Masca Medical Aid Society

MASCA PRIVACY STATEMENT

(Issued in accordance with the Cyber and Data Protection Act [Chapter 12:07] of
Zimbabwe)

MASCA acknowledges and respects your constitutional and statutory right to privacy. In accordance with the Cyber and Data Protection Act [Chapter 12:07] (CDPA), MASCA is committed to ensuring that your personal information is collected, processed, stored, and shared lawfully, securely, and transparently.

References to “MASCA”, “we”, “our”, or “us” refer to the Medical Aid Society of Central Africa, including its authorised affiliates, administrators, and contracted
service providers.

1. DATA PROTECTION PRINCIPLES

MASCA processes personal data in compliance with Section 13 of the CDPA. We adhere to the following principles:

  • Lawfulness, Fairness, and Transparency: Data is processed legally and transparently.
  • Purpose Limitation: Information is collected for defined, legitimate purposes only.
  • Data Minimisation: Only data necessary for the intended purpose is collected.
  • Accuracy: Reasonable steps are taken to keep data accurate and up to date.
  • Storage Limitation: Data is retained only for periods required by law or operational necessity.
  • Integrity and Confidentiality: Data is protected through appropriate technical
    and organisational safeguards.

Your privacy and data security remain central to all MASCA operations.

2. COLLECTION AND USE OF PERSONAL INFORMATION

2.1 Categories of Data Collected

MASCA may collect:

  • Personal identification details
  • Contact details
  • Financial and contribution information
  • Health and medical information (sensitive information)
  • Communication records
  • Digital identifiers (IP address, device data, browser type)

2.2 Purposes of Processing

Your information is processed to:

  • Administer membership and benefits
  • Validate, adjudicate, and settle claims
  • Conduct actuarial and risk assessments
  • Comply with legal and regulatory obligations
  • Prevent fraud
  • Facilitate communication and service updates
  • Improve operations, systems, and member experience

3. SENSITIVE PERSONAL DATA (HEALTH INFORMATION)

Health information is sensitive data under Sections 11 and 12 of the CDPA.
MASCA processes health data only when:

  • You have provided written consent
  • Processing is necessary for healthcare service delivery
  • Required for pricing, claims, or benefit entitlement
  • Mandated by law
  • Required to protect vital interests during emergencies

Additional safeguards include restricted access, encryption, and enhanced
confidentiality protocols.

4. CONSENT MECHANISM AND LAWFUL BASES FOR PROCESSING

4.1 Two-Tier Consent Framework

A. Non-Sensitive Personal Data
(e.g., name, address, contact details)

Processed on the basis of:

  • Implied consent (Section 10(2))
  • Contractual necessity
  • Legal obligations
  • Legitimate interests

B. Sensitive Data (including health information)

Processed only with your written, specific, informed consent, as required by:

  • Section 11(1) – written consent for sensitive data
  • Section 12(1) – written consent for health, genetic, or biometric data

Written consent will be obtained through:

  • Membership/KYC forms
  • Claims documentation
  • Medical forms
  • Explicit opt-in declarations

4.2 Withdrawal of Consent

Under Section 11(2), you may withdraw consent at any time. However, withdrawal may limit MASCA’s ability to process claims or provide benefits.

5. MANDATORY VS. VOLUNTARY INFORMATION

In compliance with Section 15(1)(d) & (e) of the CDPA, MASCA provides the following disclosures:

5.1 Mandatory Information

You must provide:

  • Full name
  • National ID number
  • Date of birth
  • Contact information
  • Employment information
  • Relevant health and clinical information for claims

Consequences of non-provision:
MASCA cannot process membership, adjudicate claims, or provide benefits.

5.2 Voluntary Information

These may be withheld without consequence:

  • Marketing preferences
  • Optional communication preferences

6. METHODS OF DATA COLLECTION

Data is collected through:

  • Membership and claim forms
  • Email, SMS, telephone
  • Healthcare providers
  • Administrators, reinsurers
  • Digital platforms, cookies, analytics tools

7. COOKIES AND DIGITAL INFORMATION

Cookies support functionality, improve experience, enhance security, and analyse usage. You may disable cookies, but some website features may not function properly.

8. DATA SECURITY SAFEGUARDS

MASCA implements technical and organisational measures to protect your data. Data security is a continuous process, and MASCA is strengthening its systems to align with industry standards and the CDPA. MASCA employs technical and organisational measures to protect data against:

  • Unauthorised access or use
  • Loss, alteration, or destruction
  • Cybersecurity breaches
  • Internal misuse or negligence

Current enhancement initiatives include:

8.1 Access Controls

  • Implementing Multi-Factor Authentication (MFA)
  • Strengthening password policies
  • Restricting internal access to sensitive data

8.2 Backup and Disaster Recovery

  • Formalising full backup procedures
  • Conducting regular disaster recovery testing
  • Documenting backup protocols

8.3 Third-Party Contract Compliance

In line with Section 18(5) of the CDPA:

  • All processors must operate under written Data Processing Agreements
    (DPAs)
  • MASCA is reviewing and strengthening SLAs with service providers (including
    ERP providers)
  • Agreements will include CDPA-aligned security obligations, data ownership
    clauses, and compliance commitments

9. DISCLOSURE TO THIRD PARTIES

MASCA may disclose personal data to authorised third parties strictly for legitimate
operational needs, including:

  • Healthcare providers for treatment authorisation
  • Administrators and claims processing partners
  • Reinsurers for underwriting and risk management
  • Internal and external auditors
  • IT vendors
  • Law enforcement and regulatory authorities (where required by law)
  • Partner organisations for benefit continuity

All third parties must comply with data protection requirements and operate under formal Data Processing Agreements, as mandated by the Act.

9.1 Data Processors

Where third parties process data on MASCA’s behalf:

  • They act strictly as Data Processors
  • They must follow MASCA’s written instructions
  • They are contractually bound to protect your data and comply with the CDPA

10. CROSS-BORDER DATA TRANSFERS

Where personal data is transferred outside Zimbabwe (for example, to international reinsurers or cloud service providers), MASCA ensures compliance with Sections 28 and 29 of the Act.

Transfers are permitted only where:

  • The receiving country has adequate data protection safeguards;
  • Contractual clauses ensure protection equivalent to Zimbabwe’s standards; or
  • You have provided explicit consent.

11. RETENTION AND DISPOSAL OF INFORMATION

To comply with Sections 7 and 13 of the CDPA:

Retention Schedule

Data Category              Retention Period
Membership records         Duration of membership + 7 years
Claims and health data     7 years after claim settlement
Financial records          As required by fiscal laws (typically 7 years)
Marketing data             Duration of membership + 2 years
Audit/compliance records   As required by law

At the end of retention periods, data is securely anonymised.

12. CHILDREN’S DATA

MASCA processes the personal information of minors who are registered as dependents. In accordance with the Act:

  • Personal data of members under 18 is processed only with the consent of a
    parent or legal guardian.
  • Additional safeguards are applied to protect children’s information.

All rights of the child as a data subject, including the rights to access, correction, deletion, and objection, will be exercised by the parent or legal guardian on behalf of the child. Parents and legal guardians may contact the Data Protection Officer to exercise these rights or to raise any concerns about the processing of their child’s personal data.

13. AUTOMATED DECISION-MAKING AND PROFILING

MASCA may use automated systems for risk assessment and fraud detection, but:

  • Significant decisions affecting your benefits or claims are subject to human
    review.
  • You may request an explanation or challenge any automated decision.

14. YOUR RIGHTS UNDER THE CDPA

In accordance with Section 14 of the Act, as a data subject you have the following rights:

  • Right to Access: Receive a record of personal data held about you.
  • Right to Correction: Request correction of inaccurate or incomplete data.
  • Right to Erasure (Deletion): Request deletion of data no longer required.
  • Right to Object: Object to processing on legitimate grounds.
  • Right to Withdraw Consent: Withdraw consent at any time.
  • Right to Data Portability: Request transfer of your data to another controller,
    where applicable.
  • Right to Human Intervention: Object to fully automated decision-making.

MASCA may require proof of identity before fulfilling such requests.

Response Timelines
MASCA will respond within 30 days of receiving a valid request. If more time is required, MASCA will notify you and explain the reason.

15. DATA BREACH MANAGEMENT

In accordance with Section 19 of the Act, MASCA will:

  • Investigate breaches promptly
  • Notify the Data Protection Authority within 24 hours
  • Inform affected members where necessary
  • Implement corrective and preventive measures

16. AMENDMENTS TO THIS PRIVACY STATEMENT

MASCA may update this statement to reflect regulatory or operational changes. Revisions will be published on official MASCA platforms.

17. DATA CONTROLLER INFORMATION

MASCA acts as the Data Controller and determines the purpose and means of processing your data. Third-party service providers act as Data Processors under MASCA’s supervision.

18. COMPLIANCE WITH NEW REGULATORY REQUIREMENTS (SI 155 OF 2024)

MASCA is committed to full compliance with the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (SI 155 of 2024). We have obtained our license as a data controller from the Data Protection Authority (POTRAZ) in accordance with the
timelines stipulated in the regulations.

Our Data Protection Officer has been appointed in accordance with the requirements of SI 155 of 2024 and possesses the necessary qualifications and experience in data protection and information security. The DPO has undergone the certification process approved by the Data Protection Authority and operates with full independence to ensure MASCA’s compliance with all data protection obligations.

19. CONTACT DETAILS

For inquiries, complaints, access requests, or to exercise your data protection rights, please contact:

MASCA Data Protection Officer
Email: agunzo@masca.co.zw
Phone: +263 8677004216

Address: MASCA House, Cnr 11th Avenue & Samuel Parirenyatwa Street,
Bulawayo, Zimbabwe