
Case study: How Mediclinic promotes information security

Mediclinic is an international private healthcare services group established in South Africa in 1983, with divisions in Switzerland, Southern Africa (South Africa and Namibia) and the UAE. Effective information and cyber security is paramount for Mediclinic to conduct its business in a safe and secure manner.

This case study is based on the 2020 Sustainable Development Report by Mediclinic published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Abstract

With operations spanning multiple geographical areas and a global data network required in support of such scale, the protection of information assets is a top priority for Mediclinic. In order to promote information security Mediclinic took action to:

  • implement a Group InfoSec programme
  • promote data privacy

What are the material issues the company has identified?             

In its 2020 Sustainable Development Report Mediclinic identified a range of material issues, such as climate change, human rights, supply chain management, employee wellness and safety, waste and hazardous waste management. Among these, promoting information security stands out as a key material issue for Mediclinic.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Mediclinic engages with:

To identify and prioritise material topics Mediclinic engaged with its stakeholders through the following channels: 

Stakeholder group: Patients (label inferred from the engagement methods listed; it was not captured on this page)

· Press Ganey® patient experience index surveys
· Disclosure of clinical performance results
· Systematic patient rounds during hospital stay
· 24-hour helplines
· Health awareness days
· Brochures and magazines
· Websites and blogs offering health-related information
· Social media
· Client alliance programmes

Stakeholder group: Communities (label inferred from the engagement methods listed; it was not captured on this page)

· Corporate social responsibility (‘CSR’) initiatives
· Supporting employee volunteer initiatives
· Participation at national level in health training and education
· Public-private initiatives and joint ventures at Hirslanden, Mediclinic Southern Africa and Mediclinic Middle East
· Participation in the Public Health Enhancement Fund (‘PHEF’) in South Africa

Stakeholder group: Employees and potential applicants

· Annual Gallup® employee engagement surveys
· Training and development
· Growth opportunities
· Intranet and social media
· Newsflashes and regular electronic updates
· Performance reviews and formal recognition
· Leadership video conferences and roadshows
· Employee wellness programmes
· Magazines and newsletters
· Non-executive director for workforce engagement

Stakeholder group: Governments and authorities

· Regular meetings
· Participation in conferences and seminars
· Representation on industry bodies and government boards
· Participation in public-private partnerships (‘PPPs’) to enable healthcare, training and research

Stakeholder group: Healthcare insurers

· Regular meetings regarding possible cost savings, clinical quality and healthcare delivery improvements
· Annual tariff negotiations conducted in a fair and transparent manner

Stakeholder group: Industry associations

· Membership of industry associations and representation on governing bodies
· Participation in research commissioned by associations
· Participation in conferences

Stakeholder group: Industry partners

· Direct engagement based on industry knowledge and market reputations
· Cooperation and PPPs
· Introductions through advisors
· Industry conferences and events

Stakeholder group: Shareholders and investors (label inferred from the engagement methods listed; it was not captured on this page)

· Investor Relations department
· Shareholder annual general meetings
· Financial results reporting and presentations
· Investor meetings, roadshows and conferences
· Operational site visits
· Stock exchange announcements
· Sell-side analyst and salesforce meetings
· Corporate website

Stakeholder group: Media

· Media releases
· Press conferences
· Financial results reporting and presentations
· Interviews and responses to media enquiries
· Paid advertisements
· Monitoring industry-related news and proactive response
· Social media
· The Future of Healthcare blog

Stakeholder group: Medical practitioners

· Regular meetings
· Participation in hospital clinical committees
· Continuous professional education events
· Electronic newsletters
· Networking and know-how exchange events at Hirslanden
· Dedicated medical practitioner portals at Hirslanden and Mediclinic Southern Africa
· Medical practitioner participation in hospital boards
· Biannual engagement events at Mediclinic Middle East
· Annual Research Day at Mediclinic Middle East

Stakeholder group: Suppliers

· Regular meetings and business reviews
· Contract negotiations and contract management post-signature
· Electronic product approval processes
· Product demonstrations and evaluations
· Training on product specifications
· Attendance at trade fairs
· Factory visits
· Annual Modern Slavery Act due diligence questionnaire

What actions were taken by Mediclinic to promote information security?

In its 2020 Sustainable Development Report Mediclinic reports that it took the following actions for promoting information security:

  • Implementing a Group InfoSec programme
    Mediclinic implements a comprehensive Group InfoSec programme to manage, monitor, detect and respond to information security risks. All divisions are represented on the Group InfoSec Committee through dedicated Divisional Information Security Officers, and the committee’s work is governed and informed by information security best practices sourced from several internationally recognised information and cyber security institutions. The Group InfoSec programme is based on the following guiding principles:
    • Adopting a risk-based approach towards cyber threats, which considers the likelihood of each risk materialising as well as its potential impact, and the measures in place for prevention and detection.
    • Expanding responsibility for cyber security beyond ICT to the whole organisation.
    • Ensuring end-to-end security across business processes, for mobile workers and teams, and for data flows across geographic borders.
    • Implementing cyber-security-by-design, i.e. providing effective protection against cyber threats from the outset whenever ICT capabilities are acquired or developed.
  • Promoting data privacy
    Mediclinic reaffirmed its commitment to protecting the personal data of its stakeholders by embarking on an extensive Group-wide data privacy project to align with, and ensure compliance with, all relevant data protection legislation applicable in its countries of operation, including the EU’s General Data Protection Regulation (‘GDPR’), widely regarded as the gold standard for data protection. The Group Privacy and Data Protection Policy has been reviewed to ensure alignment with the GDPR, and various initiatives are under way to ensure that core components are compliant with the GDPR framework. The project has been rolled out to the entire Group so that other applicable data protection legislation is also complied with; where no such specific legislation exists (i.e. Namibia), GDPR standards are applied as a minimum.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:


80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.




1) This case study is based on information published by Mediclinic, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please refer to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:


Note to Mediclinic: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.