HCLH recognizes the expectations of its customers with regard to privacy, confidentiality and security of their personal information that resides with the organization. HCLH has adopted a privacy policy aimed at protecting the personal information of patients and organizational staff encompassing under the scope of ISO 27001: 2022.Privacy Policy governs the way in which the organization collects, uses, discloses, stores, secures, and disposes of personal information and sensitive personal data or information of borrowers.

Information We Collect

We collect only the information needed for legitimate business purposes.

You may need to provide some personal information such as your full name, email ID, contact details, and other essential credit information etc. when you sign up for an account, register for an event, ask for customer support.

If you are availing our services; we may collect the following personal information from you or through your employer – full name, email id, contact details, address, designation, and essential health information about you like, but not limited to, your medical history, allergies, lab test reports, etc.

Throughout the course of the relationship with the Relevant Individual, HCL Healthcare needs to collect Personal Data and PHI. The type of Information that may be collected includes (but is not limited to), where relevant:

  • Basic Information regarding the Relevant Individuals such as name, contact details, address, gender, birth date, marital status, children, parents’ details, dependent details, photos, photo id proof, pan card, passport, voter ID, Aadhar card, life insurance nominees/beneficiaries, fingerprint information, emergency contact details, citizenship, visa, work permit details;
  • Information about the Relevant Individual’s medical records
  • The terms and conditions of employment/engagement, employment contracts with HCL Healthcare and/or previous employer.
  • Performance, conduct and disciplinary records within HCL Healthcare and/or with previous employers; mobility records generated in the course of employment/work with HCL Healthcare.
  • Information captured as result of monitoring of HCL Healthcare assets, equipment, network owned and/ or provided by HCL Healthcare.
  • Any other Information as required by HCL Healthcare.

What we do with your personal information?

We do not share or sell your personal information to anyone. We use personal information solely for the purpose of interacting with you and to enable you to avail yourself of our product or services. We use personal information only for the specific reason for which it is provided.

Some personal information is required:

  • To manage, administer and fulfil the obligations under contracts.
  • We will only use your personal data for the purposes for which we collect it, we reasonably consider that we need to use it for another reason that is compatible with the original purpose and applicable local law. Any exceptions will be brought to your notice and the legal basis for the same will be explained.

HCL Healthcare may collect, process and disclose Personal and PHI Data of the Relevant Individual for purposes connected with its business activities including the following purposes, hereinafter the

Agreed Purposes”:

  • Managing the Relevant Individual’s employment/ work with HCL Healthcare including deployment/assignment of the individual to specific client projects.
  • Record-keeping purposes; Payroll Administration, Payment of the Relevant Individual’s salary or invoice; Performance Assessment and Training.
  • Compliance with a legal requirement/obligation; health and safety rules and other legal obligations; Administration of benefits, including insurance, provident fund, pension plans; immigration, visa related purposes; HCL Healthcare reporting purposes.
  • IT, Security, Cyber security and Access Controls.
  • Disaster recovery plan, crisis management, internal and external communications.
  • For any other purposes as HCL Healthcare may deem necessary.

HCL Healthcare only collects uses and discloses Personal and PHI Data for purposes that are reasonable and legitimate. Such Personal and PHI Data shall be processed in a manner compatible with the Agreed Purposes; unless the Relevant Individuals have consented to it being processed for a different purpose or the use for a different purpose is permitted by applicable law. There may be circumstances, when the Relevant Individual may have volunteered personal information and given explicit/fully informed consent to its processing.

We will not share your personal information.

We do not share your personal data with anyone else and we will never sell personal data. However, exemptions to the above are where HCLH is asked to provide information because of any legal or regulatory requirements. We will make every effort to ensure that such mandated disclosures from the regulatory authorities are communicated to you.

Only those Employees who “need-to-know” or require access to function in their role should have access to Personal and PHI Data.

HCL Healthcare will not disclose Personal Data and PHI to any person outside HCL Healthcare except for the Agreed Purposes, or with the Relevant Individuals’ consent, or with a legitimate interest or legal reason for doing so, such as where HCL Healthcare reasonably considers it necessary to do so and where it is permitted by applicable law. In each instance, the disclosed Personal and PHI Data will be strictly limited to what is necessary and reasonable to carry out the Agreed Purposes.

When HCL Healthcare works with third parties which may have access to Personal and PHI Data in the course of providing their services, HCL Healthcare contractually requires third party to process Personal and PHI Data only on.

HCL Healthcare’s instructions and consistent with HCL Healthcare’s Data Privacy policies.

Disclosure or Transfer of PII and PHI

HCL Healthcare may, from time to time, disclose and/or transfer the Relevant Individuals’ Personal and PHI Data to third parties (including but not limited) listed below:-

  • Affiliate companies and/or other business associates.
  • Medical practitioners appointed by HCL Healthcare.
  • External companies or third-party service providers HCL Healthcare engages to perform Services on the Company’s behalf.
  • Third Parties providing certain information technology and data processing services to enable business operations.

Notwithstanding anything contained elsewhere, any Personal or Sensitive Personal and PHI Data may be disclosed by HCL Healthcare to any third party as required by a Court of Law or any other regulatory or any other law enforcement agency established under a statute, as per the prevailing law without the Relevant Individual’s consent.

When using external data processers or transferring personal data to external third parties, HCL Healthcare shall enter into agreements with appropriate contractual clauses for protection of Personal and PHI Data and confidentiality including requirements to process the Personal and PHI Data only in accordance with instructions from HCL Healthcare and to take appropriate technical and organizational measures to ensure that there is no unauthorized or unlawful processing or accidental loss or destruction of or damage to Personal Data and PHI.

How long will we keep your personal information?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

In some circumstances, we may anonymize your personal data so that it can no longer be directly associated with you.

It is HCL Healthcare’s policy to retain certain Personal and PHI Data of the Relevant Individuals when they cease to be employed/ engaged by HCL Healthcare. This Personal and PHI Data may be required for HCL Healthcare’s legal and business purposes, including any residual activities relating to the employment/engagement, including for example, provision of references, processing of applications for re-employment/re- engagement, matters relating to retirement benefits (if applicable) and allowing HCL Healthcare to fulfil any of its contractual or statutory obligations.

All Personal Data and PHI of the Relevant Individuals may be retained for periods as prescribed under law or as per HCL Healthcare policy from the date the Relevant Individuals cease to be employed/engaged by HCL Healthcare. Personal and PHI Data may be retained for a longer period if there is a subsisting reason that obliges HCL Healthcare to do so, or the Personal Data is necessary for HCL Healthcare to fulfil contractual or legal obligations. Once HCL Healthcare no longer requires the Personal and PHI Data, it is destroyed appropriately and securely or anonymized in accordance with the law.

How will we keep your information safe?

We are fully committed to information security and compliance with applicable regulations. We have implemented strong security controls for the protection of data. We have designed and implemented an information security program in line with International Organization for Standardization (ISO) 27001:2022.

Though we take reasonable measures to protect our assets against unauthorized access or attack; the Internet inherently is not fully secure. While we work towards and strive to protect your personal information/privacy, we would like you to take note of the inherent Internet risks associated with data transfer and processing. You also need to ensure that your User ID, Password etc. are not disclosed to anyone and that your systems are safe for usage.

We use a range of security measures to protect your personal information. Please be aware, however, that HCL HEALTHCARE cannot guarantee that third parties will safeguard your personal data in a similar manner. Unencrypted information – including information sent via E-mail – may also be able to be read by third parties. As a user of our services, you are responsible for protecting the information you provide, including usernames and passwords, from misuse, by encryption or other means. If you have any questions about the security of your personal data, you can contact us at privacy_hclh@hcl.com.

How are cookies used?

A cookie is a small piece of data stored on the user’s computer by the web browser while browsing a website. We use cookies to improve the quality of our site and service and to try and make your browsing experience meaningful. Cookies may be used to track how you interact with our sites and to analyze trends. The types of data collected may include IP addresses, cookies identifiers, site activities etc.

We use first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way.

The third-party cookies used on our websites are used mainly for understanding how the website performs, how you interact with our website, keeping our services secure, providing information that is relevant to you, and all in all providing you with a better and improved user experience.

You can control the use of cookies, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service.

How do we monitor?

HCL Healthcare may, from time to time, monitor the Relevant Individual’s use of company premises, property, and network resources (including computer systems, e-mails, and internet) primarily for following purposes:

  • Facilitating business, securing personnel and property of HCL Healthcare; For example, some of the locations are equipped with surveillance cameras.
  • Maintaining a stable network environment for communications within HCL Healthcare, and communications with external parties.
  • Responding to any legal processes or to investigate any suspected breach of Relevant Individual’s obligations under this Policy or other HCL Healthcare’s policies or applicable law.
  • Providing information to HCL Healthcare’s management to ensure the proper utilization of HCL Healthcare’s resources.

This section is not meant to suggest that all employees will in fact be monitored or their actions subject to constant surveillance. It is meant to notify the fact that monitoring may occur and may result in the collection of personal information (e.g., through the use of company network resources). When using company equipment or resources, employees should not have any expectation of privacy with respect to their use of such equipment or resources.

How to contact us?

If you have any questions about this Privacy Statement, then you can contact the Global Privacy Office online via privacy_hclh@hcl.com. Additionally, the contact information for the Grievance Officer for India is Sandeep Kumar, e-mail address – grievance.redressal@hcl.com.

You have certain choices-

You may contact us at privacy_hclh@hcl.com on various matters pertaining to your personal information such as –

  • request access
  • request rectification
  • request deletion
  • request data portability
  • request to opt-out from receiving email newsletters, alerts or other marketing emails

Upon receiving your request, we will make every effort to fulfil your request, if it is not otherwise required to be treated differently by law or for legitimate business purposes. You must identify yourself prior to making a request; we may not be able to process your request if it is deemed unreasonable or inappropriate.

We will respond to your queries within a reasonable timeframe. Please note that we may need to maintain residual copies even after your information gets deleted from the active environment (e.g., backup copies or to ensure we don’t contact you if you have opted out).

Legal Notice

HCLH may need to disclose personal information to legal authorities for compliance, fraud investigation, statutory purposes or other legal activities as per the local laws and government requests.

Changes to this Privacy Statement

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

Breach Notification Procedure

The breach notification period under the Digital Information Security in Healthcare Act (DISHA) is 72 hours. This means that healthcare organizations must notify the affected individuals within 72 hours of becoming aware of a data breach.

Digital Information Security in Healthcare Act (DISHA) also requires healthcare organizations to notify the Digital Information Security in Healthcare Act (DISHA) within 24 hours of becoming aware of a data breach. The NDHA is responsible for coordinating the government’s response to data breaches in the healthcare sector.

If a healthcare organization fails to comply with the DISHA breach notification requirements, it may be subject to civil penalties of up to INR 5 lakhs.

Here are some of the key provisions of the DISHA breach notification requirements:

  • The healthcare organization must notify the affected individuals within 72 hours of becoming aware of a data breach.
  • The notification must be in plain language and must include the following information:
    • The type of information that was breached.
    • The number of individuals affected by the breach.
    • The steps that the healthcare organization is taking to investigate the breach and protect the affected individuals.
    • Instructions on how the affected individuals can protect themselves from identity theft and other harms.
  • The HCL Healthcare organization must also notify the NDHA within 24 hours of becoming aware of a data breach.

The DISHA breach notification requirements are an important part of the law’s efforts to protect the privacy and security of healthcare data. By requiring healthcare organizations to notify affected individuals and the NDHA promptly, the DISHA helps to ensure that individuals can take steps to protect themselves from the risks of identity theft and other harms.

  • How would we notify the affected individuals?
    • Determine whether notification is required based on risk assessment criteria specified by HIPAA/Digital Information Security in Healthcare Act regulations.
    • If notification is necessary, promptly notify affected individuals in writing or through other appropriate means.
    • Include the following information in the notification:
    • Description of the incident and types of PHI involved.
    • Steps taken to investigate and mitigate the breach.
    • Actions individuals should take to protect themselves from potential harm.
  • How would we notify the Regulators & Authorities?
  • Determine which regulatory authorities need to be notified based on applicable laws and regulations (e.g., state-specific regulations).
  • Notify relevant regulators within specified timeframes as required by HIPAA/Digital Information Security in Healthcare Act regulations.
  • Provide regulators with all relevant details regarding the breach, investigation, mitigation measures, etc.
  • How would we notify the Business Associates & Other Relevant Parties?
  • Identify any business associates who may have been involved in or impacted by the breach.
  • Promptly inform affected business associates about the breach and their responsibilities under HIPAA/Digital Information Security in Healthcare Act regulations.


Remediation & Prevention

  • Take appropriate actions to remediate vulnerabilities that contributed to the breach.
  • Update security protocols and procedures to prevent future breaches from occurring.
  • Conduct regular training sessions for employees on data protection practices.