Staff Terms & Conditions of Use
First Step Investments (Pty) Ltd t/a MediScan | Version 1.0 | Effective: 1 June 2025
Important: By accessing or using the MediScan platform, you confirm that you have read, understood, and agree to be bound by these Terms. If you do not agree, do not use the platform.
1. Definitions
- "MediScan" means First Step Investments (Pty) Ltd t/a MediScan, its officers, employees, agents, and successors.
- "Platform" means the MediScan web application, mobile application (Flutter / MAUI), and associated APIs.
- "Facility" means the healthcare facility at which you are employed or contracted.
- "Patient Data" means any personal or special personal information relating to a patient that you access, create, or modify via the Platform.
- "POPIA" means the Protection of Personal Information Act 4 of 2013.
- "NHA" means the National Health Act 61 of 2003.
- "Authorised User" means a staff member who has been granted access credentials by their Facility Administrator.
2. Access and Account Security
- Access to the Platform is granted solely for the performance of your official duties at the Facility.
- You must keep your login credentials (email, password, PIN, biometric) strictly confidential. You must not share credentials with any other person, including colleagues.
- You are responsible for all actions performed under your account. Any suspected unauthorised access must be reported to your Facility Administrator and to MediScan at security@medi-scan.co.za immediately.
- Accounts that are inactive for 90 days may be automatically deactivated. You must request reactivation through your Administrator.
- MediScan reserves the right to suspend or terminate your access without prior notice if suspicious activity is detected.
3. Permitted Use
You may use the Platform only to:
- Register new patients on behalf of the Facility.
- Verify patient identity through biometric, PIN, or document methods.
- Record clinical encounters, consent, and completed forms for patients at your assigned Facility.
- Access patient records strictly on a need-to-know basis for the purposes of providing or coordinating care.
- Generate reports authorised by your role and required by the Facility.
4. Prohibited Conduct
You must not:
- Access patient data for patients not under the care of your Facility, or beyond the scope of your role.
- Export, copy, print, screen-capture, or disclose Patient Data outside the Platform except as strictly required for clinical care and with appropriate authorisation.
- Share, sell, or otherwise transfer access credentials or patient information to any unauthorised third party.
- Attempt to bypass, disable, or circumvent any security control, audit mechanism, or access restriction.
- Introduce malware, viruses, scripts, or any code that could damage, disrupt, or gain unauthorised access to the Platform or any connected system.
- Use the Platform for any purpose that violates POPIA, the NHA, the Health Professions Act 56 of 1974, or any other applicable law or professional code of conduct.
- Access or query records for personal curiosity, academic research, or commercial gain without explicit written consent from the patient and authorisation from your Facility.
- Falsify, manipulate, or delete any patient record, consent form, or audit log entry.
5. Patient Confidentiality and POPIA Obligations
- All Patient Data accessed through the Platform constitutes confidential health information. You are bound by a duty of confidentiality that survives termination of your employment or access.
- You must inform patients of their rights under our Patient Privacy Notice before capturing biometric data or clinical information.
- You must obtain and record the patient's explicit informed consent before capturing biometric (fingerprint/facial) data.
- A patient's refusal to provide consent must be respected and recorded; it must not result in denial of emergency care.
- Any suspected data breach, accidental disclosure, or loss of patient records must be reported to your Facility Administrator and to MediScan at privacy@medi-scan.co.za within 24 hours of discovery.
6. Biometric Data Handling
- Biometric data (fingerprint templates, facial vectors) are special personal information under POPIA s 26. Capture is only permitted with the explicit consent of the patient.
- You must not capture biometric data of any person without their knowledge and consent.
- Biometric templates are stored as non-reversible hashes; you must not attempt to reconstruct or extract the underlying biometric from any record.
- You must follow the on-screen instructions for biometric quality thresholds; low-quality captures must be retaken, not accepted, to prevent false matches or refusals.
7. Device and Environment Security
- You must only access the Platform from devices that are authorised by your Facility and that have current operating-system security updates installed.
- You must not access the Platform on a device that is known to be compromised, infected with malware, jailbroken, or rooted.
- Always lock or log out of the Platform when leaving your workstation unattended, even briefly.
- The use of personal (non-Facility) devices is subject to your Facility's Bring-Your-Own-Device (BYOD) policy. Where no such policy exists, personal-device access is prohibited.
8. Intellectual Property
All software, algorithms, designs, documentation, and training material forming part of the Platform are the exclusive intellectual property of First Step Investments (Pty) Ltd t/a MediScan or its licensors. Nothing in these Terms grants you any ownership right or licence other than the right to use the Platform as described herein.
9. Limitation of Liability
To the maximum extent permitted by applicable law:
- MediScan provides the Platform on an "as is" basis and does not warrant that it will be uninterrupted or error-free.
- MediScan shall not be liable for any indirect, incidental, or consequential damages arising from your use of the Platform.
- MediScan's total aggregate liability to you shall not exceed the fees paid by your Facility to MediScan in the 12 months preceding the claim.
- Nothing in these Terms limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by law.
10. Monitoring and Audit
All actions on the Platform - including logins, data access, biometric captures, consent records, and administrative changes - are logged in an immutable audit trail. By using the Platform, you consent to this monitoring. Audit logs may be reviewed by MediScan, your Facility Management, or regulators in the event of a compliance investigation or data breach.
11. Termination of Access
Access will be terminated or suspended upon:
- Resignation, dismissal, or end of contract with the Facility;
- Breach of these Terms;
- Reasonable suspicion of misconduct or unlawful activity;
- Written request by the Facility Administrator.
Upon termination, all obligations of confidentiality remain in force indefinitely.
12. Governing Law and Jurisdiction
These Terms are governed by the laws of the Republic of South Africa. Any dispute arising from or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of South Africa, without prejudice to the right to seek urgent interim relief in any competent jurisdiction.
13. Amendments
MediScan may amend these Terms from time to time. Updated Terms will be presented in the Platform at next login for re-acceptance. Continued use of the Platform after notification of changes constitutes acceptance of the updated Terms.
14. Contact