Bomaid Data Privacy Notice
At Bomaid we are committed to protecting your personal data by handling all the personal data collected in accordance with best confidentiality practices and applicable laws. Personal data means any information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to an individual’s physical, physiological, mental, economic, cultural or social identity.
Our Data Privacy Notice explains how and when we collect your personal data, why we do so and how we treat this information. It also explains your rights in relation to the collection of such personal data and how you can exercise those rights.
We may update this privacy notice from time to time. Any changes will be communicated via our website or other appropriate channels.
Please read this Privacy Notice carefully as it sets out important information relating to how we handle your personal information.
The types of information we collect and process
For the purposes of facilitating the benefit of a member, we must collect and process your personal data.
We currently collect and process the following personal information:
- Personal details: name, gender, marital status, date and place of birth, dependents details and relationship, educational background, employer, and employment history;
- Identification details: identification numbers issued by government bodies or agencies (e.g. Omang (ID number), passport number, marriage certificate, birth certificate);
- Financial information: Bank account number and details, bank statements and payslip;
- Previous claims: information about previous claims, which includes health data;
- Marketing data: customer satisfaction data, data about how you interact with the Bomaid website, mobile apps, text messages, social media pages, and emails
- Website and communication usage: IP address, browser cookies, and device data
In addition thereto, we collect sensitive personal data. Sensitive personal data means information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person. We currently process and collect the following sensitive personal data:
- Health Data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g. smoking or consumption of alcohol), prescription information, medical history
How we use your personal information
We collect your data so that we can:
- Process your application and manage your membership, including creating and maintaining your account details
- Review, process, and settle claims for services such as doctor visits, hospital stays, and treatments
- Determine and manage the benefits and coverage available to you under your benefit plan
- Provide assistance with inquiries, resolve issues, and help with your coverage or claims
- To arrange and coordinate with service providers such as referrals to specialists or scheduling treatments
- To offer and manage wellness programs aimed at promoting your health and preventing illness
- To share your information with appointed Service Providers to deliver membership benefits
- To share important updates regarding your plan, changes to your benefits, or other relevant information related to your coverage
- To share promotional materials or offers about new services, products or benefits, but only with your consent.
- To comply with applicable laws and regulations, including reporting to regulatory authorities
How we obtain your personal information
Most of the personal data we collect and process is provided to us directly by you, or by your guardian, telephonically, online, via email, or from written correspondence in the following scenarios:
- When establishing a relationship with you and assessing your most appropriate schemes and benefits
- For the duration of your active membership
- collection of subscriptions, processing of claims and facilitating other payments.
We may also receive personal information indirectly, from the following sources in the following scenarios:
- your employer: payroll and subscriptions collection data for Corporate Members (processed based on the necessity of the contract or legitimate interest)
- marketing and profiling: information obtained from marketing interactions to provide details about our products, benefits, and services, processed based on your consent
- market research: data from customer satisfaction surveys and other market research
Do we have lawful reason to collect your personal information
We shall process your information where any of the following circumstances occur:
- The provision of your consent to process your data when purchasing a benefit, making an inquiry and submitting a claim. You are able to withdraw your consent at any time. You can do this by emailing us at privacy@bomaid.co.bw
- Where there is a contractual obligation between Bomaid and its member and processing is necessary to honor that obligation
- Where we have a regulatory obligation to process your data in compliance with that legal obligation
- Where processing is necessary to protect the vital interests of the member or of another natural person
- Where processing is necessary to perform a duty that is in the public interest or in the exercise of an official authority vested in Bomaid
- We have a legitimate interest – the processing takes place within the client relationship, and is necessary for direct marketing purposes, to prevent fraud or to ensure the network and information security of our IT systems.
Sharing of personal information
We may share your personal information with third party service providers who act as data processors under contract. These service providers perform specialist functions and services on our behalf for the benefit of a member such as administration of account, dental, pharmaceutical, optical, radiology and insurance. They are obligated to process your data only for the specified purpose of facilitating your benefit and to keep it secure.
We do not sell, otherwise disclose, or share data we collect and hold about you, with third parties for any other purpose. These processors are contractually obligated to protect your data in compliance with applicable data protection laws. You have the right to access, correct or request the deletion of your personal data at any time.
You may request more information about the safeguards that we have put in place in respect of sharing of your personal information by contacting the Bomaid Data Protection Officer at the email address or postal address given at the end of this notice.
How we store and protect your personal information
Your information is securely stored at all times. We maintain administrative, technical and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. Service providers who perform functions and services on our behalf are contractually and legally obligated to ensure adequate data security measures are in place; and shall not use that data for any other purpose.
How We Store Your Personal and Medical Information
Your personal and medical information is stored in secure electronic and physical formats, based on the nature of the data and our regulatory obligations:
1. Digital Storage:
Your information is securely stored in encrypted databases and cloud services that meet industry standards for data protection. These systems are regularly backed up to ensure data recovery in case of an incident, with backup copies also encrypted and stored in a geographically secure location.
- Access-Controlled Systems: Access to your information is restricted to authorized personnel only. We employ role-based access control (RBAC) to ensure that only those who require access for their duties can view or process your data. Additionally, all data is encrypted at rest, meaning it remains secure even when stored on our servers or in cloud storage.
- Physical Storage: Paper-based records (if any) containing personal or medical information are stored in locked, secure areas within our facilities. Access to these physical records is limited to authorized personnel who are responsible for handling such information in accordance with privacy policies and regulations.
- Secure Storage Facilities: All physical records are stored in controlled environments with fire protection, climate control, and other safeguards to prevent physical damage, loss, or unauthorized access.
2. Physical Security Measures
To protect the physical storage of your personal and medical data, we employ strict security protocols:
- Access Control: All physical access to areas where sensitive data is stored is restricted. Only authorized personnel with appropriate security clearance are allowed to enter these areas. Access is controlled through badge-based entry systems, biometric authentication, and physical security personnel.
- Surveillance and Monitoring: Our facilities are monitored around the clock with CCTV cameras to prevent unauthorized access and to detect any suspicious activity in real time.
- Data Destruction: When physical records are no longer needed, we ensure they are securely destroyed through methods such as shredding or incineration to prevent unauthorized retrieval of your personal or medical information.
3. Digital Security Measures
To protect your personal and medical data stored electronically, we implement state-of-the-art digital security measures:
- Encryption: All personal and medical data, whether at rest or in transit, is protected using encryption protocols to ensure that even if data is intercepted, it cannot be read or accessed by unauthorized parties.
- Firewalls and Intrusion Detection Systems (IDS): We use firewalls and intrusion detection/prevention systems to protect our network from unauthorized access and cyber-attacks. These systems continuously monitor our digital infrastructure for signs of security breaches.
- Multi-Factor Authentication (MFA): Access to our digital systems and databases that store sensitive information is secured through multi-factor authentication, ensuring that only authorized users can access your data.
- Secure Backup Systems: We maintain encrypted backups of all your personal and medical data to ensure that we can recover it in case of accidental loss or corruption. These backups are stored securely both on-site and off-site in protected data centers to ensure redundancy and resilience.
4. Third-Party Service Providers
In some cases, we may use third-party service providers to process your personal and medical information. These third parties are contractually required to comply with strict security measures that align with our own, and they may only process your data for the purposes specified in our agreement. We ensure that all third-party providers:
- Implement robust security measures to protect your data.
- Are subject to regular security audits and assessments to ensure they meet our privacy and security standards.
Your data protection rights
Under data protection law, you have rights in relation to the handling of your personal information that we hold about you including:
- Your right of access - You have the right to ask us for copies of your personal information.
- Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate.
- Your right to erasure - You have the right to ask us to erase your personal information, subject to the necessary legal limitations governing retention of your data.
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You have the right to “opt out” of receiving marketing communications at any time. You can do this by
- i. clicking the unsubscribe link displayed in any of the marketing e-mails you receive,
- ii. emailing privacy@bomaid.co.bw to indicate you no longer wish to receive marketing communications, or by
- iii. writing to us at the address set out below.
You are not required to pay any charge for exercising your rights. If you make a request, we have one (1) month to respond to your request.
Should you decide to object to processing of your information or revoke consent, you have the right to do so in accordance with your rights under the Data Protection Act.
If you wish to make a request, please contact the Bomaid Data Protection Officer by emailing or writing to us at the details below.
Transfer of data
In order to provide you with the products and services you require from us, we may transfer to, and store the data we collect about you in, countries other than Botswana. In doing so, we implement measures to protect your data and comply with all relevant legal requirements, laws and regulations of Botswana.
Where we transfer personal information to a country outside the above schedule, we will only do so if
i. the country to which the personal information will be transferred has been approved by the Minister in terms of the Data Protection
ii. there are appropriate safeguards in place to protect your personal data at all times during its transfer
You may request more information about the safeguards that we have put in place in respect of transfers of personal information by contacting the Bomaid Data Protection Officer at the email address or postal address below.
Links to Third Party Websites
Our websites and mobile apps may contain links to other third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Always check their policies before you submit any personal information to such third-party websites.
Questions, Requests or Complaints
If you have any queries, concerns, or requests about how your personal information is used or our privacy practices, please feel free to contact us at the following details:
Bomaid Data Protection Officer
Postal address: P.O. Box 632, Gaborone, Botswana
Plot 50638, Fairgrounds, Gaborone
Email address: privacy@bomaid.co.bw
Should you wish to report a complaint or if you feel that we have not adequately addressed your concern or requests in a satisfactory manner, you may submit a complaint to the Information and Data Protection Commissioner's office at the following details:
Information & Data Protection Commissioner
Postal address: Private Bag 001, Gaborone, Botswana
Telephone: 3950800