SDRC Privacy Policy

1. Purpose and Commitment

SDRC Diagnostics LLP (“SDRC”, “we”, “us”, or “our”) is committed to safeguarding the privacy, confidentiality, and security of personal and health information collected from our clients (“you” or “patients”). This policy outlines how we collect, use, disclose, store, and protect your personal and sensitive health data in compliance with the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000, including the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011.^[2][1]

2. Scope

This policy applies to:

All patient data collected through registration, diagnostic testing, sample processing, and reporting (both online and offline).
Data collected via our website, mobile apps, or electronic health records systems.
All employees, contractors, and partner organizations who have authorized access to patient data.^[1][2]

3. Categories of Information Collected

We may collect and process the following categories of data:

Personal Information: Name, age, contact details, address, gender, identification numbers.
Health and Medical Data: Medical history, diagnostic test results, prescriptions, sample data, and treatment notes.
Demographic Information: Age, sex, location, occupation, and relevant demographic details.
Financial Data: Billing, payment, or insurance information.
Technical and Usage Data: IP address, browser information, and usage logs when you use our website or client portal.^[3][1]

All such data is classified as Sensitive Personal Data or Information (SPDI) under Rule 3 of the 2011 Rules.^[3]

4. Basis for Collection and Use

We collect and process data on the following lawful bases:

Consent: Explicit or implied consent when presenting for diagnostic services.
Contractual Necessity: For performing diagnostic tests or providing medical services you request.
Legal Obligation: For disclosures mandated under applicable laws (e.g., PNDT Act, NCDC reporting).
Public Health Interest: For anonymized or aggregated reporting as required by authorities.^[2][3]

5. Purpose of Data Usage

Your personal and health data are used to:

Register patients and manage appointments.
Conduct diagnostic tests and issue results.
Communicate reports, updates, and health notifications.
Process billing, insurance claims, and related services.
Meet regulatory reporting obligations under Indian law.
Conduct internal quality control, audits, and research only after anonymizing data.^[1][2]

6. Data Storage and Security Practices

To ensure data integrity and confidentiality, SDRC follows reasonable security practices as defined in Rule 8 of the 2011 IT Rules:

Secure electronic databases with restricted role-based access.
Encryption of sensitive personal data at rest and during transmission.
Regular security audits and access logs.
Mandatory confidentiality agreements for all personnel.
Physical safeguards for paper-based records.^[4][3][1]

7. Data Sharing and Disclosure

SDRC does not disclose your data to any third party except:

Referral Doctors for continuity of care.
Referring Organizations (e.g., insurers, employers, or government schemes) under pre-agreed conditions.
Regulatory or Government Agencies where mandated by law.
Researchers or Analysts — only de-identified or aggregated data is shared for such purposes.

Disclosure may occur without prior permission where legally required for identity verification, public health, crime prevention, or court orders.^[3][1]

8. Patient Consent and Rights

Under the DPDP Act, 2023, and IT Rules, 2011, patients have the following rights:

To know what data is collected and how it is used.
To access and correct their personal information.
To withdraw consent for further data processing (where not required by law).
To file grievances or request deletion of redundant data after service completion.^[5][2]

For routine diagnostic tests, implied consent applies upon presenting for testing. For specialized tests or genetic analysis, explicit written consent will be obtained.^[1][3]

9. Data Retention

Patient data will be retained only as long as necessary to fulfill diagnostic, legal, and reporting obligations, after which it will be securely deleted or anonymized according to regulatory guidelines.^[6][1]

10. Cross-border Data Transfers

SDRC does not transfer patient data outside India. If in the future such processing is necessary (e.g., for cloud-based storage), it will comply with DPDPA 2023 cross-border transfer rules and use only government-approved jurisdictions.^[7][6]

11. Grievance and Contact

Patients may raise queries or complaints related to data privacy by contacting the Data Protection Officer (DPO):

Data Protection Officer (DPO)
SDRC Diagnostics LLP
Email: support@sdrc.in

All grievances will be acknowledged within 7 working days and resolved within 30 working days in line with the DPDPA.^[2][1]

12. Updates to This Policy

SDRC reserves the right to modify this Privacy Policy to reflect changes in law or operational practices. Updated versions will be made available at sdrc.in/privacy-policy.^[2][1]

⁂ References