction, as required by POPIA s.19. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Role-based access controls and multi-factor authentication for systems containing personal information
  • Physical access controls at premises where records are stored
  • Regular security assessments, vulnerability scanning, and penetration testing
  • Staff training on data protection and information security obligations
  • Incident response and breach notification procedures

In the event of a security compromise involving personal information, Medi Edge will notify the Information Regulator and affected data subjects as required by POPIA s.22, without undue delay.

12. Rights of Data Subjects

In terms of POPIA, data subjects whose personal information we hold have the following rights:

  • Right of access (s.23): You may request confirmation of whether we hold your personal information and obtain a copy thereof
  • Right to correction or deletion (s.24): You may request that inaccurate, misleading, out-of-date, incomplete, or unlawfully obtained information be corrected or deleted
  • Right to object (s.11(3)): You may object to the processing of your personal information on reasonable grounds relating to your particular situation
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Right not to be subject to automated decision-making: You may request that automated decisions with significant impact on you be subject to human review
  • Right to complain: You have the right to lodge a complaint with the Information Regulator (see Section 16)

Requests to exercise these rights must be submitted in writing to the Information Officer. We will respond within a reasonable time, and no later than 30 days unless an extension is required and communicated. We may charge a prescribed fee for access requests in accordance with POPIA Regulations.

Note for patients: In terms of National Health Act s.14, patients also have a right to access their health records and request corrections. Requests for patient records should be addressed to the Information Officer and will be processed in accordance with applicable clinical governance policies.

13. Cookies and Digital Tracking

Our website uses cookies and similar technologies to improve functionality and analyse usage patterns. In accordance with ECTA and POPIA, we obtain consent for non-essential cookies through our cookie consent mechanism. You may control or withdraw cookie consent at any time via your browser settings or our cookie preference centre. A full list of cookies deployed on our website is available on request.

14. Processing of Children’s Personal Information

Medi Edge does not knowingly collect personal information from persons under the age of 18 for non-clinical purposes without the prior, verifiable consent of a competent person (parent or legal guardian), in accordance with POPIA s.35. Where a minor requires emergency medical treatment, we collect only the information strictly necessary to provide care, and take reasonable steps to notify or obtain consent from a parent or guardian as soon as practicable.

15. Patient Confidentiality and HPCSA Compliance

All healthcare practitioners employed by or contracted to Medi Edge are bound by the HPCSA Ethical Rules of Conduct for Practitioners Registered under the Health Professions Act (Booklet 1) and associated booklets relating to patient confidentiality, informed consent, and professional conduct.

Patient information is considered strictly confidential and may not be disclosed by practitioners to any third party without the patient’s informed consent, except where:

  • Disclosure is required by law (e.g., notifiable medical conditions, medico-legal obligations)
  • It is in the overriding public interest (as determined by the relevant ethical and legal framework)
  • Disclosure is necessary to protect the patient’s or another person’s vital interests and consent cannot be obtained
  • Disclosure is for teaching, research, or quality assurance purposes using appropriately anonymised or de-identified data

Breaches of patient confidentiality by practitioners may constitute professional misconduct under the Health Professions Act and may be reported to the HPCSA.

16. Medical Aid Claims and BHF Compliance

Where Medi Edge submits claims to medical aid schemes or healthcare funders on behalf of patients, we comply with the data standards and protocols established by the Board of Healthcare Funders (BHF), including the use of approved billing codes (ICD-10, CPT/NCCI), ERA standards, and secure data interchange requirements.

Personal and clinical information submitted for claims purposes is limited to what is strictly required for the adjudication of the claim. Patients are entitled to request details of information shared with their medical aid scheme. Information submitted to funders is protected under scheme rules and the Medical Schemes Act, and such schemes are independently responsible for their own compliance with POPIA.

We do not submit claims to medical aid schemes without patient authorisation or the applicable legal basis.

17. Complaints

If you believe that Medi Edge has interfered with your privacy rights or failed to comply with this Policy or POPIA, you may:

  1. Submit a complaint in writing to our Information Officer at [email protected]
  2. If unresolved within 30 days, escalate your complaint to the Information Regulator (South Africa):
    • Website: www.justice.gov.za/inforeg
    • Email: [email protected]
    • Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
    • Tel: 010 023 5207

    Practitioners with concerns relating to professional confidentiality may also contact the HPCSA at www.hpcsa.co.za.

18. Updates to This Policy

Medi Edge reserves the right to amend this Privacy Policy at any time to reflect changes in law, regulatory guidance, or our operational practices. Material changes will be communicated via our website. The date of the most recent revision is displayed at the top of this Policy. Continued use of our services following publication of an updated Policy constitutes acceptance of the revised terms.

19. Contact Us

For any privacy-related queries, requests, or complaints, please contact: