THE MEDICAL INFORMATION SERVICE DATA MANAGEMENT AGREEMENT FOR HEALTHCARE SERVICE PROVIDERS AND PRACTICES
MIS is a WhatsApp-based platform that helps Zimbabwean residents locate medicines and health services by:
- Receiving product and service availability queries from users.
- On some occasions, distributing images/messages to participating licensed providers (either licensed individuals or people acting on behalf of entire practices).
- Collecting availability and, sometimes, pricing responses from providers.
- Consolidating responses and providing information to users.
- Purpose of This Agreement
This Agreement establishes the data processing and confidentiality obligations that apply when your practice receives and processes images/messages through the MIS platform.
- What You’re Agreeing To
To participate, and by participating on the MIS platforms, your practice will:
- Receive images/messages submitted by users via WhatsApp
- Review these images/messages to determine product or service availability and pricing
- Respond to MIS with CORRECT availability information as per rules
- Delete all images/messages that contain personal information (name of patient and address) within the timeframes specified in this Agreement.
- Need to be licensed by the relevant regulator as a data controller
- DATA PROTECTION OBLIGATIONS
- Purpose Limitation
You may ONLY use images/messages to:
- Determine product or service availability at your practice or branches of your practice
- Provide pricing information to MIS
- Respond to medicine availability queries
- You may NOT use images/messages for:
- Marketing or advertising purposes
- Published research or data analysis (without separate written consent from the patient for whom the prescription was written or their legal guardian)
- Building customer databases
- Any purpose other than responding to the specific query
- Mandatory Requirements
While we insist on users cropping out or otherwise concealing personal information from images of prescriptions before sharing those images with MIS, this does not always happen. YOU MUST permanently delete images/messages that contain personal information (names, addresses or phone numbers) within 7 calendar days of receiving them from MIS.
“Delete” means: Permanent removal from the devices where MIS Chats can be accessed
If you use a personal phone (rather than a practice-owned device) to access MIS you must:
✓ Enable WhatsApp chat lock for the MIS conversation
✓ Use a strong device password/PIN (not easily guessable)
✓ Enable biometric lock (fingerprint/face ID) if available
✓ Not allow family members, friends or other persons to access your device
Recommended:
✓ Use a separate work phone for MIS if possible
✓ Disable automatic WhatsApp media download to gallery
✓ Clear MIS chat media regularly.
- Confidentiality
All images/messages are confidential medical information.
You, your staff and/or your practice must:
- Treat images/messages with the same confidentiality as if the patient visited your practice in person
- Not disclose images/messages or information contained therein to any third parties unless for the purposes of determining whether you will be able to fulfil that prescription. In that case, remove any personal information (names, addresses and phone numbers) on the image before onward sharing.
- Not discuss images/messages details with anyone outside authorized practice staff unless for the purposes of determining whether you will be able to fulfil that prescription. In that case, remove any personal information on the image before that discussion.
- Comply with all professional practice confidentiality obligations.
Exceptions: You may only disclose prescription information if:
- Required by law (e.g., court order, regulatory investigation)
- Necessary for emergency medical treatment, with user consent
- Reporting suspected child abuse or crime (as required by law)
In any such cases, notify MIS immediately via info@medicalinformation.co.zw or +263788680608.
- Access Control
Only authorized practice staff may access images/messages.
You must not allow access by any person who does not have access to patients and patient prescriptions in your practice.
- Security Requirements
If you store images/messages electronically (even temporarily):
You must:
- Use password-protected devices only
- Enable device encryption if available (especially mobile phones)
- Lock devices when unattended
- Install security updates regularly
- Use antivirus software where applicable
If you print images/messages:
You must:
- Store printed copies in the same secure area you store paper prescriptions
- Prohibition on Sharing
You must NOT share images/messages with:
- Pharmaceutical companies or medical representatives
- Researchers or academics
- Insurance companies or medical aid societies
- Marketing agencies or data brokers
- Family, friends, or social media
- Anyone else not authorized under this Agreement.
- MIS’s Protection of Your Data
Through your participation in MIS, we collect and process these aspects of you and/or your practice, which may constitute trade secrets or commercially sensitive business information:
– Business contact information (name, address, phone, email)
– Licensing and registration details
– Product/service availability and pricing information you provide
– Response efficiency and frequency data
– Query patterns
– Your pricing strategies and discount structures
– Stock levels and inventory patterns
– Demand patterns in your area
MIS agrees to:
- Treat all Provider business information as strictly confidential
- Not disclose in any way that allows the identification of your practice, your pricing, stock levels, or business data to:
– Competing providers
– Pharmaceutical companies or suppliers
– Marketing agencies or data brokers
– Media or researchers (without your explicit consent)
– Any third party without your written consent.
- Use Provider data ONLY for:
– Operating the MIS platform (matching queries to providers)
– Aggregate anonymous analytics (no individual provider identified)
– Compliance with legal obligations (court orders, regulatory investigations)
– Platform improvement and quality assurance
- Implement security measures to protect Provider data:
– Access restricted to authorized MIS staff only
– All access logged and monitored
– Encryption of sensitive business data
– Regular security audits
- Not use Provider data to compete with Providers
EXCEPTIONS – MIS MAY DISCLOSE PROVIDER DATA:
- With Your Consent: We will ask permission before sharing identifiable data for research, media, or other purposes
- If it’s aggregated and anonymous data: We may publish industry statistics (e.g., “average medicine prices in Zimbabwe”) provided no individual provider can be identified.
- As per legal requirements: If compelled by court order, regulatory investigation, or law enforcement (we will notify you unless prohibited from doing so)
- As part of the MIS platform operations: Your business name, location, and contact details are visible to users receiving your availability responses
- For quality assurance: Anonymous performance metrics may be used for platform improvement.
3.9. PROVIDER’S RIGHTS REGARDING THEIR DATA:
You may:
– Request a copy of all data MIS holds about your business
– Request correction of inaccurate information
– Request deletion of your data (subject to legal retention requirements)
– Object to processing for specific purposes
– Contact the MIS to exercise these rights.
- DATA RETENTION BY MIS:
Active provider data is retained while you participate in MIS.
After termination:
– Business contact information is retained for 12 months
– Historical pricing/availability data will be anonymized after 12 months
– Aggregate anonymous data retained indefinitely for analytics purposes.
3.11. DATA BREACH AFFECTING PROVIDER DATA:
If MIS experiences a breach affecting your business data, we will:
– Notify you within 24 hours
– Describe what data was compromised
– Explain steps we’re taking to prevent recurrence
– Cooperate with any investigation you undertake
3.12. PROVIDER DATA IN DISPUTES:
If there is a dispute between providers about data misuse, MIS will:
– Investigate thoroughly
– Provide findings to affected parties
– Take appropriate action (suspend access, terminate violators)
– Cooperate with legal proceedings if necessary.
- BREACH NOTIFICATION OBLIGATIONS
- What Constitutes a Data Breach
A data breach includes any:
- Unauthorized access to images/messages (e.g., someone who shouldn’t see them views them)
- Loss or theft of device containing images/messages
- Accidental disclosure (e.g., emailing to wrong person, showing to unauthorized person)
- Malware or hacking incident affecting systems with images/messages
- Employee misuse of prescription data.
- Reporting Timeline
If a breach occurs, you MUST:
Stop the breach if ongoing (e.g., secure device, revoke access) immediately.
Notify MIS via info@medicalinformation.co.zw or +263788680608 (Phone or WhatsApp), within two hours of discovery and include details of the circumstances and any corrective measures to be implemented. Your notification communication must include:
- Date, time, and nature of breach
- How many images/messages were affected
- What personal information was exposed
- Who had unauthorized access (if known)
- What immediate actions you took
- What steps you’re taking to prevent recurrence
- Whether you’ve reported to the data protection regulator (if applicable)
Following a breach, MIS may:
- Suspend your access to images/messages pending investigation
- Require independent security audit at your cost
- Require additional staff training
- Impose enhanced security requirements
- Terminate this Agreement (see Section 6)
- Report to data protection regulatory authorities
- Report to law enforcement if criminal activity suspected
- COMPLIANCE AND AUDIT RIGHTS
- Regulatory Compliance
You must comply with all regulations that are relevant for your practice. If your practice is suspended from practicing by any regulator, your participation on the MIS platform will be terminated until such a suspension by the regulator is lifted.
- MIS Audit Rights
MIS reserves the right to:
- Conduct compliance audits of your data handling practices if there are concerns raised by a user. Your practice must cooperate fully with audits as a condition for continued participation on MIS platforms.
- TERMINATION
- Termination by MIS
MIS may immediately terminate your participation for:
- Breach of data protection obligations (failure to delete, unauthorized sharing, etc.)
- Providing inaccurate or misleading information in response to queries.
- Repeatedly failing to follow the prescribed way of responding to queries.
- Prolonged dormancy (not responding to a single query for 14 consecutive days).
- Failure to report data breaches as required
- Refusal to cooperate with audits
- Loss or suspension of practice licence
- Repeated complaints from users
- Failure to implement corrective actions after audit
- Repeated failure to comply with the query response format prescribed by MIS
- Any conduct that compromises user privacy or MIS reputation
- Termination by You
You may terminate participation at any time by requesting removal from MIS by contacting the MIS via info@medicalinformation.co.zw or +263788680608.
- Effect of Termination
Upon termination (by either party):
- You remain bound by confidentiality obligations indefinitely
- You remain liable for any breaches occurring before termination.
- Survival of Terms
The following sections survive termination indefinitely:
- Section on (Confidentiality)
- Section on (Breach notification for pre-termination incidents)
- Section 7 on (Liability and indemnification)
- Section on (Dispute resolution)
- LIABILITY AND INDEMNIFICATION
- Your Liability
You are fully liable for:
- Any unauthorized access to images/messages in your possession
- Breaches by your staff members
- Any misuse of prescription data
- Failure to report breaches in a timely manner
- Indemnification
You agree to indemnify MIS and hold MIS harmless from:
- Any claims, damages, or losses resulting from your breach of this Agreement
- Legal costs incurred by the MIS in defending claims related to your data handling.
- Regulatory fines or penalties imposed due to your non-compliance
- Reputational damage to MIS caused by your actions
Examples:
- If a user sues MIS because your practice disclosed their prescription to an unauthorized person, you are liable.
- If a data protection regulator fines MIS because your practice breached data protection regulations, you are liable.
- If a data breach at your practice causes MIS reputational harm, you are liable.
- Limitation of MIS Liability
MIS is not liable for:
- Inaccurate medicine availability information you provide
- Business losses resulting from participation in MIS activities, suspension from or termination of participation in MIS activities
- Technical issues with the WhatsApp platform
- User complaints about your service quality
- Insurance
You are encouraged (but not required) to maintain professional indemnity insurance covering data breaches and privacy violations.
- GENERAL PROVISIONS
8.1. Governing Law
This Agreement is governed by the laws of Zimbabwe. Any disputes shall be resolved in the courts of Harare, Zimbabwe.
8.2. Entire Agreement
This Agreement constitutes the entire agreement between you and MIS regarding data obligations. It supersedes any prior verbal or written agreements.
8.3. Amendment
MIS may amend this Agreement, in which case it shall post the updated Agreement on the MIS website and notify providers. Continued participation after the notification period constitutes acceptance of amendments.
8.4. Assignment
You may not transfer or assign your rights or obligations under this Agreement without MIS's written consent.
8.5. Waiver
MIS’s failure to enforce any provision does not constitute a waiver of that provision or any other provision.
8.6. Severability
If any provision is found unenforceable, the remaining provisions remain in full effect.
8.7. Language
This Agreement is in English. In case of translation, the English version prevails.
8.8. Contact for Questions
For questions about this Agreement, contact MIS Data Protection Officer:
Email: info@medicalinformation.co.zw
Phone and WhatsApp: +263788680608
- ACCEPTANCE AND ACKNOWLEDGMENT
By clicking “I Accept” or “Submit Registration” below, you confirm that:
You have read and understood this entire Data Sharing Agreement
You understand that prescription data is confidential and must not be shared with third parties
You understand that breaches must be reported to MIS within 2 hours
You understand that MIS may terminate your participation for violations
You are authorized to bind the practice/s that you are registering to this Agreement
The practice/s you are registering agrees to all terms and conditions stated herein
*************************End***********************
Thank you for joining MIS and helping Zimbabweans access healthcare more efficiently!
