1. Purpose and Commitment
SDRC Diagnostics LLP (“SDRC”, “we”, “us”, or “our”) is committed to safeguarding the privacy, confidentiality, and security of personal and health information collected from our clients (“you” or “patients”). This policy outlines how we collect, use, disclose, store, and protect your personal and sensitive health data in compliance with the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
2. Scope
This policy applies to:
- All patient data collected through registration, diagnostic testing, sample processing, and reporting (both online and offline).
- Data collected via our website, mobile applications, or electronic health record systems.
- All employees, contractors, and partner organizations who have authorized access to patient data.
3. Categories of Information Collected
We may collect and process the following categories of data as part of delivering our diagnostic services:
- Personal Information: Name, age, contact details, address, gender, identification numbers.
- Health and Medical Data: Medical history, diagnostic test results, prescriptions, sample data, clinical notes, and treatment-related information shared with us.
- Demographic Information: Age, sex, location, occupation, and other relevant demographics.
- Financial Data: Billing details, payment information, and insurance-related data where applicable.
- Technical and Usage Data: IP address, browser information, device identifiers, and usage logs when you use our website, client portal, or online report access.
All such data relating to health, financials and medical records is treated as Sensitive Personal Data or Information (SPDI) in line with Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
4. Basis for Collection and Use
We collect and process data on the following lawful bases:
- Consent: Explicit or implied consent when you present for diagnostic services, register with us, or submit information online.
- Contractual Necessity: To perform diagnostic tests, issue reports, and provide services that you or your doctor request from us.
- Legal Obligation: To comply with applicable laws, including but not limited to PNDT regulations, infectious disease reporting requirements, and other statutory directions.
- Public Health Interest: For anonymised or aggregated reporting as required by public health authorities and regulators.
5. Purpose of Data Usage
Your personal and health data may be used by SDRC for the following purposes:
- Registering patients, creating records, and managing appointments or scheduling.
- Conducting diagnostic tests, processing samples, and issuing reports.
- Communicating reports, follow-up alerts, preparation instructions, and health-related notifications.
- Processing billing, payments, and insurance claims where applicable.
- Meeting regulatory, accreditation, and statutory reporting obligations under Indian law.
- Conducting internal quality control, audits, training, analytics, and research activities, strictly using de-identified or anonymised data wherever feasible.
6. Data Storage and Security Practices
To ensure data integrity and confidentiality, SDRC follows reasonable security practices as defined under Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Measures include, but are not limited to:
- Secure electronic databases with restricted, role-based access controls.
- Encryption and secure configurations for sensitive personal data at rest and during transmission, where applicable.
- Regular security audits, monitoring of access logs, and review of authorisations.
- Mandatory confidentiality and non-disclosure agreements for all employees and authorised personnel.
- Physical safeguards for paper-based records, including restricted storage and controlled access.
8. Patient Consent and Rights
Under the Digital Personal Data Protection Act, 2023 and applicable IT Rules, patients have certain rights in relation to their personal data, including the right:
- To know what categories of data are collected and the purposes for which they are used.
- To request access to and correction of their personal information maintained with us.
- To withdraw consent for further processing of personal data, where processing is based solely on consent and not required under law or for legitimate purposes.
- To raise grievances, or request deletion or restriction of redundant data after completion of services, subject to legal retention requirements.
For routine diagnostic tests, implied consent is considered to apply when a patient presents for testing or submits a prescription. For specialised tests (such as certain advanced, genetic or highly sensitive investigations), explicit written consent may be obtained in addition to routine consent.
9. Data Retention
Patient data is retained only as long as necessary to fulfil diagnostic, legal, regulatory, medico-legal, and reporting obligations, including quality assurance and audit requirements. Thereafter, data will be securely deleted, archived, or anonymised in accordance with applicable regulations and internal policies.
10. Cross-border Data Transfers
SDRC currently does not transfer patient data outside India in the ordinary course of operations. If, in the future, cross-border processing or cloud-based storage in other jurisdictions becomes necessary, SDRC will ensure compliance with the Digital Personal Data Protection Act, 2023 and any rules on cross-border data transfers, using only permitted mechanisms or government-approved jurisdictions.
11. Grievance and Contact
Patients may raise queries, concerns, or complaints related to data privacy and protection by contacting our designated Data Protection Officer (DPO):
Data Protection Officer (DPO)
SDRC Diagnostics LLP
Email: support@sdrc.in
All grievances will be acknowledged within 7 working days, and we aim to resolve them within 30 working days in line with the Digital Personal Data Protection Act, 2023 and applicable regulatory guidance.
12. Updates to This Policy
SDRC reserves the right to modify, amend or update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, technology or operational practices. Updated versions will be made available at sdrc.in/privacy-policy.php.
Continued use of SDRC services after such updates will be deemed acceptance of the revised terms, to the extent permitted by applicable law.
References
The following publicly available resources and legal materials have informed SDRC’s data protection approach and this Privacy Policy:
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Overview of Indian data protection framework
- Patient data privacy laws in India – overview
- Press information and notifications on DPDP Act
- National Digital Health and health data guidance
- Digital health legal landscape – India
Copyright © 2024 SDRC Diagnostics LLP – All rights reserved.